Last week was unusually rich for the crowd security testing industry in terms of major events and announcements, many of which occurred during the RSA Conference.

Among the positive news is the US government’s announcement that it will keep its bug bounty program under the Trump Administration, giving confidence both to security researchers and to startups raising new millions from wealthy investors. Open Bug Bounty announced 100,000 submissions with over 35,000 fixed vulnerabilities. Meanwhile, new companies, inspired by existing crowd security startups, launched new platforms dedicated to security testing of IoT and other smart devices.

However, probably the most important news for the crowd security testing community is the partnership announced between Qualys, the global leader in automated security testing, and Bugcrowd, a prominent bug bounty platform. Henceforth, vulnerabilities detected by Qualys WAS will no longer be eligible for an award in the bounty programs of joint customers. In brief: security researchers making easy cash by reporting trivial security flaws are out of the game now.

The days of the unregulated Wild West bug bounty market are gone. Such a move was predictable, and is pretty reasonable. In one of my previous articles, I already spoke in detail about certain advantages and pitfalls of bug bounties, including the bug bounty fatigue phenomenon that was presented in a bit more detail at Black Hat last year.

The issue is actually quite simple: companies that have run bounty programs for years are usually much less tested, both in terms of quality and quantity, than newcomers. This is because a bug hunter’s chance of spotting a rewardable vulnerability in a reasonable amount of time is almost zero: everything has already been found and reported. Instead, security researchers quickly jump on new targets using Google dorking and arsenals of vulnerability scanning software to report the easiest security vulnerabilities before the others do, and then switch to the next easy target. Such a vulnerability reporting model was quite sustainable until now.

Now companies will benefit from the new approach: excluding simple XSS and similar vulnerabilities from the scope of bounty payment will reduce the volume of garbage traffic and increase the average quality of testing. However, how many skilled security experts will be attracted to spend days and nights detecting sophisticated vulnerabilities without any guarantee of ever getting paid? This is questionable, especially taking into consideration the global shortage of cybersecurity professionals.

Mark Barwinski, MSc, CISSP, CISA, cybersecurity director at PwC, comments: “Evolving and maturing bug hunting programs are redefining their criteria while containing costs. Dialing down the noise level is welcomed; however, a security segment traditionally short on skilled researchers may be on the verge of greater and significant pressures as we accelerate digitalization efforts.”

Crowd bug hunting is now on the road to becoming a mature instrument in the security testing arsenals of large companies and organizations that operate non-critical public-facing systems. Refusing to pay for vulnerabilities that Qualys WAS and other automated solutions can easily detect at a fixed cost will certainly make bug bounties more cost-efficient by eliminating newbies who send vulnerability scanner logs and demand cash. However, if the newbies now turn to cybercrime, how many security professionals will be motivated to conduct regular and comprehensive security testing under the new conditions?