A September 2020 directive to US government agencies to create vulnerability disclosure policies has driven a surge in bug-reporting activities: The federal sector saw a 1,000% increase in valid vulnerability submissions in the first three quarters of 2021, according to Bugcrowd.
Security researchers have spent more time working remotely over the past two years, which has allowed for more time to allocate toward research activities. The government sector has benefited from the trend, which, along with the mandate from the US Department of Homeland Security's "Binding Operational Directive 20-01," has led researchers to deliver significantly more bug reports in 2021 than the previous year, Bugcrowd reports in the 2022 edition of its annual "Priority One Report," released today.
The reaction to the directive started small but quickly accelerated through 2021, exposing government agencies' large attack surface area and spots within their infrastructure that remained relatively untested, says Casey Ellis, Bugcrowd's founder and chief technology officer.
"I don't think the government has unique difficulties in vulnerability management," he says. "Companies that have been around for a long time, and they have had organic and inorganic growth, the first thing that they discover is that they don't know where their stuff is, and the government is no different. Those things together really contributed to that 10x — it is a vast attack surface that is now being looked at."
The government sector is not alone. The financial sector saw nearly double the number of bug reports, with valid submissions growing by 82% in the first three quarters of 2021, Bugcrowd states in its report. Overall, Bugcrowd and other bug-bounty programs — along with independent corporate bug bounties — have seen bounties increase over time and a shift in researcher focus to the most critical flaws.
Bugcrowd has also witnessed herd mentality in vulnerability research. Following a public vulnerability disclosure, hackers often focus their own efforts on the same class of security issues. The Log4j disclosure, for example, resulted in a surge of platform testing for similar issues. This led to more than 1,200 reports, of which at least 500 were valid issues reported to the company's clients. Refocusing on the latest significant issue earned one researcher $90,000.
"Those shifts are like all the people standing around at a backyard party, waiting for someone to jump in," Ellis says. "We saw a lot ... more focus on critical remote access issues."
Priority 1 and 2 issues — essentially the critical and high-severity issues in Bugcrowd's taxonomy — accounted for 24% of all reported issues, according to the report. Cross-site scripting and broken access controls continued to be the top classes of vulnerabilities researchers discovered, but sensitive data exposure became the third most-common issue, up from the No. 9 slot in 2020.
Payouts are on the rise across industries as well. Financial services paid more than double (106%) the dollar volume for issues discovered by researchers, while software companies paid 73% more in 2021, compared with the previous year.
Not all vulnerabilities had to be new to earn a bounty — companies are looking for any unpatched issues, even if those issues are not new. So-called "n-day" vulnerabilities have, in many ways, become more important than 0-day vulnerabilities, Bugcrowd states in the report.
The Log4j vulnerability is also an example of a security flaw with a long tail that attackers will continue to exploit in the future. The Log4j advisory triggered a great deal of white hat and black hat activity, Ellis says.
"Sophisticated attackers have always been equated with exotic exploits and stealth, but I think it is clear that that is not always the case anymore," he says. "As an attacker, regardless of whether you are a government, your take has to justify your cost. Why burn a million-dollar 0-day when something you can download for free works just as well."
The impact of new research on hackers' interests — and the momentum it produces within the research community — are worth studying to figure out what types of vulnerabilities are most likely to be discovered and exploited in the future, Ellis says.
"The researchers and the hacker community, they do definitely operate as a herd — they listen to each other, and where they are seeing success, they run with new research," he says, adding that it's just rational economics. "Their goal is to find vulnerabilities that are unique and then get paid for it."