Hacker-powered pentests gaining momentum
Hackers have reported over 66,000 valid vulnerabilities this year – over 20% more than 2020 – with hacker-powered pentests seeing a 264% increase in reported vulnerabilities, HackerOne has announced.
Pandemic-led digital transformation and cloud migration continue to create vulnerabilities as attack surfaces expand and services are outsourced.
This year’s report revealed bounty prices for high and critical vulnerabilities are rising as organizations prioritize high-impact bugs. Businesses are also remediating vulnerabilities faster than ever as vulnerability management increasingly becomes a core business priority.
“We’ve continued to see high growth in the financial services sector, for example. Measuring and quantifying risk is their business, and they’re seeing that both risk and business outcome is better if they embrace hackers. Across the board, we’re seeing customers using vulnerability report data to inform their software development lifecycles.
“Organizations are catching issues earlier, and remediating them, at greatly reduced cost by focusing on improvements to developer education, source code integrations, and development frameworks.”
The state of hacker-powered security programs
- The adoption of hacker-powered security programs is growing across all industries, with a 34% increase in total customer programs in 2021.
- The traditionally conservative industries of financial services and government continue to lead in adoption of hacker-powered security testing programs, with a 62% increase in financial services programs and an 89% increase of government programs, led this year by the UK’s Ministry of Defence and Singapore’s GovTech agency.
- Hackers reported 21% more vulnerabilities in 2021 than 2020. While traditional bug bounty saw a 10% increase in valid vulnerability reports, Vulnerability Disclosure Programs (VDPs) saw a 47% increase, and reports from hacker-powered pentests rose by 264%.
- The median price of a critical bug rose 20% from $2500 in 2020 to $3000 in 2021. The average bounty price for a critical bug rose by 13%, and by 30% for a high severity rated bug.
- In the past year, the industry-wide median time to resolution fell by 19% from 33 days to 26.7 days, with some industries such as retail and e-commerce seeing time-to-remediation dropping by more than 50%.
- The number-one most discovered bug continues to be Cross Site Scripting, but other bug categories have seen a significant increase in reports since 2020. Information Disclosure saw a 58% increase in valid reports and Business Logic Errors had a 67% increase, giving them a spot on the Top 10 for the first time.