Open Scope crowdsourced security programs find 10x more critical vulnerabilities

Open Scope crowdsourced security programs find 10x more critical vulnerabilities

Inside the Platform: Bugcrowd’s Vulnerability Trends report details security threats and solutions.

Bugcrowd, a multi-solution crowdsourced cybersecurity platform, has released its annual Inside the Platform: Bugcrowd’s Vulnerability Trends Report.  

The report highlights the types of vulnerability submissions that are on the rise today, according to global hackers. It also documents the steady adoption of public crowdsourced programs based on growing awareness and acceptance of crowdsourced security strategies. 

The government industry sector saw the fastest growth for crowdsourced security in 2023 compared to 2022, with a 151% increase in vulnerability submissions and a 58% increase in Priority 1 (or P1) rewards for finding critical vulnerabilities. Other industries recording big increases in submissions included retail (+34%), corporate services (+20%) and computer software (+12%). 

Over the past year, the hacker community recorded a 30% increase in web submissions created on the Bugcrowd platform compared to 2022, an 18% increase in API submissions, a 21% increase in Android submissions and a 17% increase in iOS submissions. 

“This report offers critical context, insights, and opportunities for security leaders looking for new information to bolster their risk profiles,” said Nick McKenzie, Chief Information and Security Officer of Bugcrowd. “Looking ahead, we can use insights from this report in conjunction with other key learnings to predict what is coming next.” 

McKenzie predicts that in 2024, threat actors will use adversarial AI to speed up enterprise attacks – creating more noise for defenders, not necessarily smarter attacks. In addition, and off the back of continued attacks in this space, he says that getting quality insights, coverage and continuous assurance in supply chain security, third-party risk and inventory management processes will become increasingly important areas for security leaders.  

The ‘human risk factor’ will also become more dangerous (i) based on actions by malicious insiders and misguided employees who fall prey to social engineering attacks or bypassing internal controls (intentionally or unintentionally) (ii) operationally, countering the ‘cyber talent skills gap’ and help their security teams ‘scale’ – organisations will certainly and more broadly adopt the crowdsourcing of human intelligence to continuously weed out unique or previously unidentified vulnerabilities that smaller, less diverse, budget or talent strapped teams just can’t.  

The Bugcrowd Platform connects organisations with trusted hackers to proactively defend their assets against sophisticated threat actors. In this way, organisations can unleash the collective ingenuity of the hacking community to better uncover and mitigate risks across applications, systems and infrastructure. 

Crowdsourced solutions include penetration-testing-as-a-service, managed bug bounties and vulnerability disclosure programs (VDPs). Not surprisingly, the report found that the most successful programs on the platform offered the highest rewards to hackers, generally US$10,000 or more for finding a P1 vulnerability. The highest payouts for P1 vulnerability submissions are found in the financial services and government sectors.  

In the past year, enterprises also increasingly favoured public crowdsourced programs over private ones, while programs with open scopes received 10X more P1 vulnerabilities than those with limited scopes. A scope is the defined set of targets listed by an organisation as assets to be tested. An open scope bug bounty program imposes no limitations on what hackers can or cannot test in terms of assets that belong to the organisation. 

The report also examines how different hacker roles contribute to crowdsourced security, and how crowdsourced security platforms can provide powerful warning systems to uncover vulnerabilities. Several sidebars help capture the spirit of the crowdsourcing community, including sections on the changing landscape for reward ranges; the Top 5 Most Commonly Reported Vulnerability Types; and customer case studies spotlighting Rapyd and ClickHouse. 

Access the full report 

Millions of proprietary data points and vulnerabilities were analysed for this edition of Inside the Platform. These data points were collected from across thousands of programs on the Bugcrowd Platform from January 1 2023 to October 31 2023. 

Bugcrowd’s goal in publishing the report is to arm security leaders with key information about cybertrends which they can apply to the unique challenges facing their organisations. The report also outlines policy changes and advocacy campaigns that are being undertaken to make the internet a safer place for ethical hacking.  

To download a copy of the Inside the Platform: Bugcrowd’s Vulnerability Trends Report, click here

To learn more about how the Bugcrowd Platform can equip your organization to protect itself from cyber risk, access link here

Click below to share this article

Browse our latest issue

Intelligent CISO

View Magazine Archive