The past year was a big one for bug bounties, with more programs offering more money to more researchers. Bug bounty programs grew 40% year-over-year, the average payout per vulnerability rose 73% to reach $781, and the number of Bugcrowd researchers grew by 71%.
These new numbers come from Bugcrowd’s 2018 State of Bug Bounty, its fourth annual report on crowdsourced security. Analysts pulled data from more than 700 managed crowdsourced security programs from April 1, 2017 through March 31, 2018. Over the year they saw more than 37,000 submissions, 69% of which were valid – a 21% increase from the prior year.
Private programs saw a 33% increase year-over-year and made up 79% of all new programs launched. Only vetted, ID-verified, and trusted researchers are allowed to participate in private programs, whereas public initiatives are open to all researchers.
Where the Money Is
Financial gain is an incentive for black-hat and white-hat hackers alike. Bugcrowd founder and CTO Casey Ellis says growth in reward amounts was his key takeaway from this year’s report. Total payouts have increased 36% from last year; the number of researchers paid is up 13%.
“It’s a reflection of the fact that more of the critical vulnerabilities are being found by the Crowd,” he says. “It also reflects the fact that customers are starting to get into the rhythm that the more you incentivize bug hunters, the more you can reduce risk.”
The increase in payout reflects the increase in seriousness of bugs found. Bugcrowd categorizes vulnerabilities according to severity and noticed 20% more critical (P1 and P2) vulnerabilities submitted over the year. Seven percent of these were P1, the more severe of the two. Three-quarters of all P1 vulnerability payouts were greater than $1,200, up from $926 last year.
The bulk of bug bounty payouts went toward website vulnerabilities, which ate up 81.2% of funds. Hardware vulnerabilities were a far second, with 6.7% of payouts, followed by API (5.8%), Android (3.1%), IoT (2.5%), and iOS (0.7%) vulnerabilities.
Ellis chiefly attributes the increase in severe vulnerability payouts to the skill of the bug hunting community and its motivation to go after critical flaws. “We have more talented hunters at this point,” he notes. However, he adds, if more organizations had bug hunting programs, the team might be able to make estimates about the security of the software they’re researching.
It’s positive to see more and larger payouts, but where does the funding come from?
“We see some organizations where it’s a [reallocation] of existing budgets, where they were questioning the ROI of their original [vulnerability] assessment methods,” says Ellis. Others started working with the “Crowd” and realized they were more vulnerable than they thought.
Building and Expanding
Most (57%) of all programs launched in the past year primarily included website vulnerabilities. Seventeen percent include API targets, 13.6% include Android, 8.9% include iOS, 1.4% include hardware, and less than one percent include IoT.
Tech companies are the strongest adopters of bug bounty programs, with computer hardware, software, and networking companies making up 40.6% of all new programs launched, followed by IT services (12.7%), ecommerce/retail (9.1%), financial services (8.7%), and telecom (5.1%).
Ellis says they continue to see a lot of growth in the tech vertical. “They continue to be the strongest adopters of this model and those who ultimately tell the story of what it looks like to the rest of the market,” he explains.
However, older industries like healthcare and retail have also expressed interest in bug bounty programs over the past year. While they don’t have the same representation as tech-first firms, Ellis says their inclusion is significant. “These older organizations are often the most in need of fresh adversarial input from someone who’s helpful,” he points out.
Looking toward the year ahead, Ellis says he’d like to see greater representation of IoT bug hunting. “It’s a pretty broad area of tech that’s growing very rapidly right now,” Ellis says. “What we’re seeing is those types of threats are becoming pretty critical.”
While IoT bug hunting will require additional skillsets on the part of hunters, Ellis doesn’t think the transition will be quite as difficult as perceived. The mental transition from Web to IoT hacking isn’t as big a leap as the physical change: for IoT, you have to obtain the devices. “You have to get possession of what you’re trying to test,” he says.
On a broader level, he expects the severity of bugs disclosed will increase, and people with more advanced skillsets will go after more critical issues. The average payout will also likely increase, he says.
“Logically there is a ceiling that the average will hit, but I don’t think we’re anywhere near that ceiling yet,” Ellis says.
Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial …