Our 2016 State of Bug Bounty Report announced that bug bounty programs adoption has increased 210% since 2013.
As more and more companies leverage the capabilities of the global researcher community to identify critical vulnerabilities, we must ask: has the bug bounty economy reached a tipping point?
Join Bugcrowd as we unpack the top trends in crowdsourced cybersecurity and review the key findings from The State of Bug Bounty Report 2016.
Webinar: https://www.brighttalk.com/webcast/14415/221275/the-bug-bounty-tipping-point-strength-in-numbers
September 2016
Folks Leading The Discussion Today
Quick Bios
@caseyjohnellis
Founder and CEO, Bugcrowd
Recovering pentester turned solution architect turned sales guy turned entrepreneur
@kym_possible
Senior Director of Researcher Operations, Bugcrowd
Data analyst, security evangelist, behavioral psychologist, former director of a Red Team
Agenda
What Are We Covering Today?
1. What is a Bug Bounty?
2. Bug Bounty Industry Trends
3. Trends From the Researcher Community
What is a Bug Bounty?
For Those of You Who Are New
Think of it as a competition, where independent security researchers all over the world find and report vulnerabilities to companies and their applications in exchange for rewards.
What Does Bugcrowd Do?
Platform That Connects Organizations to the Researcher Community
36,000+ Researchers
With specialized skills including web, mobile and IoT hacking. Our community is made up of tens of thousands of hackers from around the world.
Organizations Both Big and Small
Making Bug Bounties easy for every type of company through a variety of Bug Bounty Solutions.
CONFIDENTIAL JULY 2016 GTM PLAYBOOK
State of Bug Bounty 2016
What Our Data Is Saying About the Industry
Where Has All Our Data Come From?
Our Success So Far
268 total programs run on the Bugcrowd platform
64% private programs, compared to 36% public
54K+ total vulnerability submissions made as of September 15, 2016
$3M+ paid out to the crowd as of September 15, 2016
36K+ researchers in the crowd as of September 15, 2016
210% program growth over time
Considerable Growth In Program Types
Market Adopting Quickly
The total number of bounty programs being run is on the rise: a 210% increase YOY
Private programs are being adopted faster than public programs
63% of all launched programs are private
Growth Across Many Verticals
Industries Utilizing A Bug Bounty
Companies of all industry types are running Bug Bounty Programs
As expected, computer software and internet-native companies have the widest adoption
"Non-traditional" industries (healthcare, financial services) have been rapidly adopting over the last 12 months
Growth Across All Sizes of Organizations
SMB & Enterprise
Enterprises have been quickly adopting over the last 12 months, accounting for 11% of programs
50% of programs are run by companies with 200 employees or less, due to the economic advantage
What is Being Found?
Volume of Valid & Original Vulnerabilities Over Time
Vulnerability Rating Taxonomy: http://bgcd.co/vrt-2016
More critical vulnerabilities are being submitted
Fewer non-critical vulnerabilities are being submitted
Security researchers are getting more discerning about what they submit
Organizations are getting more prescriptive about the scope and goals of programs
What is Being Found?
Types of Vulnerabilities
Why So Much XSS: http://bgcd.co/xss-2016
XSS accounts for 66% of all valid submissions
CSRF is next highest at 20% of all valid submissions
Why Is This Adoption Happening?
Survey Results: Top value in running a bug bounty program
Researchers Are Making Money
How Much Has Been Paid Out
$2,054,721 has been paid out to date to the global researcher community for 6,803 valid vulnerabilities found
Defensive Vulnerability Pricing Model: http://bgcd.co/dvpm-2016
Different Types of Researchers
Survey Data: Wide Range of Age & Education
[Pie chart: education levels of surveyed researchers. Categories shown: Graduate Degree, Some Graduate School, College Degree, Some College, High School Degree. Values shown, in chart order: 12.76%, 4.10%, 42.14%, 28.70%, 12.30%. The pairing of values to categories is not recoverable from the extracted text.]
Researcher Time Spent Hacking
Survey Data: Not Yet a Full Time Thing For Most
15% of the crowd is hacking on bug bounties as a primary source of income
24% of the crowd are full-time developers
18% of the crowd are full-time pen testers
Be on the lookout for our upcoming report on the Bugcrowd community
What We Know Today
Bug Bounties Have Reached A Tipping Point
Quality: Compared with traditional testing methods, bug bounties present a significant advantage
Maturation: As this model matures, with private programs gaining traction, more organizations can tap into the crowd
Growth: More organizations are adopting this model, including large enterprises and traditional industries
Impact: Critical vulnerabilities are increasing in volume along with average payout per bug
Multi Solution Bug Bounty Model Gaining Traction
Not Just About Public Programs
Public Ongoing Program
Engage the collective intelligence of thousands of security researchers worldwide. The perfect solution to incentivize the continuous testing of main web properties, self-sign-up apps, or anything already publicly accessible.
Private Ongoing Program
Continuous testing using a private, invite-only crowd of researchers. The perfect solution to incentivize the continuous testing of apps that require specialized skill sets or that are harder to access.
On-Demand Program
Project-based testing using a private, invite-only crowd of researchers. The perfect solution for testing new products, major releases, new features, or anything needing a quick test for up to two weeks.
Many organizations are utilizing different types of Bug Bounty Solutions
Predictions and Challenges
Bug Bounties Have Reached A Tipping Point
PREDICTION: The crowd will continue to diversify and mature, creating more opportunities for organizations to utilize bug bounties for increasingly complex applications
PREDICTION: Traditional testing methods will evolve to work alongside bug bounty programs
PREDICTION: Bug bounties will shift from a "nice to have" to a "must have" for most organizations
Q&A
Download the full report here: http://bgcd.co/state-of-bug-bounty-2016