Vulnerabilities are flaws and bugs in software design, development, or administration that allow attackers to trigger events which are unacceptable for an organization. The organization's cybersecurity team must find and fix all vulnerabilities as quickly as possible to improve application security and stay ahead of cybercriminals. However, sometimes these efforts are not enough, and attackers can cause great damage by exploiting just one critical vulnerability.
Vulnerabilities can be found in the most unexpected or most obvious places. To err is human, and developers make mistakes when designing and deploying applications. According to our study, critical vulnerabilities were found in 62% of web applications in 2020–2021, whereby the average number of vulnerabilities per web application fell by more than a third over the period of 2019–2021. This decrease can be attributed to development and adoption of vulnerability detection tools (for example, code analyzers) and secure software development practices. Automated vulnerability detection solutions are still relevant but not always effective, especially when it comes to finding critical access control vulnerabilities or business logic flaws. The rise in cyberattacks and discovery of previously unknown vulnerabilities make it more difficult to protect IT assets: the first half of 2022 saw 16% more cyberattacks than the same period of the previous year. With applications being constantly updated, manual application security assessment becomes too time-consuming and expensive. The idea of being able to find the most dangerous vulnerabilities in the shortest timeframe and at low cost seems utopian.
But what if automated vulnerability scanning and manual security assessment were combined and carried out not by a couple of infosec experts during their limited working hours, but by the vast global community of security researchers working around the clock and seven days a week? We have analyzed 24 platforms offering a variety of bug bounty programs. Now we share our findings in this report and explain how these platforms can be useful, what challenges they help to address, how much their services cost for organizations, and what rewards security researchers can expect. The research methodology is described in detail at the end of the report.
The crowdsourcing approach to cybersecurity is one of the best solutions to the business challenges mentioned above. It allows organizations to continuously test their software, websites, and infrastructure and detect vulnerabilities by engaging an unlimited number of security researchers. The best way to put this approach into practice is to launch a bug bounty program.
The key to a successful crowdsourcing cybersecurity program is to attract as many qualified researchers as possible.
A bug bounty program is a way for businesses to engage freelance cybersecurity researchers, security analysts, and penetration testers to probe corporate software, web applications, and infrastructure, with rewards paid for vulnerabilities detected.
Bug bounty programs give companies the opportunity to test their IT assets from different angles: any researcher can participate, using diverse approaches and tools to find vulnerabilities. Companies are in full charge of defining the program scope, controlling the budget, verifying vulnerability reports, and determining the reward size for each vulnerability.
Bug bounty is a result-oriented approach. Under the traditional approach to security analysis, organizations have to pay for the time spent on looking for vulnerabilities, regardless of the results. With bug bounty, organizations pay rewards to researchers for discovered and confirmed vulnerabilities, depending on their severity level. On top of that, competition among community members and result-based rewards motivate researchers to think outside the box and find the most business-relevant vulnerabilities with the highest damage potential.
Bug bounty programs reward researchers for vulnerabilities found, and not for the time spent on looking for them.
By engaging external experts, organizations can identify security flaws more efficiently and reduce the burden on their in-house IT teams, so they can focus on strengthening weak spots and developing their products and services. By paying only for detected vulnerabilities, companies can manage their budgets more wisely.
Despite the benefits of bug bounty programs, not all organizations can afford them for several reasons:
To help businesses cope with these and other challenges, bug bounty platforms emerged. They are like marketplaces that aggregate programs from multiple organizations and allow security researchers to find projects they are interested in. Such platforms provide organizations with the infrastructure required to run bug bounty programs efficiently, arrange collaboration with researchers, and offer support by experts during vulnerability verification.
Bug bounty platforms have the advantage of combining two elements:
All researchers who start searching for vulnerabilities commit to the principles of responsible disclosure. According to them, only the platform and the researcher will know about the vulnerabilities discovered, while the organization will get sufficient information about each vulnerability and enough time to fix it.
The world's largest bug bounty platforms are HackerOne, BugCrowd, Intigrity, Synack, and YesWeHack.
First, the organization and the platform define the program scope, the unacceptable events (in the context of Standoff 365), the pricing policy, and the vulnerability report template. Then the platform publishes the program and promotes it among community members, encouraging them to participate. Researchers find vulnerabilities and report them to the platform. The platform team verifies the existence of each vulnerability, its uniqueness, and compliance with the program scope.
Figure 1. Hosting a bug bounty program on a platform
The price for bug bounty platform services includes several components:
The average annual subscription to bug bounty platform services is $16,000. Platforms also charge a 20% commission on each payout (on average).
When it comes to rewarding the efforts of researchers, there are two payout models:
The pricing policy may depend on how dangerous a particular vulnerability is to the business. Such vulnerability severity scoring can be based, for example, on the CVSS 3.1 framework.
