There was an alarming surge of user-submitted web vulnerability submissions in 2023, with a 30% increase compared to 2022, as open-scoped bug bounty programs evolved, according to a report from Bugcrowd.
The study found API submissions, which report vulnerabilities or potential security issues involving application programming interfaces, rose by 18%, while Android submissions increased by 21% and Apple iOS submissions grew by 17%. Bugcrowd's report, compiled from millions of proprietary data points and vulnerabilities, also highlighted the government sector's growth in crowdsourced security, showing a 151% increase in vulnerability submissions and a 58% rise in Priority 1 rewards.
These rewards are typically associated with the most severe and impactful security issues that could potentially lead to serious consequences if exploited.
Programs with open scopes, offering higher rewards, proved most successful, indicating the impact of crowdsourced solutions like penetration-testing-as-a-service, managed bug bounties and vulnerability disclosure programs.
Enterprises increasingly favored public crowdsourced programs, with financial services and government sectors leading in P1 payouts.
P1 vulnerabilities often involve critical security flaws that, if exploited by malicious actors, could result in significant data breaches, system compromises, or other severe consequences for the affected organization.
Callie Guenther, senior manager of cyber threat research at Critical Start, said that, from a threat intelligence perspective, the findings underscored a critical escalation in the cybersecurity threat landscape.
This involves not only bolstering detection and response capabilities through advanced AI and machine learning systems but also ensuring that these systems are ethically designed to counter AI-driven attacks.
This necessitates a shift towards a zero-trust architecture and more rigorous network segmentation to contain breaches effectively.
She added that the trend towards open-scoped bug bounty programs, while beneficial in uncovering a wider range of vulnerabilities, introduces additional risks and challenges.
John Bambenek, president at Bambenek Consulting, said any bug bounty program needs to be backed with the software engineering expertise to help resolve issues quickly.
He noted that while this is a good thing, engineering needs to be prepared to resolve the reports to minimize multiple researchers reporting the same vulnerability simply because it continues to exist for months after the initial report.
Guenther added that organizations must carefully balance the need for comprehensive security testing with the potential exposure of sensitive systems.
From her perspective, the human element in cybersecurity is becoming increasingly pivotal.
John Gallagher, vice president of Viakoo Labs at Viakoo, said with the rise of AI-driven social engineering attacks, employee training needs to show what is possible.
Employee training needs to emphasize that all parts of the company are targets for cybercriminals, and that best practices always apply to all job functions.
This Cyber News was published on securityboulevard.com. Publication date: Fri, 26 Jan 2024 14:58:04 +0000