Super Bug Hunters Collect Millions in Bounties
Although the first bug bounty program was started by Netscape in 1995, enterprises have been slow to adopt them. That changed this year.
Companies with 5,000-plus employees accounted for 44% more of the total companies that launched bug bounty programs during the last 12 months.
Bug bounty program growth increased to 210% on average year-over-year since Bugcrowd’s inaugural report in 2015.
Private bounty programs are an emerging trend—63% of all bounty programs launched are private.
The average bug reward to researchers rose 47% during the last 12 months. Q1 2016 saw average payouts of $505.79 on Bugcrowd’s platform.
The industries launching bug bounty programs are becoming more diversified. The top five according to public data of bug bounty programs are: Computer software: 21%, Internet: 15%, IT and services: 13%, Financial services and banking: 7%, Business services: 5%
A new tier of “super hunters” is emerging. The top 10 researchers have collected 23% of total payouts.
Bugcrowd researchers come from 112 countries. 56% of all submissions originate from India (43%) and in the United States (13%).
The Top 10 countries by volume of vulnerabilities submitted are: India, U.S., Pakistan, U.K., Philippines, Germany, Malaysia, the Netherlands, Australia, Tunisia.
Cross-Site Scripting (XSS) remains the most discovered vulnerability type at over 66% of all classified vulnerabilities disclosed.
Bugcrowd platform data includes program data gathered since January 1, 2013, through March 31, 2016, as follows: 286 total programs, 64% private 37% public, 54,114 total submissions, $2,054,721 in bounty payments across 6,724 paid submissions, 26,782 researchers as of March 31, 2016