Freely subscribe to our NEWSLETTER

The government industry sector saw the fastest growth for crowdsourced security in 2023 compared to 2022, with a 151% increase in vulnerability submissions and a 58% increase in Priority 1 (or P1) rewards for finding critical vulnerabilities. Other industries recording big increases in submissions included retail (+34%), corporate services (+20%), and computer software (+12%).
Over the past year, the hacker community recorded a 30% increase in Web submissions created on the Bugcrowd platform compared to 2022, an 18% increase in API submissions, a 21% increase in Android submissions, and a 17% increase in iOS submissions.

“This report offers critical context, insights, and opportunities for security leaders looking for new information to bolster their risk profiles,” said Nick McKenzie, Chief Information and Security Officer of Bugcrowd. “Looking ahead, we can use insights from this report in conjunction with other key learnings to predict what is coming next.”

McKenzie predicts that in 2024, threat actors will use adversarial AI to speed up enterprise attacks - creating more noise for defenders, not necessarily smarter attacks. In addition, and off the back of continued attacks in this space, he says that getting quality insights, coverage and continuous assurance in supply chain security, third-party risk, and inventory management processes will become increasingly important areas for security leaders. The “human risk factor” will also become more dangerous (i) based on actions by malicious insiders and misguided employees who fall prey to social engineering attacks or bypassing internal controls (intentionally or unintentionally) (ii) operationally, countering the “cyber talent skills gap” and help their security teams “scale” - organizations will certainly and more broadly adopt the crowdsourcing of human intelligence to continuously weed out unique or previously unidentified vulnerabilities that smaller, less diverse, budget, or talent strapped teams just can’t.

The Bugcrowd Platform connects organizations with trusted hackers to proactively defend their assets against sophisticated threat actors. In this way, organizations can unleash the collective ingenuity of the hacking community to better uncover and mitigate risks across applications, systems, and infrastructure.

Crowdsourced solutions include penetration-testing-as-a-service, managed bug bounties, and vulnerability disclosure programs (VDPs). Not surprisingly, the report found that the most successful programs on the platform offered the highest rewards to hackers, generally $10,000 or more for finding a P1 vulnerability. The highest payouts for P1 vulnerability submissions are found in the financial services and government sectors.
In the past year, enterprises also increasingly favored public crowdsourced programs over private ones, while programs with open scopes received 10X more P1 vulnerabilities than those with limited scopes. A scope is the defined set of targets listed by an organization as assets to be tested. An open scope bug bounty program imposes no limitations on what hackers can or cannot test in terms of assets that belong to the organization.

The report also examines how different hacker roles contribute to crowdsourced security, and how crowdsourced security platforms can provide powerful warning systems to uncover vulnerabilities. Several sidebars help capture the spirit of the crowdsourcing community, including sections on the changing landscape for reward ranges; the Top 5 Most Commonly Reported Vulnerability Types; and customer case studies spotlighting Rapyd and ClickHouse.

Millions of proprietary data points and vulnerabilities were analyzed for this edition of Inside the Platform. These data points were collected from across thousands of programs on the Bugcrowd Platform from January 1, 2023 to October 31, 2023.
Bugcrowd’s goal in publishing the report is to arm security leaders with key information about cyber trends which they can apply to the unique challenges facing their organizations. The report also outlines policy changes and advocacy campaigns that are being undertaken to make the Internet a safer place for ethical hacking.