Crowdsourced security trends: Payouts to hackers increase

Bugcrowd has released the 2018 Bugcrowd State of Bug Bounty Report, which analyzes proprietary platform data collected from more than 700 crowdsourced security programs managed by the organization. The data includes all Bugcrowd platform data from April 1, 2017 through March 31, 2018.

The report found an increase across the board in the number and severity of vulnerabilities, and payouts to hackers, making it clear that companies are turning to crowdsourced security to cope with a complex threat landscape.

Submitted vulnerabilities

The total number of vulnerabilities submitted via the Crowdcontrol platform surpassed 37,000 submissions in the last year, a 21 percent increase from year prior. While there has been a steady increase in new and uncategorized vulnerabilities discovered over the past year, there has also been a 2X uplift in the average payout across all programs and industries.

Over the past year, 20% of all valid vulnerabilities were classified as critical (P1 or P2). Of these 7% were P1 (the most critical). 31% of all valid submissions were classified as P3 severity, a 10% increase over last year. 26% were classified as P4, 16% were classified as P5 and 13% were P2.

The top-5 vulnerabilities submitted this past year are:

• Cross-Site Scripting (XSS) Reflected (P3)
• Cross-Site Scripting (XSS) Stored Admin (P3)
• Broken Authentication and Session Management Failure to Invalidate Session (P4)
• Broken Authentication and Session Management Weak Login Function Over HTTP (P3)
• Server Security Misconfiguration No Rate Limiting On Form (P4)

75% of all P1 vulnerability payouts were above $1,200, up from $926 last year. More than 91% of all vulnerability submissions were web vulnerabilities.

Crowdsourced security trends

To stay ahead of these adversaries, organizations like Netgear, Jet.com, and Atlassian have turned to the crowdsourced security model to identify emerging vulnerabilities unknown to most scanners – before the bad guys do. Bug bounty and vulnerability disclosure programs have the ability to bring together tens of thousands of the brightest minds in security research, to uncover seven times more high priority vulnerabilities than traditional assessment methods.

While the Crowd has grown by 71 percent, represented by more than 100 countries around the world, the report also uncovered a maturing market: India. The largest payment amount went to the United States; yet the majority of total vulnerability submissions (30 percent) came from India, suggesting that younger bug hunters are emerging, learning and growing their skills as they find lower priority bugs.

Other key takeaways from the report include:

• There’s been a 40% increase in number of programs launched during the past year with a 33% increase in private programs
• 79% of all program launched in the last year were private
• The top 5 areas of adoption by industry are Computer Hardware, Software & Networking, IT Services, eCommerce / Retail, Financial Services, and Telecom / Communication Services.

“Vulnerabilities happen – humans aren’t perfect and errors are written inadvertently into code. Crowdsourced security empowers organizations to mitigate the risk that these will be discovered by threat actors. Our fourth annual SOBB report demonstrates the power of the Crowd in discovering increasingly critical vulnerabilities to protect global businesses and government organizations,” said Casey Ellis, founder and CTO of Bugcrowd.