Table 1. Vulnerability severity scoring based on CVSS 3.1
|Vulnerability severity rating based on CVSS 3.1||CVSS 3.1 score||Vulnerability examples|
|Critical||от 9 до 10||XXE Injection and SQL Injection with significant impact on the application; Remote Arbitrary Code Execution and Privilege Escalation|
|High||от 7 до 8,9||IDOR, Stored XXS, and CSRF with significant impact on the application; SSRF and Authentication Bypass|
|Medium||от 4 до 6,9||IDOR, Reflective XSS, and CSRF with medium impact on the application|
|Low||от 0,1 до 3,9||Invalid SSL parameters, XXS, and CSRF with low impact on the application|
On average, organizations are willing to pay over $7,000 for a critical vulnerability. For example, a researcher can get $12,000 for discovering an SQL Injection vulnerability that allows unauthorized access to data on Twitter. Various platforms offer an average of $3,000 for vulnerabilities related to authorization and authentication flaws. Zerocopter reports that payouts for the most common Cross-Site Scripting (XSS) vulnerability, which was discovered in 13% of applications, can range from $250 to $700, depending on the impact.
Figure 2. Average rewards by vulnerability severity level
Figure 3. Average rewards per vulnerability
In order to determine the severity rating more accurately, every organization needs to know how potential exploitation of vulnerabilities could affect its operations and whether it could lead to business-critical consequences. Standoff 365, a bug bounty platform, suggests a new approach: in addition to hunting for vulnerabilities and submitting reports, researchers are encouraged to demonstrate how the security flaws they discover can be used to trigger unacceptable events. If a researcher submits a report with a clear and comprehensive description of the complete attack vector and the vulnerabilities exploited, and this report is verified by the platform team, the researcher is eligible for a reward that is several times higher than payouts for ordinary vulnerabilities.
An unacceptable event is an event that occurs as a result of cybercriminal activity, making it impossible to achieve operational and strategic goals or leading to long-term disruption of core operations.
Bug bounty platforms are represented unevenly in the global market, and not every country has large and trustworthy platforms. The highest number of large bug bounty platforms is concentrated in Asia, which is home to 38% of the platforms covered by this study. Europe ranks second with one-third of the platforms, including some of the largest, such as Intigriti, YesWeHack, Zerocopter, and Standoff 365. North America and the Middle East account for 21% and 8%, respectively.
Figure 4. Bug bounty platforms by region
1. Public programs are open to any researcher: anyone can get access and start looking for vulnerabilities.
2. Private programs are aimed at a certain group of researchers who get access by invitation.
Figure 5. Bug bounty platforms by program type
Figure 6. Bug bounty platform customers by industry
Bug bounty programs and platforms are becoming increasingly popular among organizations seeking to ensure cybersecurity of their assets. HackerOne analysts found that in 2021 the number of bug bounty programs increased by 34% compared to 2020, with security researchers discovering 21% more vulnerabilities. According to an AllTheResearch report, the global bug bounty market is expected to reach $5.4 billion in revenue by 2027. This growth is driven by the following factors:
However, the following factors may restrict the projected growth:
The crowdsourcing approach to cybersecurity is very promising, and its implementation in the form of bug bounty programs gives many advantages over traditional solutions. Among such advantages are result orientation, continuous testing, program flexibility and scalability, and a transparent reward system.
However, not all organizations are capable of implementing self-managed bug bounty programs: some of them struggle with scope definition, some lack experience or resources to launch their own programs, and others are not trusted by security researchers.
To overcome these challenges, bug bounty platforms were created, aggregating bug bounty programs from multiple organizations. Such platforms give security researchers the freedom to find projects they like. Platforms help customers define program scope, target applications, and testing systems. They also take care of communication with researchers and verification of their reports. This frees up resources of customers' IT teams, so they can focus on improving their systems and applications based on vulnerability reports.
For a reasonable fee, organizations get all the necessary infrastructure, support, the ability to pay only for results, and, most importantly, researchers with diverse skillsets who are willing to hunt for vulnerabilities 24/7. Standoff 365 offers organizations a unique chance to test how well their products are protected from unacceptable events. This approach allows customers to understand the real-life consequences of attacks on their applications and get detailed reports that accelerate fixing the security issues.
Security researchers, in turn, can benefit from speedy feedback provided by platform representatives, fair rewards that are significantly higher if a detected vulnerability could trigger an unacceptable event, and rating systems that pave the road to more profitable private programs. All these measures foster competition and drive improvement among community members.
This report presents the results of our study covering 24 of the largest and most active (at the time of the study) bug bounty platforms from across the globe. We considered the following parameters: geographic location, types of programs offered by platforms, customers' industry, average rewards depending on vulnerability severity and industry, average cost of joining a platform, and average commission charged per payout to the researcher. Table 2 shows the bug bounty platforms included in this study and their geographic location.
All information was obtained from official platform websites and does not contain any confidential data. The average rewards by industry are calculated based on the average maximum and average minimum values for each industry and platform. The average rewards by severity are calculated based on the average maximum and average minimum payouts for each severity level and platform. All amounts are in U.S. dollars.
The severity of vulnerabilities was assessed according to the Common Vulnerability Scoring System (CVSS) version 3.1. The resulting scores were used to determine the qualitative severity values: critical, high, medium, and low.
Table 2. Bug bounty platforms covered by this studyy