Just as a herd is more effective at finding food and shelter than a lone animal, crowdsourced security relies on the "wisdom of the crowd" to identify and resolve security issues more effectively than a single internal team can, and to keep pace with sophisticated attackers.
“Inside the Platform: Bugcrowd’s Vulnerability Trends Report” documents the steady adoption of public crowdsourced programs, driven by growing awareness and acceptance of crowdsourced security strategies.
The report found that government was the fastest-growing sector for crowdsourced security in 2023 compared with 2022, with a 151% increase in vulnerability submissions and a 58% increase in Priority 1 rewards paid for finding critical vulnerabilities.
Nick McKenzie, the CIO & CISO at Bugcrowd, shared that APAC is their fastest-growing market.
“While governments in the North started adopting crowdsourced security and disclosures from the hacker community within the last couple of years, driven by binding operational directives out of the US, similar mandates or policies have flowed down south and rolled out in Singapore and Australia, for example,” the Bugcrowd executive said.
Keener to crowdsource
Instead of keeping everything in-house, governments and public sector organisations are keener to crowdsource cybersecurity.
McKenzie shares that the Cybersecurity and Infrastructure Security Agency (CISA) collaborated on various approaches to fight threats and manage software vulnerabilities across the US federal ecosystem. He says that CISA recognised that “cybersecurity is at its strongest when the public (hacker community) has the ability to contribute.”
He added that the message of the US binding operational directive was to “listen to the community of hackers, embracing what they are telling us, accepting their submissions, reviewing them, validating them, triaging them in a legally authorised manner.”
Vulnerability Trends Report
McKenzie shares that one of the revelations from Bugcrowd’s Vulnerability Trends Report offers a glimpse inside the mind of a hacker.
“The most successful programs we see pay the biggest rewards, but noting that the hacker mindset has quite a few intrinsic motivations. You either get people drawn to a monetary incentive who go to a program or a customer offering big payouts. Another big part of the hacker community is curious, wanting to protect, tinker, solve a problem, and possibly hold the prestige of finding a bug,” he shares.
The report also revealed that industries such as retail (+34%), corporate services (+20%), and computer software (+12%) recorded increases in submissions. McKenzie says that the potential for using AI opens up opportunities for the hacker community and boosts the number of submissions through their platform.
“As companies integrate AI or GenAI into their business processes with new chatbots, smart products, and personalised responses, they create new vectors of attack. We are seeing an uptick in AI or GenAI vulnerability submissions,” he adds.
Call to crowdsource
McKenzie says CISOs across all sectors and organisations compete for good security talent. He admits that bringing IT back in-house or sourcing it externally is difficult.
“The whole premise of crowdsourcing security is that you are guaranteed a lot of top cyber talent with diverse thinking. We have hundreds of thousands of hackers on our books. Just imagine trying to source that as a CISO or security leader,” McKenzie shares.
He is confident that crowdsourced security helps solve the skills-gap problem by turning it into a talent-matching problem. “We are seeing a boom in matching hacker talent on our platform to particular customer business and technology requirements,” he adds.
Key predictions
Three key predictions are drawn from the findings of Bugcrowd’s report. First, the report concludes that integrated supply chain security cannot be ignored.
“It needs more focus, as shown by previous large-scale events. It needs to be taken seriously. It needs to be well documented and individualised, and it needs newer, continuous vulnerability assurance processes across them to help security leaders with insights into their supply chain health.”
Nick McKenzie
Further, McKenzie says that threat actors will use adversarial AI for faster and more sophisticated attacks.
“This does not mean those attacks will be successful; it just means CISOs or defenders will have more noise to sift through.”
The report also predicts that the human risk factor will become more dangerous. McKenzie warns of insiders, and of employees who fall victim to social engineering attacks or bypass internal controls, intentionally or unintentionally.
“Operationally, countering the cyber talent skills gap and helping their security teams scale, organisations will certainly and more broadly adopt the crowdsourcing of human intelligence to continuously weed out unique or previously unidentified vulnerabilities that smaller, less diverse, budget- or talent-strapped teams just cannot,” McKenzie shares.
Succeeding with crowdsourced security
Tapping into the power of crowdsourced security has its advantages. For an enterprise to succeed with it, Bugcrowd suggests accessing the right skill sets on demand, incentivising priority benchmarks, triaging findings quickly and at scale, leveraging analytics and metrics for continuous program growth, and integrating with existing workflows and systems.