Bug bounties more popular, profitable as security threats grow
The number of enterprise bug bounty programs grew more than 300% over the last year, according to the 2017 State of Bug Bounty Report released by BugCrowd.
The average payout increased from $295 to $451, or more than 200% over the year before. In total, more than 12,000 vulnerabilities were submitted by over 60,000 global security researchers as part of bug bounty programs. Bugcrowd’s researcher community also grew to 53,332 members in 2017 from 26,782 in 2016.
Almost 45% of bug bounty programs are run by businesses with more than 500 employees, a 300% increase from the prior year, the report found. Internet of Things devices such as routers, webcams and wearable technologies had the biggest average bug bounty payouts at approximately $740 per bug.
Crowdsourcing security is becoming a more popular option as the security landscape continues to evolve and hackers hone their skills. Bug bounties can help an enterprise keep on top of vulnerabilities, and such programs are often much cheaper than the cost of recovering from an attack.
The average cost of recovery from a single security incident is estimated to be $86,500 for small and medium businesses and $861,000 for enterprises, according to a recent report from Kaspersky Lab.
Bug bounties can also help companies as they struggle to find and pay for full-time cybersecurity talent. With a reported 1.8 million workforce gap in cybersecurity, crowdsourcing can be an affordable option, even as the average payout increases.
Meanwhile, increased payouts are likely attracting more security researchers to participate in bug bounties, creating a win-win situation. Large companies like Google, General Electric, Microsoft, United Airlines, Western Union, Tesla Motors and Fiat Chrysler have all participated in bug bounty programs over the last few years.
IoT has spurred more concerns about security, as many IoT devices lack strong security protocols. As IoT grows, it’s also likely to fuel more bug bounty programs.