Press release

Surge in Number and Severity of Vulnerabilities Drives Higher Payouts to Crowd in 2018

Bugcrowd 2018 State of Bug Bounty Report Provides Inside Look at Trends in Crowdsourced Security

SAN FRANCISCO – June 6, 2018 – In its fourth iteration, released today, the 2018 Bugcrowd State of Bug Bounty Report provides an unparalleled, inside look into the trends in crowdsourced security, as well as a deep dive into the most common and emerging vulnerabilities found over the past year.

The report found an increase across the board in the number and severity of vulnerabilities, and in payouts to hackers, making it clear that companies are turning to crowdsourced security to cope with a complex threat landscape. The total number of vulnerabilities submitted via the Crowdcontrol™ platform surpassed 37,000 submissions in the last year, a 21 percent increase from the year prior. While there has been a steady increase in new and uncategorized vulnerabilities discovered over the past year, there has also been a 2X uplift in the average payout across all programs and industries.

“With policies and standards in place such as NIST, The Department of Justice Framework, and the Data Security and Breach Notification Act, it’s now incumbent on organizations to ensure they are set up to receive vulnerability data from external parties and is already becoming an adhered-to standard for major private and public organizations,” said Casey Ellis, founder and CTO of Bugcrowd. “Vulnerabilities happen – humans aren’t perfect and errors are written inadvertently into code. Crowdsourced security empowers organizations to mitigate the risk that these will be discovered by threat actors. Our fourth annual SOBB report demonstrates the power of the Crowd in discovering increasingly critical vulnerabilities to protect global businesses and government organizations.”

The Top-5 vulnerabilities submitted this past year are:

  • Cross-Site Scripting (XSS) Reflected (P3)
  • Cross-Site Scripting (XSS) Stored Admin (P3)
  • Broken Authentication and Session Management Failure to Invalidate Session (P4)
  • Broken Authentication and Session Management Weak Login Function Over HTTP (P3)
  • Server Security Misconfiguration No Rate Limiting On Form (P4)

While the Crowd has grown by 71 percent, represented by more than 100 countries around the world, the report also uncovered a maturing market: India. The largest payment amount went to the United States; yet the majority of total vulnerability submissions (30 percent) came from India, suggesting that younger bug hunters are emerging, learning and growing their skills as they find lower priority bugs.

Other key takeaways from the report include:

  • A 40 percent increase in the number of programs launched during the past year with a 33 percent increase in private programs
  • 79 percent of all programs launched in the last year were private
  • 75 percent of all P1 vulnerability payouts were above $1,200, up from $926 last year
  • More than 91 percent of all vulnerability submissions were web vulnerabilities
  • The top 5 areas of adoption by industry are Computer Hardware, Software & Networking, IT Services, eCommerce / Retail, Financial Services, and Telecom / Communication Services.

To stay ahead of these adversaries, organizations like Netgear,, and Atlassian have turned to the crowdsourced security model to identify emerging vulnerabilities unknown to most scanners — before the bad guys do. Bug bounty and vulnerability disclosure programs have the ability to bring together tens of thousands of the brightest minds in security research, to uncover seven times more high priority vulnerabilities than traditional assessment methods.

The Bugcrowd State of Bug Bounty Report analyzes proprietary platform data collected from more than 700 managed crowdsourced security programs, segmented into statistics on adoption, economics, the researcher community (the Crowd), and vulnerabilities. The data includes all Bugcrowd platform data from April 1, 2017 through March 31, 2018.

About Bugcrowd

Bugcrowd is trusted by more of the Fortune 500 than any other crowdsourced security platform. Why? Because people need the increased security of a bug bounty without all the extra work and chaos. Bugcrowd cracked the code on crowdsourced security through rock-solid program management, top trusted researchers and a versatile platform. That’s how our vulnerability disclosure and bug bounty programs find seven times as many critical vulnerabilities as traditional testing. Based in San Francisco, Bugcrowd is backed by Blackbird Ventures, Costanoa Ventures, Industry Ventures, Paladin Capital Group, Rally Ventures, Salesforce Ventures and Triangle Peak Partners. Bugcrowd. Outhack Them All™. Learn more at