HackerOne reports that hackers are reporting more bugs and earning bigger bounties, but is an increase in testing or an increase in software vulnerabilities the cause of the jump?
Bug bounty hub HackerOne has announced that its user base of freelance bounty-hunting hackers reported more than 66,000 verified vulnerabilities in 2021, a 20% increase over last year’s total. What could be going on to cause such a surge this year, when last year was the real year of uncertainty and COVID-induced chaos?
In addition to the rise in the number of verified bugs, HackerOne’s report also found that the median bounty paid out for a critical bug (rated using the CVSS scale) rose by 13%, and by 30% for bugs rated “high severity,” which is one step below critical.
Corresponding with increased bug detection and larger payouts, the number of what HackerOne calls “hacker-powered security programs” grew by 34% in 2021, with the largest growth in the aviation/aerospace, medical technology and government industries. HackerOne also pointed out that use of hacker-based security in the financial services industry grew by 62% (the fourth-largest increase), which it said is expected because “outside of core tech industries, [financial services] tends to lead the way with forward-thinking and agile security solutions.”
What sort of bugs are being found?
Knowing the sorts of bugs being found is an important part of building a security program prepared to respond to what is trending in the security world.
According to HackerOne’s research, cross-site scripting (XSS) remained the most commonly reported vulnerability class from 2020 to 2021, with a 7% year-over-year increase. Information disclosure rose 58% YoY, moving it from third to second place and displacing improper access control, which slid to third.
The most dangerous threat this year, however, has been business logic errors, which rose by 67% YoY to enter the top 10 for the first time in the five years HackerOne has published its report.
Business logic errors are ways attackers misuse legitimate functions of a site to the detriment of its owner. Examples include cancelling a purchase quickly enough to avoid being charged while still keeping the loyalty points awarded for it, or injecting lower prices for items in an ecommerce cart by abusing the way the site handles its pricing logic. These errors aren’t so much a way to break systems as a way to abuse legitimate but poorly designed functionality. Because every request involved is individually valid, automated scanners rarely catch them; finding them means understanding what the application is supposed to allow.
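The two abuses described above, replayed against a toy checkout service. This is an added example with constructed data (the catalogue, prices, the `VulnerableShop` and `HardenedShop` classes), not code from HackerOne’s report or from any site it covers. The vulnerable shop trusts the unit price posted by the browser and hands out loyalty points the moment an order is placed; the hardened shop prices every line from its own catalogue, awards points only once payment settles, and claws them back on cancellation.

```python
"""Business-logic flaws: price tampering and cancel-but-keep-the-points.
Added example with constructed data; not HackerOne's code."""
from dataclasses import dataclass

# Constructed catalogue: SKU -> unit price in cents (assumption for the demo).
CATALOG = {"sku-1001": 4999, "sku-2002": 1500}
POINTS_PER_DOLLAR = 1


@dataclass
class Order:
    order_id: int
    total: int            # cents
    status: str           # "placed" | "settled" | "cancelled"
    points_awarded: int = 0


class VulnerableShop:
    """Trusts the client's price and hands out loyalty points at checkout."""

    def __init__(self):
        self.orders = {}
        self.points = 0

    def checkout(self, cart):
        # cart: [{"sku", "qty", "price"}] exactly as posted by the browser.
        # Flaw 1: the unit price comes from the request, not the catalogue.
        total = sum(item["price"] * item["qty"] for item in cart)
        order = Order(len(self.orders) + 1, total, "placed")
        self.orders[order.order_id] = order
        # Flaw 2: points accrue before payment settles and are never revoked.
        self.points += (total // 100) * POINTS_PER_DOLLAR
        return order

    def cancel(self, order_id):
        order = self.orders[order_id]
        if order.status != "placed":
            return 0
        order.status = "cancelled"
        return order.total      # full refund; the points stay with the customer


class HardenedShop:
    """Prices come from the server; points are tied to settled payments."""

    def __init__(self):
        self.orders = {}
        self.points = 0

    def checkout(self, cart):
        # cart: [{"sku", "qty"}]; any client-supplied "price" key is ignored.
        total = 0
        for item in cart:
            unit = CATALOG.get(item.get("sku"))
            qty = item.get("qty")
            # Reject unknown SKUs and non-integer, zero, negative or absurd quantities
            # (type(qty) is int also rejects bools, which isinstance would accept).
            if unit is None or type(qty) is not int or not 0 < qty <= 100:
                raise ValueError("rejected cart line: %r" % (item,))
            total += unit * qty
        order = Order(len(self.orders) + 1, total, "placed")
        self.orders[order.order_id] = order
        return order

    def settle(self, order_id):
        # Called only after the payment processor confirms the capture.
        order = self.orders[order_id]
        if order.status != "placed":
            raise ValueError("cannot settle order in state %s" % order.status)
        order.status = "settled"
        order.points_awarded = (order.total // 100) * POINTS_PER_DOLLAR
        self.points += order.points_awarded
        return order.points_awarded

    def cancel(self, order_id):
        order = self.orders[order_id]
        if order.status == "cancelled":
            return 0
        refund = order.total if order.status == "settled" else 0  # nothing captured yet -> nothing to refund
        self.points -= order.points_awarded   # claw back whatever this order earned
        order.points_awarded = 0
        order.status = "cancelled"
        return refund


def hardened_rejects(cart):
    """True if the hardened shop refuses the cart outright."""
    try:
        HardenedShop().checkout(cart)
        return False
    except ValueError:
        return True


def run_attacks():
    """Replays both abuses against each shop and reports the outcome."""
    v1 = VulnerableShop()
    cheap = v1.checkout([{"sku": "sku-1001", "qty": 1, "price": 1}])   # $49.99 item for one cent
    v2 = VulnerableShop()
    o = v2.checkout([{"sku": "sku-1001", "qty": 2, "price": 4999}])
    v2.cancel(o.order_id)                                                # refund taken, points kept
    h = HardenedShop()
    ho = h.checkout([{"sku": "sku-1001", "qty": 2, "price": 1}])       # posted price ignored
    h.settle(ho.order_id)
    h.cancel(ho.order_id)                                                # points revoked with the refund
    return {"tampered_total": cheap.total, "vulnerable_points_after_cancel": v2.points,
            "hardened_total": ho.total, "hardened_points_after_cancel": h.points}
```

The fix is not a single input check but a change in where trust sits: price is a server-side fact, and a loyalty credit is a consequence of a settled payment rather than of a click on “place order”, so reversing the payment reverses the credit.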
Are there more bugs, or just more reports?
The central question raised by this report, whether the number of bugs in software is actually increasing or whether existing bugs are simply being found more often as bug bounty programs grow in popularity, can’t be answered definitively without additional insight. I’ve reached out to HackerOne for its opinion, but have yet to hear back; this article will be updated if I do.
Without that insight it’s still possible to draw conclusions, though, especially when considering HackerOne’s numbers on how bugs are being found. Reports from bug bounty programs, for example, rose only 10% this year, to 42,805 bugs from 2020’s 38,863. Of the two types of bug bounty programs, private bounties (open only to invited hackers) grew by 16%, while public bounties rose just 2%.
The other two methods of finding bugs, vulnerability disclosure programs (VDPs) and penetration tests, are where the real growth was: reports from VDPs rose by 47%, and bug reports from pentests rose by a remarkable 264%.
HackerOne said that it’s seeing a big rise in the popularity of pentests, which it attributed to “enhanced customer focus on compliance with security regulations and standards.” In terms of sheer numbers, however, pentests find only a sliver of the bugs that private bug bounties do: Pentests uncovered 1,804 bugs in 2021 to private bounties’ 25,278.
Regardless of the form reports come in, HackerOne said that hacker-powered solutions are proving their value. “The data and vulnerability insights organizations gain from their bug bounty, VDPs and pentests are enabling them to better identify where problems are originating and where resources and training need to be directed,” the report concludes.
Whether or not that should comfort you is up in the air: It seems more bugs are being found not because the number of bugs is increasing, but because the number of white-hat hackers using their powers for good (and profit) is growing. What that really means is that your systems are probably just as riddled with bugs as everyone else’s. The only problem is that you haven’t found yours yet.