Vendors Finding Value in Bug Bounty Programs

Casey Ellis started Bugcrowd in 2012 with the idea that crowdsourced bug discovery is a better way to improve security. It’s an idea that is working, according to Bugcrowd’s inaugural State of Bug Bounty Report issued July 30, which looks at bug bounties from January 2013 to June 2015.

Ellis is both surprised and pleased at how the Bugcrowd model for crowdsourcing bug reporting is working out and gaining adoption across the industry. Bugcrowd runs bug bounty programs on behalf of vendors, providing a mature back-end infrastructure and community of researchers to help improve security.

“When I first started the company, I spent most of my time explaining to people what a bug bounty was all about,” Ellis told eWEEK. “Now I do that a whole lot less.”

Big technology vendors understand the need for bug bounties, but the challenge remains for those outside of the big vendors who are worried about inviting hackers to find bugs, according to Ellis.

Bug Bounty initiatives

Over the 30-month period covered in the State of Bug Bounty Report, Bugcrowd received 37,227 submissions from security researchers across 166 bug bounty programs that it operates. Of those, only 7,958 submissions actually included valid vulnerabilities. Drilling down a level deeper, of the valid submissions, 729 were deemed high-priority and 175 were identified by security professionals as being critical flaws.

Ellis runs Bugcrowd as a business and not a charity or an altruistic effort—researchers are paid for their valid bug reports. For the 30-month period that the report covered, Bugcrowd’s clients paid out a total of $724,014.02 to 566 different researchers.

Researchers who participate in Bugcrowd’s program had an average of $1,279.18 paid to them annually. That said, there are some outliers in the data, as the top single reward paid by Bugcrowd over the last 30 months was a $10,000 bounty, paid to a researcher for a cross-site request forgery (CSRF) flaw found in an e-commerce platform.

Bugcrowd runs multiple types of programs, including public bug bounties where anyone can submit reports and invitation-only programs. Jonathan Cran, vice president of operations at Bugcrowd, said that what surprised him was the success of invitation-only bounty programs. There was a higher percentage of valid submissions on invitation-only bounties versus public programs, he said.

“It stands to reason since there are highly qualified researchers in the invite-only program,” Cran told eWEEK. “In the public bounty programs, 18 percent of submissions were valid, while 36 percent of submissions were valid in the invitation-only bounty programs.”

Looking across both public and invitation-only bounty programs, the most common vulnerability found over the 30-month report period was cross-site scripting (XSS) flaws, which represented 17.8 percent of submissions. CSRF flaws came in second, representing 8.6 percent of submissions.

Moving forward, both Ellis and Cran expect that even more bugs and rewards will be paid out to Bugcrowd’s community of researchers.

“We’ve been really good at this point to make sure that researchers get paid for things that are valuable and that our customers aren’t paying for things that they shouldn’t be paying for,” Ellis said. “Over time, the general consensus and understanding of what a vulnerability is worth will grow.”

Are you a security pro? Try our quiz!

Originally published on eWeek.