Cash rewards for breaking stuff.
The cost of cybersecurity is going up.
A report by San Francisco-based bug bounty platform Bugcrowd said that the average financial reward paid to white hat hackers for reporting flaws in a company's systems has risen by 47% in the last 12 months. Vulnerability researchers can now expect to receive around $294.70 per bug, compared to $200.81 a year ago, the report said.
Following on from its inaugural report in 2015, Bugcrowd’s State of Bug Bounty 2016 report said bug bounty programs were becoming more widespread. In the first quarter of 2016, the average payout on Bugcrowd’s platform was $505.79, the report said.
The data was gathered through a combination of Bugcrowd’s own security research community and an active survey of 500 additional security researchers.
The Average Bug Bounty Hunter Is A Hobbyist
Around 70% of respondents spend less than 10 hours a week bounty hunting, but 15% do it full time. These so-called "super hunters" can make up to $20,000 per month and target niche vulnerability classes to maximize their payouts.
Bug bounty hunters are young. The report said that 75% of security researchers were between 18 and 29 years of age, with 88% of people having at least one year of college. Every respondent had at least a high school degree.
The vast majority of bug bounty programs are tailored to Web and mobile app targets, but there are high-profile programs that focus on the Internet of Things and connected cars. According to the report, the number of programs on the platform has grown 210% since 2013. Companies with more than 5,000 employees were responsible for 44% of all bug bounty programs launched in the last year, Bugcrowd said.
What Are The Most Frequent Cybersecurity Bugs?
Bugcrowd cited research that said 94% of companies that make up the Forbes 2000 list do not have a vulnerability disclosure or bug bounty program in place.
Bug bounty programs were traditionally limited to technology and software companies but more than 25% of all programs are now run in industry sectors such as retail, financial services and automotive, said the report.
Some bug bounty programs are less mainstream. Pornhub recently offered, by invitation, up to $25,000 to researchers who find unique security vulnerabilities in its Web and mobile sites, The Next Web reported.
The main problem companies are finding is that there are not enough skilled white hat researchers to go around. Bug bounty programs are also less likely to be opened to the general public: 63% of programs launched remain private or invitation only, a slight uptick from the first quarter of 2015, said Bugcrowd.
A bug bounty is defined in the report as, “an incentivized, results-focused program that encourages security researchers to report security issues to the sponsoring organization.”
Around 38% of all valid or duplicate submissions by researchers fall into one of five categories: Cross-site scripting (XSS), Cross-Site Request Forgery (CSRF), mobile, SQL injection (SQLi) and Clickjack. The slightly nebulous "Other" category accounts for the rest of the valid submissions.
Within those five categories, XSS vulnerabilities account for 66.24%, while CSRF and mobile garner 19.71% and 8.79%, respectively. SQLi and Clickjack are responsible for 3.64% and 1.62%, respectively, although SQLi has risen in prominence since Q1 2015. Clickjacking is a low-technical-impact attack in which the target page is loaded in an invisible frame laid over innocuous-looking content, so that the victim's clicks land on the hidden page; it is usually possible only when the target fails to send the headers that forbid framing.
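As an added illustration of the Clickjack category (this is example code written for this page, not code from Bugcrowd or the report), the block below builds the kind of attacker page that overlays an invisible frame on a decoy button, and then checks, from a target's response headers, whether a given attacker origin would be allowed to frame it. The framing decision follows the two mechanisms browsers honour, X-Frame-Options and the CSP frame-ancestors directive; the source matching is a simplified version of the CSP rules, the sample responses are constructed, and the assumption that current browsers ignore ALLOW-FROM and malformed X-Frame-Options values is stated in the code.

```javascript
// Constructed attacker page: a transparent iframe of the target positioned
// over a decoy button, so a click on "Claim prize" lands on the framed page.
function buildClickjackPage(targetUrl) {
  return `<!doctype html>
<button style="position:absolute;top:100px;left:100px">Claim prize</button>
<iframe src="${targetUrl}"
  style="position:absolute;top:0;left:0;width:600px;height:400px;opacity:0;z-index:2"></iframe>`;
}

// Reduce an origin string to the triple used for same-origin comparison.
function parseOrigin(origin) {
  const u = new URL(origin);
  const scheme = u.protocol.replace(':', '');
  return { scheme, host: u.hostname, port: u.port || (scheme === 'https' ? '443' : '80') };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Simplified CSP source-expression matching for frame-ancestors:
// 'self', '*', scheme-source ("https:"), and host-source with optional
// scheme, "*." host wildcard and port.
function sourceMatches(src, ancestor, self) {
  const s = src.toLowerCase();
  if (s === "'self'") return sameOrigin(ancestor, self);
  if (s === '*') return true;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/.exec(s);
  if (!m) {
    // scheme-source such as "https:"
    return /^[a-z][a-z0-9+.-]*:$/.test(s) && s.slice(0, -1) === ancestor.scheme;
  }
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme !== ancestor.scheme) return false;
  if (wildcard ? !ancestor.host.endsWith('.' + host) : ancestor.host !== host) return false;
  if (port && port !== '*' && port !== ancestor.port) return false;
  return true;
}

// Return the frame-ancestors source list from a CSP header, or null if absent.
function frameAncestors(csp) {
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

// Decide whether attackerOrigin may frame a page served from pageOrigin
// with the given response headers.
function isFrameable(headers, pageOrigin, attackerOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const self = parseOrigin(pageOrigin);
  const ancestor = parseOrigin(attackerOrigin);

  const csp = h['content-security-policy'];
  const fa = csp ? frameAncestors(csp) : null;
  if (fa) {
    // When frame-ancestors is present, browsers ignore X-Frame-Options.
    // An empty source list behaves like 'none'.
    if (fa.length === 0 || fa.some((s) => s.toLowerCase() === "'none'")) {
      return { frameable: false, reason: 'frame-ancestors blocks all framing' };
    }
    const ok = fa.some((s) => sourceMatches(s, ancestor, self));
    return { frameable: ok, reason: ok ? 'frame-ancestors allows this origin' : 'frame-ancestors excludes this origin' };
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { frameable: false, reason: 'X-Frame-Options: DENY' };
  if (xfo === 'SAMEORIGIN') {
    const ok = sameOrigin(ancestor, self);
    return { frameable: ok, reason: ok ? 'same origin under SAMEORIGIN' : 'X-Frame-Options: SAMEORIGIN' };
  }
  // Assumption: ALLOW-FROM and malformed values are ignored by current browsers,
  // which leaves the page frameable.
  return { frameable: true, reason: xfo ? 'unrecognised X-Frame-Options value ignored' : 'no framing restriction sent' };
}

// Constructed sample responses, as a scanner over real targets would collect.
const SAMPLE_RESPONSES = {
  unprotected: { 'Content-Type': 'text/html' },
  xfoDeny: { 'X-Frame-Options': 'DENY' },
  xfoSameOrigin: { 'X-Frame-Options': 'SAMEORIGIN' },
  cspPartner: {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://*.partner.example",
  },
  cspNone: { 'Content-Security-Policy': "frame-ancestors 'none'" },
};

for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
  const r = isFrameable(headers, 'https://bank.example', 'https://evil.example');
  console.log(`${name}: ${r.frameable ? 'FRAMEABLE' : 'blocked'} (${r.reason})`);
}
```

The cspPartner case is the one worth noting in a report: its X-Frame-Options: DENY is overridden by the frame-ancestors list, so any host under partner.example can frame the page even though a naive header check would call it safe.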
*Applause is the corporate owner and sole advertiser for ARC and is a company that provides in the wild testing services. This story was not assigned by Applause or subject to its approval.