Success in Crowdsourced Security Relies on Expert Management

According to the CVE list, 2017 saw 14,713 published vulnerabilities, an increase of more than 128% over the previous year. For 2018, the CVE list has already recorded more than 5,000 published vulnerabilities, so the upward trajectory should continue.

This past year was a year for the books. The Equifax breach, the third Yahoo! breach, the Uber breach — today nearly every American has been impacted by the loss of personally identifiable information (PII). And the threat continues to rise. Companies, healthcare systems, governmental and educational entities have started to realize how real the threat is, but resources are scarce and dwindling. The number of vulnerabilities out in the wild is outpacing the ability to find and fix them. Crowdcontrol takes in hundreds of vulnerability submissions a day. Over the past year, we saw a 21% increase in total vulnerabilities from last year. 20% of all valid vulnerabilities were classified as critical (P1 or P2). Of these, 7% were P1, the most critical — a 10% increase over the previous year.

The process of managing vulnerability reports can be painfully time-consuming. Organizations rarely have the time or resources to triage and validate incoming vulnerability findings from outside researchers. Each and every vulnerability submitted through the Crowdcontrol platform is evaluated by our team of experts and moved through successive stages of triage and evaluation. Bugcrowd's security operations team prioritizes findings for customers based on their business needs and the scope of the program. Bugcrowd sets the standard for program management.

  • Our managed validation team has a response time of less than 24 hours for critical issues, and only slightly longer for everything else that comes into the platform.
  • Our acceptance rate from post-triage to submission resolution is ~92%.
  • Our signal-to-noise ratio is an industry-leading 95% for customers across all of our managed programs.
  • Our payouts are industry-leading, with more than 80% of all valid vulnerabilities rewarded within 1 minute of acceptance.
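The triage pipeline and the metrics above (scope check, duplicate detection, priority rating, the 24-hour response target for critical issues, and a signal-to-noise figure) can be modelled in a few dozen lines. The following is an added illustration written for this page, not Crowdcontrol's own code: the `fingerprint` field used for duplicate detection, the submission states, the researcher-supplied `claimed_priority`, and the definition of signal-to-noise as valid submissions divided by all triaged submissions are all assumptions, and the sample submissions are constructed.

```python
"""Toy triage-queue model for a crowdsourced vulnerability program (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set

# Priority rating scale as used in the post: P1 is the most critical, P5 the least.
PRIORITY_RANK = {"P1": 1, "P2": 2, "P3": 3, "P4": 4, "P5": 5}
CRITICAL = {"P1", "P2"}
CRITICAL_SLA = timedelta(hours=24)  # response target for critical issues quoted in the post


@dataclass
class Submission:
    sub_id: str
    target: str                # asset the researcher tested against
    fingerprint: str           # hypothetical dedup key: asset + vuln class + location
    claimed_priority: str      # researcher's self-rating, only used to order the queue
    submitted: datetime
    priority: Optional[str] = None   # assigned by the triage team
    state: str = "new"               # new | out_of_scope | duplicate | rejected | valid
    first_response: Optional[datetime] = None


def queue_order(subs: List[Submission]) -> List[Submission]:
    """Untriaged submissions, most critical claimed rating first, oldest first within a rating."""
    pending = [s for s in subs if s.state == "new"]
    return sorted(pending, key=lambda s: (PRIORITY_RANK[s.claimed_priority], s.submitted))


def triage(sub: Submission, scope: List[str], seen: Set[str],
           rating: Optional[str], responded_at: datetime) -> str:
    """Run one submission through scope check, dedup and rating; returns the new state."""
    sub.first_response = responded_at
    if sub.target not in scope:
        sub.state = "out_of_scope"
    elif sub.fingerprint in seen:
        sub.state = "duplicate"
    elif rating is None:            # could not reproduce / not a security issue
        sub.state = "rejected"
    else:
        sub.state = "valid"
        sub.priority = rating
        seen.add(sub.fingerprint)
    return sub.state


def signal_to_noise(subs: List[Submission]) -> float:
    """Share of triaged submissions that turned out to be valid (assumed definition)."""
    triaged = [s for s in subs if s.state != "new"]
    if not triaged:
        return 0.0
    return sum(1 for s in triaged if s.state == "valid") / len(triaged)


def sla_breaches(subs: List[Submission], now: datetime) -> List[str]:
    """IDs of critical submissions whose first response took, or has so far taken, over 24h."""
    breached = []
    for s in subs:
        rating = s.priority or s.claimed_priority  # fall back to self-rating before triage
        if rating not in CRITICAL:
            continue
        responded = s.first_response or now
        if responded - s.submitted > CRITICAL_SLA:
            breached.append(s.sub_id)
    return breached


def critical_share(subs: List[Submission]) -> float:
    """Fraction of valid findings rated P1 or P2 (the post's 'critical')."""
    valid = [s for s in subs if s.state == "valid"]
    if not valid:
        return 0.0
    return sum(1 for s in valid if s.priority in CRITICAL) / len(valid)


# Constructed sample data: five submissions against a two-asset scope.
T0 = datetime(2018, 5, 1, 9, 0)
SCOPE = ["app.example.com", "api.example.com"]


def run_sample():
    subs = [
        Submission("S1", "app.example.com", "fp-idor-orders", "P2", T0),
        Submission("S2", "api.example.com", "fp-sqli-search", "P1", T0 + timedelta(hours=1)),
        Submission("S3", "app.example.com", "fp-idor-orders", "P2", T0 + timedelta(hours=2)),
        Submission("S4", "legacy.example.com", "fp-xss-legacy", "P3", T0 + timedelta(hours=3)),
        Submission("S5", "app.example.com", "fp-clickjack", "P5", T0 + timedelta(hours=4)),
    ]
    order = [s.sub_id for s in queue_order(subs)]
    by_id = {s.sub_id: s for s in subs}
    seen: Set[str] = set()
    triage(by_id["S2"], SCOPE, seen, "P1", T0 + timedelta(hours=3))   # valid, within SLA
    triage(by_id["S1"], SCOPE, seen, "P2", T0 + timedelta(hours=30))  # valid, but 30h response
    triage(by_id["S3"], SCOPE, seen, "P2", T0 + timedelta(hours=31))  # duplicate of S1, 29h
    triage(by_id["S4"], SCOPE, seen, "P3", T0 + timedelta(hours=5))   # out of scope
    # S5 is left untriaged on purpose.
    now = T0 + timedelta(hours=40)
    return (order, signal_to_noise(subs), sla_breaches(subs, now),
            critical_share(subs), [s.state for s in subs])


if __name__ == "__main__":
    print(run_sample())
```

The queue is ordered by the researcher's claimed rating before triage, so a self-rated P1 is looked at first; the SLA check deliberately counts untriaged and duplicate reports too, since a duplicate of a critical issue still deserves a timely answer.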

There has been a steady increase in new and uncategorized vulnerabilities discovered over the past few years, as well as the amount paid out for them. We saw a 21% increase in total vulnerabilities from last year. 75% of all P1 vulnerability payouts were above $1,200, up from $926 last year. Organizations continue to add complex targets to their scope, at the same time adding more value to securing their assets via their bounty offering. The more complex a target and the more critical a vulnerability, the higher the price tag.

Crowdsourced security breaks the mold of checklist-driven testing: the goal is to find high-risk vulnerabilities, not to complete a simplistic set of tests that does not reflect the way advanced attacks actually work. Services such as bug bounty and vulnerability disclosure programs leverage human intelligence at scale to deliver rapid discovery of high-risk vulnerabilities across attack surfaces. With crowdsourced security, each vulnerability submission is verified and risk-rated, and can include advice that aids remediation and developer security best-practices training. Organizations can get the coverage necessary in today's modern software development lifecycle.

For more on the crowdsourced security landscape, trends and findings, check out our 2018 State of Bug Bounty.

Learn about 4 Reasons to Swap Your Traditional Pen Test with a Next Gen Pen Test on November 27 at 10AM PST. Register here.