June 10th, 2016

The Price (And Importance) Of Discovering Cybersecurity Bugs Is Increasing

Cash rewards for breaking stuff.

The cost of cybersecurity is going up.

A report by Bugcrowd, the San Francisco-based bug bounty platform, said that the average financial reward paid to white hat hackers for reporting security flaws has risen by 47% in the last 12 months. Vulnerability researchers can now expect to receive around $294.70 per bug, compared to $200.81 a year ago, the report said.

Following on from its inaugural report in 2015, Bugcrowd’s State of Bug Bounty 2016 report said bug bounty programs were becoming more widespread. In the first quarter of 2016, the average payout on Bugcrowd’s platform was $505.79, the report said.


The data was gathered through a combination of Bugcrowd’s own security research community and an active survey of 500 additional security researchers.

The Average Bug Bounty Hunter Is A Hobbyist

Around 70% of respondents spend less than 10 hours a week hunting bounties, but 15% hunt bugs on a full-time basis. These so-called “super hunters” can make up to $20,000 per month and look for niche vulnerabilities to maximize their bounty payout.

Bug bounty hunters are young. The report said that 75% of security researchers were between 18 and 29 years of age, with 88% of people having at least one year of college. Every respondent had at least a high school degree.

The vast majority of bug bounty programs are tailored to Web and mobile app targets, but there are high-profile programs that focus on the Internet of Things and connected cars. According to the report, there has been a year-on-year increase of 210% since 2013 in the number of programs on the platform. Companies with more than 5,000 employees were responsible for 44% of all bug bounty programs launched in the last year, Bugcrowd said.

[Figure: bug bounty programs by company size. Source: Bugcrowd, State of Bug Bounty 2016]

What Are The Most Frequent Cybersecurity Bugs?

Bugcrowd cited research that said 94% of companies that make up the Forbes 2000 list do not have a vulnerability disclosure or bug bounty program in place.

Bug bounty programs were traditionally limited to technology and software companies but more than 25% of all programs are now run in industry sectors such as retail, financial services and automotive, said the report.

Some bug bounty programs are less mainstream. Pornhub recently offered up to $25,000, by invitation, to any researcher who can find unique security vulnerabilities in its Web and mobile sites, The Next Web reported.


The main problem that companies are finding is that there are not enough white hat researchers to keep up with the black hats. Bug bounty programs are also less likely to be made available to the general public, with 63% of programs launched remaining private or invitation only, a slight uptick from the first quarter of 2015, said Bugcrowd.

A bug bounty is defined in the report as, “an incentivized, results-focused program that encourages security researchers to report security issues to the sponsoring organization.”

Around 38% of all valid or duplicate submissions by researchers fall into one of five categories: cross-site scripting (XSS), cross-site request forgery (CSRF), mobile, SQL injection (SQLi) and clickjacking. The slightly nebulous “Other” category accounts for the rest of the valid submissions.

[Figure: breakdown of valid submissions by bug type. Source: Bugcrowd, State of Bug Bounty 2016]

Within those five categories, XSS vulnerabilities account for 66.24%, while CSRF and mobile garner 19.71% and 8.79%, respectively. SQLi and clickjacking (a low technical impact attack that conceals hyperlinks beneath legitimate-looking clickable content) are responsible for 3.64% and 1.62%, respectively, although SQLi has risen in prominence since Q1 2015.

*Applause is the corporate owner and sole advertiser for ARC and is a company that provides in the wild testing services. This story was not assigned by Applause or subject to its approval.

Lead image: “Lady and the Peach” via Flickr by Onny Carr, Creative Commons, no changes made.
