Average Bug Bounty Payout Now Over $500, Bugcrowd Finds
The latest Bugcrowd State of Bug Bounty report shows an increase in bounty payouts as organizations embrace the model of paying researchers for security flaws.
Crowdsource security vendor Bugcrowd released its 2016 State of Bug Bounty report on June 8, providing insight into the current state of the bug bounty marketplace. Bugcrowd launched in 2012 to help organizations run bug bounty programs that reward researchers for finding and responsibly disclosing security flaws. Although Bugcrowd has been in business for four years, it wasn't until 2015 that the company issued its first State of Bug Bounty report—a 30-month roundup of statistics from January 2013 to June 2015. The new report looks at the period of January 2013 to March 31, 2016, providing details on overall trends.
In the first quarter of 2016, Bugcrowd reported that the average bug payout was $505.79, up sharply from the $185.79 average for the first quarter of 2015. In the past 12 months (March 31, 2015, to March 31, 2016) Bugcrowd paid out $1,527,950 in bounties, a significant increase from the prior 12-month period (March 31, 2014, to March 31, 2015), when Bugcrowd paid out $345,216, according to Jonathan Cran, vice president of operations at Bugcrowd. Cran told eWEEK that "74.36 percent of all payouts were made over the past 12 months alone."
The increases in total and average payouts are being fueled by growth in the total number of submissions that Bugcrowd receives from security researchers. As of March 31, 2015, Bugcrowd had a total of 32,437 submissions, with 12,486 duplicates, 14,857 marked as invalid and 5,094 valid submissions. As of March 31, 2016, those numbers have jumped to 54,114 total submissions, with 19,574 duplicates, 24,516 marked as invalid and 9,963 marked as valid. From 2015 to 2016, Cran said there was about a 67 percent increase in total submissions.