Web Vulnerability Submissions Exploded in 2023
2024-1-26 21:0:25 Author: securityboulevard.com

There was an alarming surge of user-submitted web vulnerability submissions in 2023—with a 30% increase compared to 2022—as open-scoped bug bounty programs evolved, according to a report from Bugcrowd.

The study found API submissions, which report vulnerabilities or potential security issues involving application programming interfaces (APIs), rose by 18%, while Android submissions increased by 21% and Apple iOS submissions grew by 17%.

Bugcrowd’s report, compiled from millions of proprietary data points and vulnerabilities, also highlighted the government sector’s growth in crowdsourced security, showing a 151% increase in vulnerability submissions and a 58% rise in Priority 1 (P1) rewards.

These rewards are typically associated with the most severe and impactful security issues that could potentially lead to serious consequences if exploited.

Programs with open scopes, offering higher rewards, proved most successful, indicating the impact of crowdsourced solutions like penetration-testing-as-a-service (PTaaS), managed bug bounties and vulnerability disclosure programs.

Enterprises increasingly favored public crowdsourced programs, with financial services and government sectors leading in P1 payouts.

P1 vulnerabilities often involve critical security flaws that, if exploited by malicious actors, could result in significant data breaches, system compromises, or other severe consequences for the affected organization.

Callie Guenther, senior manager of cyber threat research at Critical Start, said from a threat intelligence perspective, the findings underscored a critical escalation in the cybersecurity threat landscape.

“This trend demands a strategic reevaluation of existing security frameworks,” she said. “Government organizations should adopt a more proactive and dynamic approach to cybersecurity.”

This involves not only bolstering detection and response capabilities through advanced AI and machine learning systems but also ensuring that these systems are ethically designed to counter AI-driven attacks.

“The alarming rise in submissions points to a broader issue: the increasing sophistication and frequency of cyber-attacks, possibly state-sponsored or from highly organized cybercriminal groups,” Guenther said.

This necessitates a shift towards a zero-trust architecture and more rigorous network segmentation to contain breaches effectively.

She added that the trend towards open-scoped bug bounty programs, while beneficial in uncovering a wider range of vulnerabilities, introduces additional risks and challenges.

John Bambenek, president at Bambenek Consulting, said any bug bounty program needs to be backed with the software engineering expertise to help resolve issues quickly.

“Simply taking reports that sit on a desk isn’t getting the job done,” he explained. “An open-scoped program means you are opening the floodgates for reports.”

He noted that while this is a good thing, engineering needs to be prepared to resolve the reports to minimize multiple researchers reporting the same vulnerability simply because it continues to exist for months after the initial report.

“Incident responders and the security operations center should also be using AI in a support role to help research events quickly by automating as much of the analysis as possible,” Bambenek said.

Guenther added that organizations must carefully balance the need for comprehensive security testing with the potential exposure of sensitive systems.

“This decision should be guided by a thorough risk assessment, taking into consideration the organization’s risk tolerance, resource availability, and legal implications,” she said.

From her perspective, the human element in cybersecurity is becoming increasingly pivotal.

“The rise in insider threats and social engineering attacks suggests a pressing need for comprehensive security awareness training tailored to various roles within an organization,” she said. “Creating a security-conscious culture is no longer optional but a necessity.”

John Gallagher, vice president of Viakoo Labs at Viakoo, said with the rise of AI-driven social engineering attacks, employee training needs to show what is possible.

“Voice recordings or videos can be fake, public sources of personal information can be combined to create an illusion; all communications should be questioned,” he said.

In addition, employee training needs to emphasize that all parts of the company (not just IT) are targets for cybercriminals, and that best practices always apply to all job functions.

“Threat actors are using AI as a force multiplier, and so should enterprises in defending against these attacks,” he noted.

More specifically, automation is needed to close the “window of vulnerability” that threat actors operate in, metrics are needed as a basis for improvements, and more cross-functional coordination is needed to remove siloed security operations.

Source: https://securityboulevard.com/2024/01/web-vulnerability-submissions-exploded-in-2023/