Vendors Finding Value in Bug Bounty Programs

Casey Ellis started Bugcrowd in 2012 with the idea that crowdsourced bug discovery is a better way to improve security. It’s an idea that is working, according to Bugcrowd’s inaugural State of Bug Bounty Report issued July 30, which looks at bug bounties from January 2013 to June 2015.

Ellis is both surprised and pleased at how the Bugcrowd model for crowdsourcing bug reporting is working out and gaining adoption across the industry. Bugcrowd runs bug bounty programs on behalf of vendors, providing a mature back-end infrastructure and community of researchers to help improve security.

“When I first started the company, I spent most of my time explaining to people what a bug bounty was all about,” Ellis told eWEEK. “Now I do that a whole lot less.”

Big technology vendors understand the need for bug bounties, but the challenge remains for those outside of the big vendors who are worried about inviting hackers to find bugs, according to Ellis.

Bug Bounty initiatives

Bug (c) bofotolux, Shutterstock 2014Over the 30-month period covered in the State of Bug Bounty Report, Bugcrowd received 37,227 submissions from security researchers across 166 bug bounty programs that it operates. Of those, only 7,958 submissions actually included valid vulnerabilities. Drilling down a level deeper, of the valid submissions, 729 were deemed high-priority and 175 were identified by security professionals as being critical flaws.

Ellis runs Bugcrowd as a business and not a charity or an altruistic effort—researchers are paid for their valid bug reports. For the 30-month period that the report covered, Bugcrowd’s clients paid out a total of $724,014.02 to 566 different researchers.

Researchers who participate in Bugcrowd’s program had an average of $1,279.18 paid to them annually. That said, there are some outliers in the data, as the top single reward paid by Bugcrowd over the last 30 months was a $10,000 bounty, paid to a researcher for a cross-site request forgery (CSRF) flaw found in an e-commerce platform.

Bugcrowd runs multiple types of programs, including public bug bounties where anyone can submit reports and invitation-only programs. Jonathan Cran, vice president of operations at Bugcrowd, said that what surprised him was the success of invitation-only bounty programs. There was a higher percentage of valid submissions on invitation-only bounties versus public programs, he said.

“It stands to reason since there are highly qualified researchers in the invite-only program,” Cran told eWEEK. “In the public bounty programs, 18 percent of submissions were valid, while 36 percent of submissions were valid in the invitation-only bounty programs.”

Looking across both public and invitation-only bounty programs, the most common vulnerability found over the 30-month report period was cross-site scripting (XSS) flaws, which represented 17.8 percent of submissions. CSRF flaws came in second, representing 8.6 percent of submissions.

Moving forward, both Ellis and Cran expect that even more bugs and rewards will be paid out to Bugcrowd’s community of researchers.

“We’ve been really good at this point to make sure that researchers get paid for things that are valuable and that our customers aren’t paying for things that they shouldn’t be paying for,” Ellis said. “Over time, the general consensus and understanding of what a vulnerability is worth will grow.”

Are you a security pro? Try our quiz!

Originally published on eWeek.

Sean Michael Kerner

Sean Michael Kerner is a senior editor at eWeek and contributor to TechWeek

Recent Posts

Bitcoin Slides To $81,000 In Trump Tariff Shock

As global markets reel from Trump's tariffs, the price of Bitcoin slides as investors seek…

33 mins ago

Amazon’s First Project Kuiper Satellites Slated For 9 April Launch

Rival for Starlink and OneWeb. United Launch Alliance slated to send 27 Kuiper satellites into…

3 hours ago

Trump’s Tariffs: Implications For Tech Sector

Semiconductor imports are free of Trump's tariff war, but concerns remain over imports of smartphones…

4 hours ago

OpenAI Secures $40 Billion Funding Deal With SoftBank, Others

SoftBank has agreed a funding deal that will see OpenAI being provided with up to…

20 hours ago

Tesla Sales Plummet Amid Elon Musk Backlash

Tesla sales have plummeted to lowest level in three years, as deliveries of new EVs…

22 hours ago

Amazon Launches Nova AI Agent To Perform Browser Actions

New addition. Next generation foundation model, as Amazon Nova model launches to perform actions within…

23 hours ago