A new State of The Crowdsourced Security in 2019 study reports a 92 percent increase in total vulnerabilities reported over the previous year. The average payout per vulnerability increased this year by a whopping 83 percent, with average payouts for critical vulnerabilities reaching $2,669.92 — a 27 percent increase over last year.
Mega-bugs like ETERNALBLUE, Double Kill, Meltdown, Spectre, and the vulnerability in Apache Struts2 — which was responsible for the Equifax breach — just a few examples of bugs that were exploited in ways that made headlines and left many systems, users and companies devastated.
Additional key findings in the Bugcrowd study include:
- In the first half of 2019, there was a 29 percent increase in the number of programs launched in versus the same time the year before and a 50 percent increase in public programs launched. Why: More companies are reaching security maturity and taking their programs public as a part of their corporate social responsibility on the Internet.
- Submissions have increased 92 percent overall, with submissions on IoT targets increasing more than any other at 384 percent. Why: More IoT targets + more security researchers specializing in IoT = more submissions. Unfortunately, the issue of systemic vulnerability in the IoT space is still a very real problem.
- In line with this, payouts on IoT targets were second highest, following payouts on web which remained highest.
Top Five Vulnerabilities Over the Last Year
- Broken Access Control
- Sensitive Data Exposure
- Server Security Misconfiguration
- Broken Authentication & Session Management
- Cross-Site Scripting
Understanding the most common vulnerabilities is important for the defenders who continuously face the challenge of making remediation decisions around vulnerabilities without access to all of the facts, and a key point of learning for bug hunters, especially those who are just getting started with bug hunting.