Bug bounty report card: Industry diversification and growth

With a global rise in cyberattacks and a critical deficit of security talent to combat adversaries, bug bounty programs congruently grew in both volume and scope in the last 12 months, according to Bugcrowd.

Company industries represented in public data of all known public bug bounty programs

Moving beyond technology companies, more than 25 percent of public and private programs are now run in more “traditional” industry sectors – with particular traction across retail & e-commerce, financial services & banking, and automotive – and deployed across larger organizations, with companies over 5,000 employees gaining particular traction in the last 12 months.

Number of bounty programs continuously increases: Bug bounty programs on the Bugcrowd platform have increased over 210 percent on average year over year since January 2013.

Larger enterprises are adopting bug bounties: Companies with 5,000+ employees accounted for 44 percent more of the total companies launching bug bounty programs over the last 12 months.

Average payouts are rising: The average bug reward to researchers rose 47 percent in the last 12 months. In Q1 2016, the average payout on Bugcrowd’s platform was $505.79.

Vulnerability ‘super hunters’ have emerged: ‘Super hunter’ researchers earn thousands of dollars in payouts, and often participate in bug bounty programs as full-time positions. This contrasts with the majority of researchers (85 percent) participate in bug bounty programs as a hobby or part-time job, with 70 percent spending fewer than 10 hours a week working on bounties.

Bugcrowd researchers come from 112 countries, and activity varies by region: More than half (56 percent) of all submissions originate from two countries: India (43 percent) and the United States (13 percent). The top ten countries by volume of vulnerabilities submitted are India, the United States, Pakistan, the United Kingdom, the Philippines, Germany, Malaysia, the Netherlands, Australia and Tunisia.

Cross-site scripting (XSS) continues to dominate: XSS is still the single most discovered vulnerability type, at over 66 percent of all classified vulnerabilities disclosed.

Average priority of submissions are continuing to improve across all programs: Higher impact submissions (on a scale of 5 to 1 in rising priority) have increased from 3.88 to 3.75 on average over the last 12 months, reflecting the maturing skillset of the crowd.

Bug types across all valid submissions including unclassi ed submissions

“Mainstream enterprises are entering a new era of advanced security,” said Jonathan Cran, VP of product at Bugcrowd. “Bug bounty programs are leveling the playing field, and Bugcrowd is making them accessible across more industries and organization types. Crowdsourced cybersecurity not only strengthens the security of products, but it also initiates rewarding, mutually beneficial relationships with the researcher community.”

In 12 months, Bugcrowd’s researcher base grew 29 percent to include over 26,000 total researcher accounts at the end of Q1 2016. Nearly 75 percent of researchers are between the ages of 18-29. The second largest group, 30-44, represents 19 percent of the crowd.

“2015 was the year companies realized that, when it comes to cybersecurity, the pain of staying the same is exceeding the pain of change. This tip is causing companies to realize that the only way to compete with an army of adversaries is with an army of allies. Even the most risk-averse industries are embracing, and successfully implementing, crowdsourced cybersecurity programs,” said Casey Ellis, CEO and founder of Bugcrowd. “This growth validates today’s reality: distributed resourcing approaches like bug bounty programs are the best tools to create parity with the adversary.”