Crowdsourced security is not just for tech companies anymore

There is a misconception that only software and technology companies leverage crowdsourced security. However, data contradicts this belief. Companies across various sectors are increasingly adopting crowdsourced security, as reported by Bugcrowd.

The government industry sector saw the fastest growth for crowdsourced security in 2023 compared to 2022, with a 151% increase in vulnerability submissions and a 58% increase in Priority 1 (or P1) rewards for finding critical vulnerabilities. Other industries recording big increases in submissions included retail (+34%), corporate services (+20%), and computer software (+12%).

Adversarial AI to amplify enterprise attacks

Over the past year, the hacker community recorded a 30% increase in Web submissions created on the Bugcrowd platform compared to 2022, an 18% increase in API submissions, a 21% increase in Android submissions, and a 17% increase in iOS submissions.

“This report offers critical context, insights, and opportunities for security leaders looking for new information to bolster their risk profiles,” said Nick McKenzie, CISO of Bugcrowd. “Looking ahead, we can use insights from this report in conjunction with other key learnings to predict what is coming next.”

McKenzie predicts that in 2024, threat actors will use adversarial AI to speed up enterprise attacks – creating more noise for defenders, not necessarily smarter attacks. In addition, and off the back of continued attacks in this space, he says that getting quality insights, coverage and continuous assurance in supply chain security, third-party risk, and inventory management processes will become increasingly important areas for security leaders.

The “human risk factor” will also become more dangerous based on actions by malicious insiders and misguided employees who fall prey to social engineering attacks or bypassing internal controls (intentionally or unintentionally) operationally, countering the “cyber talent skills gap” and help their security teams “scale” – organizations will certainly and more broadly adopt the crowdsourcing of human intelligence to continuously weed out unique or previously unidentified vulnerabilities that smaller, less diverse, budget, or talent strapped teams just can’t.

Crowdsourced security industry matures

There is a deep societal misunderstanding of the hacking community, reflected in outdated laws that hinder their creativity at best and hold them criminally liable for ethical disclosures at worst. Although progress has been made, there is still a lot of work to be done.

Crowdsourced solutions include penetration-testing-as-a-service, managed bug bounties, and vulnerability disclosure programs (VDPs). Not surprisingly, the report found that the most successful programs on the platform offered the highest rewards to hackers, generally $10,000 or more for finding a P1 vulnerability. The financial services and government sectors have the highest payouts for P1 vulnerability submissions.

In the past year, enterprises also increasingly favored public crowdsourced programs over private ones, while programs with open scopes received 10X more P1 vulnerabilities than those with limited scopes. A scope is the defined set of targets an organization lists as assets to be tested. An open scope bug bounty program imposes no limitations on what hackers can or cannot test in terms of assets that belong to the organization.

The crowdsourced security industry has matured over the course of the last decade, and even though many still view it as a new part of the security technology stack, there is no denying that the industry is evolving.