A new report on bug bounties claims payouts are increasing and more 'traditional' industries are offering bug bounty programs.

The rise in global cyberattacks and the “critical deficit of security talent” helped bug bounty programs grow over the last year and diversify from those offered by “tech giants” to more traditional industries.

One trend over the last year has been rising payouts, according to the 2016 State of Bug Bounty report (pdf). Last year, the average bug reward on Bugcrowd’s platform was $200.81. This second annual report shows an increase of 47 percent, with the average reward rising to $294.70. According to Bugcrowd, after it published its Defensive Vulnerability Pricing Model guide this year, “the average bug payout in just the first quarter of 2016 was at an all-time high of $505.79.”

Bug bounty program by industry

It’s not just tech companies offering bug bounty programs; the last year has seen an increase in programs from retail and e-commerce, as well as financial services and banking. The finance and banking industry tends to run private programs, which helps to explain the difference between the industry breakdown of Bugcrowd’s vulnerability disclosure programs and that of all public bug bounty programs.

The report said, “Overall, organizations from more ‘traditional’ industries have seen year-over-year growth of over 217 percent on average, including Financial Services and Banking, Automotive, Healthcare, Education, Telecommunications, Hospitality, Real Estate, Utilities and Consumer Goods.”

Despite all that, Bugcrowd’s report stated, “The bug bounty economy is growing rapidly, and yet it still has a long way to go, as proven by recent research stating that 94 percent of companies on the Forbes 2000 list do not currently have a vulnerability disclosure or bug bounty program.”

As for which companies have launched on the Bugcrowd platform, enterprises (with over 5,000 employees) account for the fastest growth in the last year. Yet enterprises still don’t make up the biggest share of companies offering bug bounties.

Super hunters

“Super hunters” have emerged: researchers who earn thousands of dollars and often work full time as bug bounty hunters. “The top 10 paid out researchers have made, collectively, 23 percent of total payouts,” the report said. Some from smaller regions have been so successful that they “put their entire countries on our radar.” Most researchers, about 85 percent, participate in bug bounty programs as a hobby or part time, with 70 percent spending fewer than 10 hours a week hunting for bugs.

Private bug bounty programs

While any researcher can participate in a public bug bounty program, 63 percent of all programs are private and pay higher bounties to attract top researchers. Companies may begin such programs as private, with researchers needing an invitation to participate, but most programs eventually become public. Bugcrowd said that to receive an invitation into its private programs, “researchers must score high in all of the following measures: trust, acceptance rate and overall submission quality, finding severity and activity.”

XSS and CSRF are top bugs reported

Although “higher impact submissions” increased over the last year, “reflecting the maturing skillset of the crowd,” cross-site scripting (XSS) remains the most commonly discovered vulnerability type. Cross-site request forgery (CSRF) is the second most commonly reported vulnerability.

Bug hunters

Who are the bug hunters finding and cashing in on these vulnerabilities? Bugcrowd said it has over 26,000 researcher accounts, and those researchers come from 112 countries, but primarily from India (43 percent) and the U.S. (13 percent). About 75 percent of the researchers are between the ages of 18 and 29; 19 percent are age 30 to 44. Eighty-eight percent had at least one year of college, with 55 percent having a bachelor’s or postgraduate degree.

Bug type reported by country

The graphic below shows the breakdown of “valid submission” bug types, excluding unclassified bugs, by country.

Casey Ellis, CEO of Bugcrowd, said:

“2015 was the year companies realized that, when it comes to cybersecurity, the pain of staying the same is exceeding the pain of change. This tip is causing companies to realize that the only way to compete with an army of adversaries is with an army of allies. Even the most risk-averse industries are embracing, and successfully implementing, crowdsourced cybersecurity programs. This growth validates today’s reality: distributed resourcing approaches like bug bounty programs are the best tools to create parity with the adversary.”

You can get a copy of the report here.