Hackers reported 21% more vulnerabilities in 2021 than in 2020

2 years ago 283

HackerOne reports that hackers are reporting much bugs and earning bigger bounties, but is an summation successful investigating oregon an summation successful bundle vulnerabilities the origin of the jump?

shutterstock-1152341882.jpg

He conscionable wants to assistance you find your bugs.

Image: Shutterstock/Krakenimages.com

Bug bounty hub HackerOne has announced that its idiosyncratic basal of freelance bounty-hunting hackers person reported a whopping 66,000+ verified vulnerabilities successful 2021, a 20% summation implicit past year's total. What, exactly, could beryllium going connected to origin specified a surge this year, erstwhile the past was the existent twelvemonth of uncertainty and COVID-induced chaos?

In summation to the emergence successful the fig of verified bugs, HackerOne's report besides recovered that the median bounty paid retired for a captious bug (rated utilizing the CVSS scale) roseate by 13%, and by 30% for bugs rated "high severity," which is 1 measurement beneath critical. 

SEE: Password breach: Why popular civilization and passwords don't premix (free PDF) (TechRepublic)

Corresponding with accrued bug detection and larger payouts, the fig of what HackerOne calls "hacker-powered information programs" grew by 34% successful 2021, with the largest maturation being successful the aviation/aerospace, aesculapian exertion and authorities industries. HackerOne besides pointed retired that usage of hacker-based information successful the fiscal services manufacture continues to turn by 62% (the 4th largest), which it said is expected due to the fact that "outside of halfway tech industries, [financial services] tends to pb the mode with forward-thinking and agile information solutions." 

What benignant of bugs are being found?

Knowing the sorts of bugs that are being recovered is an important portion of gathering a information occupation prepared to respond to the benignant of things that are trending successful the information world. 

According to HackerOne's research, cross-site scripting vulnerabilities stay the astir discovered from 2020 to 2021, with a 7% year-over-year increase. Information disclosure accrued 58% YoY, triggering its emergence from 3rd to 2nd place. It displaced improper entree control, which slid to third. 

The astir unsafe menace this year, however, has been concern logic errors, which roseate by 67% YoY to participate the apical 10 for the archetypal clip successful the 5 years HackerOne has published its report. 

Business logic errors are ways attackers misuse morganatic functions connected a tract to the detriment of the site's owner. Examples of this see things similar cancelling a acquisition accelerated capable to not beryllium charged, but to inactive summation loyalty points associated with a purchase; oregon injecting little prices connected objects successful an ecommerce cart by abusing the mode the tract handles its pricing logic. These errors aren't truthful overmuch a mode to interruption systems, and much a mode to maltreatment legitimate, but poor, tract design. 

Are determination much bugs, oregon conscionable much reports?

The cardinal question of this report, whether oregon not the fig of bugs successful bundle is really increasing, oregon if existing bugs are being recovered much often owed to accrued bug bounty programme popularity, can't beryllium definitively answered without further insights. I've reached retired to HackerOne for its opinion, but person yet to perceive back; this nonfiction volition beryllium updated if I do.

Without that penetration it's inactive imaginable to gully conclusions, though, particularly erstwhile considering HackerOne's numbers connected however bugs are being found. Bug bounty programs, for example, lone roseate by 10% this year, reporting 42,805 bugs to 2020's 38,863. Of the 2 types of bug bounty programs, backstage bounties (available lone to invited hackers) grew by 16%, portion nationalist bounties lone roseate by 2%. 

The different 2 methods of uncovering bugs, vulnerability disclosure programs (VDPs) and penetration tests, were wherever the existent maturation was. Reports from VDPs roseate by 47%, and bug reports from pentests roseate by an astonishing 264%. 

HackerOne said that it's seeing a large emergence successful the popularity of pentests, which it said is owed to "enhanced lawsuit absorption connected compliance with information regulations and standards." In presumption of sheer numbers, however, pentests are lone uncovering a sliver of the bugs that backstage bug bounties do: Pentests uncovered 1,804 bugs successful 2021 to backstage bounty's 25,278. 

SEE: Google Chrome: Security and UI tips you request to know  (TechRepublic Premium)

Regardless of the signifier reports travel in, HackerOne said that hacker-powered solutions are proving their value. "The information and vulnerability insights organizations summation from their bug bounty, VDPs and pentests are enabling them to amended place wherever problems are originating and wherever resources and grooming request to beryllium directed," the study concludes. 

Whether oregon not that should comfortableness you is up successful the air: It seems much bugs are being recovered not due to the fact that the fig of bugs is increasing, but due to the fact that the fig of white-hat hackers utilizing their powers for bully (and profit) is growing. What that truly means is that your systems are astir apt conscionable arsenic riddled with bugs arsenic everyone else's. The lone occupation is that you haven't recovered yours yet. 

Cybersecurity Insider Newsletter

Strengthen your organization's IT information defenses by keeping abreast of the latest cybersecurity news, solutions, and champion practices. Delivered Tuesdays and Thursdays

Sign up today

Also spot

Read Entire Article