Request a Demo Contact Us
Bugcrowd Acquires Informer to Enhance Offerings Across Attack Surface Management and Penetration Testing
Learn More
Press release

Enterprises Increasingly Turning to Hackers, Finds Bugcrowd 2017 State of Bug Bounty Report

SAN FRANCISCO –  June 28, 2017 – Enterprises are turning to the hacker community to help amp up their cyber security protection at an astounding rate, according to Bugcrowd’s 2017 State of Bug Bounty Report.

The report found that upwards of 44 percent of bug bounty programs are run by businesses with more than 500 employees, a 300 percent increase from the prior year. These organizations reward in cash – the average amount increasing to $451/bug from last year – or offer alternative rewards like kudos, or swag – as opposed to paying an hourly rate as they would with traditional assessment methods.

Over the past year, the report shows organizations paid out more than $4 million to a global crowd of over 60,000 security researchers. This represents an increase in payouts of more than 200 percent over the prior year.

“Enterprise adoption of the crowdsourced security model is fast approaching mainstream,” said Casey Ellis, founder and CEO of Bugcrowd. “Bug bounties are challenging traditional ways of thinking about cybersecurity. The model addresses the growing complexity and severity of vulnerabilities in software, hardware, and IoT devices – all of which form the foundation for today’s always-on digital economy.”

Key takeaways from the report include:

  • Of more than 600 bug bounty programs, 77 percent were private and 23 percent public with primary growth coming from private programs.
  • Vulnerability submissions have steadily risen, including a 67 percent increase in overall submissions and valid submissions have surpassed 52,000
  • Criticality of bugs has increased: the average today is 3.10 versus 3.75 in March, 2016, with a 25 percent increase in critical vulnerabilities identified. Bugs are rated on a scale of 1 to 5 with 1 being the most critical.
  • Cross-site scripting (XXS) and cross site request forgery (CSRF) remain the most reported vulnerabilities across industries.
  • The top five industries embracing bug bounty programs include automotive, leisure/travel, IoT/computer networking, healthcare, and financial services.

Clients such as Fiat Chrysler of America, Pinterest and Instructure run bug bounty programs to identify vulnerabilities created by human error, untimely updating and patching of vulnerable software, and lack of process to catch security vulnerabilities. Given the constantly evolving security landscape, being able to react in near real-time has become a priority for most organizations. In the first two weeks of a bug bounty program researchers find an average of 5 critical vulnerabilities and 60 valid vulnerabilities.

“The days of the legacy cybersecurity firm are drawing to a close,” said Q. Wade Billings, vice president of technology services at Instructure. “With 60,000 researchers in the crowd Bugcrowd has amassed the most impressive and valuable security research team on the planet. Instructure’s customers entrust us to protect the privacy and integrity of their data. We take this trust seriously, which is why we in turn trust Bugcrowd to ensure our systems are continuously tested and secure.”

According to Ellis, “The combination of broken status-quos, a ballooning attack surface, a dearth of defenders, and the increasing proof of active, efficient adversaries are accelerating this trend. With a larger attack surface, we are experiencing a staggering number of data breaches in which traditional security assessment methods are simply not enough to stem the tide. Crowdsourcing addresses many pain points for even the most traditional of organizations, including tackling the shortage of cybersecurity professionals.”  

For a list of public programs, visit:

Additional Resources:

About Bugcrowd

The pioneer and innovator in crowdsourced security testing for the enterprise, Bugcrowd harnesses the power of more than 60,000 security researchers to surface critical software vulnerabilities and level the playing field in cybersecurity. Bugcrowd also provides a range of responsible disclosure and managed service options that allow companies to commission a customized security testing program that fits their specific requirements. Bugcrowd’s proprietary vulnerability disclosure platform is deployed by Tesla Motors, Fiat-Chrysler, The Western Union Company, Pinterest, Barracuda Networks and Based in San Francisco, Bugcrowd is backed by Blackbird Ventures, Costanoa Ventures, Industry Ventures, Paladin Capital Group, Rally Ventures and Salesforce Ventures. Bugcrowd is a trademark of Bugcrowd, Inc. Learn more at