Organizations have a number of methods at their disposal that they can use in their effort to improve security, one of them being to institute a bug bounty program. Bug bounty programs incentivize security researchers with cash awards to help organizations find vulnerabilities. To minimize the work of running a bug bounty program, companies are increasingly outsourcing them to a third party such as Bugcrowd. On July 30, Bugcrowd released its inaugural State of Bug Bounty Report 30, providing an analysis of bug bounty trends for the 30-month period of January 2013 to June 2015. Bugcrowd’s clients paid out a total of $724,014.02 to 566 different researchers over the report period for all manner of vulnerabilities. So far in 2015, the average payout per accepted bug now stands at $200, though there have been higher payouts. The top payout reported by Bugcrowd is a $10,000 bounty, paid to a researcher for a cross-site request forgery (CSRF). While a CSRF flaw garnered the top payout, the single most common flaw reported is cross-site scripting (XSS), which topped the list at 17.9 percent of all reported bugs. While Bugcrowd gets submissions from all over the world, India is the source of most submissions in any given quarter. In this slide show, eWEEK examines some of the key findings from the State of Bug Bounty Report.

Leave a Reply