To what degree does raising Bug Bounty rewards increase the quality and quantity of bugs discovered? 💰 Researchers from Harvard, Bocconi University, Hebrew University and Google Research have evaluated the effect of Google increasing bounties by up to 200% last year for the most critical tier of its Vulnerability Rewards Program (VRP). Spoiler alert: this bounty boost had the desired effect – especially for the most valuable findings. The study (PDF) found that a 100% increase in payouts led to a 20% rise in total submissions, while critical reports tripled. 📊 The researchers also discovered that “the reward increase both redirected the attention of veteran researchers and attracted new top security researchers into the program”.
They raised the prospect of follow-up research examining the subsequent impact of AI-powered bug hunting tools on Bug Bounty Programs, as well as “whether the high-value bugs found from this bug bounty program actually differ from bugs that would have been found through regular internal debugging processes”. 🤖
Cyber budgets growing – but not fast enough for CISOs
Most CISOs have enjoyed larger cyber budgets this year and expect them to grow further in 2026, according to a survey of more than 300 security leaders. 💸 The 2026 CISO Budget Benchmark reveals that 85% of organisations had bigger cybersecurity budgets in 2025, and 88% of respondents expect them to grow again in 2026. Reflecting the scale of the challenges their security teams face, however, more than half of those polled believe their organisations are still underinvesting in security. Wiz, a cloud security platform, also found that nearly half of CISOs say cloud complexity and tool sprawl are actively holding back their security programmes. 🛠️
Microsoft succour for beleaguered security teams
“The acceleration we are witnessing – cyberattack speed, operational scale, and technical sophistication – demands an equivalent acceleration in our response,” writes Ann Johnson, corporate VP and deputy CISO for Microsoft’s Customer Security Management Office, in an article announcing the Microsoft Digital Defense Report 2025. “This is not about working harder; it’s about working differently. It means treating AI and automation as operational imperatives, not future projects.” 🧠 Other actionable takeaways for defenders include embedding resilience “into the very DNA of an organization’s infrastructure” and, with Quantum computing threatening to break open cryptographic systems, “organizations should inventory their cryptography (keys, certificates, and protocols) and establish a roadmap to replace vulnerable algorithms with PQC standards as they become available.” 🔐
Before we move onto YesWeHack-related news and our own insights on offensive security, here’s some more content of potential interest to CISOs that caught our attention recently:
🔒 Employees regularly paste company secrets into ChatGPT – The Register
🔒 Responsible vulnerability disclosure in 2025: Why the debate still matters – Martin Jartelius, CTO at Outpost24, SC Media
🔒 It’s time the UK got proactive about software security – Robert Finn, VP International, Chainguard, on TechRadar
🔒 A shared vision of software bill of materials (SBOM) for cybersecurity – US Cybersecurity and Infrastructure Security Agency (CISA) in collaboration with the National Security Agency (NSA)
🔒 Trump's workforce cuts blamed as America’s cyber edge dulls – The Register
EU contract signed
📢 We’ve made a slew of announcements since our last roundup aimed at CISOs that attest (in our humble opinion!) to our strong and growing reputation in the world of Bug Bounty and vulnerability management. 💪
First, YesWeHack is now the European Commission’s preferred provider of bug bounty services under a cascade model, having outperformed rival platforms during the Commission’s latest tender for crowdsourced security services. 🇪🇺 We have signed a four-year framework contract potentially worth up to €7.6 million as the EC's most-favoured provider of bug bounty services. 🐛
📢 We’re also honoured to have been authorised as a CVE Numbering Authority (CNA) by the CVE Program. “Being entrusted with this responsibility attests to our pedigree and proven processes for managing vulnerabilities,” said Guillaume Vassault-Houlière, CEO and co-founder of YesWeHack. “By designating CVE IDs and managing CVE Records for certain vulnerabilities discovered through our Bug Bounty Programs, we hope to eliminate hassle for our affected customers and streamline the coordination, remediation and attribution of vulnerabilities.” 🚀
We’ve also made our first-ever acquisition: Sekost, an innovative player in the cybersecurity auditing space, which can now leverage YesWeHack’s international reputation and commercial strength to enhance its offerings for SMEs and accelerate its expansion. 🤝
And we’ve acquired ‘high performer’ and ‘users love us’ badges on G2, a peer-to-peer review site for business software. 💖 Our average review rating remains super-high at 4.8/5. ⭐
Bug Bounty success stories
Crowdsourced security testing provides “an outside-in perspective that other layers can’t replicate,” say security execs from NOV in our latest customer story. James Cooper and Justin Moore from the global energy services provider discuss: the value of continuous testing, effective triage, and an agile #BugBounty model; overcoming their greatest challenge so far; and their vision for making digital assets more secure by design. 🔐
Another customer, this time in the identity verification space, told YesWeHack that #BugBounty Programs are viable for all kinds of organisations – even those without a dedicated security team. 🛡️ In this interview, security engineers Luca Sangalli and Joachim Vanthienen of Entrust (formerly Onfido) recount how their employer, which switched to YesWeHack from a rival platform, has scaled rewards and kept hunters engaged. 💰
“We backed the right horse and have never regretted our decision,” says TeamViewer’s Patricia Leppert in a new video interview about the global tech company’s Bug Bounty Program. The interview, which follows an earlier piece distilling a webinar presented by TeamViewer’s senior project manager for security, took place in 2025 during a YesWeHack live hacking event in Berlin. We’ve also published highlights from that hacking event, for which TeamViewer provided the targets. 🎯
The CTEM-Bug Bounty synergy
Gartner’s prediction that organisations implementing CTEM (continuous threat exposure management) would witness a two-thirds drop in breaches seems fanciful if their offensive security testing remains shallow, narrow or point-in-time. 🕵️ The fourth and final chapter of our CTEM series outlines the benefits of tightly integrating Bug Bounty Programs with other testing mechanisms, attack surface management and the wider CTEM cycle. 🔄
The conference schedule is winding down with the festive season now on the horizon. The only events remaining in 2025 for YesWeHack are Black Alps, on 20-21 November in Yverdon-les-Bains, Switzerland, and Black Hat Europe in London on 10-11 December. 🇨🇭🇬🇧
Wrapping up YesWeHack-related content now, we have a couple of stories about our public-sector work in Singapore: the country's Ministry of Defence (MINDEF) has just completed a time-limited Bug Bounty Program, which we trailed here, while Singapore’s Government Bug Bounty Programs have completed their first year. 🇸🇬
And that's 2025 done as far as this newsletter is concerned! The next edition lands in January. In the meantime, have yourself a fantastic festive season. 🎄
Read this monthly roundup even sooner by subscribing to CrowdSecWisdom – our LinkedIn newsletter curating news, insights and inspiration around offensive security topics like Bug Bounty, vulnerability disclosure and management, pentest management and attack surface protection.
Are you a bug hunter or do you have an interest in ethical hacking? Check out our ethical hacking-focused sister newsletter, Bug Bounty Bulletin – offering hunting advice, interviews with hunters and CTF-style challenges, among other things.