During the past year, the Bugcrowd bug bounty platform has seen a tremendous growth when it comes bug bounty payouts, but also in terms of the enterprises that signed up for its service.
The company has recently published its annualreport, and according to statistics gathered since the service started back in 2013, the company ran 286 total bug bounty programs, received 54,114 bug submissions, and paid researchers $2,054,721 for 6,803 accepted reports.
Surprisingly, 63 percent of all the bug bounty programs ran on the platform have been private programs, where only invited researchers were able to submit bug reports.
Researchers are reporting more severe bugs
Nevertheless, the platform has been a hot destination for security researchers, whose bug reports increased in quality. Bugcrowd noticed an overall growth in terms of bug severity, meaning researchers stopped reporting low-to-medium issues and focused their efforts on discovering high and critical vulnerabilities.
The reason behind this shift towards more quality bug reporting comes from the fact that most companies tend to pay higher rewards for critical bugs.
Bugcrowd says that this trend is also one of the many factors that helped improve the platform’s all-time bug reward average payout, which grew from $200.81, as calculated at this time last year, to $290.70.
The rise of superstar bug hunters
The company also reports a 41 percent userbase growth in the past year, with a tally of 26.782 researchers on March 31, 2016.
Of these, the company notes the rise of a special class of bug hunters, which it calls “super hunters,” researchers that produce high volumes of valid bug reports, earning over $100,000 per year from bug hunting on Bugcrowd alone.
In fact, Bugcrowd’s top ten most successful researchers accounted for 23 percent of all bug payouts.
These researchers are in high demand for many of Bugcrowd’s private bug bounty programs and are also the prime targets of head-hunting HR firms.
As for what types of bugs have been reported, Bugcrowd’s report reveals that during the platform’s lifetime, 66.24 percent of all bug reports were XSS vulnerabilities, followed by 19.71 percent of CSRF issues, 8.79 percent of mobile-related bugs, 3.64 percent of SQL injections, and 1.62 percent of clickjacking bugs.