2021 another record-breaker for vulnerability disclosure

Limited technical skills required

Indeed, approximately 90% of all new CVEs logged on the NVD in 2021 could be exploited by threat actors with limited technical skills, while 54% of new bugs were classed as having high availability, which means they are readily accessible and exploitable. Moreover, CVEs that require no user interaction – such as clicking on a malicious link or downloading a tainted file – now account for 61% of the total volume.

There is also the added complication that seeing a vulnerability has been classed as being of low-impact could mean security teams with responsibility for patching their systems pass over them in favour of fixing high-impact, critical flaws that attract more attention.

However, Glass’s team did find some reasons to be cheerful, with the number of new CVEs that require no elevated privileges to exploit dropping for the third year on the trot, down to 55% of the total number, from 59% last year and 66% in 2019. Additionally, the number of new vulnerabilities with a high confidentiality rating, meaning they are considered likely to put confidential data at risk of exposure, dropped from 59% to 53%.

Redscan’s figures were pulled at 9am GMT on 8 December 2021, so the final figures for the year will almost certainly vary – particularly after Microsoft’s final scheduled Patch Tuesday release of the year, which will drop on 14 December.

Meanwhile, ethical hacking and penetration testing specialist HackerOne has also reported a bumper year for vulnerabilities, with hackers working through its platform reporting more than 66,000 valid vulnerabilities in 2021, up 20% on 2020, as pandemic-induced digital transformation efforts, and outsourcing to third parties and cloud providers, continue to expose more attack surfaces.

In its annual Hacker-powered security report, HackerOne said it also found bug bounty prices for high- and critical-rated vulnerabilities are also on the rise – critical bugs now fetch $3,000 (£2,270/€2,652) on average, up from $2,500 in 2020 – and positively, users are getting quicker at remediating them.

“Even the most conservative organisations are recognising the power of the outsider point of view,” said Chris Evans, HackerOne’s newly appointed chief information security officer and chief hacking officer. “We’ve continued to see high growth in the financial services sector, for example.

“Measuring and quantifying risk is their business, and they’re seeing that both risk and business outcome is better if they embrace hackers. Across the board, we’re seeing customers using vulnerability report data to inform their software development lifecycles.

“Organisations are catching issues earlier, and remediating them, at greatly reduced cost by focusing on improvements to developer education, source code integrations and development frameworks,” he said.

HackerOne also revealed that the adoption of hacker-led security initiatives is up across all surveyed verticals, with a 34% increase in customer programmes this year. The most widespread bugs reported on its platform were cross-site scripting vulnerabilities, although other categories of vulnerability are also on the rise.