Security Experts:

Traditional Industries Increasingly Turn to Bug Bounty Programs

The number of bug bounty programs launched over the past year has increased considerably and more than a quarter of programs are run by larger organizations in more “traditional” sectors, according to Bugcrowd’s second annual State of Bug Bounty Report.

As recruitment remains a major problem for the cyber security industry, more and more organizations have turned to private and public bug bounty programs to secure their products and services.

According to Bugcrowd, the number of bug bounty programs hosted on its platform has increased by 210 percent since January 2013. Of the programs launched in the last 12 months, larger enterprises with more than 5,000 employees accounted for 44 percent more than in the previous period.

While technology companies still top the chart with more than 43 percent of the total, an increasing number of organizations from traditional sectors have adopted bug bounty programs, including financial services and banking, automotive, education, healthcare, telecoms, hospitality, and real estate.

“Mainstream enterprises are entering a new era of advanced security,” noted Jonathan Cran, VP of product at Bugcrowd. “Bug bounty programs are leveling the playing field, and Bugcrowd is making them accessible across more industries and organization types. Crowdsourced cybersecurity not only strengthens the security of products, but it also initiates rewarding, mutually beneficial relationships with the researcher community.”

Bugcrowd’s researcher base, which as of March 31 included over 26,000 people, hails primarily from India (40 percent) and the United States (12 percent). A significant number of bug bounty hunters are also located in the Philippines, Pakistan, the United Kingdom, the Netherlands, Italy, Germany, Egypt and Russia. Three-quarters of these experts are aged between 18 and 29.

The average payout via the Bugcrowd platform rose 47 percent in the last year to $505. However, the company pointed out that there are so-called “super hunters” who take part in bug bounty programs full time and make thousands of dollars. In contrast to these super hunters, most researchers submit reports only as a hobby or part-time job, with 70 percent spending less than 10 hours per week trying to find vulnerabilities.

As for the types of vulnerabilities found by researchers, unsurprisingly, cross-site scripting (XSS) continues to be the most common, accounting for more than 66 percent of all disclosed flaws.

The full State of Bug Bounty 2016 report is available for download in PDF format.

Related: Bugcrowd Raises $15 Million to Expand Bug Bounty Business

Related: Yahoo Paid Out $1.6 Million in Bug Bounty Program

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.