Positive Technologies summed up the results of the Standoff 365 Bug Bounty vulnerability search platform, launched in May 2022.In a year and a half, the number of hosted programs has increased from 2 to 53 and continues to grow. The amount of remuneration is from 9 thousand to 3 million rubles, depending on the level of vulnerability risk. At the same time, the maximum payouts are comparable to similar rewards on global platforms. This was reported to CNews by representatives of Positive Technologies.
To date, organizations from various industries have placed their programs on the platform: IT, trade, finance, and IT institutions. The largest number of programs is presented in the IT sector (38%), among public institutions (17%) and educational platforms (11%).
Since its opening, 7537 researchers have registered on the platform; programs were presented by Rambler&Co, VK, Gosuslugi, Odnoklassniki, and Tinkoff.
"One of the most significant indicators of the platform's performance is the number of valid vulnerability reports received," said Anatoly Ivanov, Product manager at Standoff 365. — As a rule, these are reports of researchers who have been verified by the platform and the program representative. In total, bug hunters sent 1,479 reports, of which 10% (152) were with critical vulnerabilities and 19% (287) were with high — risk vulnerabilities."
For a year and a half of work of Standoff 365 Bug Bounty hackers found vulnerabilities of 71 types according to the classification of CWE (Common Weakness Enumeration) in web applications. The CWE-79 flaw- " Incorrect neutralization of input data when generating web pages (cross-site scripting)" - took the first place in popularity, as it was included in 22% of reports.
One of the world's leading bug bounty platforms, HackerOne, also keeps statistics on CWE, which also publishes security flaws, which are ranked by the number of reports with them. Positive Technologies noted that the data from the two platforms are similar, and therefore, Standoff 365 Bug Bounty supports global trends even in statistics about vulnerabilities in organizations ' infrastructures.
The peak payout metric can vary significantly from program to program. In one case, you can pay several thousand rubles for a critical vulnerability, and in the other — more than 3 million rubles. The amount of remuneration depends on the company itself: its revenue, scale, and the information it uses.
"According to our data, IT companies and organizations from the financial sector paid hackers more than companies from other industries represented on the platform," said Grigory Prokhorov, an analyst in the research group of the Positive Technologies analytics department. — They account for a total of 81% of rewards, despite the fact that they are quantitatively represented in only 44% of programs. We note that the level of payments on foreign platforms is comparable to similar programs on Standoff 365 Bug Bounty. For example, on the HackerOne platform, rewards for them can be up to $20 thousand, depending on the company participating in the program."
To date, organizations from various industries have placed their programs on the platform: IT, trade, finance, and IT institutions. The largest number of programs is presented in the IT sector (38%), among public institutions (17%) and educational platforms (11%).
Since its opening, 7537 researchers have registered on the platform; programs were presented by Rambler&Co, VK, Gosuslugi, Odnoklassniki, and Tinkoff.
"One of the most significant indicators of the platform's performance is the number of valid vulnerability reports received," said Anatoly Ivanov, Product manager at Standoff 365. — As a rule, these are reports of researchers who have been verified by the platform and the program representative. In total, bug hunters sent 1,479 reports, of which 10% (152) were with critical vulnerabilities and 19% (287) were with high — risk vulnerabilities."
For a year and a half of work of Standoff 365 Bug Bounty hackers found vulnerabilities of 71 types according to the classification of CWE (Common Weakness Enumeration) in web applications. The CWE-79 flaw- " Incorrect neutralization of input data when generating web pages (cross-site scripting)" - took the first place in popularity, as it was included in 22% of reports.
One of the world's leading bug bounty platforms, HackerOne, also keeps statistics on CWE, which also publishes security flaws, which are ranked by the number of reports with them. Positive Technologies noted that the data from the two platforms are similar, and therefore, Standoff 365 Bug Bounty supports global trends even in statistics about vulnerabilities in organizations ' infrastructures.
The peak payout metric can vary significantly from program to program. In one case, you can pay several thousand rubles for a critical vulnerability, and in the other — more than 3 million rubles. The amount of remuneration depends on the company itself: its revenue, scale, and the information it uses.
"According to our data, IT companies and organizations from the financial sector paid hackers more than companies from other industries represented on the platform," said Grigory Prokhorov, an analyst in the research group of the Positive Technologies analytics department. — They account for a total of 81% of rewards, despite the fact that they are quantitatively represented in only 44% of programs. We note that the level of payments on foreign platforms is comparable to similar programs on Standoff 365 Bug Bounty. For example, on the HackerOne platform, rewards for them can be up to $20 thousand, depending on the company participating in the program."
