Bugcrowd sees surge in vulnerability submissions, led by public sector
Crowdsourced vulnerability disclosure and bug bounty platform Bugcrowd says it saw a 151% uptick in submissions related to government and public sector organisations in 2023
Multi-solution crowdsourced cyber security platform Bugcrowd says it saw growing acceptance and adoption of crowdsourced security strategies among mainstream end-user organisations in 2023, as ethical hackers continue to prove their value to in-house security teams over and over again.
The organisation this week published its latest annual Inside the platform report, in which it claimed that over the past 12 months its open-scope, crowdsourced approach to vulnerability rewards programmes (VRPs), aka bug bounty programmes, found 10 times more critical issues than more traditional approaches.
In 2023, it found that customers in the government and public sector verticals were the most eager to take up crowdsourced ethical hacking as an option, with a 151% increase in overall vulnerability submissions and a 56% increase in critical flaws.
Submissions relating to the retail sector were up 34%, to the corporate services sector 20%, and to the computer software sector 12%.
Overall, Bugcrowd’s ethical hacking community recorded a 30% increase in web vulnerability submissions, an 18% increase in application programming interface (API) vulnerability submissions, a 21% increase in Android vulnerability submissions, and a 17% increase in iOS vulnerability submissions. All data represents a year-on-year comparison to 2022.
“As an industry, we’re truly on the precipice of so many changes, and the goal of this report is to arm security leaders and practitioners alike with the necessary trend information, data, and expert predictions to prepare for these changes,” wrote Bugcrowd CISO Nick McKenzie in the report’s preamble.
“Leveraging vulnerability data from the last 12 months, this report offers critical context, insights, and opportunities for security leaders looking for new information to bolster their risk profiles.”
Outlining some of the key trends highlighted in Bugcrowd’s latest report, McKenzie continued: “Throughout the research process, I wasn’t surprised to find that vulnerabilities are still on the rise. When you combine an overall increase in rapid digitisation – including new technologies that businesses are adding into business processes like generative AI – with more products boasting many new features, it’s inevitable that you end up with an exponential increase in bugs.
“Another insight from the report that I found especially telling is an increase in the trend toward favoring public crowdsourced security programs over private programs. More programs are dropping the clutch and shifting their gear to ‘public’.”
Who pays the most?
For ethical hackers who may be wondering if it is possible to make a living from pen testing alone, the Bugcrowd report also contains fresh data on the scale of the payouts its community received in 2023.
For the most impactful vulns – rated Priority 1 in Bugcrowd’s matrix – hackers can expect to start somewhere in the range of $3,500 to $4,500 (£2,750 to £3,500) for a vulnerability in an untested app with basic credentialed access and no hacker restrictions.
Moving up the scale, hackers can expect to see payouts of $5,500 to $7,500 (£4,300 to £5,900) for a vulnerability in a well-tested app that has been part of a crowdsourced programme before, moderately tested APIs and apps, and presumed-to-be-vulnerable thick clients/binaries and/or embedded devices.
For high-end P1 vulnerabilities, they can expect to see $11,000 to $20,000 (£8,600 to £15,700) for vulnerabilities in hardened and sensitive apps, APIs and moderate-to-highly secure thick clients/binaries and/or hardened embedded devices.
Payouts by sector range significantly, and the report contains much more granular data on this, but the cryptocurrency industry stands out in Bugcrowd’s data as a particularly well-paying one, with P1 flaws frequently attracting bounties of over $50,000 (£39,300).
Bugcrowd said it was likely that the scale of rewards hackers receive will continue to grow – not least due to inflation (£1 in 2018 is worth about £1.23 today), but also due to growing competitive pressure in the market. Indeed, it recently upped its suggested reward ranges to keep pace with its competition.
AI proves the need for ethical hackers
Looking ahead to the rest of 2024, McKenzie highlighted three trends that Bugcrowd believes will continue to prove the value of ethical hackers and VRPs.
The first and second of these trends will both be driven to some extent by the increased traction of adversarial artificial intelligence (AI) among threat actors.
In the first instance, the need for organisations to invest in better insights, coverage and continuous assurance will increase, particularly in areas relating to supply chain security, third-party risk and inventory management.
In the second instance, AI-enhanced cyber threats like spear-phishing will make human risk-factors more of a consideration, and organisations can expect to have to deal with more insider threats resulting from these.
Finally, he said, the need to counter the ever-present security skills gap and to scale in-house security teams points to broader adoption of crowdsourced intelligence to weed out the issues that smaller, skills- and cash-strapped teams cannot.