Super Bug Hunters Collect Millions in Bounties
-
Super Bug Hunters Collect Millions in Bounties
Although the first bug bounty program was started by Netscape in 1995, enterprises have been slow to adopt them. That changed this year. -
Enterprises Adopting Bug Bounties
Companies with 5,000-plus employees accounted for 44% more of the total companies that launched bug bounty programs during the last 12 months. -
Bug Bounty Growth
Bug bounty program growth increased to 210% on average year-over-year since Bugcrowd's inaugural report in 2015. -
Private Bounty Programs Growing
Private bounty programs are an emerging trend—63% of all bounty programs launched are private. -
Average Payouts Rising
The average bug reward to researchers rose 47% during the last 12 months. Q1 2016 saw average payouts of $505.79 on Bugcrowd's platform. -
Bug Bounties Move to Traditional Verticals
The industries launching bug bounty programs are becoming more diversified. The top five according to public data of bug bounty programs are: Computer software: 21%, Internet: 15%, IT and services: 13%, Financial services and banking: 7%, Business services: 5% -
‘Super Hunters’ Emerge
A new tier of "super hunters" is emerging. The top 10 researchers have collected 23% of total payouts. -
Where Are Bugcrowd Researchers?
Bugcrowd researchers come from 112 countries. 56% of all submissions originate from India (43%) and in the United States (13%). -
Top 10 Countries by Volume of Vulnerabilities Submitted
The Top 10 countries by volume of vulnerabilities submitted are: India, U.S., Pakistan, U.K., Philippines, Germany, Malaysia, the Netherlands, Australia, Tunisia. -
XSS Continues to Dominate
Cross-Site Scripting (XSS) remains the most discovered vulnerability type at over 66% of all classified vulnerabilities disclosed. -
Bugcrowd Program Data
Bugcrowd platform data includes program data gathered since January 1, 2013, through March 31, 2016, as follows: 286 total programs, 64% private 37% public, 54,114 total submissions, $2,054,721 in bounty payments across 6,724 paid submissions, 26,782 researchers as of March 31, 2016
More organizations are adopting bug bounties—incentivized programs that encourage security researchers to report security issues to a sponsoring organization. Bug bounties are moving from novelties to best practices, helping to strengthen the security of products. "2015 was the year companies realized that when it comes to cyber-security, the pain of staying the same is exceeding the pain of change," said Casey Ellis, CEO and founder of Bugcrowd. "This tip is causing companies to realize that the only way to compete with an army of adversaries is with an army of allies. Even the most risk-averse industries are embracing and successfully implementing crowdsourced cyber-security programs." The study, "State of Bug Bounty Report," was conducted between Jan. 1, 2013, and March 30, 2016, by Bugcrowd, a crowdsourced security testing firm for enterprise. The report includes data from programs run on Bugcrowd's platform and a survey of 500 security researchers and 600 security professionals. Included in the term "bug bounty" are vulnerability disclosure programs, public bug bounty programs, and private programs.