Software vulnerabilities increased by 20% in 2021 compared with 2020, according to a new report by HackerOne.
The bug bounty platform said its hackers had uncovered over 66,000 valid vulnerabilities this year, while hacker-powered pentests detected a 264% rise in reported vulnerabilities in 2021 compared to 2020. Additionally, there was a 47% increase in vulnerabilities detected by Vulnerability Disclosure Programs.
The surge in vulnerabilities has partly been driven by the increase in organizations adopting hacker-powered security testing programs, according to the report. For example, there was a 62% increase in financial services programs and an 89% rise in government programs, including a bug bounty challenge by the UK’s Ministry of Defence.
HackerOne said another factor is the expansion of attack surfaces brought about by digital transformation and cloud migration during the pandemic.
The most commonly discovered bug was cross site scripting, as it was in 2020. However, there were significant increases in reports of information disclosure (58%) and business logic errors (67%). Of all the vulnerabilities reported, 26% were considered critical, 36% medium severity, and 34% low severity.
Encouragingly, the median time to resolution fell by 19%, from 33 days in 2020 to 26.7 days in 2021 across all industries. Retail and e-commerce even saw time-to-remediation drop by more than 50% in this period.
The report also found that the median price of a critical bug rose by 20%, from $2500 in 2020 to $3000 in 2021. Additionally, the average bounty price for a critical bug rose by 13% and by 30% for a high severity rated bug this year.
Chris Evans, CISO and chief hacking officer at HackerOne, commented: “Even the most conservative organizations are recognizing the power of the outsider point of view.
“We’ve continued to see high growth in the financial services sector, for example. Measuring and quantifying risk is their business, and they’re seeing that both risk and business outcome is better if they embrace hackers. Across the board, we’re seeing customers using vulnerability report data to inform their software development lifecycles. Organizations are catching issues earlier, and remediating them, at greatly reduced cost by focusing on improvements to developer education, source code integrations, and development frameworks.”
James Coker Reporter, Infosecurity Magazine