Bug bounties are more popular than ever, with ever more companies stepping up to reward security researchers for finding flaws in software and platforms. As a result, the average payout to white-hats is rising, spiking 47% in the last 12 months.
That’s according to Bugcrowd, which found that in Q1 2016, the average payout on Bugcrowd’s platform was $505.79.
In a report detailing trends in the space, Bugcrowd found that bug bounty programs grew in both volume and scope in the past year. Bug bounty programs on the Bugcrowd platform have increased over 210% on average year over year since January 2013.
Further, these have been implemented beyond the core base of major technology companies like Google and Microsoft. In fact, more than a quarter of public and private programs are now run in more “traditional” industry sectors—with particular traction across retail and e-commerce, financial services and banking, and automotive.
Larger organizations in particular are embracing the practice, and it is gaining particular traction among companies with more than 5,000 employees. These now account for 44% of bounty programs.
“Mainstream enterprises are entering a new era of advanced security,” said Jonathan Cran, vice president of product at Bugcrowd. “Bug bounty programs are leveling the playing field, and Bugcrowd is making them accessible across more industries and organization types. Crowdsourced cybersecurity not only strengthens the security of products, but it also initiates rewarding, mutually beneficial relationships with the researcher community.”
The report also found that vulnerability “super-hunters” have emerged: these are researchers who earn thousands of dollars in payouts, and often participate in bug bounty programs full-time. This contrasts with the majority of researchers (85%), who participate in bug bounty programs as a hobby or part-time job, with 70% spending fewer than 10 hours a week working on bounties.
In 12 months, Bugcrowd’s researcher base grew 29% to include over 26,000 total researcher accounts at the end of Q1 2016. Nearly 75% of researchers are between the ages of 18 and 29. The second largest group, 30-44, represents 19% of the crowd.
Bugcrowd researchers come from 112 countries, and activity varies by region. More than half (56%) of all submissions originate from two countries: India (43%) and the United States (13%). The top ten countries by volume of vulnerabilities submitted are India, the United States, Pakistan, the United Kingdom, the Philippines, Germany, Malaysia, the Netherlands, Australia and Tunisia.
The average priority of submissions is continuing to improve across all programs. On a scale of five to one in rising priority, the average moved from 3.88 to 3.75 over the last 12 months, meaning higher-impact submissions have increased, which reflects the maturing skillset of the crowd. Cross-site scripting (XSS) continues to be the single most-discovered vulnerability type, at over 66% of all classified vulnerabilities disclosed.
“2015 was the year companies realized that, when it comes to cybersecurity, the pain of staying the same is exceeding the pain of change,” said Casey Ellis, CEO and founder of Bugcrowd. “This tip is causing companies to realize that the only way to compete with an army of adversaries is with an army of allies. Even the most risk-averse industries are embracing, and successfully implementing, crowdsourced cybersecurity programs. This growth validates today's reality: distributed resourcing approaches like bug bounty programs are the best tools to create parity with the adversary.”