Pricing model should help companies assess and financially back full-blown security bug rewards programs

Jan 23, 2016 15:51 GMT  ·  By

Bugcrowd, a platform through which companies outsource security testing to a crowd of researchers, has published a template for pricing security bugs. It is offered as a recommendation both to businesses that want to host a bug bounty on the Bugcrowd platform and to those that intend to run a rewards program on their own infrastructure but need help setting up a payout model.

The Bugcrowd Defensive Vulnerability Pricing Model is based on data from 200 bug bounty programs that ran on the platform over the past three years, supplemented with information from external security rewards programs such as Google's Chrome rewards program, HP TippingPoint's Zero Day Initiative (ZDI), and Microsoft's Mitigation Bypass Bounty.

The model splits companies into three categories. Basic organizations address security only as far as the nature of their product demands. Progressive organizations have a well-defined security team with some autonomy from the IT department. Advanced organizations have a CISO (Chief Information Security Officer) who reports directly to the company's CEO, and their security team holds its own, prominent place in the enterprise's structure.

Security bugs are likewise organized by impact into a five-level model, with bugs labeled P1 - Critical, P2 - High, P3 - Medium, P4 - Low, and P5 - Acceptable Risk. You can read more details about each level in the first table below.

$15,000 for a critical security bug in a top-level company

Based on these two classifications, Bugcrowd's staff recommends that organizations in the Basic class pay between $100 and $1,500 per security bug, that Progressive organizations offer payouts between $200 and $5,000, and that Advanced organizations be willing to pay from $300 up to $15,000, in each case depending on the bug's impact level.

It is not uncommon for companies to offer security bug rewards in the form of services or products. Racking up free air miles from an airline may be nice, but air miles don't help security researchers pay their bills.

Bugcrowd's pricing model should help businesses that don't want to do extensive research of their own to settle on appropriate payout ranges for a bug rewards program.

"Our hope is that these insights will set you up for success in running a crowdsourced security program, and help you work with the researcher community more effectively," says Casey Ellis, Bugcrowd CEO.

With a proper pricing model in place, companies would get what they want (attracting top-level security researchers), and infosec professionals would get what they want as well (fair monetary compensation for their work).

Bugcrowd's Defensive Vulnerability Pricing Model is available for download from the company's official website.

Image: Bugcrowd releases a pricing model for security bugs

Image: Bug levels and pricing models