Positive Technologies analyzed the largest and most active bug bounty platforms across the globe [1]. The highest demand for the services of bug bounty platforms was observed [2] in the following sectors: IT (16%), online services (14%), services (13%), trade (11%), and finance (9%). This global trend largely correlates with the situation in the Russian market. Russian bug bounty programs are mostly used by private businesses serving a large number of customers. Some examples of such businesses are banks, online services, e-commerce players, and IT vendors. Public sector and critical infrastructure organizations could become the main driver of bug bounty initiatives.
According to HackerOne, the number of bug bounty programs increased by 34% in 2021, with security researchers discovering 21% more vulnerabilities. By 2027, the bug bounty market is expected to reach $5.5 billion in revenue.
Positive Technologies found that Asia leads by number of large bug bounty platforms: 38% of the platforms included in the analysis are located in this region. Europe (including Russia) ranks second with one-third of the platforms. Some of the largest platforms are hosted here, in particular Intigriti, YesWeHack, Zerocopter, and Standoff 365 Bug Bounty. North America and the Middle East account for 21% and 8%, respectively.
The Russian bug bounty market is rapidly evolving. In 2020, Russia was among the top three countries by size of earnings for bug bounty hunters, overtaking China and Germany. About 40 companies launched public bug bounty programs in recent years. There are three major local platforms: BI.ZONE Bug Bounty, Bug Bounty Ru, and Standoff 365 Bug Bounty. Half of Russian bug bounty programs are private, with a limited number of handpicked researchers.
Russian companies are willing to pay tens, sometimes hundreds of thousands of rubles per vulnerability discovered by bug bounty hunters. Some payouts even exceed 1 million rubles. For example, Standoff 365 Bug Bounty offers 420,000 rubles on average for a critical vulnerability, which matches the rewards on offer in other countries. Worldwide, the highest average bug bounty rewards for critical and high-severity vulnerabilities are paid by blockchain projects ($13,100 and $5,300, respectively) and IT companies ($6,600 and $2,200, respectively).
Positive Technologies expects the number of Russian bug bounty programs to increase dramatically in the near future. There are several drivers for further market growth: the number and complexity of cyberthreats are increasing, many global services are not available in Russia, and more and more organizations from various sectors (including small businesses and public institutions) are embracing bug bounty programs as a valid cybersecurity approach.
Another contributing factor could be the elimination of legal barriers currently pursued by the Russian Ministry of Digital Development, Communications, and Mass Media together with FSTEC (Federal Service for Technology and Export Control). As a result, more economic sectors would be able to use bug bounty programs, thus enhancing their cybersecurity processes and fueling organic market growth. Experts believe that critical infrastructure assets would benefit from employing such programs, in addition to cybersecurity scanners and regular penetration tests. Organizations operating critical infrastructure assets see bug bounty programs as a way to check whether their IT systems are prone to unacceptable events that could cause irreparable damage.
Such programs are offered by Standoff 365: security researchers can not only look for vulnerabilities, but also try to exploit them, triggering unacceptable events.
"This innovative approach benefits all Standoff 365 Bug Bounty users," comments Yaroslav Babin, CPO of Standoff 365. "Companies get detailed reports on exploitation of vulnerabilities that led to unacceptable events, and can start fixing the flaws immediately. Meanwhile, researchers get much higher rewards than in conventional programs."
Within five months of the launch of Standoff 365 Bug Bounty, security researchers submitted 550 reports, more than 150 vulnerabilities were discovered and fixed, and over 3 million rubles were paid out in bounties. Compared to its Russian peers, the platform has the highest number of participants and programs: over 2,500 registered community members and 21 bug bounty programs (including those of Azbuka Vkusa, Mail.ru, Rambler&Co, VKontakte, and Zen).
Based on the experience of Standoff 365 Bug Bounty, Positive Technologies recommends that customers with large scopes (more than ten full-featured, content-rich web applications) should allocate an average of 5 million rubles per year for bug bounty programs, not including the cost of subscription. The true amount of necessary expenses can be determined as the program runs, according to company experts. The recommended size of allocated funds removes the risk of going over budget, allowing customers to make maximum use of the program.
[1] The report covers 24 bug bounty platforms, each having over 700 users and hosting at least 20 active programs.
[2] Among organizations whose programs are hosted on bug bounty platforms.