Bug bounty programs can get you paid, whether as a side endeavor or a proper job. But in all the programs we hear about, one major industry is flying under the radar… and the payouts are really good.
Year-over-year (2017 to 2018), the healthcare industry saw the number of bugs reported jump 340 percent. Bugcrowd’s report also states: “While we see an uptick in submissions in Q3 year-on-year, we are on track to see a steady increase in vulnerability again this year.” The bugs are just waiting to be squashed!
Around 42 percent of the bugs reported carry the “P3” designation, the middle of the scale (it runs from P1 through P5, with P1 being critical and P5 the least critical). Meanwhile, 29 percent are P1 or P2 bugs.
Bugcrowd says a whopping 75 percent of the bugs submitted for bounty are for websites.
Getting paid is what drives bug bounty programs. In Q1 2019, payouts were up 30 percent versus Q1 2018. Average payouts are also trending upward over the course of the past two years. In 2017, a P1 bug for the healthcare industry paid about $1,266; in 2019, the same-level bug pays $3,425. The average payout for healthcare bug bounties in Q1 2019 was right around $1,000.
Payouts are up across all levels of bugs reported, too. P1 and P2 ($855 in 2017; $2,642 in 2019) are the most lucrative, and have seen the largest bump in payout, but even a P5 bug pays 25 percent more in 2019 ($100 in 2017; $125 in 2019).
Healthcare bug bounty programs aren’t flashy, but they are critical. As Bugcrowd points out, “Cyber attacks in healthcare can compromise not only networks and data, but also threaten the applications and services supporting critical patient care systems,” adding, “This evolving threat landscape in healthcare and migration to cloud-based infrastructure are giving rise to innovative programs such as crowdsourced cybersecurity.”
If being a champion for healthcare data security doesn’t drive you, money likely does: healthcare bug bounty programs outpace the rest of the industry. HackerOne reports its average payout is about $625 per bug reported, several hundred dollars less than what severe healthcare bugs tend to pay.
Some companies such as Uber and GitHub have headline-grabbing bounty programs, but you have to effectively take the entire service down to earn those huge payouts. Let’s be honest: that’s probably not you.
Discovering and reporting a bunch of mid-level bugs in a website and the way it handles data, though? That’s more doable, and probably a lot more helpful to everyone.