Skip to main content

Bugcrowd’s bug bounties grow 210 percent, with more than $2 million paid out

google microsoft increase payouts in bug bounty programs
Jean Marconi/Flickr
Bug bounties are quickly becoming security best practice and no longer considered a novelty, according to Bugcrowd’s second annual State of Bug Bounty report.

The research from the bug bounty platform company shows it has paid out over $2 million in bounty rewards as of March this year and the number of bug bounty programs running on its platform has increased some 210 percent since January 2013.

Recommended Videos

Most interestingly, more and more larger corporations are turning to bug bounty hunters. Large companies, with 5,000 or more employees, now account for 44 percent of Bugcrowd’s bug bounty programs. It’s not just tech companies either, there’s been a swell of “traditional” industries like banking and retail that have turned to the crowd for security help.

Please enable Javascript to view this content

The company credits the growth in bug bounty researchers to the explosion in cyberattacks in recent years, coupled with a skills shortage in the security industry.

As a result, bug hunters have seen a 47 percent increase in the reward figures over the last year. In the first quarter of this year, Bugcrowd’s average payout was $505.79. The all-time average is $294.70, up from $200.81 last year.

As of March, Bugcrowd said it has paid out $2,054,721 through 6,803 valid submissions. Researcher Reginaldo Silva remains the highest paid bug bounty hunter to date, having received $33,500 from Facebook for an XML external entities vulnerability. He is now a security engineer at Facebook.

Researchers from 112 countries make up Bugcrowd’s bug hunter roster with submissions from India accounting for 43 percent of users with the U.S. in a distant second at 13 percent. However, when it comes it actual money paid out, India remains on top but Portugal comes in second with the U.S. at third.

Bugcrowd’s report also shows the growth of so-called “super hunters”, which are often dominating the number if payments made through bug bounty programs. These are security researchers that have turned hunting bugs from a hobby into a full-time job. Bug crowd’s top 10 researchers account for 23 percent of money paid out.

Cross-site scripting (XSS) remains the most frequently occurring bug, 66 percent of valid submissions, with cross-site forgery requests (CSFR) bugs also common at 20 percent.

The data for the report was collected from programs run on Bugcrowd’s platform, as well as from surveys on hundreds of security researchers and professionals. The research was conducted between January 2013 and March 2016.

Bug bounty programs and crowdsourced cybersecurity are leveling the playing field for companies and researchers by creating mutually beneficial relationships, said Jonathan Cran, Bugcrowd’s vice president of product.

“2015 was the year companies realized that, when it comes to cybersecurity, the pain of staying the same is exceeding the pain of change,” said CEO Casey Ellis. “This tip is causing companies to realize that the only way to compete with an army of adversaries is with an army of allies.”

Jonathan Keane
Former Digital Trends Contributor
Jonathan is a freelance technology journalist living in Dublin, Ireland. He's previously written for publications and sites…
Google is testing a feature that will let AI hide away internet pop-ups
Google Chrome browser running on Android Automotive in a car.

Google is testing a new feature in Chrome Canary, the experimental version of the Chrome browser. As reported by TechRadar, the "PermissionsAI" feature is designed to deal with pop-ups from websites asking you to share your location or consent to notifications.

According to Chromium, the tool will use Google's "Permission Predictions Service" and Gemini Nano v2 to analyze users' previous responses to pop-ups and guess how they will respond to new ones. If you're likely to decline, the feature will block the annoying pop-up that appears in the middle of your screen and instead hide it away in a corner in case you need it later.

Read more
AMD’s Ryzen Z2 Go disappoints in early benchmark
The Lenovo Legion Go S sitting on a window.

A recent YouTube video has showcased the gaming capabilities of AMD's upcoming Ryzen Z2 Go chipset, designed for budget gaming handhelds. As part of the new Ryzen Z2 lineup, the Z2 Go’s capabilities were tested on a Lenovo Legion Go S and compared to last year’s Z1 Extreme powering the Asus ROG Ally X.

According to gaming performance data shared by FPS VN, the Z2 Go shows some limitations compared to the Z1 Extreme. In Black Myth: Wukong, it achieved 36 fps versus 40 fps at 15W, 30 fps versus 32 fps at 20W, and 60 fps versus 64 fps at 30W. In Cyberpunk 2077, the Z2 Go delivered 50 fps compared to 54 fps at 15W, 45 fps versus 47 fps at 20W, and 61 fps compared to 66 fps at 30W. Similarly, in Ghost of Tsushima, the Z2 Go hits 62 fps versus 66 fps at 15W, 48 fps versus 52 fps at 20W, and 62 fps versus 66 fps at 30W. Although the performance gap is minor, it remains consistent at around 7–10% across all tested games.

Read more
When you sign up for two years of Surfshark you’ll get 10GB of roaming data for free!
Surfshark displayed on multiple devices including a smartphone, tablet, and laptop screen.

Investing in a VPN for your Wi-Fi network is one of the best ways to mask your IP address from those looking to gain control of your personal data, device logins, and other sensitive info. Fortunately, there’s a new VPN-masking service born every day, but not all of these services offer are worth your hard-earned cash. Instead, you should focus on vetted and reliable platforms like Surfshark.

As luck would have it, Surfshark is even offering a promo for new customers: For a limited time, when you sign up for two years of Surfshark One or Surfshark One+, you’ll get 10GB of Saily eSIM roaming data for free. We tested Surfshark not long ago, and reviewer Alan Truly said: “Surfshark is a fast streaming VPN that let me connect an unlimited number of devices, making it a great choice to protect privacy and unblock worldwide streaming for the whole family.” We've also reviewed Surfshark's anti-virus protection suite.

Read more