Bugcrowd Study Reveals 65% Increase in Discovery of High-Risk Vulnerabilities in 2020 Amid COVID-19 Pandemic
Crowdsourced cybersecurity is booming as enterprises across all industries embrace ethical hackers to identify vulnerabilities amid a rapidly evolving threat landscape
SAN FRANCISCO – Dec. 15, 2020 – Bugcrowd, the leading crowdsourced cybersecurity platform, today announced that 2020 has been a record year for crowdsourced cybersecurity adoption, with enterprises across all industries implementing crowdsourced cybersecurity programs to keep up with the evolving threat landscape. According to its 2021 Priority One report, Bugcrowd saw a 50% increase in submissions on its platform in the last 12 months, including a 65% increase in Priority One (P1) submissions, which refer to the most critical security vulnerabilities.
The report gives a comprehensive view of how COVID-19 redefined cybersecurity practices across industries. The World Health Organization reported that attacks directed at its staff and email scams targeting the public at large increased by 500% soon after the pandemic began, driven by a sevenfold increase in ransomware and new attack vectors that opened up in a remote-first world of work.
The software industry in particular saw a critical need for crowdsourced security due to the new security challenges created by the pandemic. Vulnerability submissions in the first ten months of 2020 were up 24% compared with all of 2019. Across the board, computer software companies paid out almost five times as much as any other industry for submissions. Most notably, P1 submissions in the software industry nearly tripled in 2020.
“Our Priority One report findings clearly show that leading organizations across all sectors are embracing crowdsourced security as a core element of their security strategy,” said Ashish Gupta, CEO, Bugcrowd. “Comparing data from the last two years, we see that crowdsourced cybersecurity is growing rapidly as a result of rapid digital transformation and increased threats caused by the COVID-19 pandemic. Vulnerability submissions are up, with higher numbers of critical vulnerabilities, and total payouts are growing steadily by about 15-20% per quarter.”
API and Android vulnerabilities on the rise
The report found that eight of the top 10 bugs submitted in 2020—as rated by Bugcrowd’s Vulnerability Rating Taxonomy (VRT), a widely-used, open-source standard that offers a baseline risk-rating for each vulnerability submitted via Bugcrowd’s platform—were also featured on the 2019 list. This illustrates that managing known risks remains a challenge for most enterprises.
In the last year, submissions to all industries increased. Most notably, API and IoT vulnerabilities doubled, while those found in Android targets more than tripled. The heavy focus on remote work and subsequent growth in IoT device adoption in 2020 made IoT devices more attractive targets for cybercriminals. Both IoT vendors and Bugcrowd, which has the largest curated and active crowd for IoT and mobile devices, have responded by expanding their efforts to discover IoT security issues.
Human error is the driving force behind the most submitted vulnerability
The most submitted vulnerability class in 2020 was broken access control, with cross-site scripting (XSS) second. Broken access control is driven by human error: an authorization check that a developer omitted or scoped incorrectly on an endpoint or object, so an authenticated user can read or change data that is not theirs. XSS, by contrast, can often be prevented through the correct use of code frameworks that have XSS prevention (context-aware output encoding) built in. The findings underscore the fact that human error is a major source of security risk.
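As an added illustration of the two classes named above (this is example code written for this page, not Bugcrowd's or any customer's code), the following shows a vulnerable handler beside its hardened form for each: an insecure direct object reference that skips the ownership check, and an HTML response that concatenates untrusted input. The request shape, the in-memory invoice store and the user names are constructed for the example; only the Python standard library is used, with html.escape standing in for the autoescaping a templating framework would apply.

```python
"""Broken access control and XSS: vulnerable handlers beside hardened ones.

Example code for this page, not from the report or any real application.
The Request class, INVOICES store and user names are constructed sample data.
"""
import html
from dataclasses import dataclass

# Constructed sample data store: invoices owned by two different users.
# Invoice 2's memo is attacker-supplied text that was stored earlier.
INVOICES = {
    1: {"owner": "alice", "amount": 120, "memo": "consulting"},
    2: {"owner": "bob", "amount": 75, "memo": "<script>alert(1)</script>"},
}


@dataclass
class Request:
    user: str             # authenticated principal (assumed set by upstream auth)
    path_id: int          # invoice id taken from the URL, chosen by the client
    query_name: str = ""  # untrusted query-string parameter


class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""


# --- Broken access control (IDOR): authenticated, but never checks ownership.
def get_invoice_vulnerable(req: Request) -> dict:
    return INVOICES[req.path_id]  # any logged-in user can read any invoice


# --- Hardened: the authorization decision sits next to the data access and
# denies by default. "Missing" and "not yours" get the same response so the
# id space cannot be enumerated by probing.
def get_invoice_hardened(req: Request) -> dict:
    inv = INVOICES.get(req.path_id)
    if inv is None or inv["owner"] != req.user:
        raise Forbidden()
    return inv


def can_read_invoice(req: Request) -> bool:
    """Boolean wrapper around the hardened check, convenient for tests."""
    try:
        get_invoice_hardened(req)
        return True
    except Forbidden:
        return False


# --- Reflected XSS: untrusted input concatenated straight into HTML.
def greet_vulnerable(req: Request) -> str:
    return "<p>Hello, " + req.query_name + "</p>"


# --- Hardened: encode for the HTML element context before concatenation.
# A templating framework with autoescaping enabled does this for every
# interpolation; html.escape is the stdlib equivalent for a hand-built string.
def greet_hardened(req: Request) -> str:
    return "<p>Hello, " + html.escape(req.query_name, quote=True) + "</p>"


# --- Stored XSS has the same fix: the memo came from the database, but it is
# still text another user typed, so it is encoded at the output boundary.
# The access-control check is applied first, so the two fixes compose.
def render_invoice_hardened(req: Request) -> str:
    inv = get_invoice_hardened(req)
    return "<li>{} : {}</li>".format(html.escape(inv["memo"]), inv["amount"])


if __name__ == "__main__":
    print(get_invoice_vulnerable(Request("alice", 2)))   # alice reads bob's invoice
    print(can_read_invoice(Request("alice", 2)))         # False after the fix
    print(greet_vulnerable(Request("x", 1, "<script>")))
    print(greet_hardened(Request("x", 1, "<script>")))
    print(render_invoice_hardened(Request("bob", 2)))
```

The access-control fix is a one-line comparison, which is exactly why it is so often forgotten: nothing in the framework fails when it is missing. The XSS fix, on the other hand, is something a templating layer can apply on every interpolation without the developer remembering it, which is the distinction the report's "frameworks with XSS prevention built-in" remark draws.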
Financial services sector investing more for critical vulnerabilities
Companies in the financial sector doubled their payouts for P1 vulnerabilities from Q1 of 2020 to Q2. Bank branch closures and other business process changes caused by the pandemic forced the financial service industry to accelerate digital transformation at a faster rate than most verticals. This led to an expanded attack surface, which the industry responded to by engaging the crowd with strong incentives to identify new risks. This resulted in the financial services sector returning more submissions from January to October of 2020 than in all of 2019.
Speed is a competitive advantage for customers
In almost all industries, ethical security researchers will discover vulnerabilities in a week or less when participating in a Bugcrowd Vulnerability Disclosure, Attack Surface, Bug Bounty or Pen Test program. In sectors like consumer services and media, researchers often find vulnerabilities in less than a day. While it typically takes a few days for researchers to find vulnerabilities in the government and automotive sectors, the vulnerabilities are typically much higher risk.
“The speed of discovery across the board demonstrates the tremendous value crowdsourced security can add to security teams and companies looking to fast-track digital transformation efforts and bring new infrastructure online,” added Gupta. “This speed is replicated by adversaries too, which places even more of a premium on having a crowdsourced security platform that allows a company to tap into the expertise and agility of the Crowd to keep their organizations safe.”
Bugcrowd is the force multiplier in cybersecurity, providing access to a global network of ethical hackers who help organizations maximize the impact of their security defenses. Top Fortune 500 organizations trust Bugcrowd to manage their Pen Test, Bug Bounty, Vulnerability Disclosure, and Attack Surface Management programs. Bugcrowd’s award-winning platform combines actionable, contextual intelligence with the skill and experience of the world’s most elite hackers to help leading organizations identify and fix vulnerabilities, protect customers, and make the digitally connected world a safer place. Based in San Francisco, Bugcrowd is backed by Blackbird Ventures, Costanoa Ventures, Industry Ventures, Paladin Capital Group, Rally Ventures, Salesforce Ventures and Triangle Peak Partners. Learn more at www.bugcrowd.com.
“Bugcrowd” is a trademark of Bugcrowd Inc. and its subsidiaries. All other trademarks, trade names, service marks and logos referenced herein belong to their respective companies.