Bug bounty programs triple in 2017; $742 payout per vulnerability

99.7 percent of applications investigated have at least one vulnerability, says the Trustwave Global Security Report. Hackers take advantage of undetected vulnerabilities to exploit devices and launch attacks, but what if some switched sides and joined bug bounty programs? How much money is each vulnerability worth?

Bug bounty programs, once only run by the tech industry, have tripled since April 2016, according to Bugcrowd’s 2017 State of Bug Bounty report, a company that performs both public and private bug bounty programs.

In fact, since March 31, 2017, the number of valid vulnerability submissions has grown 73 percent, while payouts are approximately 53 percent higher now than in 2016.

Because the attack surface is growing rapidly, “traditional security assessment is simply not effective in stemming the tide [of attacks]. Interconnectivity at scale requires security assessment at scale,” says the bug bounty service provider.

As many as 44 percent of bug bounty programs are run by companies with at least 500 employees, out of which only 16 percent have more than 5,000 staff members.

Because they’re so difficult to detect, hackers scanning for IoT vulnerabilities receive the highest payouts, especially in the automotive industry which registered 400 percent growth. Other fast-growing industries are leisure and travel (300%), computer networking (143%), healthcare (133%) and financial services (94%). Computer software, Internet, information technology and services, financial services and banking, and computer and network security run 68 percent of bug bounty programs.

IoT and hardware targets receive an average payout of $742, while payouts for web targets are $595 and $385 for mobile targets. And these are not even expensive. The highest reported payout for a vulnerability was $50,000, while the lowest was $50.

Naturally, it depends on the type of vulnerability. For example, the payout for a critical vulnerability is $1,776. Some of the most critical vulnerabilities reported are SQL Injection (63%) with the highest payout of $1,958, cross-site scripting (25%) at $314 and Cross Site Request Forgery (7%) at $252.

Bugcrowd’s key findings are based on data collected between January 2013 and March 2017 from over 600 bug bounty programs (77% private and 23% public) and over 96,000 vulnerability submissions from more than 60,000 researchers.