US Search for Vulnerabilities Drives 10x Increase in Bug Reports

Published: 23/11/2024   Category: security

Cross-site scripting and broken access controls continued to be the top classes of vulnerabilities researchers discovered, according to Bugcrowd's annual vulnerability report.



A September 2020 directive to US government agencies to create vulnerability disclosure policies has driven a surge in bug-reporting activities: The federal sector saw a 1,000% increase in valid vulnerability submissions in the first three quarters of 2021, according to Bugcrowd.
Security researchers have spent more time working remotely over the past two years, freeing up more time for research. The government sector has benefited from that trend, which, together with the mandate in the US Department of Homeland Security's Binding Operational Directive 20-01, led researchers to deliver significantly more bug reports in 2021 than in the previous year, Bugcrowd reports in the 2022 edition of its annual Priority One Report, released today.
The reaction to the directive started small but accelerated quickly through 2021, exposing government agencies' large attack surface and the parts of their infrastructure that had remained relatively untested, says Casey Ellis, Bugcrowd's founder and chief technology officer.
"I don't think the government has unique difficulties in vulnerability management," he says. "Companies that have been around for a long time, and they have had organic and inorganic growth, the first thing that they discover is that they don't know where their stuff is, and the government is no different. Those things together really contributed to that 10x — it is a vast attack surface that is now being looked at."
The government sector is not alone. The financial sector saw nearly double the number of bug reports, with valid submissions growing by 82% in the first three quarters of 2021, Bugcrowd states in its report. Overall, Bugcrowd and other bug-bounty programs — along with independent corporate bug bounties — have seen bounties increase over time and a shift in researcher focus to the most critical flaws.
Bugcrowd has also witnessed a herd mentality in vulnerability research: following a public vulnerability disclosure, hackers often focus their own efforts on the same class of security issue. The Log4j disclosure, for example, resulted in a surge of platform testing for similar issues, which led to more than 1,200 reports, of which at least 500 were valid issues reported to the company's clients. Refocusing on the latest significant issue earned one researcher $90,000.
"Those shifts are like all the people standing around at a backyard party, waiting for someone to jump in," Ellis says. "We saw a lot ... more focus on critical remote access issues."
Priority 1 and 2 issues — essentially the critical and high-severity issues in Bugcrowd's taxonomy — accounted for 24% of all reported issues, according to the report. Cross-site scripting and broken access controls continued to be the top classes of vulnerabilities researchers discovered, but sensitive data exposure became the third most common issue, up from the No. 9 slot in 2020.
Payouts are on the rise across industries as well. Financial services firms paid more than double (a 106% increase) the dollar volume for issues discovered by researchers in 2021, while software companies paid 73% more, compared with the previous year.
Not every vulnerability had to be new to earn a bounty: companies are looking for any unpatched issue, even a long-known one. So-called n-day vulnerabilities have, in many ways, become more important than 0-day vulnerabilities, Bugcrowd states in the report.
The Log4j vulnerability is also an example of a security flaw with a long tail that attackers will continue to exploit in the future. The Log4j advisory triggered a great deal of white hat and black hat activity, Ellis says.
"Sophisticated attackers have always been equated with exotic exploits and stealth, but I think it is clear that that is not always the case anymore," he says. "As an attacker, regardless of whether you are a government, your take has to justify your cost. Why burn a million-dollar 0-day when something you can download for free works just as well?"
The impact of new research on hackers' interests — and the momentum it produces within the research community — is worth studying to figure out which types of vulnerabilities are most likely to be discovered and exploited in the future, Ellis says.
"The researchers and the hacker community, they do definitely operate as a herd — they listen to each other, and where they are seeing success, they run with new research," he says, adding that it's just rational economics. "Their goal is to find vulnerabilities that are unique and then get paid for it."
