The government sector has witnessed the most significant growth in crowdsourced security in 2023, marking a 151% increase in vulnerability submissions and a substantial 58% rise in Priority 1 (P1) rewards for critical vulnerabilities.
Noteworthy increases in vulnerability submissions were also observed in retail (+34%), corporate services (+20%) and computer software (+12%) sectors.
The new data comes from Bugcrowd’s latest report, which also recorded a 30% surge in web submissions, an 18% increase in API submissions, a 21% uptick in Android submissions and a 17% rise in iOS submissions within the Bugcrowd platform in the past year.
Furthermore, the report indicates that bug bounty programs with an open scope experienced a tenfold increase in P1 vulnerability submissions compared to those with restricted scopes.
“[This trend], while beneficial in uncovering a wider range of vulnerabilities, introduces additional risks and challenges,” commented Callie Guenther, senior manager of cyber threat research at Critical Start. “Organizations must carefully balance the need for comprehensive security testing with the potential exposure of sensitive systems.”
Notably, the financial services sector and government segment emerged as the top contributors to median payouts for P1 vulnerabilities, with figures reaching $10,000 and $5,000, respectively.
“P1 vulnerabilities are the most lucrative. Therefore, you want those found and reported because the nation’s adversaries certainly won’t be reporting them,” explained John Bambenek, president at Bambenek Consulting.
“In so far as agencies can show their increased security posture because of these programs, they should use themselves as case studies to expand the use of crowdsourced vulnerability hunting throughout the government.”
Bugcrowd’s Vulnerability Rating Taxonomy (VRT) has also been updated to include a new category related to AI. This addition reflects the significant influence of AI on the threat landscape and how hackers, clients and the Bugcrowd triage team perceive specific vulnerability classes and their respective impacts.
“Employee training needs to show what is possible: that voice recordings or videos can be fake, that public sources of personal information can be combined to create an illusion and that all communications should be questioned,” warned John Gallagher, VP of Viakoo Labs at Viakoo.
“In addition, employee training needs to emphasize that all parts of the company (not just IT) are targets for cybercriminals and that best practices apply to all job functions at all times.”