Have you started paying someone to find flaws in your technology? If you haven’t already, data compiled by Bugcrowd suggests you will.
The startup, led by Structure Security adviser Casey Ellis, has released its second annual bug bounty report detailing trends and developments in the hacking-for-cash-or-cool-stickers marketplace. The full report can be found here, and is definitely worth your time if you’re considering setting up such a program at your own company or looking for a fun activity in your spare time, but here are a few highlights:
— 62 percent of participants in bug bounty programs worked on private projects; the remainder worked on public programs. Nearly 40 percent of all respondents were in India, with 12 percent from the U.S.
— After kicking the tires on bug bounty programs, 63 percent of users thought the wisdom of this particular crowd was superior to traditional methods of finding bugs, and 64 percent said they would spend at least the same amount of money, or more, on future programs.
— Cross-site scripting (XSS) vulnerabilities were the largest group by a large margin, with cross-site request forgery (CSRF) vulnerabilities coming in second.
— There’s a big “long tail” effect in bounty payouts: the top payment was $15,000 for the successful identification of a bug, but the average payment was only $294.70, which is a small price to pay to find problems in your software. That number is growing, though: this report only covered 2015, but Bugcrowd said that in the first quarter of 2016 the average payout rose to $505.79.
There’s a lot more in the report, which is a great introduction to the state of the bug bounty market for anybody considering such a program and a great update for those already well underway with bug bounty programs. We’re looking forward to Ellis’ appearance at Structure Security this September, where we’ll be sure to get an update on these trends as 2016 evolves.
You can find more information about Structure Security here.