Bug Bounty Tipping Point: Strength in Numbers


  • Date posted: 15-Apr-2017

Transcript of Bug Bounty Tipping Point: Strength in Numbers

  • September 2016

  • Folks Leading The Discussion Today: Quick Bios

    @caseyjohnellis

    Founder and CEO, Bugcrowd

    Recovering pentester turned solution architect turned sales guy turned entrepreneur

    @kym_possible

    Senior Director of Researcher Operations, Bugcrowd

    Data analyst, security evangelist, behavioral psychologist, former director of a Red Team

  • Agenda: What Are We Covering Today?

    1. What is a Bug Bounty?

    2. Bug Bounty Industry Trends

    3. Trends From the Researcher Community

  • What Is a Bug Bounty?

  • What is a Bug Bounty? For Those of You Who Are New

    Think of it as a competition where independent security researchers all over the world find & report vulnerabilities to companies and their applications in exchange for rewards.

  • What Problem Do Bug Bounties Solve? Combat the Defender's Dilemma

  • They Have Been Around For 20+ Years: Bug Bounty History

    The History of Bug Bounties: Abbreviated Timeline from 1995 to Present (timeline figure). Phases: Early Bug Bounties, Breakthrough in Bug Bounties, Modern Bug Bounties. Years marked: 1995, 2002, 2004, 2005, 2007, 2010, 2011, 2012, 2013, 2014, 2015, 2016.

  • What Does Bugcrowd Do? Platform That Connects Organizations to the Researcher Community

    38,000+ Researchers

    With specialized skills including web, mobile and IoT hacking. Our community is made up of tens of thousands of hackers from around the world.

    Organizations Both Big and Small

    Making Bug Bounties easy for every type of company through a variety of Bug Bounty Solutions.

  • State of Bug Bounty 2016: What Our Data Is Saying About the Industry

  • Where Has All Our Data Come From? Our Success So Far

    300+ total programs run on the Bugcrowd platform

    64% private programs compared to 36% public

    54K+ total vulnerability submissions made as of September 15, 2016

    $3M+ paid out to the crowd as of September 15, 2016

    38K+ researchers in the crowd as of September 15, 2016

    210% program growth

  • What We Know Today: Bug Bounties Have Reached A Tipping Point

    Quality: Compared with traditional testing methods, bug bounties present a significant advantage

    Maturation: As this model matures, with private programs gaining traction, more organizations can tap into the crowd

    Growth: More organizations are adopting this model, including large enterprises and traditional industries

    Impact: Critical vulnerabilities are increasing in volume along with average payout per bug

  • Considerable Growth In Program Types: Market Adopting Quickly

    The total number of Bounty Programs being run is on the rise: a 210% increase YoY

    Private programs are being adopted more quickly than public programs

    63% of all launched programs are private

  • Growth Across Many Verticals: Industries Utilizing A Bug Bounty

    Companies of all industry types are running Bug Bounty Programs

    As expected, computer software and internet-built companies have the widest adoption

    Non-traditional industries (healthcare, financial services) have been rapidly adopting over the last 12 months

  • Growth Across All Sizes of Organizations: SMB & Enterprise

    Enterprises have been quickly adopting over the last 12 months, accounting for 11% of programs

    50% of programs are run by companies with 200 employees or less, due to the economic advantage

  • What is Being Found? Volume of Valid & Original Vulnerabilities Over Time

    Vulnerability Rating Taxonomy: http://bgcd.co/vrt-2016

    More critical vulnerabilities are being submitted

    Fewer non-critical vulnerabilities are being submitted

    Security researchers are getting more discerning with what they submit

    Organizations are getting more prescriptive with the scope and goals of programs

  • What is Being Found? Types of Vulnerabilities

    Why So Much XSS: http://bgcd.co/xss-big-bugs

    XSS accounts for 66% of all valid submissions

    CSRF is next highest at 20% of all valid submissions

  • Why Is This Adoption Happening? Survey Results: Top value in running a bug bounty program

  • State of Bug Bounty 2016: What Our Data Is Saying About the Crowd

  • Rapidly Growing Researcher Community: Currently 38,000+ Researchers

  • Researchers Are Making Money: How Much Has Been Paid Out

    $2,054,721 has been paid out to date to the global researcher community for 6,803 valid vulnerabilities found

    Defensive Vulnerability Pricing Model: http://bgcd.co/dvpm-2016

  • Rapidly Growing Researcher Community: From All Over The World

  • Different Types of Researchers: Survey Data: Wide Range of Age & Education

    Education breakdown (chart): categories Graduate Degree, Some Graduate School, College Degree, Some College, High School Degree; shares shown, in the order extracted: 12.76%, 4.10%, 42.14%, 28.70%, 12.30%

  • Researcher Time Spent Hacking: Survey Data: Not Yet a Full Time Thing For Most

    15% of the crowd is hacking on bug bounties as their primary source of income

    24% of the crowd are full-time developers

    18% of the crowd are full-time pen testers

    Be on the lookout for our upcoming report on the Bugcrowd community

  • Different Types of Researchers: Survey Data: Wide Range of Skills & Specialities

  • Key Takeaways: Where the Market is Today and Where Is It Going?

  • What We Know Today: Bug Bounties Have Reached A Tipping Point

    Quality: Compared with traditional testing methods, bug bounties present a significant advantage

    Maturation: As this model matures, with private programs gaining traction, more organizations can tap into the crowd

    Growth: More organizations are adopting this model, including large enterprises and traditional industries

    Impact: Critical vulnerabilities are increasing in volume along with average payout per bug

  • What We Know Today: Wide Range of Companies Adopting

  • Multi Solution Bug Bounty Model Gaining Traction: Not Just About Public Programs

    Public Ongoing Program: Engage the collective intelligence of thousands of security researchers worldwide. The perfect solution to incentivize the continuous testing of main web properties, self-sign up apps, or anything already publicly accessible.

    Private Ongoing Program: Continuous testing using a private, invite-only crowd of researchers. The perfect solution to incentivize the continuous testing of apps that require specialized skill sets or that are harder to access.

    On-Demand Program: Project based testing using a private, invite-only crowd of researchers. The perfect solution for testing new products, major releases, new features, or anything needing a quick test for up to two weeks.

    Many organizations are utilizing different types of Bug Bounty Solutions

  • Predictions and Challenges: Bug Bounties Have Reached A Tipping Point

    PREDICTION: The crowd will continue to diversify and mature, creating more opportunities for organizations to utilize bug bounties for increasingly complex applications

    PREDICTION: Traditional testing methods will evolve to work alongside bug bounty programs

    PREDICTION: Bug bounties will shift from a nice to have to a must have for most organizations

  • Q&A

    Download the full report here: http://bgcd.co/state-of-bug-bounty-2016