Ethical hackers flex their muscles in 2022

Ethical hackers working through HackerOne programmes discovered more than 65,000 software vulnerabilities in 2022 – 21% up on 2021 – and over 120,000 customer vulnerabilities, with reports for vulnerability types introduced by digital transformation projects skyrocketing as misconfiguration vulnerabilities grew by 150% and improper authorisation vulnerabilities grew by 45%.

This is according to HackerOne’s annual end-of-year wrap report, Hacker-powered security, which has been taking the temperature of over 5,000 hackers for six years now, combining their insights, exploring their motivations and expertise, and extrapolating trends from the organisation’s growing library of vulnerabilities to reveal an in-depth picture of the hacking scene.

“Insights from the hacking community about their experience and expectations teach organisations how to run a best-in-class programme that will attract the top hackers,” said Chris Evans, HackerOne’s chief information security officer and chief hacking officer.

“HackerOne’s vulnerability data, sourced from our 3,000 customer programmes, shows organisations which vulnerabilities their peers incentivise hackers to report. Customers continue to introduce risk during digital transformation projects. The report also shows that hackers are adept at identifying the vulnerabilities introduced so that our customers can fix them before they result in an incident.”

At the top line, HackerOne said it saw a 45% increase in organisations investing in its programmes in 2022, driven by the automotive industry, telecoms, and cryptocurrency and blockchain sectors.

Average bug bounty payouts from these programmes did not rise dramatically – likely due to wider macroeconomic factors – although programmes relating to the crypto and blockchain sectors did substantially increase their payouts, from an average of almost $6,500 in 2021 to almost $27,000 in 2022.

“Customers continue to introduce risk during digital transformation projects. Hackers are adept at identifying the vulnerabilities introduced so that our customers can fix them before they result in an incident”

Hackers working through HackerOne have now earned more than $230m to date, and 22 hackers have now earned over $1m in bounties, up from nine this time last year.

According to the report, the past 12 months have proved that it is quite simply impossible for security automation to replace the creativity of humans – no matter how loudly security automation specialists are shouting about it.

Almost all hackers – 92% in fact – say they can reach the parts that automation cannot, exposing the extent of what HackerOne terms the “attack resistance gap”. This is the gap between what organisations are able to protect and what they should be protecting, and the main factors that contribute to it are incomplete visibility of IT assets, insufficient testing and a lack of skills. HackerOne reckons most organisations are covering at best between 50% and 60% of their possible attack surface.

Hackers working with HackerOne – 70% of whom do it on a part-time basis while holding down other jobs – said they were chiefly motivated by learning (79%), getting paid (72%) and having fun (59%). Meanwhile, 59% also said they hacked to advance their career, 56% hacked for the challenge and 46% did it “to protect and defend”. Only 28% cited fame and recognition as motivations.

On his motivations, Jonathan Bouman, a Netherlands-based hacker interviewed for the report, said: “I’m a doctor when I’m not hacking and am motivated by the desire to do good in the world. There are many similarities between medicine and hacking; as a doctor, you’re trained to do threat modelling on humans, and sharing knowledge is what leads us to detect new diseases or discover new treatments. I bring this curiosity and collaborative approach to bug hunting.”

Demonstrating the value a good hacker can bring to an organisation’s IT team, the 2022 report also looked into the impact of ethical hacking on cyber careers, with some interesting findings. About 35% of respondents said they had actually secured a cyber security job based off their hacking experience and a similar number said they were using their experience on their CVs. For 25%, hacking had helped them get a promotion or progress their career.

“Hacking gave me a career because I dropped out of school, so my HackerOne profile was my resumé,” said Roni Carta, a France-based hacker. “I now work as a senior security engineer at European DIY, gardening and housing marketplace ManoMano, and I wouldn’t have got that job without my hacking experience. I now run the bug bounty programme and encourage other young hackers to develop their skills.”

HackerOne also asked its hackers what attracted them to the programmes they work on. It turned out bounties are the biggest attraction, with 65% saying they had chosen a programme based on the rewards on offer. Other top priorities included the challenge and opportunity to learn, the varied scope of the programme, and how quick the programme owner was to resolve bugs or issue bounties for them. Brand awareness was also a significant factor, with almost 38% saying they hacked on certain programmes because they liked the brand – and 4% because they disliked it.

Turn-offs included programmes with limited scope, low bounties, slow response times and communication, and slow payments. Hackers also rely on negative reviews when selecting programmes, and don’t like being made to sign non-disclosure agreements. Disliking the brand was also cited by many.

HackerOne said it was clear that the most mature programmes and organisations were most likely to attract the most talented hackers, as was a certain measure of honesty and transparency among programme operators.

Alex Chapman, a UK-based hacker interviewed for the report, said: “Disclosure helps us all learn. By disclosing security vulnerabilities, organisations can help increase overall security. Public disclosure demonstrates that an organisation has a high level of security maturity and will be a programme worth hacking on.”