Open Scope Crowdsourced Security Programs Find 10X More Critical Vulnerabilities
“Inside the Platform: Bugcrowd’s Vulnerability Trends Report” Details Security Threats and Solutions
SAN FRANCISCO, January 24, 2024 — Bugcrowd, the only multi-solution crowdsourced cybersecurity platform, today released its annual “Inside the Platform: Bugcrowd’s Vulnerability Trends Report.” The report highlights the types of vulnerability submissions that are on the rise today, according to global hackers. It also documents the steady adoption of public crowdsourced programs based on growing awareness and acceptance of crowdsourced security strategies.
The government industry sector saw the fastest growth for crowdsourced security in 2023 compared to 2022, with a 151% increase in vulnerability submissions and a 58% increase in Priority 1 (or P1) rewards for finding critical vulnerabilities. Other industries recording big increases in submissions included retail (+34%), corporate services (+20%), and computer software (+12%).
Over the past year, the hacker community recorded a 30% increase in Web submissions created on the Bugcrowd platform compared to 2022, an 18% increase in API submissions, a 21% increase in Android submissions, and a 17% increase in iOS submissions.
“This report offers critical context, insights, and opportunities for security leaders looking for new information to bolster their risk profiles,” said Nick McKenzie, Chief Information and Security Officer of Bugcrowd. “Looking ahead, we can use insights from this report in conjunction with other key learnings to predict what is coming next.”
McKenzie predicts that in 2024, threat actors will use adversarial AI to speed up enterprise attacks – creating more noise for defenders, not necessarily smarter attacks. In addition, and off the back of continued attacks in this space, he says that getting quality insights, coverage and continuous assurance in supply chain security, third-party risk, and inventory management processes will become increasingly important areas for security leaders. The “human risk factor” will also become more dangerous (i) based on actions by malicious insiders and misguided employees who fall prey to social engineering attacks or bypassing internal controls (intentionally or unintentionally) (ii) operationally, countering the “cyber talent skills gap” and help their security teams “scale” – organizations will certainly and more broadly adopt the crowdsourcing of human intelligence to continuously weed out unique or previously unidentified vulnerabilities that smaller, less diverse, budget, or talent strapped teams just can’t.
The Bugcrowd Platform connects organizations with trusted hackers to proactively defend their assets against sophisticated threat actors. In this way, organizations can unleash the collective ingenuity of the hacking community to better uncover and mitigate risks across applications, systems, and infrastructure.
Crowdsourced solutions include penetration-testing-as-a-service, managed bug bounties, and vulnerability disclosure programs (VDPs). Not surprisingly, the report found that the most successful programs on the platform offered the highest rewards to hackers, generally $10,000 or more for finding a P1 vulnerability. The highest payouts for P1 vulnerability submissions are found in the financial services and government sectors.
In the past year, enterprises also increasingly favored public crowdsourced programs over private ones, while programs with open scopes received 10X more P1 vulnerabilities than those with limited scopes. A scope is the defined set of targets listed by an organization as assets to be tested. An open scope bug bounty program imposes no limitations on what hackers can or cannot test in terms of assets that belong to the organization.
The report also examines how different hacker roles contribute to crowdsourced security, and how crowdsourced security platforms can provide powerful warning systems to uncover vulnerabilities. Several sidebars help capture the spirit of the crowdsourcing community, including sections on the changing landscape for reward ranges; the Top 5 Most Commonly Reported Vulnerability Types; and customer case studies spotlighting Rapyd and ClickHouse.
Access the Full Report
Millions of proprietary data points and vulnerabilities were analyzed for this edition of Inside the Platform. These data points were collected from across thousands of programs on the Bugcrowd Platform from January 1, 2023 to October 31, 2023.
Bugcrowd’s goal in publishing the report is to arm security leaders with key information about cyber trends which they can apply to the unique challenges facing their organizations. The report also outlines policy changes and advocacy campaigns that are being undertaken to make the Internet a safer place for ethical hacking. To download a copy of the Inside the Platform: Bugcrowd’s Vulnerability Trends Report, click here. Read our blog here.
To learn more about how the Bugcrowd Platform can equip your organization to protect itself from cyber risk, access link here.
About Bugcrowd
We are Bugcrowd. Since 2012, we’ve been empowering organizations to take back control and stay ahead of threat actors by uniting the collective ingenuity and expertise of our customers and trusted alliance of elite hackers, with our patented data and AI-powered Security Knowledge Platform™. Our network of hackers brings diverse expertise to uncover hidden weaknesses, adapting swiftly to evolving threats, even against zero-day exploits. With unmatched scalability and adaptability, our data and AI-driven CrowdMatch™ technology in our platform finds the perfect talent for your unique fight. We are creating a new era of modern crowdsourced security that outpaces threat actors. Unleash the ingenuity of the hacker community with Bugcrowd, visit www.bugcrowd.com. Read our blog.
“Bugcrowd”, “CrowdMatch” and “Security Knowledge Platform” are trademarks of Bugcrowd Inc. and its subsidiaries. All other trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.
Contact
Nathaniel Hawthorne for Bugcrowd
Lumina Communications
press@bugcrowd.com
nathaniel@luminapr.com
PR Contact
Zonic Group Japan
担当:川合
Tel: 080-4320-6029
ykawai@zonicgroup.com