As more organizations look to adopt bug bounty programs, a tier of "super hunters" is emerging, who earn hundreds of thousands of dollars in payouts. In the process, these super hunters are attracting the attention of many companies’ security team recruiting efforts, according to Bugcrowd’s latest report on the state of the bug bounty economy.
Super hunters, although not an entirely new phenomenon, are making more money than ever as more complex and high-profile bounty programs launch with higher stakes, according to findings in the second annual State Of Bug Bounty Report.
This elite group of hunters deploys a variety of techniques and looks for niches, such as finding and exposing vulnerabilities in staging or development servers, or in forgotten servers that clearly should have been decommissioned, says Jonathan Cran, vice president of operations at Bugcrowd. Other super hunters have a deep understanding of the business logic or underlying infrastructure of the applications they test.
A bug bounty is most simply defined as “an incentivized, results-focused program that encourages security researchers to report security issues to the sponsoring organization.” Bug bounties were originally uncapped “blank check” affairs, introduced by technology giants such as Facebook, Google, Yahoo, and a few others, which have spent over $10 million on bug bounty payouts to date, Cran says.
In the past year, the term “bug bounty” has become more well-known and widely publicized through popular programs such as Tesla Motors’ car hacking program, launched in mid-2015. In March, the US Department of Defense announced “Hack the Pentagon,” in which the DoD plans to invite vetted hackers to test the department’s cybersecurity under a unique pilot program.
Still, the majority of researchers (85%) participate in bug bounty programs as a hobby or part-time job, with 70% spending fewer than 10 hours a week working on bounties. Payouts are on the rise even for these part-time bug bounty hunters, Cran says. The all-time average bug reward on Bugcrowd’s platform has risen from the $200.81 cited in last year’s report to $294.70, an increase of 47%. The average bug payout in the first quarter of 2016 alone was at an all-time high of $505.79.
Bugcrowd harnesses the power of more than 30,000 security researchers to surface critical software vulnerabilities and level the playing field in cybersecurity. The company connects security researchers with organizations and helps them build a partnership. The second annual report consists of survey responses from approximately 500 researchers with experience in bug bounty programs from 51 different countries.
Seventy-five percent of the researchers are between the ages of 18 and 29, followed by the second-largest age group, 30 to 44, representing 19% of respondents. Additionally, 88% of the respondents have completed at least one year of college; 55% of them have graduated with a bachelor’s or postgraduate degree. All respondents had at least a high school degree.
Diversified Industries Adopt Programs
Bug bounty programs are being adopted by all types of organizations, from startups to enterprises, and from virtually every industry, the report states. “I see it as the evolution of security assessment in general,” Cran says. “Five or 10 years ago very few folks were doing it.” But now almost every business has become a software vendor or pushes out software-based services to customers, he notes.
Of the nearly 300 programs Bugcrowd has launched over the past three years, “we have seen growth and diversification in the makeup of our customer base from purely tech to 25% more traditional verticals such as financial services and banking,” the report states. The top two industries represented are computer software companies and internet-based companies, followed by financial services and banking, information technology and services, computer and network security, e-commerce and retail.
Larger enterprises are adopting bug bounty programs, the report states. Companies with 5,000+ employees accounted for 44% more of the total companies launching bug bounty programs over the last 12 months.
Organizations looking to start a public bug bounty program typically begin privately, incentivizing a smaller number of researchers while they build their response capabilities. Over time, the programs become public, allowing everyone to participate. As of March 31, 2016, 63% of all Bugcrowd program launches have been private programs.
“Organizations looking to access the benefits of crowdsourcing with specific business goals, complex technologies or environments benefit from a smaller testing pool. These organizations pay higher bounties to attract and maintain interest from the best researcher talent,” the report states.
“We recommend companies to start with a short-term private program or even an ongoing private program,” Cran says. Organizations should also establish a non-incentivized bug reporting program, opening up a channel for customers and others to submit vulnerability-related information, he says.
XSS Continues to Dominate
The most commonly discovered vulnerability is still cross-site scripting (XSS), which represents 66% of the total vulnerabilities disclosed, followed by cross-site request forgery (CSRF).
Bug bounties are often compared to traditional application security assessment methods such as penetration testing. “The biggest differences between the two are volume of testers involved and the differing reward models. Bug bounties involve thousands of researchers as opposed to a select few penetration testers, and utilize a pay for results reward model rather than for effort,” the report states.
Additionally, the volume and diversity of security researchers participating in bug bounty programs results in a diverse range of bug types, classes, and criticality of vulnerabilities, and testing is usually performed without prior knowledge of the target, according to the report.