Threat Intelligence

6/7/2018
05:30 PM

Bug Bounty Payouts Up 73% Per Vulnerability: Bugcrowd

Bug bounty programs grew along with payouts, which averaged $781 per vulnerability this year, researchers report.

The past year was a big one for bug bounties, with more programs offering more money to more researchers. Bug bounty programs grew 40% year-over-year, the average payout per vulnerability rose 73% to reach $781, and the number of Bugcrowd researchers grew by 71%.

These new numbers come from Bugcrowd's 2018 State of Bug Bounty, its fourth annual report on crowdsourced security. Analysts pulled data from more than 700 managed crowdsourced security programs from April 1, 2017 through March 31, 2018. Over the year they saw more than 37,000 submissions, 69% of which were valid - a 21% increase from the prior year.

Private programs saw a 33% increase year-over-year and made up 79% of all new programs launched. Only vetted, ID-verified, and trusted researchers are allowed to participate in private programs, whereas public initiatives are open to all researchers.

Where the Money Is

Financial gain is an incentive for black-hat and white-hat hackers alike. Bugcrowd founder and CTO Casey Ellis says growth in reward amounts was his key takeaway from this year's report. Total payouts have increased 36% from last year; the number of researchers paid is up 13%.

"It's a reflection of the fact that more of the critical vulnerabilities are being found by the Crowd," he says. "It also reflects the fact that customers are starting to get into the rhythm that the more you incentivize bug hunters, the more you can reduce risk."

The increase in payout reflects the increase in seriousness of bugs found. Bugcrowd categorizes vulnerabilities according to severity and noticed 20% more critical (P1 and P2) vulnerabilities submitted over the year. Seven percent of these were P1, the more severe of the two. Three-quarters of all P1 vulnerability payouts were greater than $1,200, up from $926 last year.

The bulk of bug bounty payouts went toward website vulnerabilities, which accounted for 81.2% of funds. Hardware vulnerabilities were a distant second, with 6.7% of payouts, followed by API (5.8%), Android (3.1%), IoT (2.5%), and iOS (0.7%) vulnerabilities.

Ellis chiefly attributes the increase in severe-vulnerability payouts to the skill of the bug-hunting community and its motivation to go after critical flaws. "We have more talented hunters at this point," he notes. However, he adds, if more organizations ran bug-hunting programs, the team might be able to make estimates about the security of the software being researched.

It's positive to see more and larger payouts, but where does the funding come from?

"We see some organizations where it's a [reallocation] of existing budgets, where they were questioning the ROI of their original [vulnerability] assessment methods," says Ellis. Others started working with the "Crowd" and realized they were more vulnerable than they thought.

Building and Expanding

Most (57%) of the programs launched in the past year primarily included website targets. Seventeen percent include API targets, 13.6% include Android, 8.9% include iOS, 1.4% include hardware, and less than one percent include IoT.

Tech companies are the strongest adopters of bug bounty programs, with computer hardware, software, and networking companies making up 40.6% of all new programs launched, followed by IT services (12.7%), ecommerce/retail (9.1%), financial services (8.7%), and telecom (5.1%).

Ellis says they continue to see a lot of growth in the tech vertical. "They continue to be the strongest adopters of this model and those who ultimately tell the story of what it looks like to the rest of the market," he explains.

However, older industries like healthcare and retail have also expressed interest in bug bounty programs over the past year. While they don't have the same representation as tech-first firms, Ellis says their inclusion is significant. "These older organizations are often the most in need of fresh adversarial input from someone who's helpful," he points out.

Looking toward the year ahead, Ellis says he'd like to see greater representation of IoT bug hunting. "It's a pretty broad area of tech that's growing very rapidly right now," Ellis says. "What we're seeing is those types of threats are becoming pretty critical."

While IoT bug hunting will require additional skillsets on the part of hunters, Ellis doesn't think the transition will be quite as difficult as perceived. The mental transition from Web to IoT hacking isn't as big of a leap as the physical change: for IoT, you have to obtain the devices. "You have to get possession of what you're trying to test," he says.

On a broader level, he expects the severity of bugs disclosed will increase, and people with more advanced skillsets will go after more critical issues. The average payout will also likely increase, he says.

"Logically there is a ceiling that the average will hit, but I don't think we're anywhere near that ceiling yet," Ellis says.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
