Web Vulnerability Submissions Exploded in 2023

There was an alarming surge of user-submitted web vulnerability submissions in 2023-with a 30% increase compared to 2022-as open-scoped bug bounty programs evolved, according to a report from Bugcrowd.
The study found API submissions, which report vulnerabilities or potential security issues involving application programming interfaces, rose by 18%, while Android submissions increased by 21% and Apple iOS submissions grew by 17%. Bugcrowd's report, compiled from millions of proprietary data points and vulnerabilities, also highlighted the government sector's growth in crowdsourced security, showing a 151% increase in vulnerability submissions and a 58% rise in Priority 1 rewards.
These rewards are typically associated with the most severe and impactful security issues that could potentially lead to serious consequences if exploited.
Programs with open scopes, offering higher rewards, proved most successful, indicating the impact of crowdsourced solutions like penetration-testing-as-a-service, managed bug bounties and vulnerability disclosure programs.
Enterprises increasingly favored public crowdsourced programs, with financial services and government sectors leading in P1 payouts.
P1 vulnerabilities often involve critical security flaws that, if exploited by malicious actors, could result in significant data breaches, system compromises, or other severe consequences for the affected organization.
Callie Guenther, senior manager of cyber threat research at Critical Start, said from a threat intelligence perspective, the findings underscored a critical escalation in the cybersecurity threat landscape.
This involves not only bolstering detection and response capabilities through advanced AI and machine learning systems but also ensuring that these systems are ethically designed to counter AI-driven attacks.
This necessitates a shift towards a zero-trust architecture and more rigorous network segmentation to contain breaches effectively.
She added that the trend towards open-scoped bug bounty programs, while beneficial in uncovering a wider range of vulnerabilities, introduces additional risks and challenges.
John Bambenek, president at Bambenek Consulting, said any bug bounty program needs to be backed with the software engineering expertise to help resolve issues quickly.
He noted that while this is a good thing, engineering needs to be prepared to resolve the reports to minimize multiple researchers reporting the same vulnerability simply because it continues to exist for months after the initial report.
Guenther added that organizations must carefully balance the need for comprehensive security testing with the potential exposure of sensitive systems.
From her perspective, the human element in cybersecurity is becoming increasingly pivotal.
John Gallagher, vice president of Viakoo Labs at Viakoo, said with the rise of AI-driven social engineering attacks, employee training needs to show what is possible.
Employee training needs to emphasize that all parts of the company are targets for cybercriminals, and that best practices always apply to all job functions.


This Cyber News was published on securityboulevard.com. Publication date: Fri, 26 Jan 2024 14:58:04 +0000


