Bug Bounties Becoming Increasingly Popular, With Payouts Rising

Paying out a bug bounty—that is, rewarding a security researcher for responsibly disclosing a security vulnerability—is an increasingly popular and lucrative endeavor, according to Bugcrowd’s “2017 State of Bug Bounty” report. Bugcrowd offers its customers a managed bug bounty program that engages a “crowd” of researchers to help find software vulnerabilities. Across all industries served by Bugcrowd, the average bug payout last year was $451, up 53 percent year-over-year. Among Bugcrowd’s customer base, automotive clients reported the highest average bug bounty payout at $1,514, while those in retail and e-commerce paid an average of $403 per bug. In this slide show, eWEEK takes a look at some of the highlights of Bugcrowd’s third annual bug bounty report.

Across all industries served by Bugcrowd, the average bug payout last year was $451, up 53 percent year-over-year.

Among Bugcrowd’s customer base, automotive clients reported the highest average bug bounty payout at $1,514.

The average payout among targets varies quite a bit, with the average mobile payout coming in at $385 and hardware (including IoT) at $742.

The most commonly reported critical vulnerability by Bugcrowd’s community of researchers is SQL injection (with an average payout of $1,058), followed by cross-site scripting, or XSS (with an average payout of $314).

Researchers from around the world participate in bug bounty programs. In terms of payouts, the Bugcrowd “2017 State of Bug Bounty” report found researchers in India topped the list at $1,591,485, followed by the United States at $1,436,147. In contrast, researchers in the UK earned a total of $535,080.

Bugcrowd manages on-demand as well as ongoing bug bounty programs. Over the last three years, growth in ongoing bug bounty programs has outpaced on-demand programs.

Bugcrowd hosts more than 600 bug bounty programs, with the majority (77 percent) being private programs.