The number of white hat hackers who find security vulnerabilities and warn companies about them, usually to earn a bug bounty, increased by 63% in 2020, according to the latest annual Hacker report.
The number of ethical hackers reporting bugs or vulnerabilities to enterprises has increased by 143% since 2018, demonstrating that hackers and IT security teams are working together much more frequently to manage cyber threats.
The report, published on 9 March by security platform HackerOne, also found that more than one-third (38%) of hackers have spent more time hacking since the start of the pandemic, with many zeroing in on emerging threats that have arisen from the shift to remote working and organisations’ consequent digital transformations.
For example, as more enterprises moved to the cloud, reports of misconfiguration vulnerabilities rose by 310%, reflecting how attack surfaces have shifted because of the pandemic.
The report said that, on average, the top hackers were reporting bugs across 20 different vulnerability categories, with a 53% rise in submissions for both improper access control and privilege escalation.
“This year’s Hacker report demonstrates the depth of vulnerability insights that hackers bring to a security program,” said Jobert Abma, co-founder of HackerOne. “We are seeing huge growth in vulnerability submissions across all categories and an increase in hackers specialising across a wider variety of technologies.
“As we see slower growth in some common vulnerabilities that are easily found and fixed, we are seeing hackers be more creative in their attempt to discover new attack vectors. Every time a hacker links several low-severity vulnerabilities together to help a customer avoid a breach, or finds a unique bypass to a software patch, it proves that machines will never truly outpace humankind.”
The report also found that the number of hackers that did not report a bug due to a lack of clear reporting processes or previous negative experiences had fallen to half – an improvement on the 2020 Hacker report, which found that nearly two-thirds had found bugs and chosen not to report them.
In terms of hackers’ motivation, a survey conducted by HackerOne included in the report showed that its community of white-hat hackers were largely motivated by a mixture of bounties and learning opportunities.
For example, hackers earned over $40m in bug bounties – monetary awards given to those who find and report valid security weaknesses to organisations for safe resolution – last year, bringing total hacker earnings to date to over $100m.
In March 2019, 19-year-old Argentinian hacker Santiago Lopez, who started reporting security weaknesses through HackerOne’s bug bounty programme in 2015, became the world’s first hacker to become a millionaire through legal hacking activities.
Six months later, in August 2019, five more ethical hackers – including Briton Mark Litchfield – were also recognised as millionaires, having at that point collectively discovered nearly 5,000 vulnerabilities. The 2021 Hacker report noted that nine hackers have now become millionaires, with one passing the $2m mark in 2020.
As well as bounties, education continues to be a top driver for hackers, said the report, with 85% doing it to learn, 62% doing it to advance their career, and 33% already having leveraged their skills to secure a job.
Of all hackers, the vast majority (82%) hack only part-time, and just over half (55%) are under the age of 25.
“Traditional solutions can no longer keep pace with the dual requirements of speed and security,” the report concluded. “Internal security teams struggle to scale their skills and expertise with the growing and agile attack surfaces brought on by rapid digital transformation and remote working.
“Inviting hackers to share their insights means security teams can extend their reach and expertise to be better prepared for emerging threats.”
According to HackerOne’s Hacker trends and security in 2021 report from December 2020, the top three vulnerabilities that year were cross-site scripting (23%), information disclosure (18%) and improper access control (10%).
“Due to the Covid-19 pandemic, I’ve seen an influx of bug bounty hunters in various programs,” Singapore-based hacker Samuel Eng told HackerOne. “I noticed that many programs hardened really quickly at the start of the pandemic, especially common vulnerability classes such as XSS, SQL injections and basic authentication bypasses.”
He added that organisations should focus on authentication bypasses and access control issues in 2021.
