Inside The Platform Vulnerability Trends Report


INSIDE THE PLATFORM
Vulnerability Trends Report
VOLUME 9, ISSUE 1

Table of Contents

Report Highlights (page 3)
Letter from the Editor (page 4)
SPOTLIGHT: What millions of vulnerabilities tell us about the year to come (page 5)
THOUGHT PIECE: The Value of an Open-Scope Program (page 13)
THOUGHT PIECE: Making the Internet a Safer Place to Hack (page 14)
SOCIAL: The Cybersecurity Skills Gap in a Changing Threat Landscape (page 16)
SPOTLIGHT: Casey Speaks (page 17)
INFOGRAPHIC: Vulnerabilities Reported by Industry Breakdown (page 18)
Meet Martin Choluj (page 20)
How Different Hacker Roles Contribute to Crowdsourced Security with Bugcrowd (page 21)
Why a Crowdsourced Security Platform is the Best Early Warning System for Vulnerabilities (page 24)
What was the most common bug of 2023? (page 26)
Conclusion (page 27)
Content recommendations (page 28)

INSIDE THE PLATFORM | KEY TAKEAWAYS

Report Highlights

- The financial services industry and government sector offered the highest median payouts for P1 vulnerability submissions.
- The government sector experienced a 151% increase in vulnerability rewards and submissions.
- Successful programs and higher payouts: the most successful programs were those that offered higher rewards (e.g., $10,000 or more for P1 vulnerabilities).
- 58% increase in the number of P1s rewarded this year compared to last year.
- Programs with open scopes received 10x more P1 vulnerabilities than those with limited scopes.
- A new AI-related category was added to Bugcrowd's Vulnerability Rating Taxonomy (VRT).

Methodology

In preparing this edition of Inside the Platform, millions of proprietary data points and vulnerabilities were analyzed. These data were collected from across thousands of programs on the Bugcrowd Platform from January 1, 2022, to October 31, 2023. When referring to "this year," we imply measurements taken from January 1, 2023, to October 31, 2023.

BUGCROWD VULNERABILITY TRENDS REPORT 3


LETTER FROM THE EDITOR: NICK MCKENZIE

An Introduction from Bugcrowd CISO Nick McKenzie

Every year, Bugcrowd conducts landmark research on the global vulnerability landscape and publishes its findings for the benefit of security leaders.

As an industry, we're truly on the precipice of so many changes, and the goal of this report is to arm security leaders and practitioners alike with the necessary trend information, data, and expert predictions to prepare for these changes.

I'm balancing a lot of priorities as the CISO of Bugcrowd, so believe me when I say I know how hard it is to keep a pulse on everything going on in your organization—let alone what's happening in the industry more broadly. That's why I'm thrilled to share this report, wherein you'll find that my team and I have done much of that groundwork for you. Leveraging vulnerability data from the last 12 months, this report offers critical context, insights, and opportunities for security leaders looking for new information to bolster their risk profiles.

Throughout the research process, I wasn't surprised to find that vulnerabilities are still on the rise. When you combine an overall increase in rapid digitization (including new technologies that businesses are adding into business processes like generative AI) with more products boasting many new features, it's inevitable that you end up with an exponential increase in bugs.

Another insight from the report that I found especially telling is an increase in the trend toward favoring public crowdsourced security programs over private programs. More programs are dropping the clutch and shifting their gear to "public."

Looking ahead, we can use insights from this report in conjunction with other key learnings from the industry to predict what is coming next. Thinking holistically about risks and threats, I often look at what's happening publicly in terms of events and combine that with information on emerging technologies, people trends, and usage. Here are three predictions I have for the year ahead:

1. Threat actors will use adversarial AI to speed up enterprise attacks. In general, security teams are now dealing with an increased number of events and more noise. With the use of AI increasing, I believe we'll see a higher volume of attacks, ultimately leading to more noise for those who are on defense to sift through.

2. Supply chain security, third-party risk, and inventory management will get hotter. Coming off the back of high-profile events and breaches that occurred over the past couple of years, this topic will permeate into the future, pushing with it a stronger focus on third-party risk management practices, quality software bills of materials (SBOM), tooling integrations with various governance, risk and compliance (GRC) requirements, and IT asset management-type tools.

3. We will see a stronger focus on the human factor. This will come in many forms, such as controlling malicious insiders and preventing accidental or unintentional control failures, like the actions of misguided employees falling prey to social engineering or focusing on improving application security and development/coding practices. To counter the cyber talent skills gap and help their security teams scale, organizations will more broadly adopt the crowdsourcing of human intelligence to continuously weed out unique or previously unidentified vulnerabilities.

Every organization's risk and threat profile is unique. Challenges can arise as a result of anything from an organization's business model to its IT footprint, industry vertical, people (costs, scarcity, and skills shortage), security maturity, and geographical sprawl. With this in mind, Bugcrowd's goal in publishing this annual vulnerability research report is to arm security leaders with key information about trends, which they can apply to their unique challenges.


What millions of vulnerabilities tell us about the year to come

With every annual edition of this report, we analyze activity on the Bugcrowd Platform to identify larger cybersecurity trends and better understand the specific challenges that security leaders face.

The Bugcrowd Platform is a multi-solution crowdsourced security platform that provides the scalability and adaptability needed to proactively safeguard organizations from increasingly sophisticated threat actors. It is built on the industry's richest repository of insights into vulnerabilities, assets, and hacker profiles, which have been curated over the course of more than a decade.

Bugcrowd connects organizations with trusted hackers (aka ethical hackers, security researchers, or white hat hackers) to proactively defend their assets against sophisticated threat actors. Through solutions like penetration testing as a service, managed bug bounty, and vulnerability disclosure programs (VDPs), organizations can unleash the collective ingenuity of hackers to better mitigate risks across all their applications, systems, and infrastructure.

For the third year in a row, we've seen growth in a number of key metrics, driven by the security demands of hybrid workplaces and threat actors' adoption of generative AI as a tool. This article breaks down these metrics and comments on why these trends exist.

This report offers a glimpse into the millions of proprietary data points behind the Bugcrowd Platform, looking at hacker vulnerability submissions from every possible angle to truly understand what vulnerability trends tell us about the future of cybersecurity.

Overall submissions, critical submissions, and payouts

At the start of the decade, global lockdowns and the associated uptick in remote work came with an unsurprising spike in vulnerability reports. The increase in submissions in 2023 (up a double-digit percentage compared to the same timeframe in 2022) is testament to the value of sustained investment in crowdsourced security. It is also indicative of the continued expansion of work being carried out over the internet and the infrastructure around it, which continues to result in a high number of vulnerabilities.

Before looking at data around critical submissions vs. overall submissions, it is helpful to understand how a rewarded submission is assigned a critical severity level. When a hacker sends in a submission, it is validated and checked to ensure it isn't a duplicate by Bugcrowd's global team of in-house application security engineers. This team adds important context to each hacker submission before it is triaged according to the VRT, an open source framework for assessing, prioritizing, and benchmarking the severity of security vulnerabilities.


INSIDE THE PLATFORM | THE YEAR TO COME

Since 2017, Bugcrowd has been the creator and maintainer of the VRT. The VRT was designed to be a simple-to-use, evolving method for assigning a severity level to a specific vulnerability class—and taking an open source approach to managing it enables us to keep our ear to the ground, ensuring that the taxonomy stays aligned with the market.

Since the VRT's creation, hundreds of thousands of vulnerability submissions on the Bugcrowd Platform have been created, validated, triaged, and accepted by program owners who subscribe to this rubric.

We use the VRT as a common point of reference for setting the priority of submissions on the Bugcrowd Platform. Every vulnerability submitted is tagged with a category that has an associated technical severity. For a complete listing of categories, visit the VRT page.

One key metric we track at Bugcrowd is critical vulnerabilities, which we call P1s. Generally, P1 vulnerabilities offer the highest payouts. The incentive for hackers to report P1 vulnerabilities is more compelling than ever, as the average payout increased by 7% this year. This increase is one that we were expecting to see.

We've observed significant economic changes in the market over the past few years, fueled by both greater investment in crowdsourced security and increased geopolitical uncertainty.

Today, the most successful programs pay $10,000 or more for P1 vulnerabilities.

One of the main reasons for this increase in payouts is the increased complexity and nuance behind the findings, which is a function of hackers moving and growing beyond "recon-style" bug hunting. While still heavily prevalent today, low-hanging fruit isn't as easy to find as it was in years prior.

In response, the most successful hackers have adapted to go deeper, as opposed to wider, knowing that the most impactful vulnerabilities still lie beneath the surface.


Automated tools are a standard part of the hacker's toolbox, but a breadth of skills is required to find the more interesting and high-impact vulnerabilities.

On average, the level of effort required to find a critical vulnerability is much higher. But as the bar climbs, so do the incentives. Organizations that keep up with the latest market rates for vulnerabilities always attract top talent—there is simply no substitute when it comes to engaging the best hackers in any given area of expertise.

Recommended reward ranges

Based on historical data available from the Bugcrowd Platform at the time of publication. Ranges are per severity level of the Vulnerability Rating Taxonomy (VRT).

                            P1                 P2                 P3               P4
Low range [1]               $3,500–$4,500      $1,500–$2,500      $500–$750        $175–$225
  Attracts: Generalists
Mid range [2]               $5,500–$7,500      $2,500–$3,500      $750–$1,500      $250–$500
  Attracts: Expert Hackers
High range [3]              $11,000–$20,000    $3,500–$7,500      $1,000–$2,500    $300–$600
  Attracts: P1 Specialists
Hardware providers          $5,000–$10,000+    $2,000–$4,000      $600–$900        $200–$400
Cloud providers             $5,000–$15,000+    $3,000–$5,000      $1,000–$2,500    $250–$700
Financial services          $8,000–$20,000+    $3,000–$8,000      $600–$1,500      $250–$350
Cryptocurrency              $50,000+           $10,000–$20,000    $2,000–$3,000    $500–$750

[1] Best for: Untested web apps with basic credentialed access and no hacker restrictions (e.g., geolocation) new to crowdsourced testing—for any target with restrictions in place, rewards should default to one range higher.
[2] Best for: Well-tested web apps that have been part of longstanding crowdsourced programs, moderately tested APIs or mobile apps, and presumed-to-be-vulnerable thick clients/binaries and/or embedded devices.
[3] Best for: Extremely hardened and sensitive web apps, APIs, mobile apps, and moderate-to-highly secure thick clients/binaries and/or hardened embedded devices.


The number of P1 vulnerabilities Bugcrowd rewarded in 2023 aligns with the observations of other industry experts. According to a report by Statista, hackers discovered more than 25,000 new common IT security vulnerabilities and exposures (CVEs) this year—the largest number reported in a single year to date.

In 2023, it was nearly impossible to ignore the news coverage and social media activity around critical bugs and hackers chaining vulnerabilities together to pull off bigger exploits.

Some examples, along with descriptions from the National Vulnerability Database, include the following:

CVE-2023-027350
This bug allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Therefore, authentication is not required to exploit this vulnerability. This specific flaw exists within the SetupCompleted class, with the issue resulting from improper access control.

CVE-2023-34362
This SQL injection vulnerability found in the MOVEit Transfer web application allows an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used, an attacker may be able to infer information about the structure and contents of the database and execute SQL statements that alter or delete database elements.

CVE-2023-26360
Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an improper access control vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.

Keeping all of this in mind, it's no surprise that ISC2 recently found that 75% of security professionals believe that the current threat landscape is the most challenging one in the past five years.

Navigating Changing Reward Ranges

Bugcrowd recently increased our suggested reward ranges to keep pace with changes in the industry. The last major update to the suggested reward ranges happened almost five years ago. A lot has changed in the past five years, including the following:

- Increased rewards throughout the market: there is now competitive pressure from more programs offering higher rewards.
- Inflation: $1 in 2018 is worth approximately $1.21 in 2023.


When it comes to setting reward ranges for your program, there are six guiding principles that I recommend keeping in mind:

1. Reward ranges are suggestions, not absolutes.
In some cases, a set of targets will call for higher rewards, and in other cases, lower. It all depends on your security maturity and your appetite for success. It's important to remember that everyone is vulnerable at the right price point—perhaps there are no findings right now for a program that offers $1,000 for a P1, but it can be reasonably guaranteed that if you offer $1M for a P1, someone will find one. To that end, the goal of setting a reward range is to blend your organization's desire for findings with your security maturity and willingness to pay a certain amount. A program that desperately wants findings but isn't willing to pay for them needs to review and possibly reset expectations.

2. Reward ranges are not universally applied to the entirety of a program.
Some assets will be more secure or complex than others. It is reasonable to offer higher rewards for more difficult targets and lower rewards for easier targets, even within the same brief/program. A brief doesn't have to offer the same rewards for all targets. In fact, adding in this variability will help craft a more precise program.

3. The crowd is a free market.
In a free market, the value of any given thing is set by the people willing to pay for it. Paradoxically, even though organizations are the ones paying dollars, the real currency here is the attention of hackers (and often, more specifically, top hackers). If a program isn't receiving the desired level of engagement or results, provided the program has a large enough sample size to be representative of the crowd as a whole, low results are typically a reflection of the fact that the rewards are inadequate incentives in driving the desired results. It's important to note that there may also be other reasons why (e.g., inaccessible targets or creds issues), but at the end of the day, the reality is that individuals might not be willing to spend or invest their time on a target for the perceived return on their investment (their time). As covered above, at a high-enough dollar amount, just about anyone can be activated—the reward just has to be worth their time and investment.

4. More complex programs require higher rewards.
Although this sounds intuitive, it cannot be overstated—programs that apply onerous preconditions to testing will not see activity (or at least not activity by highly qualified parties) unless their rewards are attractive enough to get the attention of said parties.

5. Programs that want to attract the best talent and yield the most findings should pay the highest rewards.
Coupled with an open scope, this is a surefire way to get all of the best talent working on your program en masse. Clearly demonstrated by the data on major programs on the Bugcrowd Platform, big scopes and big rewards will bring big talent. If significant impact is what you want, this is the way to do it.

6. "High-" and "mid-level" ranges can also apply to things that are more complex.
When looking at the recommended reward table above, it's important to keep in mind that while the headings used involve terms like "high range," this guidance also applies to things that are more complex. For example, you could have an entry-level, extremely complex program that needs to pay at the "high" level to get attention. Conversely, a moderately complex entry-level program may need to pay at the mid-level, as opposed to the low range.


Notable targets and VRT categories

Every submission to the Bugcrowd platform is tagged with a target category. Categories include Android, Hardware, iOS, IoT, API, Network, Web, and Other. Web continues to be, by far, the largest target category, making up 58% of all submissions created. Interestingly, in this year's Inside the Mind of a Hacker report, 70% of hackers identified web applications as their area of specialty.

Compared to 2022, this year saw:

- 30% increase in Web submissions created
- 18% increase in API submissions created
- 21% increase in Android submissions created
- 17% increase in iOS submissions created

Breaking vulnerability data up by VRT category, the top three categories of critical submissions rewarded were broken authentication and session management, sensitive data exposure, and server-side injection.

It's important to note here that the VRT categories aren't set in stone—they evolve just as the security industry evolves. The VRT is a reflection of the current threat environment.

Changes to the VRT are often canaries in the coal mine when it comes to the opportunities associated with certain kinds of vulnerabilities. The VRT evolves dynamically, just like the security industry itself.

One key change to the VRT is the addition of new AI-related vulnerabilities, formalizing how AI vulnerabilities get defined, reported, and prioritized. This release reflects the profound influence that AI is having on the threat environment and the ways that hackers, customers, and the Bugcrowd triage team view certain vulnerability classes and their relative impacts.

Top 5 Most Commonly Reported Vulnerability Types Explained

Digging deeper into the VRT, let's look at the specific vulnerabilities submitted within various VRT categories. We asked prominent hacker Joseph Thacker, aka rez0, to break down the meaning of each vulnerability type.

Thacker is a security researcher who specializes in application security and AI. He's helped Fortune 500 companies find vulnerabilities by submitting and collaborating on more than 1,000 reports. Thacker currently works as an offensive security engineer at AppOmni, a SaaS security posture management company based in California.

Measured by the total number of valid submissions found over the past year, the top 5 most commonly identified vulnerability types were as follows:

1. Reflected (cross_site_scripting_xss)
2. Insecure Direct Object References, aka IDOR (broken_access_control)
3. Disclosure of Secrets (sensitive_data_exposure)
4. Authentication Bypass (broken_authentication_and_session_management)
5. Misconfigured Domain Name System (DNS) (server_security_misconfiguration)


Top 5 Most Commonly Reported Vulnerability Types Explained

1. Reflected (cross_site_scripting_xss)
Reflected XSS refers to when a hacker injects malicious code into a website's context like other XSS, but the code only executes if an unsuspecting user were to click on it. When they do, the harmful code is "reflected" back from the website to the user's browser. The browser, thinking the code is safe because it comes from the website it trusts, executes the harmful code. This can have varying impacts depending on the architecture, just like other XSS vulnerabilities. It can always change content, but account takeover is sometimes also possible. Reflected XSS is notorious for requiring user interaction, meaning that the malicious link needs to be emailed/messaged to the victims or placed where they are likely to click it.

2. Insecure Direct Object References, aka IDOR (broken_access_control)
Insecure direct object references, or IDOR, are a type of vulnerability that occurs when an application allows an unauthorized user to reference an object (essentially any data, be it a user, file, org, or something else) they shouldn't be able to access. The key aspect of IDORs is that they are always categorized by accessing the object via an ID. Sometimes, it's numerical, but other times, it could be a username or UUID.

3. Disclosure of Secrets (sensitive_data_exposure)
Disclosure of secrets, also known as sensitive data exposure, is a vulnerability that happens when a website or application does not properly protect deployment secrets, tokens, user data, etc. Common avenues for data to be exposed are accidentally uploaded files on a webserver, hard-coded data in JavaScript files, deployment files that don't use runtime variables, or GitHub exposures. The impact varies depending on what is exposed.

4. Authentication Bypass (broken_authentication_and_session_management)
This is when a hacker gets around a website's authentication in some way. It might be as simple as accessing the API without a token or navigating directly to an admin panel without logging in. Many methods are used for authentication bypasses, but some common ones are forced browsing (browsing straight to the desired web page without logging in first), default credentials, path traversal, and unique characters in the path of a request to bypass proxy rules. If an attack can bypass the authentication requirements, it's an authentication bypass.

5. Misconfigured Domain Name System (DNS) (server_security_misconfiguration)
A misconfigured Domain Name System (DNS) occurs when a website's DNS is set up incorrectly. The DNS can be incorrect in many ways. Regarding related security impacts, the most common DNS vulnerabilities are ones that result in subdomain takeovers where a DNS record points at an IP address or domain that an attacker can take control of. An example of the former is an elastic IP address in a cloud provider. An example of the latter would be a DNS record pointing to a SaaS provider that allows you to "register" a domain for the SaaS instance. If you no longer use it, an attacker registers it, and you still have a DNS record pointing to it. The subdomain you are pointing to will direct all users to the attacker's instance. This has implications for XSS and businesses if the attacker were to host explicit content on it.

Joseph Thacker
aka rez0
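Item 2 above defines IDOR as reaching an object through an ID the requester is not entitled to use. The Python model below is an added example, not code from the report or from Bugcrowd: it places the missing authorization check beside its fix and adds the kind of cross-user read test a defender can keep in a test suite. All users, invoices and IDs are constructed sample data.

```python
"""Added example: a minimal IDOR model and its fix (not code from the report).
The store, users and IDs below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    owner: str
    amount_cents: int


# Constructed store. Note the mix of a sequential ID and a UUID: a UUID is
# harder to guess, but an unguessable ID is not an authorization check.
INVOICES = {
    "1001": Invoice("1001", "alice", 25_000),
    "1002": Invoice("1002", "bob", 90_000),
    "2f9c1b6a-5d3e-4c2b-9a7f-1e8d6c4b3a20": Invoice(
        "2f9c1b6a-5d3e-4c2b-9a7f-1e8d6c4b3a20", "carol", 12_500
    ),
}


class NotFound(Exception):
    """Raised for both 'no such object' and 'not yours' (see get_invoice_fixed)."""


def get_invoice_vulnerable(requesting_user: str, invoice_id: str) -> Invoice:
    """IDOR: the caller is authenticated (we know who they are) but the handler
    never checks whether they are allowed to see this particular object."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise NotFound(invoice_id)
    return invoice


def get_invoice_fixed(requesting_user: str, invoice_id: str) -> Invoice:
    """Fix: authorize against the object's owner on every access. Returning the
    same error for 'missing' and 'not yours' avoids confirming which IDs exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner != requesting_user:
        raise NotFound(invoice_id)
    return invoice


def cross_user_reads(handler, users, invoice_ids):
    """Defender-side authorization test: for every (user, id) pair, report the
    objects the handler returns that the user does not own. An empty list is
    the expected result for a correctly authorized endpoint."""
    leaks = []
    for user in users:
        for invoice_id in invoice_ids:
            try:
                invoice = handler(user, invoice_id)
            except NotFound:
                continue
            if invoice.owner != user:
                leaks.append((user, invoice_id))
    return leaks


if __name__ == "__main__":
    users = ["alice", "bob"]
    print("vulnerable:", cross_user_reads(get_invoice_vulnerable, users, list(INVOICES)))
    print("fixed:     ", cross_user_reads(get_invoice_fixed, users, list(INVOICES)))
```

The same probe run against a real endpoint with two low-privilege test accounts is the quickest regression check for this class of finding.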
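Item 5 above names two dangling-record cases behind subdomain takeovers: a CNAME into a SaaS provider for a hostname the organization no longer holds, and an A record to a reusable cloud address (such as an elastic IP) that has been released. The following offline checker is an added example, not code from the report or from Bugcrowd; the zone records, the claimable-suffix list, the tenant inventory and the IP allocation list are all constructed sample data, and in practice those inputs would come from a zone export and the provider and cloud account inventories.

```python
"""Added example: offline check for the two dangling-DNS cases behind subdomain
takeovers (not code from the report). Every record, suffix, inventory and IP
range below is constructed sample data."""
import ipaddress

# Constructed zone export: (record name, type, target).
ZONE = [
    ("www.example.com", "A", "203.0.113.10"),
    ("old-app.example.com", "A", "203.0.113.77"),
    ("shop.example.com", "CNAME", "shop-example.saas-host.example.net."),
    ("blog.example.com", "CNAME", "blog-example.saas-host.example.net."),
    ("mail.example.com", "MX", "mail.example.com"),
]

# Constructed: CNAME suffixes of providers that let any tenant "register" a
# hostname, the takeover-prone case the report describes.
CLAIMABLE_SUFFIXES = (".saas-host.example.net",)

# Constructed: hostnames the organization still holds at that provider.
CLAIMED_HOSTS = {"shop-example.saas-host.example.net"}

# Constructed: provider ranges whose public IPs are reusable (elastic-IP style).
REUSABLE_IP_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed: IPs the cloud inventory currently shows as allocated to us.
ALLOCATED_IPS = {"203.0.113.10"}


def find_dangling_records(zone, claimable_suffixes, claimed_hosts,
                          reusable_ranges, allocated_ips):
    """Return (name, reason, target) for records that could be taken over:
    - a CNAME into a claimable provider for a host we no longer hold, or
    - an A record to a reusable provider IP our inventory no longer lists."""
    findings = []
    for name, rtype, target in zone:
        if rtype == "CNAME":
            host = target.rstrip(".").lower()  # normalize trailing dot and case
            if host.endswith(claimable_suffixes) and host not in claimed_hosts:
                findings.append((name, "dangling-cname", host))
        elif rtype == "A":
            ip = ipaddress.ip_address(target)
            in_reusable = any(ip in net for net in reusable_ranges)
            if in_reusable and target not in allocated_ips:
                findings.append((name, "released-cloud-ip", target))
        # Other record types (MX, TXT, ...) are outside this check.
    return findings


if __name__ == "__main__":
    for finding in find_dangling_records(ZONE, CLAIMABLE_SUFFIXES, CLAIMED_HOSTS,
                                         REUSABLE_IP_RANGES, ALLOCATED_IPS):
        print(*finding)
```

Each finding is a record to delete or re-point before anyone else can claim the target; running the check on every zone change keeps released assets from lingering.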


Public vs. Private Programs

There are more public programs on the Bugcrowd Platform than ever. Although all bug bounty programs begin as private, the idea that they need to stay private is a legacy mindset that stems from what we call "Crowd Fear" here at Bugcrowd. Crowd Fear is the fear that when a program goes public, it will open the floodgates to thousands and thousands of hackers simultaneously testing the organization's assets while reporting a significant number of findings, making the program unmanageable and overwhelming. It's understandable for an organization to be hesitant about taking a program public.

There are three main drivers behind the increasing appetite for public bug bounty programs.

First, there is growing customer demand for more transparency when it comes to security and data. Customers want to support businesses that are proactive in their security approach. It is not in an organization's best interest to hide the fact that it is on the cutting edge of cybersecurity and doing everything it can to help secure its clients and their data.

We can also see this demand for security transparency in the growing adoption of VDPs. A VDP is a structured framework for hackers to document and submit security vulnerabilities to organizations. VDPs reduce risk by enabling organizations to accept, triage, and rapidly remediate valid vulnerabilities submitted by the security community. 87% of organizations reported receiving a critical or high-impact vulnerability through a VDP. They also signal a public commitment to cybersecurity best practices, which helps improve confidence in the organization among customers and the hacker community.

The second driver behind the increase in public bug bounty programs is increased trust in the hacker community. As organizations spend more time on the Bugcrowd Platform leveraging crowdsourced security and working closely with hackers, they build confidence in their programs and want to increase their scope and impact.

The third and final driver is that organizations want to take the opportunity for more impactful outcomes from a wider pool of talent. The more accessible programs are to hackers, the more successful outcomes organizations can expect.

3 Steps Rapyd Took to Make its Program Public

Rapyd is a cutting-edge fintech leader focused on helping businesses create great commerce experiences anywhere. It had been using crowdsourced security for years, but about a year ago, it made the switch to Bugcrowd with the goal of launching a public program, which it did six months later.

Rapyd has experienced outstanding results so far, uncovering almost 40 unique and valid vulnerabilities—15 of which were critical. We spoke to Achiad Aviv, who is responsible for application security at Rapyd, for his advice on how to successfully take a bug bounty program public.

TIP 1: Find the right hackers for your program and engage with the community.
While your program is still private, focus on finding specialized hackers for engagements so you have the right fit. By picking the right hackers for specific programs, researchers remain engaged, setting up a future public program for success. Be sure to respond quickly to hackers and engage with them to build positive relationships and a good reputation.

TIP 2: Build confidence in your security posture across the organization.
Be sure you have the right roadmap in place before launching a public program. We worked with Bugcrowd to build this. Our entire team participates in the strategy and operations of our program. We've integrated the platform with numerous DevSec tools for tracking program findings and routing to the appropriate stakeholders. By preparing our process in advance, we felt confident in going public.

TIP 3: Leverage unparalleled expertise from the Bugcrowd team.
Launching a public program is a journey, not a destination. We haven't stopped looking for ways to continuously improve our program, and we work very closely with the Bugcrowd team via email, meetings, and Slack for advice on how best to do this. I encourage you to take similar advantage of these channels.

"We quickly felt safe to take our program public with Bugcrowd. We value the way Bugcrowd finds the right hackers with the right expertise for our programs."
ACHIAD AVIVI, Applications Security, Rapyd

Learn more about Rapyd's journey.


The Value of an Open-Scope Program

When organizations launch bug bounty programs, they decide what type of scope is right for their programs. A scope is the defined set of targets that have been listed by an organization as assets that are to be tested as part of a particular engagement.

Hackers are incentivized to report (and get rewarded for) what is in scope, and what's out of scope is off limits, meaning no compensation is awarded for findings in those targets. Organizations choose between three main types of scope—limited scope, wide scope, and open scope.

Having an open scope is quite possibly the single most effective thing an organization can do to help secure its external attack surface.

An open-scope bug bounty program is one that imposes no limitations on what hackers can or cannot test, so long as the target or asset belongs to the organization. Open scopes generally look something like "any externally facing asset belonging to Example Organization," where nothing is excluded.

Most organizations and bug bounty programs tend to follow a general progression as they grow their security postures over time, starting with a limited scope, expanding to a wide scope, and eventually ending with an open scope.

There's nothing wrong with running a bug bounty program with a limited scope, but there's almost always an opportunity to do more. There are two main reasons why having an open scope is so valuable for identifying flaws before they are exploited in the wild.

The first is that bad actors don't have to play by any set scope or rules. They go wherever they want to find the path of least resistance. If the goal of a bug bounty is to harden and secure assets by finding issues before bad actors, then both sides need to operate from the same perspective. To give your organization a shot at defending against attackers, it's critical to give the good guys as much opportunity as possible to find the issues before the bad actors do. Otherwise, it's a lopsided race out of the gate.

The second reason is that there is always more than one way in. The reality is that while you may have a bank vault for a front door, you may have a wide-open window in the back. It's often far easier to find a way around via a less secure vector versus attacking things head-on where defenses are the strongest.

In 2023, programs with open scopes received 10x more P1 vulnerabilities than those with limited scopes. This supports the idea that bad actors aren't asking for permission to test everywhere, and by limiting where the good actors can test, organizations only further disadvantage themselves.


Making the Internet a Safer Place to Hack

Now that you know more about vulnerability trends and recent crowdsourced security insights, let’s tease apart the policy that makes submissions from hackers possible.

There is a deep societal misunderstanding of the hacking community, which is reflected in outdated laws that hinder their creativity at best and hold them criminally liable for ethical disclosures at worst. Although progress has been made, there is still a lot of work to be done.

Bugcrowd founder and Chief Strategy Officer Casey Ellis is on the advisory committee of the Hacking Policy Council, an organization that strives to:

- Create a more favorable legal environment for vulnerability disclosure and management, bug bounties, independent repair for security, good faith security research, and pen testing.
- Foster collaboration among the security, business, and policymaking communities.
- Prevent new legal restrictions on security research, pen testing, or vulnerability disclosure and management.
- Strengthen organizations’ resilience through the effective adoption of vulnerability disclosure policies and security researcher engagement.



MAKING THE INTERNET A SAFER PLACE TO HACK

The Hacking Policy Council works on many initiatives throughout the year, but here are three highlights from 2023:

NIST SP 800-171 Rev. 3

In July, the National Institute of Standards and Technology (NIST) updated draft guidelines for NIST Special Publication 800-171—Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

Ellis, in partnership with the Hacking Policy Council, recommended the addition of VDPs to these guidelines. VDPs help organizations mitigate risk by supporting and enabling the disclosure and remediation of vulnerabilities before hackers exploit them. VDPs usually contain a program scope, safe harbor clause, and remediation method. VDPs generally cover all publicly accessible, internet-facing assets. The addition of VDPs into these guidelines would prevent hackers from having to face the legal consequences of good-faith participation in VDPs.

State Charging Policies for Good-Faith Security Researchers

In August, Ellis worked with the Hacking Policy Council to submit a letter encouraging state attorneys general to support the advancement of independent cybersecurity research and the security community for the benefit of all. Their recommendation encourages state attorneys general to establish policies that clarify and protect the rights of hackers conducting security research in good faith.

Hacker Workshops

At the DEF CON 31 event in Las Vegas last August, the Hacking Policy Council ran a workshop to show hackers how to engage with their governments to influence local hacking regulations.

The DEF CON workshops highlighted the process of submitting official comments on hacking regulations and legislation. They covered the process of using regulations.gov and congress.gov as a way to find open opportunities to influence regulations, along with how to form an advocacy strategy to amplify its impact. By attending these workshops, hackers can become active participants in crucial conversations around hacking policy on a government level.

In addition to his work with the Hacking Policy Council, Ellis is also a founding member of The disclose.io Project. The goal of this project is to make vulnerability disclosure safe, simple, and standardized for everyone.



SPOTLIGHT: CUSTOMER

The Cybersecurity Skills Gap in a Changing Threat Landscape

In a recent conversation, we had the opportunity to speak with the Director of Cybersecurity at a leading data networking organization. Our discussion provided insights into their experience launching a Vulnerability Disclosure Program and shed light on the current threat landscape.

This director is a winner of Cyber Defense Magazine’s 2023 Top Global CISO Award with over 19 years of experience in the IT security field. This Bugcrowd customer is a data networking hardware leader that strives to build the world’s most reliable, innovative, future-ready wireless technologies that securely connect every person and everything, effortlessly.

We spoke to their director, who is seeing major changes to the threat landscape since the beginning of the pandemic, specifically in the complexity of security threats and the prevalence of automated and AI-based cyber threats. “As vulnerabilities and threats continue to increase and become more complex in the wake of AI-based cyber threats, security professionals need to upskill themselves in automation and AI-based technologies to tackle such threats,” they said.

They also cite the cybersecurity skills gap as one of the top security risks impacting organizations at the moment.

“We are at the cusp of an ever-changing technology landscape and evolving, sophisticated security threats. Without adequate cybersecurity skills, organizations are at a significant risk of getting compromised.”

They predict the cybersecurity skills gap will continue to increase in the short term, but they aren’t without hope. “The security industry has been a pioneer in hiring people from diverse technology and education backgrounds, helping them train in cybersecurity skills to fix the hiring gap,” they said.

They recommend that organizations focus on investing resources in their cybersecurity personnel to ensure they stay updated on the latest and greatest with respect to cybersecurity skills. “Cybersecurity upskilling should be one of the top business priorities in the organization.”

Crowdsourced security is another way to address the cybersecurity skills gap, helping organizations connect with thousands of security experts around the world. The data networking organization decided to partner with Bugcrowd to establish a Vulnerability Disclosure Program (VDP) in order to help manage the vulnerabilities reported by the hacker community. With the help of Bugcrowd, they were able to put a structure to vulnerability submissions, helping them comply with security, compliance, and regulatory requirements.

Beyond compliance requirements, they explored adopting a VDP because they wanted to do everything possible to proactively reduce risk exposure, innovating in security instead of just checking boxes.

“We want to visibly demonstrate our commitment to security, building productive relationships with the hacker community. We want security testing and remediation to keep up with the pace of innovation,” they said.

They chose to partner with Bugcrowd because it offers a multi-solution platform, extensive experience and a track record of fast triage response times, reporting and analytics capabilities, adoption and integration, and emphasis on long-term success. Looking forward, they intend to complement their VDP with other Bugcrowd products, including launching a Managed Bug Bounty program and utilizing Pen Testing as a Service.



RISK MANAGEMENT WILL GET NOISIER

The first three predictions beget this one—with a higher volume, greater volatility, and a wider range of “baddies” to think about—the importance of efficient prioritization will never be more obvious, and the core role that risk plays in priority assessments will breathe fresh interest into risk management and calculations.

AI WILL ACCELERATE EVERYTHING IN SECURITY

Since the mainstream adoption of generative AI, brought on by the release of ChatGPT, the potential of AI has captured imaginations everywhere, including those of adversaries. The cat-and-mouse game between attack and defense is as old as time, but the general availability of powerful AI tooling is poised to speed things up.

THE CHAOTIC THREAT ACTOR RETURNS

The last time defenders had their attention focused squarely on “asymmetric” or “chaotic” threat actors was Lulzsec and Anonymous in 2013. In 2023, Lapsu$ demonstrated that defenders have focused on financially and state-motivated attackers, leaving open doors for those whose goals might seem “irrational.” The increasing array of reasons for hacktivists to use hacking as a protest tool puts chaotic threat actors at the top of my list for 2024.

QUESTIONABLE ELECTION SECURITY WILL CONTINUE

Has it been four years already? Despite progress in election system security, a deepening distrust in election integrity in North America will once again bring the subject of vulnerabilities, hacking in good faith, and the place of security research into public discourse.



Vulnerabilities Reported by Industry Breakdown

Now that we’ve seen an overview of vulnerability trends over the past few years, let’s dive deeper into what is happening in specific industries to uncover more of the story. There is a misconception that only software and technology companies leverage crowdsourced security; however, our data show that this isn’t accurate.

Although crowdsourced security is heavily used in these spaces, organizations from a wide variety of industries worked with hackers on the Bugcrowd Platform in 2023.

For this report, we narrowed our case study down to six key industries—computer software, computer hardware, corporate services, financial services, government, and retail. Across the board in five of the six industries, the number of submissions increased in 2023 compared to 2022.

The biggest increase was in government, which experienced a 151% increase in submissions. Federal directives that require organizations to develop VDPs may contribute to increased reporting in these industries.

In 2020, the Cybersecurity and Infrastructure Security Agency issued Binding Operational Directive 20-01. This directive requires federal, executive departments and agencies to implement their own VDPs and maintain handling procedures—challenging the perception that less regulated industries like technology embrace crowdsourced security the most.

Change in submissions, 2023 compared to 2022:

Computer software: ↑12% increase in submissions
Computer hardware: ↓2% decrease in submissions
Corporate services: ↑20% increase in submissions
Financial services: ↑11% increase in submissions
Government: ↑151% increase in submissions
Retail: ↑34% increase in submissions



INSIDE THE PLATFORM: VULNERABILITIES BY INDUSTRY

Average Payouts

Payouts for P1s are increasing in all industries. The table below shows the average, median, and 90th percentile bounties paid for P1 submissions in 2023.

Industry           | Average | Median  | 90th percentile
Computer software  | $7,278  | $2,500  | $10,000
Computer hardware  | $3,058  | $2,500  | $5,200
Corporate services | $2,708  | $2,500  | $3,000
Financial services | $10,247 | $10,000 | $20,000
Government         | $5,000  | $5,000  | $8,000
Retail             | $1,066  | $500    | $2,500

Yet again, we see that the financial services sector offers the highest average payouts for critical vulnerabilities. The financial sector has experienced continuous growth in crowdsourced security adoption over the past decade. Financial services institutions were one of the first industries to adopt crowdsourced security.

One reason for this is the regular occurrence of mergers and acquisitions in the financial sector. Unfortunately, companies involved in mergers and acquisitions have become prime targets for ransomware and other kinds of cyberattacks. To minimize the chances of a breach in the midst of a deal—or after its closing—many organizations in the financial sector find value in crowdsourced security as a way to assess risk and help protect IT infrastructure, applications, and assets during the merger and acquisition process.

Digital transformation is another core driver of crowdsourced security popularity in this sector. The speed with which financial institutions have adopted new technologies, moved to adopt the cloud, and adopted new collaborative tools and technologies has likely contributed to an increase in vulnerabilities.

Additionally, security environments are often siloed and fragmented, leaving more blind spots that attackers can exploit. As such, many financial organizations use up to 50 security tools, sometimes more.

Although we only presented data on six key industries in this section, it’s important to remember that all industries are currently adapting to today’s security environment.

A recent ISC2 study found that those in the healthcare, military, energy/power/utilities, government, and manufacturing industries believe that they are more sensitive to threats than other industries in the modern threat landscape.



SPOTLIGHT: CUSTOMER VIEW PROFILE

Meet Martin Choluj
VP of Security at ClickHouse

We recently had the privilege of speaking with Martin Choluj, the vice president of security at ClickHouse. Our discussion yielded valuable insights into his experience collaborating with Bugcrowd and the critical role that crowdsourced security plays in safeguarding a brand’s intellectual property.

Choluj is a seasoned security professional with an impressive 15-year track record in the field. He is currently VP of security at ClickHouse, a company renowned for its efficient open source database solutions.

Before stepping into this role, Choluj spent nearly six years as CISO at Campaign Monitor and held various security leadership roles in international financial institutions. Bolstering his practical experience, he holds a Master’s Degree in Security and Forensic Computing and a Bachelor’s Degree in Information Technology.

At its core, ClickHouse champions the principles of trust and risk reduction, and it’s this ethos that led it to explore a bug bounty program. Choluj highlighted that the company’s aim is not simply compliance but fostering innovation in security and building constructive relationships with the hacker community.

Choluj’s partnership with Bugcrowd started in 2016 in a previous role, which led ClickHouse to choose our platform over others. With Bugcrowd, ClickHouse was able to tap into a global community of hackers to identify and address hidden, high-impact vulnerabilities.

According to Choluj, a proactive approach is essential to any large-scale assurance program. He underscored the importance of crowdsourced security by saying, “Interacting with the hacker community is vital for our assurance program to operate on a large scale effectively.”

He praised Bugcrowd’s triage response time and commitment to long-term customer success, both underpinned by a solid track record of experience. The primary challenge for ClickHouse was anticipating attack vectors and attacker ingenuity—an area where Bugcrowd’s expertise has proven invaluable.

Choluj also acknowledged a skill gap in cybersecurity, particularly when bridging the divide between security and engineering. He sees the Bugcrowd platform as a viable solution to this challenge, enabling organizations to augment their internal teams by tapping into the collective creativity of hackers. This approach effectively bridges the workforce gap, fostering stronger synergy between different domains of expertise.

A wave of digital revolution has prompted organizations to rethink their security strategies. Old-school methods centered on safeguarding known environments and networks no longer suffice. Choluj asserted that the shift to remote work, amplified by the pandemic, requires a new focus on securing systems and users, regardless of location.

Choluj’s experience highlights the importance of treating cybersecurity as an ongoing strategic endeavor rather than as a one-off project. His partnership with Bugcrowd exemplifies how a platform-driven approach to crowdsourced security can strengthen an organization’s defenses, turning potential vulnerabilities into fortified security measures. Embracing crowdsourced security is more than a wise business decision in today’s intricate digital landscape; it’s a necessary step toward a secure digital tomorrow.

INSIDE THE PLATFORM: THOUGHT PIECE

How Different Hacker Roles Contribute to Crowdsourced Security with Bugcrowd

Michael Skelton, VP of Security Operations and Hacker Success

Adopters of crowdsourced security are only as successful as the hackers/security researchers with whom they collaborate, whether it’s in a crowdsourced penetration test, bug bounty, or something else. A major ingredient in that success is the ability to match and activate the right hackers and/or pentesters for the task at hand—and quite often, the types of hacker roles involved also make a big difference in the results.

When evaluating the value of crowdsourced security, many people focus on the number of hackers who will focus on their targets. While this is a logical approach, it’s just as important to consider the diversity of perspectives that a “crowd” can provide. For example, in a traditional penetration test, the findings usually reflect the perspective of a single “type” of tester (more on that below), which produces results aligned with that one perspective, albeit these results conform to a methodology. In contrast, a genuinely crowdsourced pen test (not a “crowd-washed” one) inherits value from the full range of thoughts, approaches, and styles that only a crowd can provide—and that enables more comprehensive, intensive testing to find more diverse types of bugs.

Furthermore, it’s a strong signal that “pay for effort” (typical of an industry-standard pen test) and “pay for impact” (typical of a bug bounty) testing models are highly complementary.

At Bugcrowd, we think of hackers/pentesters as occupying one of five distinct roles: BEGINNERS, RECON HACKERS, DEEP DIVERS, GENERALISTS, and SPECIALISTS. (It’s also important to keep in mind that over time, hackers/pentesters can and will journey from one role to another.) Each role plays an important part in a given program, and these roles are relevant to how the Bugcrowd Platform’s CrowdMatch technology matches the right crowd to a customer’s needs, at the right time, across hundreds of dimensions. Next, let’s take a look at each type of role in more detail. ↓



The Beginner

Beginners on the Bugcrowd Platform refer to those who are new to the concept of crowdsourced security in general rather than just being new to the platform specifically. When assessing a hacker’s level of experience, we may consider factors such as their participation on other platforms or their published research and tools. However, if such information is not available, we may assume that the hacker is a beginner in the ecosystem, at least initially (although this may not always be the case).

It’s important to note that a Beginner is not necessarily unskilled, even if they’re only submitting P3/P4 issues. For example, they may be working through a course to broaden their skill set, or they may have limited public presence but already work as a pentester and want to further develop their skills. Typically, this type of hacker covers vulnerability classes that others may not focus on as much, including P4 issues related to authentication and authorization, as well as simpler infrastructure issues (such as DMARC).

→ Beginners add value in terms of coverage and consistency. Their participation in a program ensures, for example, that vulnerabilities that would typically be found in a penetration test are also identified in a bug bounty program. The last thing we want is for a customer to follow a penetration test with an overlapping bug bounty and only then learn about a bunch of lower-priority items!

The Recon Hacker

Recon Hackers focus on identifying issues across the largest scope possible, so these individuals often discover P2/P3 issues that would not typically be found in a penetration test.

Over the past few years, Recon Hackers have dominated every provider’s leaderboard due to the proliferation of subdomain takeovers, particularly in ROUTE53 and EC2 takeovers. While these takeovers are now largely patched, the leaderboards are now askew, and thus, the highest-rated hackers may not always bring the maximum level of impact.

It’s important to note that many recon-based hackers are highly skilled. However, many who take a recon-first approach have found a lucrative niche and thus tend to focus on refining their toolkit to further exploit only that niche.

The Deep Diver

Deep Divers are the most valuable hackers for Bugcrowd to identify, engage, retain, and uplift. These hackers tend to focus on a particular program, learn as much as they can about it, and provide unique and distinct value. A Deep Diver can uncover vulnerabilities that nobody else can due to their persistence and long-term knowledge of how a program operates.

Identifying these hackers is best done by analyzing the content of their submissions—rather than just looking at the spread of vulnerabilities across a program—due to the unique nature of these findings.



The Generalist

Generalists take a multifaceted approach: They have a solid foundation in reconnaissance and utilize it to cover attack surfaces thoroughly, without relying solely on large-scale monitoring and tooling. Generalists also apply a deep-diving approach to evaluating assets. While they may not spend as much time on a particular program as Deep Divers do, they invest considerable time across a variety of programs. Due to their dual proficiency in recon and deep diving, Generalists quickly gain a reputation on the Bugcrowd Platform and are highly valued.

The Specialist

Specialists are a rare breed who require specific sourcing for an engagement. They possess unique and rare skill sets and typically have years of experience in a particular technology (e.g., APIs, AI, IoT, and Web3) or a specific Bugcrowd VRT category.

As you read in the introduction, one of the greatest strengths of the Bugcrowd Platform is its ability to source and activate Specialists to meet a program’s specific skill set needs. Due to their specialized knowledge, Specialists can uncover issues that other hackers may miss, and they often provide invaluable, unique solutions to a problem.

An Engineered Approach

To maximize the contributions of each hacker role, Bugcrowd is strategic in its approach to sourcing and engaging with hackers. For example, adding Beginners to a program that has been running for three months may lead to frustration and a high number of duplicates, while adding Generalists too early dilutes the ability of Beginners to up-level themselves through their findings. Therefore, program maturity is an important input for our platform’s CrowdMatch technology when it comes to sourcing the appropriate roles.

TO SUMMARIZE ↓

Different hacker roles contribute to crowdsourced security programs in different ways, and it’s important to deeply understand a program’s needs to make the most of these contributions. To respect this process, unlike other providers that rely on leaderboards or coarse-grained methods, Bugcrowd’s engineered approach intelligently sources and activates the right role types and skills for your programs, at the right time.



Why a Crowdsourced Security Platform is the Best Early Warning System for Vulnerabilities

By providing access to the collective expertise of thousands of trusted ethical hackers, a crowdsourced security platform can serve as an early warning system that enables organizations to discover and remediate vulnerabilities before attackers can exploit them.

As organizations look to mature their security strategies, many have found that a crowdsourced security platform best addresses their needs. Whether you are just getting started with crowdsourced security or improving upon an existing program, implementing a platform-based solution is a good place to start.

The ideal solution:

- Streamlines workflows with integration across the platform and DevOps tools you rely on.
- Connects your organization with trusted ethical hackers who have the skills to meet your specific requirements.
- Provides contextual intelligence without the noise of traditional scanning solutions.
- Offers fast triage and prioritization of vulnerability submissions.

To better understand the benefits of taking a platform-based approach, let’s take a look at some of the key benefits of the Bugcrowd Platform.



INSIDE THE PLATFORM: THE BUGCROWD PLATFORM

The Bugcrowd Platform

Our platform is designed to apply over a decade of expertise and context to an organization’s cybersecurity program. Its massive knowledge graph of historical hacker, vulnerability, interaction, asset, and remediation data can inform workflows.

Using the platform, organizations can easily create and incentivize bug bounty, vulnerability disclosure, and pen testing programs. To ensure organizations are connected with the “right” hackers, the platform uses AI models and data from our vast knowledge base to match hacker skill sets, interests, and availability with an organization’s specific needs.

For successful crowdsourcing to be effective, rapid triage and prioritization are required. Thus, our platform enables rapid vulnerability triage at any scale with the industry’s best signal-to-noise ratio. Our global team of security engineers adds critical context to hacker submissions by rapidly validating and triaging bugs (with the most critical ones handled within hours).

Severity levels are based on a rich, open source VRT developed over a decade and our deep connections to the hacker community.

Finally, a good crowdsourced security strategy does not exist in a vacuum. It must be part of a broader workflow that extends across DevOps tools and the software development life cycle (SDLC). That’s why the platform includes pre-built connectors, webhooks, and rich APIs to flow findings into your DevOps tools and life cycle in real time.

[Platform diagram] Products: Vulnerability Disclosure (Accept External Feedback); Bug Bounty (Discover More Vulnerabilities); Pen Test as a Service (Go Beyond Compliance); Attack Surface Management (Discover and Prioritize Unknown Assets). The Bugcrowd Platform: Crowd Curation; AI-driven Validation & Triage; Workflow Orchestration & Automation; Analytics & Reporting. Hackers and Pentesters (Hacker Workbench); Customers (Management Console). DevOps Integration: API, Webhooks, and Pre-Built Connectors for JIRA, GitHub, ServiceNow, etc.



JOIN THE CONVO

Now that we’ve seen the data around the most common bugs of 2023, we wanted to get some anecdotal feedback from the hacking community via X to understand if what they are seeing aligns with the data. Here are some of their thoughts.

Areeb Tanzeem (@areeb_tanzeem): “Improper auth/access control”
12:14 PM • Oct 23, 2023 • 526 Views

Nikhil Rajpit (@Swaggy_Singh_R): “Broken Access Control”
12:04 PM • Oct 23, 2023 • 265 Views

Sujay Hazra (@TheLittleH4ck3r): “IDOR and Privilege Escalation”
12:30 PM • Oct 23, 2023 • 194 Views

V1k1ing (@v1ik1ing_h4ck3r): “IDOR Exploits. Exposed Sensitive Information in Publicly Accessed URLs/Directories. I would have to say those 2 for sure are at least in the top 3!”
1:13 PM • Oct 23, 2023 • 34 Views

B_K_S (@srb1mal): “Improper Access Control and Specially auth bypasses”
1:36 PM • Oct 23, 2023 • 65 Views



Conclusion

That’s a wrap on this year’s edition of Inside the Platform. This year, we found that vulnerability trends from past years have continued to hold true—more and more organizations across all industries are using crowdsourced security, so we continue to see a rise in the number of high-impact and valid vulnerabilities.

These data highlight many trends in the industry, but our biggest takeaway is that crowdsourced security is both an art and a science—and Bugcrowd makes both parts scalable. On the one hand, crowdsourced security is not a free for all. There is a rationale behind every decision, and organizations can follow these predictors of success to maximize their programs. However, this isn’t all an exact science. Organizations must be thoughtful about how they design their programs, briefs, and incentives. In addition, organizations must think about the ways in which they interact with hackers to foster mutually beneficial relationships.

The crowdsourced security industry has matured over the course of the last decade, and even though many still view it as a new part of the security technology stack, there is no denying that the industry is evolving. It is no longer enough to just have a bug bounty program—crowdsourced security is not a “one-and-done” exercise. Organizations must think about building dynamic programs with continuous improvement in mind.

This may seem daunting for many organizations, but they don’t have to go it alone. Bugcrowd has a decade of experience. We know what “good” looks like, we know the different levers organizations can pull at different times to grow their programs, and we know the red flags to watch out for. We also help organizations prioritize continuous improvement through analytics, powered by a rich Security Knowledge Graph of vulnerabilities, assets, environments, and skill sets based on thousands of customer experiences. Critical insights from that data help organizations continuously improve their security posture, constantly raising the bar for excellence.

1. Embrace crowdsourced security to uncover high-impact vulnerabilities.
2. Design dynamic programs with continuous improvement in mind for long-term success.
3. Leverage the industry’s richest security knowledge graph for a stronger security posture.



KEEP READING

Content recommendations

DATA SHEET: CrowdMatch. Unleash hacker ingenuity with AI-powered matching and activation.

GUIDE: What’s a Vulnerability Worth? Building a rewards model for your bug bounty program.

EBOOK: Expanding Risk Reduction with a Crowdsourced Security Platform. Ways the Bugcrowd Platform goes beyond crowdsourced security.

INTERACTIVE TOUR: Bugcrowd Platform Tour. A 5-minute overview of how the Bugcrowd Platform works.



Glossary

a

Adversary: An individual, group, or organization that actively seeks to compromise the security of a system or network.

Adversarial AI: When threat actors target the data sets, algorithms, or models that an ML system uses to deceive and manipulate their calculations, steal data appearing in training sets, compromise their operation, and render them ineffective.

Ally: A person or entity that supports and cooperates with another to protect the security of a system or network.

Application programming interface (API): An API is a way for two or more computer programs to communicate with each other. It is a type of software interface that offers a service to other pieces of software.

AI: The simulation of human intelligence processes by machines, particularly computer systems, to execute tasks akin to learning and decision-making found in humans. Subsets of AI include expert systems, neural networks, deep learning, natural language processing, speech recognition, and machine vision. In cybersecurity, AI is applied in attack surface management, automated detection and response, and intelligent authentication and fraud prevention.

Asset: Any data, device, or environmental component that supports information-related activities. Assets generally include hardware, software, and confidential information.

Asymmetric Intent: Cyberwarfare that seeks to inflict a proportionally large amount of damage compared to the resources used by targeting the victim’s most vulnerable security measure.

Attack Surface: The sum of the different points in a software environment where an unauthorized user can enter or extract data. Minimizing the attack surface is a basic security measure.

Attacker: An individual or group that performs malicious activities to destroy, expose, alter, disable, steal, or gain unauthorized access to or make unauthorized use of an asset.

b

Bad Actor: Also called a malicious actor or threat actor, an entity that is partially or wholly responsible for an incident that impacts or has the potential to impact an organization’s security.

Beginner Hacker: Hackers who are new to the concept of crowdsourced security in general.

Bounty: Monetary rewards offered in exchange for a vulnerability finding, discovery, or report.

Bounty Hunter: A highly skilled hacker who receives recognition and compensation in exchange for reporting bugs, especially those pertaining to security exploits and vulnerabilities.

Breach: A cyberattack in which sensitive, confidential, or otherwise protected data have been accessed or disclosed in an unauthorized manner.

Bug: A software defect that can be exploited to gain unauthorized access or privileges to a computer system.

Bug Bounty: Bug bounty programs allow independent security researchers to report bugs to an organization and receive rewards or compensation.

Bug Hunter: A highly skilled hacker who receives recognition and compensation in exchange for reporting bugs, especially those pertaining to security exploits and vulnerabilities.

c

Chief Information Security Officer (CISO): The senior-level executive within an organization responsible for establishing and maintaining the enterprise’s vision, strategy, and program to ensure assets and technologies are adequately protected.

Critical Vulnerabilities and Exposures (CVE): A list of publicly disclosed security flaws.

Crowd Fear: The fear of an unmanageable and overwhelming number of submissions once a program goes public.

Crowd Washing: The purposeful and sometimes deceptive attempt by a vendor to make their offerings sound more modern and impactful than they really are.

CrowdMatch: Bugcrowd’s proprietary AI technology that matches precisely the right trusted hackers to a specific program’s needs across hundreds of dimensions, producing tighter engagement and better results.

Crowdsourced Security: An organized security approach wherein ethical hackers are incentivized to search for and report vulnerabilities in the assets of a given organization. The power of crowdsourced security is derived from the proportion of active testers per asset/ecosystem versus more traditional testing methods.

Customer: Organizations that leverage the Bugcrowd platform or its associated services.

Cybercriminal: An individual or group that commits malicious activities on a system or network with the intention of stealing sensitive information or personal data to generate profit.

Cybersecurity Skill Gap: The mismatch between the skills employers require in cybersecurity professions and the qualifications possessed by potential candidates.

d

Deep Diver Hacker: Hackers who tend to focus on a particular program, learn as much as they can about it, and provide unique and distinct value.

DEF CON: A hacker convention held annually in Las Vegas, Nevada.

DevOps: A methodology in the software development and IT industry that integrates and automates the work of software development and IT operations as a means for improving and shortening the SDLC.

Digital Transformation: The process of fundamentally changing an organization through technology and culture to improve/replace what existed before.

Disclosure: The practice of reporting security flaws in computer software or hardware.

e

Engagement: Measurable indicators of the level of interest, involvement, and influence that a crowdsourced security program generates among ethical hackers or custom-designed pen testing solutions tailored to an organization’s unique needs.

Ethical Hacker: A person who hacks into a computer network to test/evaluate its security rather than to carry out an act of malice.

Ethical Hacking: An authorized attempt to gain unauthorized access to a computer system, application, or data.

Exposure: All vulnerabilities and risks associated with an organization’s networks, systems, applications, and data. Exposures encompass the potential weaknesses and threats that cybercriminals may exploit, resulting in security breaches, data loss, or other adverse consequences for an organization.

g

Generalist Hacker: Hackers with a solid foundation in reconnaissance who utilize it to cover attack surfaces thoroughly, without relying solely on large-scale monitoring and tooling. They also apply a deep-diving approach to evaluating assets.

Generative AI: A type of AI technology that can produce various types of content, including text, imagery, audio, and synthetic data in response to prompts. Generative AI models learn the patterns and structures of their input training data and then generate new data that have similar characteristics.

GRC: Governance, risk (management), and compliance.

h

Hacker: Someone who uses technical knowledge to achieve a goal or overcome an obstacle within a computer system by non-standard means.

Hacking Policy Council: An organization that strives to create a more favorable legal environment for vulnerability disclosure and management, bug bounties, independent repair for security, good-faith hacking, and pen testing.

Human Element: The role people play in the design, implementation, and operation of technology systems, as well as their potential to introduce vulnerabilities or mitigate risks.



i

Inflation: The measure of how much more expensive a set of goods and services has become over a certain period, usually a year.

Internet of Things (IoT): Any device (often called a smart or connected device) that connects to and exchanges information over the internet.

Incident Response: A term used to describe the process by which an organization handles a data breach or cyberattack, including the way an organization attempts to manage the consequences of an incident so that damage, recovery time, and costs are limited, and collateral damage, such as brand reputation, is kept to a minimum.

IT Asset Management: The process of cataloging, tracking, and maintaining an organization's technology assets.

l

Lapsu$: An international extortion-focused hacker group known for its various cyberattacks against companies and government agencies.

Limited Scope: A bug bounty program that includes only a single or specific target(s).

m

Malicious Hacker: Someone who is actively working to disable security systems with the intent of either taking down a system or stealing information.

Mergers and Acquisitions: Business transactions in which the ownership of companies, business organizations, or their operating units are transferred to or consolidated with another company or business organization.

Model: A program that analyzes mathematical representations of relationships between variables to make predictions or decisions in AI systems.

n

National Institute of Standards and Technology (NIST): An agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness.

o

Open Scope: A bounty program with no limitations on what hackers can or cannot test, so long as the target/asset belongs to the specified organization.

p

Payout: The money paid to a researcher once their vulnerability submission has been validated.

P1—Critical: Vulnerabilities that cause a privilege escalation from unprivileged to admin or allow for remote code execution, financial theft, etc.

P2—High: Vulnerabilities that affect the security of the software and the processes it supports.

Penetration Testing/Pen Testing: A simulated cyberattack done by authorized hackers who test and evaluate the security vulnerabilities of the target organization’s computer systems, networks, and application infrastructure.

Platform/SaaS Platform: Bugcrowd is an all-in-one SaaS platform that combines actionable, contextual intelligence with the skills and experience of the world’s most elite hackers to help leading organizations solve security challenges, protect customers, and make the digitally connected world a safer place.

Point-in-Time Assessment/Security Testing: A point-in-time review of a company’s technology, people, and processes to identify problems. Such assessments can find vulnerabilities existing at a single moment but fail to monitor activity between assessments.

Program: A program—which can be public or private—permits independent researchers to discover and report security issues that affect the confidentiality, integrity, or availability of customer or company information and rewards them for being the first to discover a bug.

Program Brief: A single-page researcher-facing document that contains all relevant information regarding a bounty program (what is in/out of scope, rewards, how submissions will be rated, instructions for accessing or testing the application, etc.). This is drafted with the Bugcrowd team after the initial kickoff call.

r

Ransomware: A type of malware designed to extort money from its victims, who are blocked or prevented from accessing data on their systems.

Recon Hacker: Hackers who focus on identifying issues across the largest scope possible, so these individuals often discover P2/P3 issues that would not typically be found in a pen test.

Risk: The potential for loss, damage, or negative consequences resulting from threats to the confidentiality, integrity, or availability of information or systems.

s

Software as a Service (SaaS): A software licensing and delivery model in which software is licensed on a subscription basis and is centrally hosted.

Scope: Outlines the rules of engagement for a bounty program. This includes a clearly defined testing parameter to inform researchers what they can and cannot test, as well as the payout range for accepted vulnerabilities.

Security Landscape: The entirety of potential and identified cyber risks affecting a particular sector, group of users, time period, etc.

Security Research: The study of technology, algorithms, and systems that protect the security and integrity of computer systems, the information they store, and the people who use them.

Security Researcher: The diverse group of skilled participants who hunt for vulnerabilities using the Bugcrowd platform. These trusted experts are sometimes referred to as white hats or ethical hackers.

Software Bill of Materials: A list of all the open source and third-party components present in a codebase.

Software Development Lifecycle (SDLC): A structured process that enables the production of high-quality, low-cost software in the shortest possible time.

Specialist Hacker: A hacker with unique and rare skill sets and who typically has years of experience in a particular technology (e.g., APIs, AI, IoT, and Web3) or a specific Bugcrowd VRT category.

Submission: The report a researcher submits to Bugcrowd describing the vulnerability or bug they found.

t

Target: A web or mobile application, hardware, or API that the Crowd tests for vulnerabilities.

The Crowd: The global community of white hat hackers on the Bugcrowd platform who compete to find vulnerabilities in bug bounty programs.

The Disclose.io Project: A collaborative, open source and vendor-agnostic project to standardize best practices for providing a safe harbor for security researchers within bug bounty and VDPs.

Threat Actor: An individual, group, or organization that poses a potential risk to the security of information or systems through malicious activities.

Triage: The process of validating a vulnerability submission from a raw submission to a valid, easily digestible report.

v

Valid: The state of a vulnerability that has been tested and confirmed as real.

Vulnerability Rating Taxonomy (VRT): The official standard used by Bugcrowd for assessing, prioritizing, and benchmarking the severity of security vulnerabilities.

Vulnerability: A security flaw or weakness found in software or in an operating system that can lead to security concerns.

Vulnerability Disclosure Program (VDP): Clear guidelines for researchers to submit security vulnerabilities to organizations while also helping organizations mitigate risk by supporting and enabling the disclosure and remediation of vulnerabilities before they are exploited. VDPs usually contain a program scope, safe harbor clause, and method of remediation.

w

Wide Scope: A bounty program that includes a wildcard in the in-scope targets.

White Hat Hacker: A computer security expert who uses pen testing skills to help secure an organization’s networks and information system assets. A white hat hacker is also known as an ethical hacker. White hat hackers work with information technology and network operations teams to fix vulnerabilities before black hat hackers discover them. White hat hackers operate with the permission of the organization and within the set boundaries.


