Bug Bounty Programs Paying Off for Vendors, Security Researchers

More companies are finding bug bounty programs to be an effective method of improving security. And Bugcrowd’s recent bug bounty report bears that out.

Bugcrowd operates both public and invitation-only private bug bounty programs. Over the last 30 months, Bugcrowd has found a 36.1 percent submission success rate with invitation-only programs, in contrast to an 18 percent valid bug submission rate for public programs.

India is the top source for bug report submissions, followed by the United States and the United Kingdom.

Bugcrowd’s community submitted multiple types of vulnerabilities, with cross-site scripting (XSS) topping the list at 17.9 percent. However, Bugcrowd identifies a whopping 67.7 percent of bug types as “other.”

Looking into the 67.7 percent of vulnerability types that Bugcrowd has classified as “other,” information leakage is identified as one of the most submitted types of flaws.

While bug payments vary, the average reward reported by Bugcrowd in 2015 now stands at $200, which is a marginal increase from the $180 average in 2013.

While the average bug payout is $200, the top bug reward reported by Bugcrowd was a $10,000 award paid out in the second quarter of 2014. The big payout was made for a cross-site request forgery (CSRF) vulnerability.

For the 30-month period that the report covered, Bugcrowd’s clients paid out a total of $724,014.02 to 566 different researchers.