Bug bounty payouts double in 2018; India reports the most bugs while U.S. wins highest payouts

Some of the biggest players in various industries have turned to the crowdsourced security model – white hat-driven bug bounty programs – in a race to identify emerging vulnerabilities before the black hats do.

AWS Builder Community Hub

The crowdsourced security model brings the brightest ethical hackers together. Bug bounty and vulnerability disclosure programs uncover seven times more high-priority vulnerabilities than traditional assessment methods, and the smart companies are turning to crowdsourced security to cope with a complex threat landscape, according to Bugcrowd.

The industries most eager to adopt the crowdsourced security model include Computer Hardware, Software & Networking, IT Services, eCommerce / Retail, Financial Services, and Telecom / Communication Services, the company said.

In its fourth iteration, the 2018 Bugcrowd State of Bug Bounty Report reveals a spike across the board in the number and severity of vulnerabilities, as well as an increase in payouts to ethical hackers.

The total number of vulnerabilities submitted via the company’s platform rose 21 percent in the last 12 months, year-over-year, to more than 37,000. Significantly, the average payout across all programs and industries doubled.

The Top 5 vulnerabilities submitted this past year were: Cross-Site Scripting (XSS) Reflected; Cross-Site Scripting (XSS) Stored Admin; Broken Authentication and Session Management Failure to Invalidate Session; Broken Authentication and Session Management Weak Login Function Over HTTP; and Server Security Misconfiguration No Rate Limiting on Form.

Bugcrowd’s legion of white hat hackers has grown 71 percent in the past year, with representatives from more than 100 countries. One standout from the report is India, responsible for an impressive 30 percent of vulnerability submissions. However, the largest payment amount went to the United States, suggesting Americans have more of a knack for high-profile bugs.

(This post on the Microsoft Developer blog explains, rather comically, how the P1, P2, P3… priority system works in the bug bounty world).

The report also notes a 40 percent increase in the number of bug bounty programs opened during the past year. A 33 percent increase was also recorded among private programs. In another key finding, 75 percent of all P1 vulnerability payouts were above $1,200, up from $926 last year. And more than 91 percent of all vulnerability submissions were web vulnerabilities.

*** This is a Security Bloggers Network syndicated blog from HOTforSecurity authored by Filip Truta. Read the original post at: