HackerOne published its eighth annual 2024 Hacker-Powered Security Report, which shows that in the last 12 months the security researcher community has further matured its skill sets to meet customer demand. Nearly 10% of security researchers now specialize in AI technology, while 48% of security leaders consider AI to be one of the greatest risks to their organizations.
HackerOne's Hacker-Powered Security Report combines perspectives
from the researcher community, customers, and security leaders with insights
from the world's largest database of vulnerabilities. The report explores how
security-focused organizations integrate human expertise with technology and AI
for a defense-in-depth strategy. The report highlights:
- AI is a threat and an opportunity: More than two-thirds (68%) of security professionals said an external and unbiased review of AI implementations is the most effective way to mitigate AI safety and security risks overall. There has been a 171% increase in AI assets in scope on the HackerOne platform, with 55% of all AI vulnerabilities reported being AI safety issues.
- Cross-site scripting (XSS) and misconfigurations remain the most-reported weaknesses: Pentests and bug bounties also continue to be the top engagements identifying these issues. Pentests uncover more systemic or architectural vulnerabilities like misconfigurations. For bug bounty, security researchers focus on real-world attack vectors, user-level issues, and business logic flaws, with XSS as the most commonly discovered weakness.
- Technologically advanced industries are more likely to reduce common vulnerabilities during development compared to other industries: Security-mature and tech-focused industries like online services, retail, and e-commerce are actively reducing common vulnerabilities, as opposed to more traditional industries. Web3 companies also have 65% fewer reports for XSS than the industry average.
- Crypto bounties continue to raise the bar: Crypto and blockchain organizations continue to pay well above the average for vulnerabilities, with bounties in the 95th percentile reaching $1 million. Internet and online services, retail and e-commerce, and computer software offer the next highest average payouts.
- Income and education opportunities are top motivators for researchers: While security researchers predominantly hack to improve their income potential (77%), the opportunity to learn new skills and further their abilities motivates many (64%).
The Hacker-Powered Security Report is based on data from
HackerOne's vulnerability database and includes insights from HackerOne
customers, a panel of 500 global security leaders, and more than 2,000 hackers
on the platform. It was compiled between June 2023 and August 2024.