New 'super hunters' earning big bucks from bug bounty programs

With data breaches still making headlines and security teams facing increased pressures it's not surprising that companies are looking for innovative ways to find flaws in their systems.

Crowdsourced security specialist Bugcrowd has released the results of its second annual State of Bug Bounty Report which shows that the number of bug bounty programs hosted on its platform is up by an average of 210 per cent year on year since January 2013.

Among its other findings are that larger enterprises are increasingly adopting bug bounties. Companies with 5,000+ employees accounted for 44 per cent more of the total companies launching bug bounty programs over the last 12 months. Average payouts are rising too with the rewards to researchers rising 47 per cent in the last 12 months. In Q1 2016, the average payout on Bugcrowd's platform was $505.79. Cross-site scripting is the single most discovered vulnerability type, at over 66 per cent of all classified vulnerabilities disclosed.

It's also identified a new breed of vulnerability 'super hunters'. These researchers earn thousands of dollars in payouts, and often participate in bug bounty programs as full-time positions. They're still in a minority, however, as the majority of researchers (85 per cent) participate in bug bounty programs as a hobby or part-time job, with 70 per cent spending fewer than 10 hours a week working on bounties.

"Mainstream enterprises are entering a new era of advanced security," says Jonathan Cran, vice president of product at Bugcrowd. "Bug bounty programs are leveling the playing field, and Bugcrowd is making them accessible across more industries and organisation types.

"Crowdsourced cybersecurity not only strengthens the security of products, but it also initiates rewarding, mutually beneficial relationships with the researcher community".

You can find out more in the full report which is available on the Bugcrowd website.

Photo Credit: Ollyy/Shutterstock