The rapid growth of the bug bounty economy

On average, nearly five high-to-critical priority vulnerabilities are found within the lifetime of a single program, according to Bugcrowd.

Another observed trend includes the migration from public programs over to invitation-only programs. In the first quarter of 2013, there were no private bug bounties. By the first quarter of 2015, private bounties accounted for upwards of 35 of the newly initiated programs, handily surpassing new public bounty programs.


Additional report findings include:

  • A total of 729 high-priority vulnerabilities were discovered across 166 programs, where 175 of those vulnerabilities were deemed “critical” by trained application security engineers
  • Researchers were paid for approximately one in every five submissions
  • Researchers took home an average paycheck of $1,279.18 collected from over 6.41 submissions annually
  • Researchers found on average, 4.39 high-to-critical priority vulnerabilities per program
  • More than half of researchers come from the United States (33 percent) and India (25 percent). With regards to paid submissions, India dominated at 31 percent, followed by the United States (18.2 percent) and the United Kingdom (8.6 percent).

The top six vulnerabilities found in all programs (public and invitation only) represent 35% of the vulnerability types uncovered:

1. XSS – 17.8%
2. CSRF – 8.6%
3. Clickjack – 2.7%
4. Mobile device – 2.5%
5. SQL injection – 2.2%
6. Mobile network – 1.3%

XSS, CSRF and SQL injection are still driving top vulnerability submissions—which is consistent across other publicly available bug bounty data from Google and Facebook’s programs. The 65% of “other” vulnerabilities can be broken down into the following categories:


“The data pulled from our sizable community demonstrate the impressive economics behind bug bounty programs, for both sides of the market,” said Casey Ellis, CEO of Bugcrowd.

“As the power of crowdsourced security testing continues to grow and evolve, it’s critical to maintain transparency and open communication between researchers and organizations into how vulnerabilities are reported, patched and rewarded, and to that end we’re very pleased to be releasing this report,” Ellis concluded.