Bug bounty programs have increased in popularity among mainstream enterprises and are turning into an industry best practice, a Bugcrowd report says.
Recent research shows that bug bounty programs are no longer run only by technology companies: over 25% of the 286 programs surveyed are run by financial and banking companies. The large tech corporations that created the market for bug bounty programs have so far spent over $13 million on their programs in 2016.
According to the report, which was compiled from data collected from Bugcrowd’s platform and other sources throughout 2016, “the all-time average bug reward on Bugcrowd’s platform has risen from $200.81 in our first annual report, to $294.70, an increase of 47%.”
Although bug bounty programs trace their origins to Netscape over 20 years ago, only now are they turning into a best practice. Companies recognize that the way Internet use and its security are approached needs to change, and that they should assess their own vulnerabilities to improve the safety of their products and services, researchers say.
“The majority of today’s bug bounty programs are scoped to web and mobile application targets, although there are several high profile examples of programs run on IoT devices and cars, such as Tesla Motors’ program and General Motors’ program,” Bugcrowd analysts said. “Other bounties focus on traditional, installable software, including Microsoft’s Bug Bounty program and Google’s Vulnerability Reward Program (VRP).”
Cross-site Scripting (XSS) represents 66% of reported vulnerabilities, followed by Cross-site Request Forgery (CSRF). Some 38% of submissions fall into the XSS, CSRF, mobile, SQLi and clickjacking categories.
“2015 was the year companies realized that, when it comes to cybersecurity, the pain of staying the same is exceeding the pain of change,” said Casey Ellis, CEO and founder of Bugcrowd. “This tip is causing companies to realize that the only way to compete with an army of adversaries is with an army of allies. Even the most risk-averse industries are embracing, and successfully implementing, crowdsourced cybersecurity programs. This growth validates today’s reality: distributed resourcing approaches like bug bounty programs are the best tools to create parity with the adversary.”