Casey Ellis started Bugcrowd in 2012 with the idea that crowdsourced bug discovery is a better way to improve security. It’s an idea that is working, according to Bugcrowd’s inaugural State of Bug Bounty Report issued July 30, which looks at bug bounties from January 2013 to June 2015.
Ellis is both surprised and pleased at how the Bugcrowd model for crowdsourcing bug reporting is working out and gaining adoption across the industry. Bugcrowd runs bug bounty programs on behalf of vendors, providing a mature back-end infrastructure and community of researchers to help improve security.
“When I first started the company, I spent most of my time explaining to people what a bug bounty was all about,” Ellis told eWEEK. “Now I do that a whole lot less.”
Big technology vendors understand the need for bug bounties, but the challenge remains for those outside of the big vendors who are worried about inviting hackers to find bugs, according to Ellis.
Ellis runs Bugcrowd as a business and not a charity or an altruistic effort—researchers are paid for their valid bug reports. For the 30-month period that the report covered, Bugcrowd’s clients paid out a total of $724,014.02 to 566 different researchers.
Researchers who participate in Bugcrowd’s program had an average of $1,279.18 paid to them annually. That said, there are some outliers in the data, as the top single reward paid by Bugcrowd over the last 30 months was a $10,000 bounty, paid to a researcher for a cross-site request forgery (CSRF) flaw found in an e-commerce platform.
Bugcrowd runs multiple types of programs, including public bug bounties where anyone can submit reports and invitation-only programs. Jonathan Cran, vice president of operations at Bugcrowd, said that what surprised him was the success of invitation-only bounty programs. There was a higher percentage of valid submissions on invitation-only bounties versus public programs, he said.
“It stands to reason since there are highly qualified researchers in the invite-only program,” Cran told eWEEK. “In the public bounty programs, 18 percent of submissions were valid, while 36 percent of submissions were valid in the invitation-only bounty programs.”
Looking across both public and invitation-only bounty programs, the most common vulnerability found over the 30-month report period was cross-site scripting (XSS) flaws, which represented 17.8 percent of submissions. CSRF flaws came in second, representing 8.6 percent of submissions.
Moving forward, both Ellis and Cran expect that even more bugs and rewards will be paid out to Bugcrowd’s community of researchers.
“We’ve been really good at this point to make sure that researchers get paid for things that are valuable and that our customers aren’t paying for things that they shouldn’t be paying for,” Ellis said. “Over time, the general consensus and understanding of what a vulnerability is worth will grow.”
Are you a security pro? Try our quiz!
Originally published on eWeek.
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…