Crowdsourced security has increased significantly in the last year. In the public sector, 151 percent more vulnerabilities were reported than in the previous year. In retail, filings increased 34 percent.
Bugcrowd has published its annual “Inside the Platform: Bugcrowd's Vulnerability Trends Report”. The report details the types of vulnerabilities that global hackers say are currently on the rise. It also documents the continued increase in the use of public crowdsourced programs due to growing awareness and acceptance of crowdsourced security strategies.
Crowdsourced security has grown rapidly in the public sector
The public sector (government) saw the fastest growth in crowdsourced security in 2023 compared to 2022, with a 151% increase in vulnerability submissions and a 58% increase in Priority 1 (P1) rewards for discovering critical vulnerabilities. Other industries with sharp increases in filings included retail (+34%), business services (+20%) and computer software (+12%).
Last year, the hacker community saw a 2022% increase in web submissions created on the Bugcrowd platform, a 30% increase in API submissions, an 18% increase in Android submissions, and a 21% increase (compared with a 17 percent increase) in iOS submissions.
“This report provides important context, insight and opportunities for security leaders looking for new information to inform their risk profiles,” said Nick McKenzie, Bugcrowd’s Chief Information and Security Officer. “Looking forward, we can use the insights from this report in conjunction with other key insights to predict what comes next.”
Crowdsourcing can support smaller businesses
McKenzie predicts that in 2024, threat actors will use AI to accelerate attacks on organizations - meaning more effort for defenders, but not necessarily smarter attacks. As attacks in this space continue, it is becoming increasingly important for security leaders to obtain high-quality insights and to continually review supply chain security, third-party risk, and inventory management processes.
The “human risk factor” will also become more dangerous, driven by malicious insiders and by misguided employees who fall victim to social engineering attacks or circumvent internal controls (intentionally or unintentionally). Operationally, to address the “cyber talent gap” and help their security teams “scale”, companies will more broadly employ crowdsourced human intelligence to continually uncover unique or previously unidentified vulnerabilities, something that smaller, less diverse, budget- or talent-constrained teams cannot afford to do on their own.
Financial rewards for finding vulnerabilities
The Bugcrowd platform connects companies with trusted hackers to proactively defend their assets against advanced threats. This enables companies to leverage the collective ingenuity of the hacker community to better uncover and mitigate risks in applications, systems and infrastructure.
Crowdsourced solutions include penetration testing as a service, managed bug bounties, and vulnerability disclosure programs (VDPs). Not surprisingly, the report confirms that the most successful programs on the platform offer the highest rewards for hackers - typically $10,000 or more for finding a P1 vulnerability. The highest rewards for reporting P1 vulnerabilities are paid in the financial services and government sectors.
Crowdsourced security programs find 10x more critical vulnerabilities
Over the past year, companies have also increasingly favored public crowdsourcing programs over private programs, and open-scope programs received ten times more P1 vulnerabilities than those with a limited scope. A scope is the defined set of targets that an organization lists as assets to be tested. An open-scope bug bounty program does not limit what hackers can or cannot test across the organization's assets.
The report also examines how different hacker roles contribute to crowdsourced security and how crowdsourced security platforms can serve as powerful early-warning systems for uncovering vulnerabilities. Several sections capture the spirit of the crowdsourcing community, including sections on the changing landscape of rewards, the 5 most commonly reported vulnerability types, and customer case studies highlighting Rapyd and ClickHouse.
More at Bugcrowd.com
About Bugcrowd
Bugcrowd, the only multi-solution crowdsourced cybersecurity platform, combines data- and ML-driven crowd-matching with decades of application experience to focus the right human creativity on the right problem at the right time. Trusted by companies around the world, the Bugcrowd Security Knowledge Platform™ makes it possible to find hidden vulnerabilities throughout their attack surface before they can be exploited, leveraging the knowledge of world-class ethical hackers. Bugcrowd is based in San Francisco and is backed by Blackbird Ventures, Costanoa Ventures, Industry Ventures, Paladin Capital Group, Rally Ventures, Salesforce Ventures and Triangle Peak Partners.