Thursday, April 30, 2026

Hackers reported 21% more vulnerabilities in 2021 than in 2020


HackerOne reports that hackers are reporting more bugs and earning larger bounties, but is an increase in testing or an increase in software vulnerabilities the cause of the jump?

He just wants to help you find your bugs.

Image: Shutterstock/Krakenimages.com

Bug bounty hub HackerOne has announced that its user base of freelance bounty-hunting hackers has reported a whopping 66,000+ verified vulnerabilities in 2021, a 20% increase over last year's total. What, exactly, could be going on to cause such a surge this year, when last year was the actual year of uncertainty and COVID-induced chaos?

In addition to the rise in the number of verified bugs, HackerOne's report also found that the median bounty paid out for a critical bug (rated using the CVSS scale) rose by 13%, and by 30% for bugs rated "high severity," which is one step below critical.

SEE: Password breach: Why pop culture and passwords don't mix (free PDF) (TechRepublic)

Corresponding with increased bug detection and bigger payouts, the number of what HackerOne calls "hacker-powered security programs" grew by 34% in 2021, with the largest growth being in the aviation/aerospace, medical technology and government industries. HackerOne also pointed out that use of hacker-based security in the financial services industry continues to grow by 62% (the fourth largest), which it said is expected because "outside of core tech industries, [financial services] tends to lead the way with forward-thinking and agile security solutions."

What kind of bugs are being found?

Knowing the kinds of bugs that are being found is an important part of building a security program ready to respond to the kinds of problems that are trending in the security world.

According to HackerOne's research, cross-site scripting vulnerabilities remain the most discovered from 2020 to 2021, with a 7% year-over-year increase. Information disclosure increased 58% YoY, triggering its rise from third to second place. It displaced improper access control, which slid to third.

The most dangerous threat this year, however, has been business logic errors, which rose by 67% YoY to enter the top 10 for the first time in the five years HackerOne has published its report.

Business logic errors are ways attackers misuse legitimate functionality on a website to the detriment of the site's owner. Examples of this include things like cancelling an order fast enough to not be charged, but still gaining the loyalty points associated with the purchase; or injecting lower prices on items in an ecommerce cart by abusing the way the site handles its pricing logic. These errors aren't so much a way to break systems as a way to abuse legitimate, but poor, website design.
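The two abuse patterns described above, as an added example that is not from the article or from HackerOne: a constructed checkout in Python showing the weak pricing and loyalty logic beside a hardened version that prices the cart server-side and grants points only after payment settles. The catalogue, the Order class and all function names are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List

# Constructed catalogue of server-side prices in cents (assumed values).
CATALOGUE = {"hoodie": 5000, "sticker": 300}


@dataclass
class Order:
    total: int                 # cents owed
    status: str = "created"    # created -> settled | cancelled
    points: int = 0            # loyalty points granted so far


def price_cart_trusting_client(items: List[dict]) -> int:
    """Weak pricing logic: the unit_price sent by the client is used as-is,
    so a cart line with an altered unit_price lowers the total."""
    return sum(i["unit_price"] * i["qty"] for i in items)


def price_cart_server_side(items: List[dict]) -> int:
    """Hardened: only sku and qty come from the request; price is looked up."""
    total = 0
    for i in items:
        qty = i.get("qty")
        if i.get("sku") not in CATALOGUE or type(qty) is not int or qty <= 0:
            raise ValueError(f"rejected cart line: {i}")
        total += CATALOGUE[i["sku"]] * qty
    return total


def points_for(order: Order) -> int:
    """One loyalty point per whole currency unit of the order total."""
    return order.total // 100


def grant_points(order: Order, award_on_create: bool) -> None:
    """Weak flow: points granted as soon as the order exists.
    Hardened flow: points granted only once payment has settled."""
    if award_on_create or order.status == "settled":
        order.points = points_for(order)


def run_order_flow(award_on_create: bool, cancel_before_capture: bool) -> int:
    """Create an order, then cancel or settle it; return the points kept."""
    order = Order(total=price_cart_server_side([{"sku": "hoodie", "qty": 2}]))
    grant_points(order, award_on_create)        # checkout handler
    order.status = "cancelled" if cancel_before_capture else "settled"
    grant_points(order, award_on_create)        # payment / cancel handler
    return order.points
```

With the weak flow a cancelled, never-charged order still leaves 100 points on the account; the hardened flow leaves none, and only a settled order is rewarded.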

Are there more bugs, or just more reports?

The central question of this report, whether or not the number of bugs in software is actually increasing, or if existing bugs are being found more often due to the increased popularity of bug bounty programs, can't be definitively answered without more insight. I've reached out to HackerOne for its opinion, but have yet to hear back; this article will be updated if I do.

Without that insight it's still possible to draw conclusions, though, especially when considering HackerOne's numbers on how bugs are being found. Bug bounty programs, for example, only rose by 10% this year, reporting 42,805 bugs to 2020's 38,863. Of the two kinds of bug bounty programs, private bounties (available only to invited hackers) grew by 16%, while public bounties only rose by 2%.

The other two methods of finding bugs, vulnerability disclosure programs (VDPs) and penetration tests, were where the real growth was. Reports from VDPs rose by 47%, and bug reports from pentests rose by a tremendous 264%.

HackerOne said that it's seeing a huge rise in the popularity of pentests, which it said is due to "enhanced customer focus on compliance with security regulations and standards." In terms of sheer numbers, however, pentests are only finding a sliver of the bugs that private bug bounties do: Pentests uncovered 1,804 bugs in 2021 to private bounties' 25,278.

SEE: Google Chrome: Security and UI tips you need to know (TechRepublic Premium)

Regardless of the form reports come in, HackerOne said that hacker-powered solutions are proving their worth. "The data and vulnerability insights organizations gain from their bug bounty, VDPs and pentests are enabling them to better identify where problems are originating and where resources and training need to be directed," the report concludes.

Whether or not that should comfort you is up in the air: It seems more bugs are being found not because the number of bugs is increasing, but because the number of white-hat hackers using their powers for good (and profit) is growing. What that really means is that your systems are probably just as riddled with bugs as everyone else's. The only problem is that you haven't found yours yet.
