Pen testing and ethical hacking specialist Intigriti has launched a free-to-use comparison tool that it believes will help bug bounty programme owners match their payout rates to market conditions and community sentiment.
Intigriti said that newcomers to the concept of bug bounties often have difficulty deciding what payment rates to set, while others pour time and effort into building the “perfect bug bounty programme” only to find themselves being overlooked in a rapidly growing marketplace.
Its new Bug Bounty Calculator is intended to let programme owners optimise their vulnerability disclosure programme and help ensure that it gets the attention of ethical hackers.
“Anyone can set up a bug bounty programme, but if you aren’t sure what you’re doing, you may pay too much for vulnerabilities,” said Inti de Ceukelaire, head of hackers at Intigriti. “Even worse, set your bounties too low and you may not attract any researchers at all.
“Our experience shows us that researchers are highly tuned to payments. It’s important to find the sweet spot to ensure your programme remains an attractive proposition and if you pay under market value, you will not attract the top hackers.”
The calculator will enable users to compare their bounty rates to the industry average and indicate what level of ethical hacking expertise their bounty levels might attract.
Developed by hackers and regularly updated to reflect market fluctuations and other changes in the threat landscape, it incorporates anonymised data from more than 400 existing public bug bounty programmes across 18 industries, and allows users to account for additional, more in-depth variables such as their risk appetite and security maturity level.
Intigriti said this will make it much easier for users to find targeted information that is benchmarked against their competitors.
Bug bounty programmes can differ widely in their scale and scope, so it is worth learning about typical payout rates across various sectors.
For example, according to Intigriti’s data, the financial services and blockchain industries are the highest paying on average, while high-risk health and social care services can expect to pay $4,000 for a critical vulnerability, compared to $2,600 across the public sector as a whole.
The planning and managing of bug bounty programmes is important to get right because a badly designed one can throw up more problems than it solves.
Writing on ComputerWeekly’s sister site SearchSecurity, Rob Shapland of Falanx Cyber, a Reading-based security consultancy, said it is easy for costs to get out of control if multiple vulnerabilities turn out to exist within the programme’s scope, and teams have been known to become inundated with reports owing to a surge in ethical hackers probing their networks.