Skip to main content

Bugcrowd’s bug bounties grow 210 percent, with more than $2 million paid out

google microsoft increase payouts in bug bounty programs
Jean Marconi/Flickr
Bug bounties are quickly becoming security best practice and no longer considered a novelty, according to Bugcrowd’s second annual State of Bug Bounty report.

The research from the bug bounty platform company shows it has paid out over $2 million in bounty rewards as of March this year and the number of bug bounty programs running on its platform has increased some 210 percent since January 2013.

Related Videos

Most interestingly, more and more larger corporations are turning to bug bounty hunters. Large companies, with 5,000 or more employees, now account for 44 percent of Bugcrowd’s bug bounty programs. It’s not just tech companies either, there’s been a swell of “traditional” industries like banking and retail that have turned to the crowd for security help.

The company credits the growth in bug bounty researchers to the explosion in cyberattacks in recent years, coupled with a skills shortage in the security industry.

As a result, bug hunters have seen a 47 percent increase in the reward figures over the last year. In the first quarter of this year, Bugcrowd’s average payout was $505.79. The all-time average is $294.70, up from $200.81 last year.

As of March, Bugcrowd said it has paid out $2,054,721 through 6,803 valid submissions. Researcher Reginaldo Silva remains the highest paid bug bounty hunter to date, having received $33,500 from Facebook for an XML external entities vulnerability. He is now a security engineer at Facebook.

Researchers from 112 countries make up Bugcrowd’s bug hunter roster with submissions from India accounting for 43 percent of users with the U.S. in a distant second at 13 percent. However, when it comes it actual money paid out, India remains on top but Portugal comes in second with the U.S. at third.

Bugcrowd’s report also shows the growth of so-called “super hunters”, which are often dominating the number if payments made through bug bounty programs. These are security researchers that have turned hunting bugs from a hobby into a full-time job. Bug crowd’s top 10 researchers account for 23 percent of money paid out.

Cross-site scripting (XSS) remains the most frequently occurring bug, 66 percent of valid submissions, with cross-site forgery requests (CSFR) bugs also common at 20 percent.

The data for the report was collected from programs run on Bugcrowd’s platform, as well as from surveys on hundreds of security researchers and professionals. The research was conducted between January 2013 and March 2016.

Bug bounty programs and crowdsourced cybersecurity are leveling the playing field for companies and researchers by creating mutually beneficial relationships, said Jonathan Cran, Bugcrowd’s vice president of product.

“2015 was the year companies realized that, when it comes to cybersecurity, the pain of staying the same is exceeding the pain of change,” said CEO Casey Ellis. “This tip is causing companies to realize that the only way to compete with an army of adversaries is with an army of allies.”

Editors' Recommendations

Make some serious cash finding bugs with Microsoft's Office Insider Bug Bounty program
paying is for suckers heres how to use microsoft office free mem 3

There's probably no better way to find security bugs than to offer money to the people who actually use software on a daily basis to do just that. That's why companies like Microsoft and Google offer increasingly significant amounts of money through reward programs aimed at discovering and then fixing vulnerabilities.

Microsoft has its lucrative Bug Bounty program for Windows that just saw its reward double to $30,000 for anyone identifying a verified exploit. Now, the company has announced a new program that offers some serious cash to users of its Office productivity suite for Windows Desktop.

Read more
Microsoft and Google paying more than ever for bugs found in their systems
google microsoft increase payouts in bug bounty programs

If you're a coder or other highly technical sort who can dig into a system and find bugs, then you can turn that skill into some cash. Developers big and small, including major players like Google and Microsoft, have programs that will pay you real money for discovering flaws and vulnerabilities in their systems.

Both Google and Microsoft recently decided to up ante in their bounty programs, jacking up the amount they pay people for finding bugs. Google made the first increase, and then Microsoft literally doubled down on its own program, as FossBeta reports.

Read more
Apple plays catch-up with a bug bounty program coming in September
apple store logo

Google, Facebook, and Microsoft all have had bug bounty programs for quite some time. Hackers and security enthusiasts work to find bugs and exploits, and in return they receive large cash prizes. While Apple has been willing to accept vulnerability disclosures, it has never explicitly offered cash awards for them. Not anymore.

Announced at the Black Hat conference, Apple will unveil a program in September that will offer a cash reward for people who discover exploits and vulnerabilities in its suite of products, according to TechCrunch. The program will focus on Apple's most recent products, meaning iOS 10 and the new devices rumored to launch in the fall.

Read more