The bug bounty platform company HackerOne has brought out its Hacker-Powered Security Report. It draws on input from researchers, customers, and cyber security professionals. According to the report: whether you regard AI as a threat or an opportunity, you’re correct.
More than two-thirds (68 per cent) of the security professionals surveyed said that an external and unbiased review of AI uses is the most effective way to mitigate AI safety and security risks overall. There has been a 171pc increase in AI assets in scope on the HackerOne platform, with 55pc of all AI vulnerabilities reported being AI safety issues.
Cross-site scripting (XSS) and misconfigurations remain the most-reported weaknesses. Penetration tests and bug bounties also continue to be the top engagements identifying these issues. Pentests uncover more systemic or architectural vulnerabilities like misconfigurations. In bug bounty programmes, security researchers focus on real-world attack vectors, user-level issues, and business logic flaws, with XSS the most commonly discovered weakness.
Technologically advanced industries are more likely than others to reduce common vulnerabilities during development, according to the report. What the report terms security-mature and tech-focused industries, such as online services, retail, and e-commerce, are actively reducing common vulnerabilities, whereas more traditional industries are not. Web3 companies also have 65 per cent fewer reports for XSS than the industry average.
Crypto bounties continue to raise the bar, the report argues. Crypto and blockchain organisations continue to pay well above the average for vulnerabilities, with bounties in the 95th percentile reaching $1 million. Internet and online services, retail and e-commerce, and computer software offer the next highest average payouts.
Income and education opportunities are the top motivators for researchers. While security researchers primarily hack to improve their income potential (77pc), the opportunity to learn new skills and further their abilities motivates many (64pc) too.
Comment
Chris Evans, HackerOne CISO and Chief Hacking Officer, said: “Even the most sophisticated automation can’t match the ingenuity of human intelligence. The 2024 Hacker-Powered Security Report proves how essential human expertise is in addressing the unique challenges posed by AI and other emerging technologies. The report also provides guidance on building productive relationships between organisations and security researchers so the most novel and elusive vulnerabilities can be effectively found and fixed.”
About the report
The Hacker-Powered Security Report is based on data from the San Francisco-based firm’s vulnerability database and includes input from the firm’s customers, a panel of 500 security professionals worldwide, and more than 2,000 hackers on the platform. It was compiled between June 2023 and August 2024. For further information, download the full report at https://hackerpoweredsecurityreport.com. The firm is running a webinar on November 21.