Average Bug Bounty Payout Now Over $500, Bugcrowd Finds

The latest Bugcrowd State of Bug Bounty report shows an increase in bounty payouts as organizations embrace the model of paying researchers for security flaws.

bug bounty

Crowdsource security vendor Bugcrowd released its 2016 State of Bug Bounty report on June 8, providing insight into the current state of the bug bounty marketplace. Bugcrowd launched in 2012 to help organizations run bug bounty programs that reward researchers for finding and responsibly disclosing security flaws.

Although Bugcrowd has been in business for four years, it wasn't until 2015 that the company issued its first State of Bug Bounty report—a 30-month roundup of statistics from January 2013 to June 2015. The new report looks at the period of January 2013 to March 31, 2016, providing details on overall trends.

In the first quarter of 2016, Bugcrowd reported that the average bug payout was $505.79, up sharply from the $185.79 average for the first quarter of 2015. In the past 12 months (March 31, 2015, to March 31, 2016) Bugcrowd paid out $1,527,950 in bounties, a significant increase from the prior 12-month period (March 31, 2014, to March 31, 2015), when Bugcrowd paid out $345,216, according to Jonathan Cran, vice president of operations at Bugcrowd.

Cran told eWEEK that "74.36 percent of all payouts were made over the past 12 months alone."

The increases in total and average payouts are being fueled by an increase in the total number of submissions that Bugcrowd receives from the security researchers. As of March 31, 2015, Bugcrowd had a total of 32,437 submissions, with 12,486 duplicates, 14,857 marked as invalid and 5,094 valid submissions. As of March 31, 2016, those numbers have jumped to 54,114 total submissions, with 19,574 duplicates, 24,516 marked as invalid and 9,963 marked as valid. From 2015 to 2016, Cran said there was about a 67 percent increase in total submissions.

Since January 2013, when Bugcrowd began recording bug bounty statistics, Cross-Site Scripting (XSS) flaws have consistently remained the single most reported category of software vulnerability. As of March 31, 2015, XSS submissions made up 56 percent of all categorized submissions to Bugcrowd, Cran said. By March 2016, the XSS number had increased to 66 percent of all categorized submissions.

What's also helping the growth of the Bugcrowd platform is a continued increase in the number of researchers. On March 31, there were 26,782 researchers signed up on the Bugcrowd platform, with 41 percent of those signing up over the course of the last 12 months. While Bugcrowd has a growing community, most researchers still only participate on a part-time basis. Bugcrowd asked its researchers how much time they spend on security bug bounty research, and only 15 percent said that it's a full-time occupation.

"Companies across more industries are starting bug bounty programs," Cran said. "In the next year, we'll see wider adoption across health care, automotive and financial services in particular, and we'll see more public programs overall. We may even see a researcher earn over a half-million dollars."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.