September 2016 2
Folks Leading The Discussion Today: Quick Bios
@caseyjohnellis
Founder and CEO, Bugcrowd
Recovering pentester turned solution architect turned sales guy turned entrepreneur
@kym_possible
Senior Director of Researcher Operations, Bugcrowd
Data analyst, security evangelist, behavioral psychologist, former director of a Red Team
Agenda: What Are We Covering Today?
1. What is a Bug Bounty?
2. Bug Bounty Industry Trends
3. Trends From the Researcher Community
What is a Bug Bounty? For Those of You Who Are New
Think of it as a competition where independent security researchers all over the world find and report vulnerabilities to companies and their applications in exchange for rewards.
They Have Been Around For 20+ Years: Bug Bounty History
[Figure: The History of Bug Bounties: Abbreviated Timeline from 1995 to Present. Phases shown: Early Bug Bounties, Breakthrough in Bug Bounties, Modern Bug Bounties. Years marked on the timeline: 1995, 2002, 2004, 2005, 2007, 2010, 2011, 2012, 2013, 2014, 2015, 2016.]
What Does Bugcrowd Do? A Platform That Connects Organizations to the Researcher Community
38,000+ Researchers
With specialized skills including web, mobile and IoT hacking. Our community is made up of tens of thousands of hackers from around the world.
Organizations Both Big and Small
Making bug bounties easy for every type of company through a variety of Bug Bounty Solutions.
State of Bug Bounty 2016: What Our Data Is Saying About the Industry
Where Has All Our Data Come From? Our Success So Far
300+ total programs run on the Bugcrowd platform
64% private programs compared to 36% public
54K+ total vulnerability submissions made as of September 15, 2016
$3M+ paid out to the crowd as of September 15, 2016
38K+ researchers in the crowd as of September 15, 2016
210% program growth
What We Know Today: Bug Bounties Have Reached A Tipping Point
Quality: Compared with traditional testing methods, bug bounties present a significant advantage
Maturation: As this model matures, with private programs gaining traction, more organizations can tap into the crowd
Growth: More organizations are adopting this model, including large enterprises and traditional industries
Impact: Critical vulnerabilities are increasing in volume along with average payout per bug
Considerable Growth In Program Types: Market Adopting Quickly
The total number of bounty programs being run is on the rise: a 210% increase year over year
Private programs are being adopted more quickly than public programs
63% of all launched programs are private
Growth Across Many Verticals: Industries Utilizing A Bug Bounty
Companies of all industry types are running bug bounty programs
As expected, computer software and internet-based companies have the widest adoption
"Non-traditional" industries (healthcare, financial services) have been rapidly adopting over the last 12 months
Growth Across All Sizes of Organizations: SMB & Enterprise
Enterprises have been quickly adopting over the last 12 months, accounting for 11% of programs
50% of programs are run by companies with 200 employees or fewer, owing to the economic advantage
What is Being Found? Volume of Valid & Original Vulnerabilities Over Time
Vulnerability Rating Taxonomy: http://bgcd.co/vrt-2016
More critical vulnerabilities are being submitted
Fewer non-critical vulnerabilities are being submitted
Security researchers are getting more discerning about what they submit
Organizations are getting more prescriptive with the scope and goals of programs
What is Being Found? Types of Vulnerabilities
Why So Much XSS: http://bgcd.co/xss-big-bugs
XSS accounts for 66% of all valid submissions
CSRF next highest at 20% of all valid submissions
Why Is This Adoption Happening? Survey Results: Top value in running a bug bounty program
Researchers Are Making Money: How Much Has Been Paid Out
$2,054,721 has been paid out to date to the global researcher community for 6,803 valid vulnerabilities found
Defensive Vulnerability Pricing Model: http://bgcd.co/dvpm-2016
Different Types of Researchers: Survey Data: Wide Range of Age & Education
[Chart: researcher education level, survey data] Graduate Degree 12.76%; Some Graduate School 4.10%; College Degree 42.14%; Some College 28.70%; High School Degree 12.30%
Researcher Time Spent Hacking: Survey Data: Not Yet a Full Time Thing For Most
15% of the crowd is hacking on bug bounties as a primary source of income
24% of the crowd are full time developers
18% of the crowd are full time pen testers
Be on the lookout for our upcoming report on the Bugcrowd community
Multi-Solution Bug Bounty Model Gaining Traction: Not Just About Public Programs
Public Ongoing Program: Engage the collective intelligence of thousands of security researchers worldwide. The perfect solution to incentivize the continuous testing of main web properties, self-sign-up apps, or anything already publicly accessible.
Private Ongoing Program: Continuous testing using a private, invite-only crowd of researchers. The perfect solution to incentivize the continuous testing of apps that require specialized skill sets or that are harder to access.
On-Demand Program: Project-based testing using a private, invite-only crowd of researchers. The perfect solution for testing new products, major releases, new features, or anything needing a quick test for up to two weeks.
Many organizations are utilizing different types of Bug Bounty Solutions
Predictions and Challenges: Bug Bounties Have Reached A Tipping Point
PREDICTION: The crowd will continue to diversify and mature, creating more opportunities for organizations to utilize bug bounties for increasingly complex applications
PREDICTION: Traditional testing methods will evolve to work alongside bug bounty programs
PREDICTION: Bug bounties will shift from a “nice to have” to a “must have” for most organizations