According to a new report by HackerOne, ethical hackers have reported over 66,000 software vulnerabilities to organizations in 2021, up by 20% from 2020.
Each year, HackerOne publishes the Hacker-Powered Security Report, drawing on what it describes as the world’s largest database of vulnerabilities. Its latest edition points to a positive trend of growing organizational cybersecurity awareness, as many more organizations appear to have prioritized vulnerability management over the past 12 months.
According to the report, more than 66,000 valid vulnerabilities were detected by ethical hackers in 2021, with a 264% YoY increase in bugs discovered via penetration tests. At the same time, 47% more security flaws were detected by Vulnerability Disclosure Programs.
In addition to the positive trend of increased organizational awareness, HackerOne points to the expansion of attack surfaces caused by digital transformation and cloud migration as another likely reason for the noticeable surge in vulnerabilities.
The Hacker-Powered Security Report also ranks the top ten vulnerability classes reported on the platform, with cross-site scripting as the most common category in 2021. With a 58% YoY increase, information disclosure runs a close second, while improper access control rounds out the top three.
The report also found that business logic errors saw the most significant increase in reports, up 67% from 2020.
Rising rewards for bug bounties
When it comes to bug bounty rewards, the median price of a critical bug rose 20% from $2,500 in 2020 to $3,000 in 2021. Meanwhile, the average bounty price paid by organizations to ethical hackers for a newfound critical bug rose by 13%, and by 30% for a high severity flaw.
“Even the most conservative organizations are recognizing the power of the outsider point of view,” said Chris Evans, the CISO and Chief Hacking Officer of HackerOne.
“Across the board, we’re seeing customers using vulnerability report data to inform their software development lifecycles. Organizations are catching issues earlier, and remediating them, at greatly reduced cost by focusing on improvements to developer education, source code integrations, and development frameworks.”