The 2022 Hacker-Powered Security Report Reveals Digital Transformation and Cloud Migration Fuel Increase In Vulnerabilities
SAN FRANCISCO, December 8, 2022: HackerOne, the leader in Attack Resistance Management, today announced that its community of ethical hackers has discovered over 65,000 software vulnerabilities in 2022. Reports of vulnerability types introduced by digital transformation projects have seen significant growth, with misconfigurations growing by 150% and improper authorization by 45%. Thirty-eight percent of hackers say the biggest challenge facing organizations dealing with growing attack surfaces is a lack of in-house skills and expertise. Most hackers believe that security automation cannot replace the creativity of humans, with 92% saying they can find vulnerabilities that scanners can’t.
Now in its 6th year, HackerOne’s 2022 Hacker-Powered Security Report combines insights from the hacking community, looking at hackers’ motivations and expertise, and trends from the world's largest dataset of vulnerabilities. The report reveals average bounty prices in different industries, the most impactful vulnerabilities that customers pay for, and how hackers report these vulnerabilities to organizations.
Other key findings include:
- Hackers are motivated by learning, money, and the mission to build a safer internet. Seventy-nine percent of hackers say they hack to learn, more than those who say they’re in it for the money (72%). Forty-seven percent hack more than they did in 2021.
- Hackers increasingly seek out the most mature programs to work with. Fifty percent of hackers are put off hacking on programs with poor communication and slow response times. Fifty percent of hackers also say they have not reported a vulnerability they found, with 42% saying this is due to a lack of a clear process to report it safely.
- 2022 saw a 45% increase in organizations investing in HackerOne programs, driven by a 400% increase in automotive programs, 156% in telecommunications, and 143% growth in cryptocurrency and blockchain.
- Although the industry-wide average and median bounty prices have not risen dramatically in the past 12 months, cryptocurrency and blockchain programs saw the average payout increase by 315%, from $6,443 in 2021 to $26,728 in 2022.
“Insights from the hacking community about their experience and expectations teach organizations how to run a best-in-class program that will attract the top hackers,” said Chris Evans, HackerOne’s CISO and Chief Hacking Officer. “HackerOne’s vulnerability data, sourced from our 3,000 customer programs, shows organizations which vulnerabilities their peers incentivize hackers to report. Customers continue to introduce risk during digital transformation projects. The report also shows that hackers are adept at identifying the vulnerabilities introduced so that our customers can fix them before they result in an incident.”
The annual Hacker-Powered Security Report gathers views from more than 5,000 hackers on HackerOne’s platform, and was compiled between September and October 2022. For further information and to download the full report, please visit: https://www.hackerone.com/6th-annual-hacker-powered-security-report
HackerOne closes the security gap between what organizations own and what they can protect. HackerOne's Attack Resistance Management blends the security expertise of ethical hackers with asset discovery, continuous assessment, and process enhancement to find and close gaps in the ever-evolving digital attack surface. This approach enables organizations to transform their business while staying ahead of threats. Customers include The U.S. Department of Defense, General Motors, GitHub, Goldman Sachs, Google, Hyatt, Lufthansa, Microsoft, MINDEF Singapore, Nintendo, PayPal, Slack, Twitter, and Yahoo. In 2021, HackerOne was named as a ‘brand that matters’ by Fast Company.