
Most ethical hackers identifying vulnerabilities they did not see before the pandemic


Bugcrowd on Tuesday released new research that found some 80% of ethical hackers have recently identified a vulnerability they had not encountered before the pandemic.

In its annual survey of ethical hackers, Bugcrowd also found that 91% say that point-in-time testing cannot secure companies year-round.

“Point-in-time testing is testing at a particular moment, say just before launch, versus continuous testing which is what we recommend,” said Casey Ellis, founder and CTO at Bugcrowd. “Continuous testing can include from development through market launch and beyond to ensure a strong security posture.”

The report analyzes survey responses and research conducted by Bugcrowd from May 1, 2020, to Aug. 31, 2021, in addition to millions of proprietary data points collected on vulnerabilities from 2,961 security programs. Some other top-level findings from the study include:

  • 74% of ethical hackers agree vulnerabilities have increased since the onset of the pandemic.
  • 71% report they earn more now that most companies work remotely.
  • 45% say a lack of scope inhibits the discovery of critical vulnerabilities.

Ellis said companies often don’t let security researchers conduct full tests, limiting targets and access.

“Limiting scope is like asking your doctor only to perform half of your annual physical,” Ellis said. “Companies do this because they have a false sense of security as to what is secure and/or what is most vulnerable, they are scared about finding too many vulnerabilities, and they think they know their environment better than anyone else.”

Tim Wade, technical director of the CTO Team at Vectra, said having 91% of security testers say that point-in-time testing cannot secure companies year-round reflects what software delivery professionals have known for years: shorter, more agile cycles improve quality. 

“Rapid, smaller scope engagements with an opportunity to incrementally measure capabilities over time will almost certainly move the needle for organizations,” Wade said.

There’s little question that the vulnerability landscape has shifted since the start of the pandemic, said Jake Williams, co-founder and CTO at BreachQuest. As the majority of knowledge workers moved from on-premises to remote work, Williams said network architecture fundamentally shifted.

“We view security as the intersection of confidentiality, integrity, and availability,” he said. “The shift to remote work happened so quickly that most organizations only worked on availability without worrying about the other aspects of security. Vulnerabilities caused by the rapid transition to remote work will certainly continue to be discovered. Security leaders should review this report as a beginning, not an end.”

Doug Britton, CEO of Haystack Solutions, said the Bugcrowd report highlights a trend that can almost be witnessed in real time, as breaches and malware attacks make headlines at a regular pace.

“We’re fortunate to have ethical hackers fighting this battle, but we need continued investment in the next generation of cyber professionals as well,” Britton said. “We have the technology and tools to find this talent, even in tight labor markets and need to take action to ensure we keep threats in check.”
