According to a recent survey, bug bounty hunters (a term for white hat hackers who identify vulnerabilities and bugs) are finding more and more cloud-based vulnerabilities as businesses undertake “digital transformation”. Through the HackerOne bug bounty platform (a programme through which bugs are discovered and resolved), researchers found more than 65,000 software flaws in 2022, a 21% increase year over year.
As per HackerOne’s 2022 Hacker-Powered Security Report, published on December 13, this is exactly the same percentage increase as was reported in the previous year’s edition.
Rising numbers of misconfigurations:
The report, now in its sixth edition, also examines the ongoing effect of digital transformation on attack surfaces. Organizations have implemented ever more granular permissions as a result of cloud migration and the move to remote work. This trend is reflected in the rising number of misconfiguration vulnerabilities, which increased by 150%, and improper authorization issues, which increased by 45%.
The majority of hackers continue to prioritise websites, so web applications continue to dominate the scene. APIs (45%), Android mobile apps (38%), cloud platforms (24%), and open source (24%) are the next most sought-after targets.
Companies that run bug bounty programmes should be aware that the biggest barriers to participation in a programme were inadequate communication (49%), limited scopes (50%), and sluggish response times (51%).
A shortage of in-house expertise was cited by 38% of bug hunters as the largest cybersecurity risk confronting firms, in a HackerOne survey of 5,000 hackers conducted between September and October 2022. This result illustrates the combined trends of expanding attack surfaces and a skills gap in cybersecurity.
The utility of utilities:
The three hacking tools most frequently used by ethical hackers are Burp Suite (87%), web proxies or scanners (38%), and fuzzing utilities. 34% of respondents even build their own tools.
Nevertheless, the report found that 92% of respondents still relied on their own manual efforts to identify vulnerabilities that scanners had overlooked.
US hacker Jon Colston told HackerOne, “I employ automated tools in my reconnaissance loop to locate chances to focus my efforts.”
“While it can provide a rapid win message right away, I’m more interested in gathering as much data as I can from other data sources to study trends.
“Specifically, I’m figuring out where a company will probably keep certain files or documentation that I can use in more sophisticated attacks. I can obtain a better understanding of the terrain and swiftly reduce my list of targets from 5000 to 500 by conducting recon with a goal.”
HackerOne says that mean and median reward amounts have not increased significantly, despite seven-figure payouts becoming more common. The exception is the cryptocurrency and blockchain industries, where average payouts increased by 315%.
While only a small percentage of bug hunters became billionaires, 41% of them made enough money to view bug hunting as a vocation in and of itself, and 25% said their freelance work had helped them advance their careers through a promotion or otherwise. The most frequently reported issue, cross-site scripting (XSS), grew in total submissions by 32% year over year.