Bug Bounty Tipping Point: Strength in Numbers

Transcript of Bug Bounty Tipping Point: Strength in Numbers

September 2016 1

Folks Leading The Discussion Today: Quick Bios

@caseyjohnellis

Founder and CEO, Bugcrowd

Recovering pentester turned solution architect turned sales guy turned entrepreneur

@kym_possible

Senior Director of Researcher Operations, Bugcrowd

Data analyst, security evangelist, behavioral psychologist, former director of a Red Team

Agenda: What Are We Covering Today?

1. What is a Bug Bounty?

2. Bug Bounty Industry Trends

3. Trends From the Researcher Community

CONFIDENTIAL JULY 2016 GTM PLAYBOOK

What Is a Bug Bounty?

What is a Bug Bounty? For Those of You Who Are New

Think of it as a competition…

Where independent security researchers all over the world find & report vulnerabilities to companies and their applications in exchange for… rewards.

What Problem Do Bug Bounties Solve? Combat the Defender's Dilemma

They Have Been Around For 20+ Years: Bug Bounty History

[Figure: The History of Bug Bounties: Abbreviated Timeline from 1995 to Present. Phases shown: Early Bug Bounties, Breakthrough in Bug Bounties, Modern Bug Bounties. Years marked: 1995, 2002, 2004, 2005, 2007, 2010, 2011, 2012, 2013, 2014, 2015, 2016.]

© BUGCROWD INC. 2016

What Does Bugcrowd Do? Platform That Connects Organizations to the Researcher Community

38,000+ Researchers

With specialized skills including web, mobile and IoT hacking. Our community is made up of tens of thousands of hackers from around the world.

Organizations Both Big and Small

Making Bug Bounties easy for every type of company through a variety of Bug Bounty Solutions.

State of Bug Bounty 2016: What Our Data Is Saying About the Industry

Where Has All Our Data Come From? Our Success So Far

300+ total programs run on the Bugcrowd platform

64% private programs compared to 36% public

54K+ total vulnerability submissions made as of September 15, 2016

$3M+ paid out to the crowd as of September 15, 2016

38K+ researchers in the crowd as of September 15, 2016

210% program growth

What We Know Today: Bug Bounties Have Reached A Tipping Point

Quality: Compared with traditional testing methods, bug bounties present a significant advantage

Maturation: As this model matures, with private programs gaining traction, more organizations can tap into the crowd

Growth: More organizations are adopting this model, including large enterprises and traditional industries

Impact: Critical vulnerabilities are increasing in volume along with average payout per bug

Considerable Growth In Program Types: Market Adopting Quickly

The total number of bounty programs being run is on the rise: a 210% increase YOY

Private programs are being adopted more quickly than public programs

63% of all launched programs are private

Growth Across Many Verticals: Industries Utilizing A Bug Bounty

Companies of all industry types are running Bug Bounty Programs

As expected, computer software and more internet-built companies have the widest adoption

“Non-Traditional” industries (healthcare, financial services) have been rapidly adopting over the last 12 months

Growth Across All Sizes of Organizations: SMB & Enterprise

Enterprises have been quickly adopting over the last 12 months, accounting for 11% of programs

50% of programs are run by companies with 200 employees or less, due to the economic advantage

What is Being Found? Volume of Valid & Original Vulnerabilities Over Time

Vulnerability Rating Taxonomy: http://bgcd.co/vrt-2016

More critical vulnerabilities being submitted

Fewer non-critical vulnerabilities being submitted

Security researchers are getting more discerning with what they submit

Organizations are getting more prescriptive with the scope and goals of programs

What is Being Found? Types of Vulnerabilities

Why So Much XSS: http://bgcd.co/xss-big-bugs

XSS accounts for 66% of all valid submissions

CSRF is next highest at 20% of all valid submissions

Why Is This Adoption Happening? Survey Results: Top value in running a bug bounty program

State of Bug Bounty 2016: What Our Data Is Saying About the Crowd

Rapidly Growing Researcher Community: Currently 38,000+ Researchers

Researchers Are Making Money: How Much Has Been Paid Out

$2,054,721 has been paid out to date to the global researcher community for 6,803 valid vulnerabilities found

Defensive Vulnerability Pricing Model: http://bgcd.co/dvpm-2016

Rapidly Growing Researcher Community: From All Over The World

Different Types of Researchers: Survey Data: Wide Range of Age & Education

[Chart: researcher education level. Categories, in the order extracted: Graduate Degree, Some Graduate School, College Degree, Some College, High School Degree. Values, in the order extracted: 12.76%, 4.10%, 42.14%, 28.70%, 12.30%.]

Researcher Time Spent Hacking: Survey Data: Not Yet a Full Time Thing For Most

15% of the crowd is hacking on bug bounties as their primary source of income

24% of the crowd are full time developers

18% of the crowd are full time pen testers

Be on the lookout for our upcoming report on the Bugcrowd community

Different Types of Researchers: Survey Data: Wide Range of Skills & Specialities

Key Takeaways: Where the Market is Today and Where Is It Going?

What We Know Today: Wide Range of Companies Adopting

Multi Solution Bug Bounty Model Gaining Traction: Not Just About Public Programs

Public Ongoing Program: Engage the collective intelligence of thousands of security researchers worldwide. The perfect solution to incentivize the continuous testing of main web properties, self-sign up apps, or anything already publicly accessible.

Private Ongoing Program: Continuous testing using a private, invite-only crowd of researchers. The perfect solution to incentivize the continuous testing of apps that require specialized skill sets or that are harder to access.

On-Demand Program: Project based testing using a private, invite-only crowd of researchers. The perfect solution for testing new products, major releases, new features, or anything needing a quick test for up to two weeks.

Many organizations are utilizing different types of Bug Bounty Solutions

Predictions and Challenges: Bug Bounties Have Reached A Tipping Point

PREDICTION: The crowd will continue to diversify and mature, creating more opportunities for organizations to utilize bug bounties for increasingly complex applications

PREDICTION: Traditional testing methods will evolve to work alongside bug bounty programs

PREDICTION: Bug bounties will shift from a “nice to have” to a “must have” for most organizations

Q&A Download the full report here: http://bgcd.co/state-of-bug-bounty-2016