Bugcrowd Report Shows Marked Increase in Crowdsourced Security

The impact of the novel coronavirus pandemic on how enterprises work—and secure their workers and data—will last for years. And while the long-term ramifications are yet to be known, a recent survey from Bugcrowd shows a marked increase in crowdsourced vulnerability assessments.

According to the Bugcrowd “2021 Priority One” report, there was an increase in the use of bug bounty programs—submissions increased 24% for the first 10 months of 2020 compared to all of 2019. Perhaps not surprisingly, the software industry paid more in bounties than any other industry—almost five times as much.

When comparing data from the past two years, Bugcrowd noted that crowdsourced cybersecurity efforts are growing rapidly due to the push of digital transformation and the novel coronavirus pandemic. “Vulnerability submissions are up, with higher numbers of critical vulnerabilities, and total payouts are growing steadily by about 15% to 20% per quarter,” the company said in its statement. The company noted that 2020 has proven to be a record year for crowdsourced cybersecurity, with the practice spreading across all industries.

Bugcrowd also claimed it has witnessed a 50% increase in submissions on its platform throughout the past year, including a 65% increase in Priority One (P1) submissions, or the most critically ranked security vulnerabilities.

According to the report, vulnerability researchers find software vulnerabilities within a week or more when participating in a vulnerability disclosure, attack surface, bug bounty or pentest program. The report also found that the time to vulnerability discovery varied greatly. While researchers frequently identified vulnerabilities within a day in certain market segments such as consumer services and media, it took several days for vulnerabilities to be found in the government and automotive sectors. However, vulnerabilities in the government and automotive sectors are often rated at higher risk. “The speed of discovery across the board demonstrates the tremendous value crowdsourced security can add to security teams and companies looking to fast-track digital transformation efforts and bring new infrastructure online. This speed is replicated by adversaries, too,” said Ashish Gupta, CEO at Bugcrowd, in a statement.

The financial services sector significantly increased its vulnerability payouts in 2020. In Bugcrowd’s view, bank branch closures and other business process changes caused by the pandemic forced the financial service industry to accelerate digital transformation at a faster rate than most verticals. This led to an expanded attack surface, which the industry responded to by engaging the crowd with strong incentives to identify new risks.

As a result, the financial services sector doubled its payouts for the most critical vulnerabilities from the first quarter of 2020 to the second quarter. In fact, financial services returned more submissions between January and October than all of 2019.

The “Priority One” report also offered a glimpse into the direction the industry is headed, based on the number of submissions involving APIs and IoT devices. Vulnerability submissions for those targets doubled, while those found for Android targets more than tripled, according to Bugcrowd.

For the year, the most reported vulnerability class was broken access control, while the second most reported was cross-site scripting.

“The heavy focus on remote work and subsequent growth in IoT device adoption in 2020 made IoT devices more attractive targets for cybercriminals. Both IoT vendors and Bugcrowd, which has the largest curated and active crowd for IoT and mobile devices, have responded by expanding their efforts to discover IoT security issues,” the company said.