There is a misconception that only software and technology companies are leveraging crowdsourced security. However, data contradict this idea. Bugcrowd reports that companies across a wide range of sectors are increasingly adopting crowdsourced security.
In the government sector, crowdsourced security grew fastest in 2023 compared to 2022, with a 151% increase in vulnerability submissions and a 58% increase in Priority 1 (P1) rewards for discovering critical vulnerabilities. Other industries that recorded significant increases in submissions included retail (+34%), corporate services (+20%), and computer software (+12%).
Adversarial AI amplifies corporate attacks
Over the past year, the hacker community made 30% more web submissions, 18% more API submissions, 21% more Android submissions, and 17% more iOS submissions on the Bugcrowd platform compared to 2022.
“This report provides important context, insight, and opportunity for security leaders looking for new information to strengthen their risk profile,” said Nick McKenzie, CISO at Bugcrowd. “Looking to the future, the insights from this report can be used in conjunction with other key findings to predict what will happen next.”
McKenzie predicts that by 2024, threat actors will be using adversarial AI to speed up corporate attacks, creating more noise for defenders rather than necessarily smarter attacks. Additionally, with attacks in this space continuing, he says that gaining quality insight, coverage, and ongoing assurance in supply chain security, third-party risk, and inventory management processes will become an increasingly important area for security leaders.
“Human risk factors” will also pose heightened risk through the actions of malicious insiders or misguided employees, who may fall prey to social engineering attacks or bypass internal controls (intentionally or unintentionally). To combat the “cyber talent skills gap” and help security teams “scale,” organizations will be able to securely and more broadly crowdsource human intelligence to address unique vulnerabilities and unidentified areas that smaller, less diverse, budget- and talent-constrained teams cannot cover, so that vulnerabilities are continuously eliminated.
Crowdsourcing security industry matures
Societal misconceptions about the hacking community run deep, reflected in outdated laws that at best stifle creativity and at worst result in criminal liability for ethical disclosure. Progress has been made, but there is still much work to be done.
Crowdsourcing solutions include penetration testing as a service, managed bug bounties, and vulnerability disclosure programs (VDPs). Not surprisingly, the report found that the most successful programs on the platform offered hackers the highest rewards, typically $10,000 or more for discovering a P1 vulnerability. Financial services and government sectors pay the most for P1 vulnerability submissions.
Additionally, over the past year, companies have increasingly preferred public crowdsourcing programs over private ones, while programs with open scope receive 10 times more P1 vulnerabilities than programs with limited scope. A scope is a defined set of targets that an organization lists as assets to test. An open-scope bug bounty program places no restrictions on which of an organization's assets hackers can and cannot test.
The crowdsourcing security industry has matured over the past decade, and while it is still seen by many as a newer part of the security technology stack, there is no denying that the industry is evolving.