State of Bug Bounty Report
THE STATE OF BUG BOUNTY
Bugcrowd's second annual report on the current state of the bug bounty economy
BUGCROWD INC. STATE OF BUG BOUNTY REPORT 2015 2
TABLE OF CONTENTS
Introduction
    WHAT EXACTLY IS A BUG BOUNTY?
Executive Summary
About the Data Set
    BUGCROWD PLATFORM DATA PUBLIC DATA SOURCES SURVEY DATA IN THIS REPORT
Market Adoption
    ACCESSIBILITY OF BUG BOUNTIES
    PROGRAM GROWTH OVER TIME
    INDUSTRY DIVERSIFICATION
    ENTERPRISE ENTERING THE MARKET
Submissions and Vulnerabilities
    VULNERABILITY RATING TAXONOMY
    VULNERABILITIES BY CRITICALITY
    VULNERABILITIES BY TYPE
Bounty Payouts
    DEFENSIVE VULNERABILITY PRICING MODEL
Researchers
    AGE AND EDUCATION
    REGIONAL RESEARCHER ACTIVITY
    REGIONAL RESEARCHER QUALITY
    BUG TYPES AND SPECIALIZATIONS
    RESEARCHER ENGAGEMENT
What we're witnessing right now is the maturation of a model that will fundamentally change the way we approach the security, trust and safety of the Internet.
Bug bounty programs are moving from the realm of novelty towards becoming best practice. They provide an opportunity to level the cybersecurity playing field, strengthening the security of products as well as cultivating a mutually rewarding relationship with the security researcher community. While bug bounty programs have been used for over 20 years, widespread adoption by enterprise organizations has just begun to take off within the last few.
Developing, deploying, and managing secure products presents a massive challenge to all Internet-dependent organizations in 2016. The pressure on short time-to-market continues to increase, and attackers are upping their intensity and resourcefulness to capitalize on security vulnerabilities. Product owners must grow and evolve their vulnerability assessment and identification processes to match their adversaries and keep their users safe.
Our second annual State of Bug Bounty Report provides an inside look into the economics and emerging trends of bug bounties, with data collected from Bugcrowd's platform and other sources throughout 2016. This report is published on a yearly basis for CISOs and other security decision makers to provide a transparent look at the evolving bug bounty market.
In this report, you'll learn more about the bug bounty ecosystem, the researcher workforce, and how modern organizations are tackling their application security challenges with bug bounties.
THE FIRST BUG BOUNTY
The first bug bounty program was started at Netscape in late 1995 to find bugs in Netscape's Navigator 2.0 Internet Browser. The idea of this program was to incentivize the security research community to provide feedback on the Netscape Navigator 2.0 by providing cash rewards to anyone who found bugs in their software. Although the program is noted as one of Netscape's biggest successes, the bug bounty model did not spread quickly among other software companies.
In the past year, the term bug bounty has become more well known and widely publicized through popular programs such as Tesla Motors' car hacking program, launched mid-2015, and Hack the Pentagon. This uptick in interest is portrayed below.
What Exactly is a Bug Bounty?
As bug bounties have gained traction and evolved to achieve organizations' security assessment goals, additional variables have been introduced to the basic model. As a business, and for the purposes of the State of Bug Bounty Report, we use the term bug bounty more holistically, encompassing programs that can be further classified into the below categories.
The majority of today's bug bounty programs are scoped to web and mobile application targets, although there are several high profile examples of programs run on IoT devices and cars, such as Tesla Motors' program and General Motors' program. Other bounties focus on traditional, installable software, including Microsoft's Bug Bounty program and Google's Vulnerability Reward Program (VRP).
| PROGRAM TYPE + GOAL | VISIBILITY | INCENTIVE | SCOPE |
| --- | --- | --- | --- |
| Vulnerability Disclosure Programs: The primary objective of these programs is to ensure there is a single, public, well-defined channel for security issues. | Public | Recognition (i.e. public leaderboard) | Generally broad, accepting anything that could be considered a security risk |
| Public Bug Bounty Programs: The organization running the bounty typically interacts directly with researchers to incentivize them to submit vulnerabilities. | Public | Cash, swag, misc. (i.e. airline miles) | Slightly less broad, anything that could be considered a security risk and requires a fix |
| Private Programs: A more exclusive and more highly incentivized program, often run via a crowdsourcing platform vendor that provides submission vetting and program management. | Private | High cash incentive | Typically more specific scope or focus to encourage testing on a particular aspect of an attack surface - can be either time-boxed, or on an ongoing basis |
Differences in the type of program, incentives, time frames, and exclusivity all affect the results of a program. In this report we will address these variables in terms of the various success metrics used by the market.
Figure 1: Google search keyword trends by interest from 2004 depicts an all time peak interest at the beginning of 2016.
DEFINING BUG BOUNTY
A bug bounty is most simply defined as an incentivized, results-focused program that encourages security researchers to report security issues to the sponsoring organization.
Public bounties are just the beginning
Organizations looking to reap the benefits of a traditional public bug bounty program are utilizing private, on-demand and ongoing, bounty programs more and more. 63% of all programs launched have been private.
Bug bounties move beyond just technology companies
In nearly 300 programs run, our customer base has diversified from mostly tech companies, to now over 25% of programs launched by more traditional verticals such as Financial Services + Banking.
Average priority of submissions increases across all programs
We saw an overall increase in average priority per vulnerability, up from what we reported in our last report, with regional differences in average priority.
XSS continues to dominate
The most commonly discovered vulnerability is still Cross-site Scripting (XSS), which represents over 66% of categorized vulnerabilities disclosed, followed by Cross-site Request Forgery (CSRF).
Payouts are on the rise
Related to the increased severity of vulnerability submissions, the all time average bug reward on Bugcrowd's platform has risen from $200.81 in our first annual report, to $294.70, an increase of 47%.
Super hunters emerge
Earning hundreds of thousands of dollars from bug bounties alone, a tier of super hunters is emerging, often getting attention from organizations' security team recruiting efforts.
Bugcrowd's second annual State of Bug Bounty report provides comprehensive data from organizations running bug bounty programs, researchers participating in them, vulnerabilities discovered and rewards, with a specific focus on trends over the past year. Here are some of those top trends...
ABOUT THE DATA SET
Our inaugural State of Bug Bounty report, released mid-2015, included data from the programs run during an 18-month period between January 1, 2013 and June 30, 2015. This report adds to that data, including figures from programs run from January 1, 2013 to March 31, 2016. This data is analyzed with a specific focus on trends over the last year.
As one of the largest sources of vulnerability submission and bug bounty data, we aim to present a novel and impactful vie