Factoring in whether to include a bug bounty program in your annual cybersecurity budget can be confusing. It’s often unclear exactly what benefits you’ll reap until the program is up and running, and while you might know that bug bounty can offer serious security rewards, you might want to know more about the financial stakes of choosing to launch a program.
The average cost of a bug bounty program varies, but in general it can cost up to $250,000 for large organizations looking for a bells-and-whistles model to suit their needs, while smaller businesses with fewer targets can create a robust program with less than $35,000.
Regardless of the size of the company, one thing is for sure – a bug bounty program isn’t cheap. It’s an investment that can benefit a user for years to come, and it needs to be considered as such. In this blog, we’ll take a look at the ROI (return on investment) of a bug bounty program to help you understand what solution is right for you.
Penetration testing
A popular alternative to using bug bounty is to commission regular – often annual – penetration testing. Pentesting is a service that companies often pay third parties for whereby a pentester will scan the company or organization’s networks for security vulnerabilities and create a report detailing their findings, often with remediation advice bundled in.
On average, a pentest can cost between $15,000 and $30,000, and it can be a useful tool to help identify security vulnerabilities, though the cost can depend on the parameters of the test. Tight budgets can mean that an extensive report isn’t financially viable; in this case the pentester might do a ‘light touch’ test. The insights of a pentest are also dependent on the knowledge and skills of the individual carrying it out, potentially meaning that this approach can miss bugs that require a certain set of skills or deeper investigation.
While a pentest can be a great way for companies to In fact, in our 2022 Ethical Hacker Report we found that of those polled that had hands-on pentesting experience, 88% agree or strongly agree that “a penetration test cannot provide continuous assurance that an organization is secure year-round.”
Speaking on this, Intigriti’s Chief Hacker Officer Inti De Ceukelaire said: “Penetration tests focus on one snapshot in time, whereas bug bounty programs are continuous. As attackers shift tactics, cyber defenses must too. The only way to test their effectiveness is to apply continuous pressure against them. Considering that an organization’s security posture will change with each new feature release or update, it’s not only a logical step to implement more security testing, but also critical.”
Just 14% of the pentesters also believed that a penetration test would be able to find all of the same types of vulnerabilities they have found during bug bounty hunting.
Security team cost
It can cost more than $456,000 a year on average for a business in the US to employ a competent security team to protect its networks from vulnerabilities. This is based on the 2023 average annual salary of around $91,600 in the US for each of three security researchers, plus an additional $182,000 for a head of security, according to Indeed.
A study from researchers in the UK also reported that it was “economically viable to run bug bounty programs instead of hiring additional researchers”. The paper’s authors argued that considering average payout fees, report cadence, and other costs associated with hosting a bug bounty program, the average annual cost of the programs researched for the paper is around $84,000. Compared to the potential cost of hiring a security team, the researchers noted that bug bounty was a preferable option for some businesses or organizations – especially those concerned with sticking to a budget.
This figure will vary depending on the specifics, such as the level of support required for the program and the platform it is hosted on; however, it gives an indication of the potential cost savings associated with having a bug bounty program.
Insurance savings
Investing in proactive security measures such as a bug bounty program can also help save money on potentially costly cyber insurance premiums.
These days, it’s normal practice for businesses and organizations to be insured against the risk of a cyber-attack – and as the rate of cyber intrusions rises, the cost to protect against them also increases. The Global Insurance Market Index from Marsh estimates that spending on cyber insurance rose by 11% in Q1 of 2023, and a further 1% in Q2.
In addition to this, a recent report from insurance provider Hiscox states that the exposure to a cyber-attack is the biggest risk to businesses in 2023. The Cyber Readiness Report found that the cost of a cyber-attack is more than $16,000 for businesses worldwide – though eight companies in the past year reported much higher costs of over $5 million as a result of a breach. Hiscox also looked at the median spend for businesses investing in proactive cybersecurity measures, which reached $922,000 in 2023 for companies with a size of 250-999 employees, and $4.9 million for companies with 1,000 employees or more.
Cost of a breach
We’ve looked at how much proactive security might cost a company, but what about reactive – how expensive can it be to fall victim to a breach?
The average cost of a data breach in 2023 was $4.45 million according to IBM – an increase of 15% since 2020. Of course, it completely depends on the situation; however, businesses can expect to be hit with a bill for a number of services in the wake of an incident.
Firstly, a company might want to employ a PR team to handle press enquiries and proactive reputation management. This can be the case particularly in situations where there is a major data breach affecting a large number of customers. Risk mitigation experts Aon estimate that companies that are ineffective in post-event crisis management have on average suffered 29% more damage compared to the better prepared ones by day 100. The average loss of shareholder value after 100 days was about $3 billion.
Lucia Barbato, CEO at Ilex Content Strategies, told Intigriti: “As well as having potential legal implications, a security breach can impact the level of trust that a brand enjoys. Trust can take years to establish and moments to erase. Brands must therefore be seen to be taking an open, honest and proactive approach should a situation like this arise.
“Any major security breach within the private sector will have had a PR cost associated. It won’t only be managing the fallout at the time, but going forward the PR team will need to pivot to manage incoming enquiries as well as to shape a story to the brand’s benefit, rebuilding trust. While we may be more familiar with public sector breaches (which also have PR costs associated but typically smaller budgets), it is the private sector, where buyers can decide where they spend their budgets, that are most vulnerable to these sorts of negative stories.”
On how much a security breach can cost a company financially, Barbato said that it “is almost impossible to quantify”. Barbato added: “It depends on the level of the breach, the organization involved and how it came about. The loss of trust is unquantifiable, and bringing in a PR team won’t be a quick fix. Often these relationships are long term. Trust is cumulative – once the immediate crisis recedes, the rebuilding will take time.”
Regulatory fines can also hit businesses or organizations hard. For example, Europe’s General Data Protection Regulation (GDPR) enforces a fine of up to €10 million, or 2% of a firm’s worldwide annual revenue from the preceding financial year, whichever is higher. Countries can also impose fines for breaches; for example, the US Federal Trade Commission’s Consumer Financial Protection Bureau (CFPB) has the power to serve penalties to businesses that have suffered a breach affecting victims across all 50 states.
Companies or organizations might also choose to offer compensation to any potential victims of a breach – this figure is often at the discretion of the company; however, it can sometimes be enforced by regulators or courts.
Is a bug bounty worth the investment?
It’s hard to definitively put a cost on a security breach due to the fluctuating nature of one – the financial impacts depend on variables such as the size of the company, the value of the data it holds, the length of downtime caused by the breach, and the loss of trust by the consumer. Richard Hollis, information security governance risk and compliance professional, agrees. While he estimates that a small to medium enterprise (SME) might face financial impacts of up to $1.2 million in a single incident, Hollis said this also depends on various factors such as “for example is, how much is my data worth if someone stole it from me? This includes fines and other regulatory impacts”, as well as costs associated with loss of public trust and compensating consumers, he told Intigriti.
It’s also hard to compare the average cost of one singular security incident to the cost of a bug bounty program, which could potentially protect against multiple bugs a year. It is clear, however, from the estimated figures that running a bug bounty program can be a cost-effective way of being proactive about security which, in turn, can help keep your business or organization secure against falling victim to such an incident.