Over the past 12 months, the number of vulnerability reports submitted through the Bugcrowd platform has increased by one and a half times. The number of findings rated critical over the same period increased by 65%. Operators of crowdsourcing services believe this trend reflects a revised attitude towards cybersecurity, driven by the increased frequency of attacks across various sectors of the economy.
The sharp increase in attacker activity this year is due to the expansion of the attack surface: because of COVID-19, organizations began moving employees to remote work en masse and accelerated the migration of business operations to the cloud. According to WHO estimates, since the beginning of the pandemic the frequency of attacks on its personnel and the number of fraudulent mailings have increased sixfold, while ransomware attacks and the use of new attack vectors have become seven times more frequent.
Under these conditions, businesses are forced to actively encourage bug hunters who can help identify new risks. According to Bugcrowd, the total amount paid out for vulnerabilities found over the past year increased on average by 15-20% quarter on quarter. IT companies are willing to pay the most: their rewards are almost five times higher than in other verticals. The most expensive find cost the customer more than 200 thousand dollars.
The number of bug reports in the IT sector between January and October increased by 24% compared to 2019, and extremely dangerous findings began to occur almost three times more often. The search for gaps in banking services also expanded significantly: in the second quarter, financial institutions doubled the amount of remuneration.
The number of vulnerabilities in APIs and IoT devices filed under Bugcrowd programs has doubled overall, and for Android devices it has more than tripled. The errors bug hunters found most often were flaws in access control implementation and XSS.
It is noteworthy that eight of the ten top bugs found in the past year were also listed in the previous year's report. Apparently, most organizations are not yet coping well with known risks.
When programs open on Bugcrowd, the first findings are usually reported within a week, or even sooner. In areas such as consumer services and the media, researchers often find vulnerabilities in less than a day. In the public sector and the automotive industry, the time to first finding is a couple of days, but the vulnerabilities there, as a rule, carry greater risk.