SOURCE: Bugcrowd

Bugcrowd

July 30, 2015 09:00 ET

Bugcrowd's Inaugural State of Bug Bounty Report Highlights Bourgeoning Economy of Bug Bounties

Study Conducted From 2013 to 2015 Draws Data From Over 37,000 Submissions

SAN FRANCISCO, CA--(Marketwired - Jul 30, 2015) - Bugcrowd, the innovator in crowdsourced security testing for the enterprise, today released the results of its inaugural State of Bug Bounty Report. Collected from over two years of vulnerability and community data, the report demonstrates the rapid growth of the bug bounty economy, with over 37,000 bug submissions and an ever-expanding researcher community currently totaling more than 18,600 researchers.

The State of Bug Bounty Report found that on average, nearly five high-to-critical priority vulnerabilities are found within the lifetime of a single program. Another observed trend includes the migration from public programs over to invitation-only programs. In the first quarter of 2013, there were no private bug bounties. By the first quarter of 2015, private bounties accounted for upwards of 35 of the newly initiated programs, handily surpassing new public bounty programs.

Additional report findings include:

  • A total of 729 high-priority vulnerabilities were discovered across 166 programs, where 175 of those vulnerabilities were deemed "critical" by trained application security engineers
  • The most discovered vulnerability was cross-site scripting (XSS) at nearly 20 percent of all bugs found
  • Researchers were paid for approximately one in every five submissions
  • Researchers took home an average paycheck of $1,279.18 collected from over 6.41 submissions annually
  • Researchers found on average, 4.39 high-to-critical priority vulnerabilities per program
  • More than half of researchers come from the United States (33 percent) and India (25 percent). With regards to paid submissions, India dominated at 31 percent, followed by the United States (18.2 percent) and the United Kingdom (8.6 percent)

"The data pulled from our sizable community demonstrates the impressive economics behind bug bounty programs, for both sides of the market," said Casey Ellis, CEO of Bugcrowd. "As the power of crowdsourced security testing continues to grow and evolve, it's critical to maintain transparency and open communication between researchers and organizations into how vulnerabilities are reported, patched and rewarded, and to that end we're very pleased to be releasing this report."

"Our researchers have found almost five high-to-critical priority findings per program, proving that bug bounties are an extremely effective way for organizations to assess the security of their applications," said Jonathan Cran, vice president of operations at Bugcrowd. "This report demonstrates what we've suspected all along. A crowd-sourced security intelligence platform like Bugcrowd's is a critical part of any serious system development life cycle (SDLC), helping organizations level the playing field in cybersecurity."

A number of security teams have opted to work with Bugcrowd to manage their bug bounty programs, including companies like Pinterest, Western Union, Blackphone and Silent Circle, Indeed, Drupal, Tesla and many more. For more information on Bugcrowd's customer programs, visit: https://bugcrowd.com/stories.

Click here to view the full report.

About Bugcrowd
An innovator in crowdsourced security testing for the enterprise, Bugcrowd harnesses the power of more than 18,000 security researchers to surface critical software vulnerabilities and level the playing field in cybersecurity. Bugcrowd also provides a range of responsible disclosure and managed service options that allow companies to commission a customized security testing program that fits their specific requirements. Bugcrowd's proprietary vulnerability disclosure platform is deployed by Western Union, Pinterest, Drupal and many others. Based in San Francisco, CA, Bugcrowd is backed by Costanoa Venture Capital, Rally Ventures, Paladin Capital Group and Blackbird Ventures. For more information visit www.bugcrowd.com.

Contact Information

  • Contact information:
    Anthony Acosta
    (570) 894-4592
    LEWIS PR for Bugcrowd
    Email Contact