Vulnerability hunting in the United States increases the number of bug reports 10-fold
A September 2020 directive to US government agencies to create vulnerability disclosure policies led to an increase in bug reporting activity: the federal sector saw a 1,000% increase in valid vulnerability submissions in the first three quarters of 2021, according to Bugcrowd.
Security researchers have spent more time working remotely over the past two years, leaving more time for research activities. The government sector has benefited from the trend which, along with the mandate of the United States Department of Homeland Security's "Binding Operational Directive 20-01", led researchers to file many more bug reports in 2021 than in the previous year, Bugcrowd reports in the 2022 edition of its annual "Priority One" report, published today.
The reaction to the directive started small but quickly accelerated through 2021, exposing the large attack surface of government agencies and points within their infrastructure that have remained relatively untested, says Casey Ellis, Founder and CTO of Bugcrowd.
“I don’t think the government has any unique difficulties in dealing with vulnerabilities,” he says. “Companies that have been around for a long time and have grown organically and inorganically, the first thing they find out is that they don’t know where their business is, and the government is no different. These things together really contributed to that 10x – that’s a huge attack surface that’s now being looked at.”
The government sector is not alone. The financial industry has seen almost double the number of bug reports, with valid submissions increasing by 82% in the first three quarters of 2021, Bugcrowd says in its report. Overall, Bugcrowd and other bug bounty programs – as well as independent enterprise bug bounties – have seen bounties increase over time and a shift in researchers’ attention toward the most critical vulnerabilities.
Bugcrowd has also witnessed a herd mentality in vulnerability research. Following a public vulnerability disclosure, hackers often focus their own efforts on the same category of security issue. The disclosure of Log4j, for example, led to a flurry of platform testing for similar issues. This resulted in more than 1,200 reports, of which at least 500 were valid issues reported to the company's customers. Refocusing on the latest major problem earned one researcher $90,000.
“These shifts are like all the people standing around a garden party, waiting for someone to step in,” Ellis says. “We’ve seen a lot…more attention on critical remote access issues.”
Priority 1 and 2 issues — essentially critical and high-severity issues in Bugcrowd’s taxonomy — accounted for 24% of all reported issues, according to the report. Cross-site scripting and broken access controls continued to be the top classes of vulnerabilities discovered by researchers, but exposure to sensitive data became the third most common problem, up from number 9 in 2020.
Payments are also up across all sectors. Financial services paid more than double (106%) the dollar volume for problems discovered by researchers, while software companies paid 73% more in 2021, compared to the previous year.
Not all vulnerabilities had to be new to earn a bounty — companies track down all unpatched issues, even if those issues aren’t new. So-called n-day vulnerabilities have, in many ways, become more important than 0-day vulnerabilities, Bugcrowd says in the report.
The Log4j vulnerability is also an example of a long-tail security flaw that attackers will continue to exploit in the future. The Log4j review sparked a lot of white hat and black hat activity, Ellis says.
“Sophisticated attackers have always been equated with exotic exploits and stealth, but I think it’s clear that’s not always the case anymore,” he says. “As an attacker, whether you’re a government or not, your take has to justify your cost. Why burn a million-dollar 0-day when something you can download for free works just as well?”
The impact of new research on the interests of hackers – and the momentum it generates within the research community – is worth studying to determine which types of vulnerabilities are most likely to be discovered and exploited in the future, says Ellis.
“Researchers and the hacker community definitely work like a herd – they listen to each other, and where they find success, they conduct new research,” he says, adding that it is nothing more than rational economics. “Their goal is to find unique vulnerabilities and then get paid for it.”