
Webinar kym-casey-bug bounty tipping point webcast - po edits


Our 2016 State of Bug Bounty Report announced that bug bounty programs adoption has increased 210% since 2013.

As more and more companies leverage the capabilities of the global researcher community to identify critical vulnerabilities, we must ask...has the bug bounty economy reached a tipping point?

Join Bugcrowd as we unpack the top trends in crowdsourced cybersecurity and review the key findings from The State of Bug Bounty Report 2016.


Published in: Technology


  1. September 2016. Folks Leading The Discussion Today: Quick Bios
  2. Folks Leading The Discussion Today: Quick Bios. @caseyjohnellis, Founder and CEO, Bugcrowd: recovering pentester turned solution architect turned sales guy turned entrepreneur. @kym_possible, Senior Director of Researcher Operations, Bugcrowd: data analyst, security evangelist, behavioral psychologist, former director of a Red Team.
  3. Agenda: What Are We Covering Today? 1. What is a Bug Bounty? 2. Bug Bounty Industry Trends 3. Trends From the Researcher Community
  4. What Is a Bug Bounty?
  5. What is a Bug Bounty? For Those of You Who Are New: think of it as a competition, where independent security researchers all over the world find and report vulnerabilities to companies and their applications in exchange for rewards.
  6. What Problem Do Bug Bounties Solve? Combat the Defender's Dilemma.
  7. They Have Been Around For 20+ Years: Bug Bounty History. The History of Bug Bounties: Abbreviated Timeline from 1995 to Present (1995, 2002, 2004, 2005, 2007, 2010, 2011, 2012, 2013, 2014, 2015, 2016), grouped into Early Bug Bounties, Breakthrough in Bug Bounties, and Modern Bug Bounties.
  8. What Does Bugcrowd Do? A platform that connects organizations to the researcher community. 36,000+ researchers with specialized skills including web, mobile and IoT hacking; our community is made up of tens of thousands of hackers from around the world. Organizations both big and small: making bug bounties easy for every type of company through a variety of bug bounty solutions.
  9. State of Bug Bounty 2016: What Our Data Is Saying About the Industry
  10. Where Has All Our Data Come From? Our Success So Far: 268 total programs run on the Bugcrowd platform; 64% private programs compared to 36% public; 54K+ total vulnerability submissions made as of September 15, 2016; $3M+ paid out to the crowd as of September 15, 2016; 36K+ researchers in the crowd as of September 15, 2016; 210% program growth over time.
  11. Considerable Growth In Program Types: Market Adopting Quickly. The total number of bounty programs being run is on the rise, a 210% increase YOY. Private programs are being adopted quicker than public programs; 63% of all launched programs are private.
  12. Growth Across Many Verticals: Industries Utilizing A Bug Bounty. Companies of all industry types are running bug bounty programs. As expected, computer software and more internet-built companies have the widest adoption. "Non-traditional" industries (healthcare, financial services) have been rapidly adopting over the last 12 months.
  13. Growth Across All Sizes of Organizations: SMB & Enterprise. Enterprise is quickly adopting over the last 12 months, accounting for 11% of programs. 50% of programs are run by companies with 200 employees or less, due to the economic advantage.
  14. What is Being Found? Volume of Valid & Original Vulnerabilities Over Time (Vulnerability Rating Taxonomy). More critical vulnerabilities are being submitted and fewer non-critical vulnerabilities are being submitted: security researchers are getting more discerning with what they submit, and organizations are getting more prescriptive with the scope and goals of programs.
  15. What is Being Found? Types of Vulnerabilities. Why so much XSS: XSS accounts for 66% of all valid submissions; CSRF is next highest at 20% of all valid submissions.
  16. Why Is This Adoption Happening? Survey Results: Top value in running a bug bounty program.
  17. State of Bug Bounty 2016: What Our Data Is Saying About the Crowd
  18. Rapidly Growing Researcher Community: Currently 36,000+ Researchers
  19. Researchers Are Making Money: How Much Has Been Paid Out. $2,054,721 has been paid out to date to the global researcher community for 6,803 valid vulnerabilities found. Defensive Vulnerability Pricing Model:
  20. Rapidly Growing Researcher Community: From All Over The World
  21. Different Types of Researchers. Survey Data: Wide Range of Age & Education. Graduate Degree 12.76%; Some Graduate School 4.10%; College Degree 42.14%; Some College 28.70%; High School Degree 12.30%.
  22. Researcher Time Spent Hacking. Survey Data: Not Yet a Full Time Thing For Most. 15% of the crowd is hacking on bug bounties as a primary source of income; 24% of the crowd are full-time developers; 18% of the crowd are full-time pen testers. Be on the lookout for our upcoming report on the Bugcrowd community.
  23. Different Types of Researchers. Survey Data: Wide Range of Skills & Specialities
  24. Key Takeaways: Where the Market is Today and Where it is Going
  25. What We Know Today: Bug Bounties Have Reached A Tipping Point. Quality: compared with traditional testing methods, bug bounties present a significant advantage. Maturation: as this model matures, with private programs gaining traction, more organizations can tap into the crowd. Growth: more organizations are adopting this model, including large enterprises and traditional industries. Impact: critical vulnerabilities are increasing in volume along with the average payout per bug.
  26. What We Know Today: Wide Range of Companies Adopting
  27. Multi-Solution Bug Bounty Model Gaining Traction: Not Just About Public Programs. Public Ongoing Program: engage the collective intelligence of thousands of security researchers worldwide; the perfect solution to incentivize the continuous testing of main web properties, self-sign-up apps, or anything already publicly accessible. Private Ongoing Program: continuous testing using a private, invite-only crowd of researchers; the perfect solution to incentivize the continuous testing of apps that require specialized skill sets or that are harder to access. On-Demand Program: project-based testing using a private, invite-only crowd of researchers; the perfect solution for testing new products, major releases, new features, or anything needing a quick test for up to two weeks. Many organizations are utilizing different types of bug bounty solutions.
  28. Predictions and Challenges: Bug Bounties Have Reached A Tipping Point. PREDICTION: The crowd will continue to diversify and mature, creating more opportunities for organizations to utilize bug bounties for increasingly complex applications. PREDICTION: Traditional testing methods will evolve to work alongside bug bounty programs. PREDICTION: Bug bounties will shift from a "nice to have" to a "must have" for most organizations.
  29. Q&A. Download the full report here: