High-risk vulnerabilities discovery increased 65% in 2020

2020 has been a record year for crowdsourced cybersecurity adoption, with enterprises across all industries implementing crowdsourced cybersecurity programs to keep up with the evolving threat landscape.

High-risk vulnerabilities discovery

Bugcrowd saw a 50% increase in submissions on its platform in the last 12 months, including a 65% increase in Priority One (P1) submissions, which refer to the most critical security vulnerabilities.

The report gives a comprehensive view of how COVID-19 redefined cybersecurity practices across industries. The World Health Organization reported that attacks directed at its staff and email scams targeting the public at large increased by 500% soon after the pandemic began, driven by a sevenfold increase in ransomware and new attack vectors that opened up in a remote-first world of work.

The software industry saw a critical need for crowdsourced security

The software industry in particular saw a critical need for crowdsourced security due to the new security challenges created by the pandemic. Vulnerability submissions were up 24% in the first ten months, compared to all of 2019.

Across the board, computer software companies paid out almost five times as much as any other industry for submissions. Most notably, P1 submissions in the software industry nearly tripled in 2020.

“Our Priority One report findings clearly show that leading organizations across all sectors are embracing crowdsourced security as a core element of their security strategy,” said Ashish Gupta, CEO, Bugcrowd.

“Comparing data from the last two years, we see that crowdsourced cybersecurity is growing rapidly as a result of rapid digital transformation and increased threats caused by the COVID-19 pandemic. Vulnerability submissions are up, with higher numbers of critical vulnerabilities, and total payouts are growing steadily by about 15-20% per quarter.”

API and Android vulnerabilities on the rise

The report found that eight of the top 10 bugs submitted in 2020 were also featured on the 2019 list. This illustrates that managing known risks remains a challenge for most enterprises.

In the last year, submissions to all industries increased. Most notably, API and IoT vulnerabilities doubled, while those found in Android targets more than tripled. The heavy focus on remote work and subsequent growth in IoT device adoption in 2020 made IoT devices more attractive targets for cybercriminals.

Human error is the driving force behind the most submitted vulnerability

The most submitted vulnerabilities in 2020 stem from broken access controls, while the second-highest number of vulnerabilities were related to cross-site scripting (XSS).

The broken access control vulnerability is driven by human error and can often be prevented through the correct use of code frameworks that have XSS prevention built-in. The findings underscore the fact that human error is a major source of security risk.

Financial services sector investing more for critical vulnerabilities

Companies in the financial sector doubled their payouts for P1 vulnerabilities from Q1 of 2020 to Q2. Bank branch closures and other business process changes caused by the pandemic forced the financial service industry to accelerate digital transformation at a faster rate than most verticals.

This led to an expanded attack surface, which the industry responded to by engaging the crowd with strong incentives to identify new risks. This resulted in the financial services sector returning more submissions from January to October of 2020 than in all of 2019.

Speed is a competitive advantage for customers

In almost all industries, ethical security researchers will discover vulnerabilities in a week or less when participating in a Bugcrowd Vulnerability Disclosure, Attack Surface, Bug Bounty or Pen Test program.

In sectors like consumer services and media, researchers often find vulnerabilities in less than a day. While it typically takes a few days for researchers to find vulnerabilities in the government and automotive sectors, the vulnerabilities are typically much higher risk.

“The speed of discovery across the board demonstrates the tremendous value crowdsourced security can add to security teams and companies looking to fast-track digital transformation efforts and bring new infrastructure online,” added Gupta.

“This speed is replicated by adversaries too, which places even more of a premium on having a crowdsourced security platform that allows a company to tap into the expertise and agility of the Crowd to keep their organizations safe.”