Not All Hacks Are Created Equal

Hacks, breaches and security intrusions make the headlines daily, but not all of them are created equal. According to new analysis from HackerOne, the kind of intrusion differs by industry and by breach type.

The Hacker-Powered Security Report 2018 compiled comprehensive analysis on the hacker-powered security environment, including a deep dive into different types of hacks across a wide variety of industries. The report also looked at the prevalence of each attack and found that cross-site scripting (XSS) vulnerabilities were the most common across every industry.

The report data was derived from the hacker community and from HackerOne’s platform data from May 2017 to April 2018. The company analyzed 78,275 of the security vulnerability reports it received in 2017. It’s worth noting that ethical hackers reported those vulnerabilities to over 1,000 organizations through HackerOne.

The total number of critical vulnerabilities reported increased by 26% over 2017. There were 38 times more insecure storage vulnerabilities reported in 2017 than in 2016. Many of these insecure storage vulnerabilities resulted in major breaches.

In the healthcare and technology industries, nearly 8,000 of the reports falling within the top 15 vulnerability types related to information disclosure. The analysis suggested that organizations are “vastly underprepared for effective discovery, communication, remediation and disclosure of vulnerabilities as 93% of the Forbes Global 2000 list do not have a policy to receive, respond and resolve critical bug reports submitted by the outside world. It means we are less safe as a society.”

In contrast, the analysis suggests that hackers and enterprises have much reason to be optimistic. The potential to earn a living as a hacker has grown substantially, with hackers in over 100 countries taking home $31m. Top earners brought home 2.7 times the median salary of a software engineer in their home country, with some reportedly earning up to 16 times more.

Other key findings that bode well for hackers are that governments are paving the way for widespread adoption of bug bounty programs and that many enterprises are adopting vulnerability disclosure policies (VDPs).

“Latin America had the largest uptake of VDPs and bug bounty programs, with an increase of 143% year over year. North America and the Asia Pacific region each increased 37%, and Europe, the Middle East, and Africa saw a combined 26% increase in the past year,” the report stated.