30% of CISOs Plan on Entering a Bug Bounty Program in the Next Year

With cybercrime showing no signs of slowing down in 2018, security leaders are looking to find and invest in the best tools and approaches to combat their adversaries. Yet the cat-and-mouse-game continues, as hackers get more innovative every day, sometimes outpacing even the best cyber defenses.

To get a better understanding of what is top of mind for cyber security leaders this year – top investment goals and concerns – Bugcrowd surveyed more than 250 CISOs, CIOs and CTOs across different industries and regions.

Bugcrowd offers vulnerability disclosure and bug bounty programs for software vendors, where white hat hackers sink their teeth into the code to intentionally find vulnerabilities before bad actors do so, giving vendors a chance to plug those holes.

30 percent of Chief Information Security Officers (CISOs) are now considering signing up for such a program in the coming year, new data shows.

“With policies and standards in place such as NIST and the Data Security and Breach Notification Act, it’s now incumbent on organizations to ensure they are setup to receive vulnerability data from external parties and is already becoming an adhered-to standard for major private organizations,” according to Bugcrowd.

The number of new enterprise bug bounty programs launched in the last year has grown rapidly. Nearly half of all programs (44.2%) are run by organizations with more than 500 employees. Companies with over 5,000 employees are commanding 16.3% of programs this year, and surveyors said they’ve noticed an accelerated growth in adoption among the Fortune 500 this year.

The top 5 industries in terms of adoption are: Computer Software, Internet, Information Technology and Services, Financial Services and Banking, and Computer and Network Security.

Security strategists were asked to name the most valuable aspects pertaining to a vulnerability disclosure or bug bounty program. In their own words:

63.6% of CISOs believe the most valuable aspect of running VDP or bug bounty is the varied skill sets, skill level and expertise of hackers in the community, while 56.8% believe the expertise of testers in specific areas is a true asset to their organization. A similar percentage of security executives think the most value comes from finding high-profile, critical vulnerabilities. All in all, CISOs running vulnerability disclosure programs or bug bounties are seeing real benefits from the crowdsourced approach, surveyors concluded.

There are also some perceived concerns of running a vulnerability disclosure / bug bounty program, such as fear of unauthorized public disclosure situations, implementations issues, or skepticism around the quality of the results.

Bitdefender itself reaps the benefits of the crowdsourced security assessments made possible by the Bugcrowd community. We strongly believe that being pro-active (rather than re-active) to emerging threats is instrumental towards achieving a robust offering, both to enterprise clients and regular consumers.