New breed of 'super hunters' earn thousands from bug bounty programs
With data breaches still making headlines and security teams facing increased pressures it's not surprising that companies are looking for innovative ways to find flaws in their systems.
Crowdsourced security specialist Bugcrowd has released the results of its second annual State of Bug Bounty Report which shows that the number of bug bounty programs hosted on its platform is up by an average of 210 percent year on year since January 2013.
Among its other findings are that larger enterprises are increasingly adopting bug bounties. Companies with 5,000+ employees accounted for 44 percent more of the total companies launching bug bounty programs over the last 12 months. Average payouts are rising too with the rewards to researchers rising 47 percent in the last 12 months. In Q1 2016, the average payout on Bugcrowd's platform was $505.79. Cross-site scripting is the single most discovered vulnerability type, at over 66 percent of all classified vulnerabilities disclosed.
It's also identified a new breed of vulnerability 'super hunters'. These researchers earn thousands of dollars in payouts, and often participate in bug bounty programs as full-time positions. They're still in a minority, however, as the majority of researchers (85 percent) participate in bug bounty programs as a hobby or part-time job, with 70 percent spending fewer than 10 hours a week working on bounties.
"Mainstream enterprises are entering a new era of advanced security," says Jonathan Cran, vice president of product at Bugcrowd. "Bug bounty programs are leveling the playing field, and Bugcrowd is making them accessible across more industries and organization types. Crowdsourced cybersecurity not only strengthens the security of products, but it also initiates rewarding, mutually beneficial relationships with the researcher community".
You can find out more in the full report which is available on the Bugcrowd website.