Cyber News related to Web Vulnerability Submissions Exploded in 2023

Web Vulnerability Submissions Exploded in 2023 - There was an alarming surge of user-submitted web vulnerability submissions in 2023-with a 30% increase compared to 2022-as open-scoped bug bounty programs evolved, according to a report from Bugcrowd. The study found API submissions, which report ...
10 months ago Securityboulevard.com
Revolutionizing WordPress Bug Bounty and Security: Latest Enhancements to the Wordfence Bug Bounty Program - Our team has triaged around 2,140 vulnerability submissions, with about 1,320 deemed in-scope. Together with our researchers and software vendors, we've protected millions of websites from vulnerabilities - and this is just the beginning. We're ...
7 months ago Wordfence.com
FTC soliciting contest submissions to help tackle voice cloning technology - The Federal Trade Commission is now accepting submissions for a contest designed to spur development of products and policies to protect consumers from the malicious use of voice cloning technology, which has been fueled by the advance of ...
11 months ago Therecord.media
FTC offers $25,000 prize for detecting AI-enabled voice cloning - The U.S. Federal Trade Commission has started accepting submissions for its Voice Cloning Challenge, a public competition with a $25,000 top prize for ideas that protect consumers from the danger of AI-enabled voice cloning for fraudulent activity. ...
11 months ago Bleepingcomputer.com
CISA: Thousands of bugs remediated in second year of vulnerability disclosure program - With 11 new agency programs onboarding in 2023, the VDP Platform drew heightened researcher attention and engagement, which facilitated a marked increase in the volume of vulnerability submissions received, valid vulnerabilities identified and ...
2 months ago Therecord.media
CVE-2021-34647 - The Ninja Forms WordPress plugin is vulnerable to sensitive information disclosure via the bulk_export_submissions function found in the ~/includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated ...
2 years ago
CVE-2024-53258 - Autolab is a course management service that enables auto-graded programming assignments. From Autolab versions v.3.0.0 onward students can download all assignments from another student, as long as they are logged in, using the ...
3 weeks ago Tenable.com
Vulnerability Summary for the Week of November 27, 2023 - PrimaryVendor - Product apple - multiple products Description A memory corruption vulnerability was addressed with improved locking. Published 2023-12-01 CVSS Score not yet calculated Source & Patch Info CVE-2023-48842 PrimaryVendor - Product dell - ...
1 year ago Cisa.gov
CVE-2024-37051 - GitHub access token could be exposed to third-party sites in JetBrains IDEs after version 2023.1 and less than: IntelliJ IDEA 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; Aqua 2024.1.2; CLion 2023.1.7, 2023.2.4, 2023.3.5, 2024.1.3, 2024.2 ...
6 months ago Tenable.com
CVE-2023-23715 - Missing Authorization vulnerability in JobBoardWP JobBoardWP – Job Board Listings and Submissions allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JobBoardWP – Job Board Listings and Submissions: from n/a ...
1 week ago Tenable.com
Why CVEs Are an Incentives Problem - I've been thinking about some of these unintended consequences in the context of a growing problem faced by all of us in cybersecurity: how a fast-rising tide of software vulnerabilities tracked as common vulnerabilities and exposures - are reported ...
6 months ago Darkreading.com
CVE-2021-34648 - The Ninja Forms WordPress plugin is vulnerable to arbitrary email sending via the trigger_email_action function found in the ~/includes/Routes/Submissions.php file, in versions up to and including 3.5.7. This allows authenticated attackers to send ...
2 years ago
CVE-2013-4230 - The mm_webform submodule in the Monster Menus module 6.x-6.x before 6.x-6.61 and 7.x-1.x before 7.x-1.13 for Drupal does not properly restrict access to webform submissions, which allows remote authenticated users with the "Who can read data ...
7 years ago
CVE-2018-19287 - XSS in the Ninja Forms plugin before 3.3.18 for WordPress allows Remote Attackers to execute JavaScript via the includes/Admin/Menus/Submissions.php (aka submissions page) begin_date, end_date, or form_id parameter. ...
6 years ago
CVE-2024-2043 - The EleForms – All In One Form Integration including DB for Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check when downloading form submissions in all versions up to, and including, ...
7 months ago
CVE-2024-6628 - The EleForms – All In One Form Integration including DB for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.9.9.9. This is due to missing or incorrect nonce validation when deleting ...
1 month ago Tenable.com
Web Shells Gain Sophistication for Stealth, Persistence - Web shells, a common type of post-exploitation tool that provides easy-to-use interface through which to issue commands to a compromised server, have become increasingly popular as attackers become more cloud-aware, experts say. A Web shell known as ...
1 year ago Darkreading.com
Top 42 Cybersecurity Companies You Need to Know - As the demand for robust security defense grows, the market for cybersecurity technology has exploded, as have the number of available solutions. To help you navigate this growing market, we provide our recommendations for the world's leading ...
1 year ago Esecurityplanet.com
Heimdal Partners with Jupiter Technology to Distribute Cybersecurity Solutions in Japan - We have partnered with Jupiter Technology Corporation, who will distribute our cybersecurity products across Japan as part of a long-term sales and distribution agreement. As the first of its kind, the platform delivers end-to-end cybersecurity in ...
10 months ago Heimdalsecurity.com
FTC Warns AI Companies About Changing Policies to Leverage User Data - The Federal Trade Commission is warning AI companies against secretly changing their security and privacy policies in hopes of leveraging the data they collect from customers to feed models they use to develop their products and services. ...
10 months ago Securityboulevard.com
Social Engineering: The Art of Human Hacking - Social engineering exploits this vulnerability by manipulating human psychology and emotions to gain unauthorized access to systems and data. Rather than directly breaking cyber defenses, social engineering tactics exploit human vulnerabilities - ...
1 year ago Offsec.com
2024 cybersecurity outlook: The rise of AI voice chatbots and prompt engineering innovations - In their 2024 cybersecurity outlook, WatchGuard researchers forecast headline-stealing hacks involving LLMs, AI-based voice chatbots, modern VR/MR headsets, and more in the coming year. Companies and individuals are experimenting with LLMs to ...
1 year ago Helpnetsecurity.com
Threat Actors Team Up for Post-Holiday Phishing Email Surge - Last week, two different threat actors teamed up to send thousands of post-holiday-break phishing emails destined for North American organizations. Other than volume, the campaign was fairly standard fare. What's more interesting, perhaps, is the ...
11 months ago Darkreading.com
CVE-2007-2705 - Directory traversal vulnerability in the Test View Console in BEA WebLogic Integration 9.2 before SP1 and WebLogic Workshop 8.1 SP2 through SP6, when "deployed in an exploded format," allows remote attackers to list a WebLogic Workshop ...
7 years ago
The Dangerous Mystery of Hamas' Missing 'Suicide Drones' - Faced with the looming possibility that Hamas could leverage some of the same techniques, Israel began running drills, practicing with fighter jets to intercept UAVs. In February 2014, it announced a prototype of a new air defense system: The "Iron ...
1 year ago Wired.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)