Bug Bounty Payouts Way Up as Companies Rush to Patch Holes

A new report from Bugcrowd shows the number of bug bounty submissions in 2019 is way up, while payouts have increased 83 percent year-over-year.

Analyzing the first half of 2019, Bugcrowd found a 29 percent increase in the total number of bug bounty programs launched by companies looking to patch vulnerabilities. We’ve seen this with GitHub and Google, both of which reported an expanded bug bounty program. In both cases, finding a critical vulnerability will earn you upwards of $30,000… so long as you have the right bugs squished (and the right skillset to do so).

Bugcrowd notes that, in 2018, the bug bounty program ecosystem shifted a bit. Companies became more focused on the kinds of flaws that artificial intelligence (A.I.) and machine learning scanners couldn’t identify. “Broken access control” and “sensitive data exposure” have become the top two vulnerability classes identified in bug bounty programs over the past 12 months. Bugcrowd writes they “are systemic issues with critical impact, and very few programming frameworks out there… protect against them,” adding: “The ones that do are far from perfect.”

With the total number of payouts up 83 percent, the report also shows bug bounty programs are paying a higher average per bug squashed: a 27 percent increase YoY brings the average payout to $2,669.72. There was also a 50 percent increase in the number of public bounty programs launched.

If you’re wondering where the vulnerabilities lie, the report shows a massive 384 percent uptick in the number of Internet of Things (IoT) targets available to bug bounty programs. Bugcrowd notes this is directly related to more security researchers specializing and focusing on the IoT sector, which is leading to a massive number of targets being posted to bounty programs.

Internet of Things targets weren’t the best-paying overall, though; IoT falls second to web-based targets in total payouts. But IoT critical payouts surpass all others by far: the average critical IoT-related payout is $8,556. Critical API targets earn you $3,055, while critical web targets receive a $2,442 payout.

Across the board, bug bounty programs are simply ‘up.’ Payouts are better, there are more public and private programs, and there are just more targets to go after. Industries such as healthcare and automotive are also increasing their bug bounty programs. We can’t say you’ll become a millionaire off bug-squishing, but increased payouts and better access to bug bounty programs are great indicators that you should keep them in mind when trying to earn some side cash.