Bigger Bugs Drive Higher Payouts to the Crowd

Today, we’re very happy to announce the launch of Bugcrowd’s 2018 State of Bug Bounty Report!

Now in its fourth year, the Bugcrowd State of Bug Bounty Report provides an unparalleled, inside look into the trends across the emerging crowdsourced security market, and for the first time, a deep dive into the most common and emerging vulnerabilities found over the past year.

Since we started publishing this report, the data has continued to support our thesis that the crowdsourced security model is evolving with the threat landscape as a definitive way to reduce risk. This year, we found an increase across the board in the number and severity of vulnerabilities and in payouts to hackers. The numbers are in, and once again it is clear: it takes a crowd of allies to stay ahead of a crowd of adversaries, and a growing and more diverse group of internet defenders are recognizing this fact and engaging the crowdsourced security model to take advantage of it.

The total number of vulnerabilities submitted via our Crowdcontrol™ platform increased 21% from last year. This volume has increased the average payout 2X, a reflection of the impact caused by the bugs the crowd finds. Now, 75% of all P1 vulnerability payouts were over $1,200, up from $926 last year. Reflected Cross-Site Scripting (XSS) (P3) continues to dominate submissions by volume, speaking to the ubiquity, ease of discovery, and difficulty of prevention in this class of vulnerability. 20% of all valid vulnerabilities were classified as critical (P1 or P2); of these, 7% were P1, the most critical. Companies continue to add more complex and diverse targets to their scope, as the crowd continues to demonstrate and build trust in the diversity of its skillset. Security professionals are realizing that better awareness and information about disclosed vulnerabilities is critical to their operational success. Along with this comes the realization that their organizations cannot rely on scanners or other traditional methods alone to assess risk.

The net of all of this: more helpful hackers engaged in securing the internet, and a safer internet as a result.

Vulnerabilities will exist for as long as humans are building (and attacking) software, and human creativity is an inextricable part of the solution to our cybersecurity challenges. But we face the combination of extreme resource shortages, a rapidly expanding attack surface, and active, efficient adversaries. Organizations can take action to reduce the risk created by vulnerabilities, but only if they know the vulnerabilities are there. The biggest difference between an unknown vulnerability and a known vulnerability is the ability to take action on it.

This report reinforces what technology leaders and many others have known for a while now: the crowd is unparalleled in its ability to safely and quickly identify risk.

I hope you enjoy Bugcrowd’s 2018 State of Bug Bounty Report, and the insights it provides into the evolution of this fascinating market, just as much as we enjoyed creating it.