Bugcrowd Blog

Why You Can’t Ignore the Economics of a Bug Bounty

Posted by David Baker on Jul 14, 2017 11:48:06 AM

It’s common knowledge that the security industry has been facing a massive shortage of resources. Add the fact that companies are accelerating their cloud presence and growing an API ecosystem of their own. CISOs are up-leveling their security strategy by adding bug bounty programs to their toolbox.  

According to our recent research, enterprise bug bounty adoption is at an all-time high, growing more than 300% over the last year. On top of that, total bug bounty payouts have surpassed $6 million, up 211% since last year while the average payout is now $451.

Today, the average payout on critical vulnerabilities is $1,776. This bump coincides with the increased number and average criticality of vulnerabilities identified over the past year. Our research shows the highest average payouts for hardware/IoT targets such as routers, webcams and wearables, and the lowest for mobile applications. The automotive industry also lines up as the industry offering the highest average payout.

As the bug bounty ecosystem matures, organizations are adding more, increasingly complex targets to their program scope. These targets require more time and effort to break. Thus the identified vulnerabilities and corresponding proof of concept exploits come with a higher price tag. This begs the question of how and when should companies raise their bounty payouts? Organizations often don't realize the various complexities and permutations of attack surfaces that go into scoping targets and pricing submissions over time. This can cause program stalling or losing researcher participation and confidence. Bottom-line, bounty programs are difficult to start and will become more complicated as they mature.

I recently examined the business impact of software vulnerabilities in a blog post, highlighting the fact that the bug bounty market is growing, creating fierce competition, not only among the different programs, but also for the best researchers. Without the proper guidance, many organizations will struggle to make their programs stand out therefore losing the race to get the best researchers.

Just last week, reports surfaced that security researchers who had been invited by Apple to submit high-value bugs through their self-managed program, weren’t reporting bugs because the rewards weren’t as high as they could be, especially in light of what third party companies were willing to pay for them.

As companies like Apple continue to both adopt programs and learn how to best manage pricing vulnerabilities, the risk of hackers selling serious vulnerabilities (e.g. an iOS backdoor) to other companies like Zerodium will be reduced. But staying competitive isn’t all about big cash rewards. A wide scope with interesting targets will always attract talent.

At Bugcrowd, we’ve learned a lot over the years. By utilizing the expertise acquired while managing hundreds of programs, organizations that work with a trusted partner ensure they are getting the most out of their bug bounty programs. Not only at the outset, but also over time to ensure the long-term assurance value of bug bounties.

For more on bug bounty economics and payout trends, download The 2017 State of Bug Bounty Report.

Interesting, Running Your Own Program, Research and Reports
David Baker

Written by David Baker

CSO