The rise in global cyberattacks and the “critical deficit of security talent” helped bug bounty programs grow in the last year and diversify from those offered by “tech giants” to more traditional industries.

One trend over the last year has been for payouts to increase, according to the 2016 State of Bug Bounty report (pdf). Last year, the average bug reward on Bugcrowd’s platform was $200.81. This second annual report shows an increase of 47 percent, with the average reward rising to $294.70.

According to Bugcrowd, after it published its Defensive Vulnerability Pricing Model guide this year, “the average bug payout in just the first quarter of 2016 was at an all-time high of $505.79.”

Bug bounty program by industry

It’s not just tech companies offering bug bounty programs; the last year has seen an increase in bug bounty programs from retail and e-commerce, as well as financial services and banking. The finance and banking industry tends to run private programs, which helps to explain the difference between Bugcrowd’s vulnerability disclosure programs industry breakdown and all public bug bounty programs.

The report said, “Overall, organizations from more ‘traditional’ industries have seen year-over-year growth of over 217 percent on average, including Financial Services and Banking, Automotive, Healthcare, Education, Telecommunications, Hospitality, Real Estate, Utilities and Consumer Goods.”

Despite all that, Bugcrowd’s report stated, “The bug bounty economy is growing rapidly, and yet it still has a long way to go, as proven by recent research stating that 94 percent of companies on the Forbes 2000 list do not currently have a vulnerability disclosure or bug bounty program.”

As for which companies have launched on the Bugcrowd platform, enterprises (with over 5,000 employees) account for the fastest growth in the last year.
Yet the enterprise still doesn’t make up the biggest chunk of companies offering bug bounties.

Super hunters

“Super hunters” have emerged. These are researchers who earn thousands of dollars and often work full time as bug bounty hunters. “The top 10 paid out researchers have made, collectively, 23 percent of total payouts,” the report said. Some from smaller regions have been so successful that they “put their entire countries on our radar.” Most researchers, about 85 percent, participate in bug bounty programs as a hobby or part time, with 70 percent spending fewer than 10 hours a week hunting for bugs.

Private bug bounty programs

While any researcher can participate in a public bug bounty program, 63 percent of all programs are private and pay higher bounties to attract top researchers. Companies may begin such programs as private, with researchers needing an invite to participate, but most programs eventually become public.

Bugcrowd said that to receive an invitation into its private programs, “researchers must score high in all of the following measures: trust, acceptance rate and overall submission quality, finding severity and activity.”

XSS and CSRF are top bugs reported

Although “higher impact submissions” increased over the last year, “reflecting the maturing skillset of the crowd,” cross-site scripting (XSS) still rules as king of vulnerability type discovered. Cross-site request forgery (CSRF) is the second most popular vulnerability reported.

Bug hunters

Who are these bug hunters who are finding and cashing in by reporting vulnerabilities? Bugcrowd said it has over 26,000 researcher accounts, and those researchers come from 112 countries, but primarily they are from India (43 percent) and the U.S. (13 percent). About 75 percent of the researchers are between the ages of 18 and 29. Nineteen percent are age 30 to 44.
Eighty-eight percent had at least one year of college, with 55 percent having a bachelor’s or postgraduate degree.

Bug type reported by country

The graphic below shows the breakdown of “valid submission” bug types, excluding unclassified bugs, by country.

Casey Ellis, CEO of Bugcrowd, said:

“2015 was the year companies realized that, when it comes to cybersecurity, the pain of staying the same is exceeding the pain of change. This tip is causing companies to realize that the only way to compete with an army of adversaries is with an army of allies. Even the most risk-averse industries are embracing, and successfully implementing, crowdsourced cybersecurity programs. This growth validates today's reality: distributed resourcing approaches like bug bounty programs are the best tools to create parity with the adversary.”

You can get a copy of the report here.