Finding Fast, Fixing Slow: The Rising Exposure Debt

Nidhi Aggarwal
Chief Product Officer
Sandeep Singh
VP, Product Strategy

Two weeks ago, we published Finding Fast, Fixing Slow: The Crisis of Asymmetric Remediation, where we highlighted that AI-accelerated vulnerability discovery exacerbates the asymmetry between finding vulnerabilities and remediating them.

We went back and analyzed HackerOne platform data to determine if this trend is already appearing across our programs. 

We looked at remediation performance on the HackerOne platform for the twelve months ending March 2026. The analysis covered all vulnerability reports submitted on the platform, with a specific focus on critical-severity findings.

AI-Driven Acceleration in Submission Volume

Total submissions across the platform grew by approximately 76% during the year, with a sharp increase in early 2026. Critical-severity submissions increased at similar rates, reaching a peak in March 2026. The timing lines up with AI-assisted discovery tools becoming more accessible to the security researcher community, something we noted in the original post.

Signal rates stayed relatively consistent throughout this period. This stability indicates that the increase in volume represents a mix of valid and invalid vulnerabilities rather than an influx of AI-generated noise reports.

[Figure: Total Volume Increase and Critical Volume Increase]

The Remediation Metrics That Surprised Us

Over the twelve-month period, mean time to remediate (MTTR) across the platform dropped by about 80%, and median MTTR fell by over 70%. Organizations can resolve faster than ever.

But here's what caught us off guard. The total number of vulnerabilities resolved each month fell by about 46% over the same period, even as overall submissions grew by 76%. The cumulative backlog of validated but unresolved vulnerabilities grew by more than 21x.

We can resolve faster. We just didn't resolve more. Somewhere along the way, we took our eye off the ball. Teams got faster at closing individual issues, but the overall effort going to remediation seems to have shrunk. The result is a backlog of vulnerabilities that is growing quietly in the background.

[Figure: Median MTTR Reduction]
[Figure: Total and Critical Resolved Trends]

Exposure Debt is Rising, and We Let It 

The cumulative backlog is an important risk indicator in security reporting. The compounding volume of unresolved findings is what shows the debt an organization carries.

Unresolved vulnerabilities grew 21x. Unresolved criticals grew 25x. That pattern typically increases the risk of breaches, because it shows discovery velocity outpacing remediation capacity. Organizations are no longer addressing vulnerabilities in a sustainable way, and that creates a widening window for adversaries who can use the same powerful AI discovery tools to find these unpatched surfaces. When you put this alongside the contracting time-to-exploit window, it tells you that threat actors can now weaponize new findings faster than internal teams are processing them.

[Figure: Exposure Backlog Over Time (All Severities)]

Critical-Severity Vulnerabilities Aren’t Escaping This Trend

We might assume that even if the overall numbers are slipping, organizations might be prioritizing criticals. The data shows they're not. The same pattern holds.

MTTR for critical findings improved by about 73%, but that efficiency only applied to a small subset of total volume. The actual remediation throughput has been dropping significantly. The resolution rate for critical issues fell from over 83% to under 40%. This gap between discovery and resolution caused the backlog of unresolved critical vulnerabilities to grow by about 25x. This trend demonstrates that current remediation capacity is not keeping up with the influx of critical-risk findings.

[Figure: Exposure Backlog Over Time (Criticals)]

Underlying Structural Patterns

The trends point to a consistent pattern: the aggregate resolution rate is declining, and each month a smaller proportion of vulnerabilities gets fixed. Even as validated findings rise, the total effort going to remediation appears to be shrinking.

The data points to a shift in resource allocation. Teams are fixing individual issues faster (suggesting they might be prioritizing selectively), but overall remediation throughput is not scaling with the growing discovery volume. 

The result is a fast-growing backlog of validated exposures. Without a strategic adjustment to remediation capacity, this trajectory leads to a progressively unmanageable risk profile.

What Has to Change

In our previous post, we outlined the need for longer-term changes: organizational redesign, better feedback loops for bug class elimination at scale, and stronger validation. Those still matter. But the accelerating backlog demands tactical steps right now, alongside those structural changes.

  • Focus on overall risk reduction. MTTR tells us how fast we fix, not how much risk we're reducing. We need to pair it with resolution rate and the exposure backlog to get a full picture of whether we're reducing overall risk or just resolving faster.
  • Increase remediation capacity where possible. We need dedicated remediation capacity and dedicated sprints to reduce the exposure backlog. Validated vulnerability volumes have grown significantly, and remediation now requires scalable resource allocation and AI-assisted approaches to keep up.
  • Put AI to work on the remediation side too. As AI accelerates discovery, remediation needs the same. AI-assisted fix generation, automated regression testing, and agentic workflows help development teams process more findings to keep pace with increased discovery volume.
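
An added example of the first point (not HackerOne's code or data): it computes median MTTR, resolution rate and cumulative backlog per month from constructed report records, showing MTTR falling while the backlog grows. The metric definitions (resolution rate as resolved-in-month over validated-in-month, backlog as cumulative validated minus cumulative resolved) and all names are assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import median


def batch(year, month, n, days_to_fix):
    """Constructed data: n reports validated on days 1..n of the month;
    only the first len(days_to_fix) are ever resolved."""
    out = []
    for i in range(n):
        validated = date(year, month, i + 1)
        fix = days_to_fix[i] if i < len(days_to_fix) else None
        resolved = validated + timedelta(days=fix) if fix is not None else None
        out.append((validated, resolved))
    return out


# Constructed sample: volume rises, fixes get faster, fewer reports get fixed.
REPORTS = (batch(2026, 1, 4, [30, 28, 26])
           + batch(2026, 2, 6, [10, 8])
           + batch(2026, 3, 10, [3]))


def exposure_metrics(reports):
    """Per month: median MTTR of reports resolved that month, resolution
    rate (assumed: resolved / validated in the month), and running backlog."""
    opened = defaultdict(int)
    closed = defaultdict(list)  # month -> days-to-resolve of reports closed then
    for validated, resolved in reports:
        opened[(validated.year, validated.month)] += 1
        if resolved is not None:
            closed[(resolved.year, resolved.month)].append((resolved - validated).days)
    rows, backlog = [], 0
    for m in sorted(set(opened) | set(closed)):
        backlog += opened[m] - len(closed[m])
        rows.append({
            "month": m,
            "validated": opened[m],
            "resolved": len(closed[m]),
            # MTTR only sees resolved reports, so it cannot reveal the backlog.
            "median_mttr_days": median(closed[m]) if closed[m] else None,
            "resolution_rate": len(closed[m]) / opened[m] if opened[m] else None,
            "backlog": backlog,
        })
    return rows


if __name__ == "__main__":
    for row in exposure_metrics(REPORTS):
        print(row)
```

Because MTTR is computed only over reports that were resolved, it improves in every month of the sample while the unresolved count climbs; only the backlog and resolution rate columns show that.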

The good news is that we've proven we can remediate faster. Now we need to prioritize doing more of it, continuously.


About the Authors

Nidhi Aggarwal
Chief Product Officer

Nidhi is the Chief Product Officer at HackerOne, where she leads the execution of the company’s platform vision and strategy. She is a tech entrepreneur and business leader with over 15 years of experience driving growth and transformation at technology companies.

Sandeep Singh
VP, Product Strategy

Sandeep leads product strategy at HackerOne. He has been a security practitioner and leader with over 12 years of experience in the security industry.