How to Use Your Bug Bounty Budget Efficiently
Every organization is different, which means that one team’s bug bounty budget may be drastically different from that of the next. Yet, time and again, we notice organizations of all sizes and budgets experience some of the same challenges when managing their bug bounty budgets. In HackerOne’s 7th Annual Hacker Powered Security Report, we shared our annual bounty benchmarking data that can help security teams secure the appropriate budget, price bounties more effectively, and manage budgets more efficiently.
Cost of a Breach
Before diving into the bug bounty data, it’s critical that teams understand the value of a bug bounty program in identifying vulnerabilities before they result in a breach. According to the IBM Security Cost of a Data Breach Report 2023, “The average cost of a data breach reached an all-time high in 2023 of $4.45 million.” That’s a 2.3% increase from last year and a 15.3% increase since 2020.
According to the IBM report, when broken down by industry, healthcare continues to report the highest breach costs for the 13th year in a row at $10.93 million. In 2022, the technology sector was in the top five of most expensive breaches, but this year, it has dropped down to the sixth spot at $4.66 million, while the industrial sector moved up from the seventh spot to the fifth, costing $4.73 million for a breach. The cost of a breach broken down by industry is as follows:
Industry | Average Cost of Breach |
Healthcare | $10.93 million |
Financial | $5.90 million |
Pharmaceuticals | $4.82 million |
Energy | $4.78 million |
Industrial | $4.73 million |
Technology | $4.66 million |
Communications | $3.90 million |
Entertainment | $3.62 million |
Hospitality | $3.36 million |
It’s perhaps no surprise that the technology industry has dropped in the ranks of breach expense since these organizations are some of the most mature when it comes to cybersecurity initiatives, including their collaborations with the ethical hacking community. Let’s look closer at how the industries outlined by IBM compare to those analyzed in the Hacker Powered Security Report.
Cost of a Bug
When comparing the cost of a breach to the cost of a vulnerability surfaced through bug bounty, the value is clear. According to the 7th Annual Hacker Powered Security Report, the average price of a bug bounty on the HackerOne platform is $1,000, and the median price of a bug is $500, up from $400 in 2022. The average cost for high and critical bounties is $3,700, and the 90th percentile for high and critical is $12,000. Even the cost of the most critical and expensive bugs pales in comparison to the cost of a breach.
Breaking it down by industry, the most competitive bug bounties don’t necessarily match up with the industries that experience the highest costs of a breach. The automotive industry, for example, which is an emerging industry on the HackerOne platform, has seen the largest increase in bounties overall. Technology companies are seeing their costs falling when it comes to breaches, and the computer software subset may be following this trend with bounty payments at an average of only $1,500 for the 90th percentile. When examining high and critical bugs, crypto and blockchain organizations continue to pay the highest bounties, with the top award reaching $100,050 in this industry. While computer software and internet companies offer lower bounties on average, they offer highly competitive rewards for the most critical vulnerabilities.
In many cases, there may not be a direct parallel between the cost of a breach and bounty trends across industries. Cryptocurrency and blockchain organizations, for example, may not be a benchmark that makes sense for everyone to measure against as a peer. However, the connection between breach cost and bounty payouts can help showcase the ROI of not only bug bounty but the security program as a whole against the cost of a breach.
3 Tips for Managing Bug Bounty Budget Efficiently
There are nuances that can make managing a bug bounty budget challenging. Based on some of the most common bug bounty issues we’ve seen, here are three tips to help you make the most of your bug bounty budget.
1. Make a Strong Business Case For Your Budget
Many security leaders are challenged to articulate the business case of bug bounty to stakeholders and board members, and that’s a difficult conversation to have without the right information. As a result, security teams fail to secure the budgetary resources they need, and the program is less effective. As a starting point, the cost-of-breach vs. cost-of-bounty breakdown above will help express the return on investment of bug bounty.
In addition, HackerOne customers have had success with different tactics to secure healthy budgets for their bug bounty programs.
Cost of a breach vs. cost of a bug
“Traditionally, you have your return on investment, which can be harder to express with bug bounty. I sell it internally by comparing the ROI of mitigation with the ROI of prevention. If you ask leadership for a monetary number for the bug bounty program, they’re going to be thinking ‘But what do we get in return?’ but if you explain that if we have a breach, it's going to cost you millions, then the cost of your program doesn’t sound like much!”
— Alex Hagenah, Head of Cyber Controls, SIX Group
Preventing breaches before they happen
"Since 2019, Zoom has worked with 900 hackers, of which 300 have submitted vulnerabilities that we have had to quickly move on. We’ve paid out over $7 million. It’s a substantial investment but the returns are worth it: we find world-class talent to find real-world solutions before it’s a real-world problem."
— Michael Adams, CISO, Zoom
Integrate bug bounty into a holistic strategy
“For me, it was essential that we incorporated bug bounty into our comprehensive information security strategy. Otherwise, we wouldn't be able to achieve what we want to achieve. This approach has been crucial in securing and spreading the budget for it over a few years.”
— Alex Hagenah, Head of Cyber Controls, SIX Group
2. Don’t Blow Your Budget On Low-Value Issues
We have new customers come to us because they’ve previously struggled with a high volume of low-quality findings, depleting their bug bounty budget on low-severity findings.
This can be easily avoided by taking a tiered-award approach with bounty awards weighted by asset type. Bounty award amounts can be tuned to incentivize testing on your most critical assets. as well as assets that may require a more rarified skillset to produce the best results.
At HackerOne, our customer success team works very closely with you to understand your budget and the priorities of your scope, creating a unique budgetary system that will deliver the bugs you’re looking for without using up your budget too quickly.
3. Price Your Bounties Correctly
Some organizations have the opposite problem with not seeing enough reports on certain assets if the bounty is too low to attract interest. If you are tracking behind what you budgeted and aren’t seeing report coverage on business-critical assets, that’s a clear indication your bounties may be set too low for those assets.
There are a number of factors that contribute to hacker engagement, such as offering a varied scope to keep testing interesting (46%), challenges and opportunities to learn by solving real-world problems (45%), and similar to most people, liking the brand can be a factor (42%). While hackers aren’t solely focused on bounties, it is far and away the most important factor for attracting hackers to your bug bounty program. In fact, 73% of hackers choose a program because it pays generous bounties, and 48% will choose not to participate in a program if they feel the bounties are too low.
Take a look at how you’re pricing your bounties in comparison to the average bounty costs for your industry above — maybe it’s time to reevaluate.
Get the Most Out of Your Bug Bounty Budget
Even having implemented this advice, security teams only have so much bandwidth to effectively and efficiently manage their bug bounty budgets. The HackerOne team has the expertise and the flexibility to tailor your bug bounty program to work for your unique budget, team capacity, and goals. If you’re not seeing the financial impact you want from your bug bounty program, contact the experts at HackerOne today. Or, if you want to learn more about how your organization compares to peers in your industry for hacker-powered security initiatives, download the 7th Annual Hacker Powered Security Report.
The Ultimate Guide to Managing Ethical and Security Risks in AI