
The Hacker-Powered Security Report 2018 – Source:www.hackerone.com


The evolution of crowdsourced security testing is rapidly reaching a critical mass, with continual adoption and uptake by buyers expected to accelerate, according to a Gartner Emerging Technology Analysis published in June 2018. This shift towards hacker-powered security is highlighted in the Hacker-Powered Security Report 2018, which provides a detailed analysis of 78,275 security vulnerability reports submitted by ethical hackers to over 1,000 programs through HackerOne over the past year.

One of the key findings of the report is the increasing severity of vulnerabilities discovered by hackers, leading to higher bounty awards. Approximately 24% of resolved vulnerabilities are classified as high to critical severity. Additionally, false positives are becoming a thing of the past, with 80% of reports being valid signals platform-wide.

The opportunities and challenges presented by hacker-powered security are greater than ever before. As the industry approaches critical mass, it is essential for organizations to adopt best practices for starting and running effective disclosure and bug bounty programs. The report also delves into the stories and statistics of the hackers themselves, providing valuable insights into their motivations and skills.

The financial incentives for ethical hackers are substantial, with over $31 million awarded to hackers as of June 2018, and $11.7 million awarded in 2017 alone. Notably, a total of 116 unique bug reports earned bounties over $10,000 in the past year, with organizations now offering as much as $250,000 for critical issues. The average amount paid for critical issues has risen to over $2,000.

Governments are leading the way in embracing hacker-powered security, with a 125% increase year over year. New public programs, including those by the European Commission and the Ministry of Defense in Singapore, are joining established programs like the U.S. Department of Defense on HackerOne. The global adoption of vulnerability disclosure policies and bug bounty programs is on the rise, with Latin America experiencing a significant increase of 143% year over year.

Despite the growing recognition of the importance of hacker-powered security, a significant portion of organizations, including 93% of the Forbes Global 2000 list, still do not have a policy to receive, respond to, and resolve critical bug reports submitted by external sources. This highlights the need for more education and awareness in the industry.

Interestingly, less than 5% of hackers learn their skills in a traditional classroom setting, underscoring the importance of hands-on experience and practical learning opportunities. Hackers from over 100 countries have been paid for their research through HackerOne programs, with some earning up to 16.7 times more than they would as a security engineer in their home country.

The report also features customer success stories that showcase how various organizations are harnessing the power of the community through hacker-powered security. These real-world examples demonstrate the value and effectiveness of bug bounty and vulnerability disclosure programs in improving overall security posture.

Overall, the Hacker-Powered Security Report 2018 provides a comprehensive overview of the state of hacker-powered security and highlights the increasing importance of ethical hacking in today’s cybersecurity landscape. As organizations continue to grapple with evolving threats and vulnerabilities, embracing hacker-powered security solutions can help them proactively identify and remediate security issues before they can be exploited by malicious actors.
