Hacker-powered security report: firms turn to human intelligence amid rising AI threats
HackerOne, the leader in human-powered security, today published its eighth-annual 2024 Hacker-Powered Security Report, which proves that in the last 12 months, the security researcher community has further matured its skill sets to meet customer demand. Nearly 10% of security researchers now specialise in AI technology as 48% of security leaders consider AI to be one of the greatest risks to their organisations.
HackerOne’s Hacker-Powered Security Report combines perspectives from the researcher community, customers, and security leaders with insights from the world’s largest database of vulnerabilities. The report explores how security-focused organisations integrate human expertise with technology and AI for a defence-in-depth strategy. The report highlights:
AI is a threat and an opportunity: More than two-thirds (68%) of security professionals said an external and unbiased review of AI implementations is the most effective way to mitigate AI safety and security risks overall. There has been a 171% increase in AI assets in scope on the HackerOne platform, with 55% of all AI vulnerabilities reported being AI safety issues.
Cross-site scripting (XSS) and misconfigurations remain the most-reported weaknesses: Pentests and bug bounties also continue to be the top engagements identifying these issues. Pentests uncover more systemic or architectural vulnerabilities such as misconfigurations. In bug bounty programmes, security researchers focus on real-world attack vectors, user-level issues, and business logic flaws, with XSS as the most commonly discovered weakness.
Technologically advanced industries are more likely than other industries to reduce common vulnerabilities during development: Security-mature and tech-focused industries like online services, retail, and e-commerce are actively reducing common vulnerabilities, as opposed to more traditional industries. Web3 companies also have 65% fewer reports for XSS than the industry average.
Crypto bounties continue to raise the bar: Crypto and blockchain organisations continue to pay well above the average for vulnerabilities, with bounties in the 95th percentile reaching $1 million. Internet and online services, retail and e-commerce, and computer software offer the next highest average payouts.
Income and education opportunities are top motivators for researchers: While security researchers predominantly hack to improve their income potential (77%), the opportunity to learn new skills and further their abilities motivates many (64%).
“Even the most sophisticated automation can’t match the ingenuity of human intelligence,” said Chris Evans, HackerOne CISO and Chief Hacking Officer. “The 2024 Hacker-Powered Security Report proves how essential human expertise is in addressing the unique challenges posed by AI and other emerging technologies. The report also provides guidance on building productive relationships between organisations and security researchers so the most novel and elusive vulnerabilities can be effectively found and fixed.”
The Hacker-Powered Security Report is based on data from HackerOne’s vulnerability database and includes insights from HackerOne customers, a panel of 500 global security leaders, and more than 2,000 hackers on the platform. It was compiled between June 2023 and August 2024. For further information, download the full report here and join our webinar on November 21st.