Connect with us

Hi, what are you looking for?



Traditional Industries Increasingly Turn to Bug Bounty Programs

The number of bug bounty programs launched over the past year has increased considerably and more than a quarter of programs are run by larger organizations in more “traditional” sectors, according to Bugcrowd’s second annual State of Bug Bounty Report.

The number of bug bounty programs launched over the past year has increased considerably and more than a quarter of programs are run by larger organizations in more “traditional” sectors, according to Bugcrowd’s second annual State of Bug Bounty Report.

As recruitment remains a major problem for the cyber security industry, more and more organizations have turned to private and public bug bounty programs to secure their products and services.

According to Bugcrowd, the number of bug bounty programs hosted on its platform has increased by 210 percent since January 2013. Of the programs launched in the last 12 months, larger enterprises with more than 5,000 employees accounted for 44 percent more than in the previous period.

While technology companies still top the chart with more than 43 percent of the total, an increasing number of organizations from traditional sectors have adopted bug bounty programs, including financial services and banking, automotive, education, healthcare, telecoms, hospitality, and real estate.

“Mainstream enterprises are entering a new era of advanced security,” noted Jonathan Cran, VP of product at Bugcrowd. “Bug bounty programs are leveling the playing field, and Bugcrowd is making them accessible across more industries and organization types. Crowdsourced cybersecurity not only strengthens the security of products, but it also initiates rewarding, mutually beneficial relationships with the researcher community.”

Bugcrowd’s researcher base, which as of March 31 included over 26,000 people, hails primarily from India (40 percent) and the United States (12 percent). A significant number of bug bounty hunters are also located in the Philippines, Pakistan, the United Kingdom, the Netherlands, Italy, Germany, Egypt and Russia. Three-quarters of these experts are aged between 18 and 29.

The average payout via the Bugcrowd platform rose 47 percent in the last year to $505. However, the company pointed out that there are so-called “super hunters” who take part in bug bounty programs full time and make thousands of dollars. In contrast to these super hunters, most researchers submit reports only as a hobby or part-time job, with 70 percent spending less than 10 hours per week trying to find vulnerabilities.

Advertisement. Scroll to continue reading.

As for the types of vulnerabilities found by researchers, unsurprisingly, cross-site scripting (XSS) continues to be the most common, accounting for more than 66 percent of all disclosed flaws.

The full State of Bug Bounty 2016 report is available for download in PDF format.

Related: Bugcrowd Raises $15 Million to Expand Bug Bounty Business

Related: Yahoo Paid Out $1.6 Million in Bug Bounty Program

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.