Crowdsourced security on the rise: YesWeHack bug bounty platform continues to grow strongly

YesWeHack, Europe’s leading bug bounty platform, today announced exponential growth in Europe, with turnover growing by 100% in 2020. During the same period, the number of completed bug bounty programs increased by 120% and the volume of identified vulnerabilities more than doubled. This growth underscores YesWeHack’s position as a leading global player in crowdsourced security and confirms its position as the only viable alternative to American platforms.

 

Crowdsourced security for all

The technology sector was the first market to adopt the crowdsourced security model, and remains the most significant market for YesWeHack. This is followed by the finance and insurance sectors, which respectively represent 35% and 26% of the Bug Bounty programs launched on the platform in 2020.

Meanwhile, the global pandemic has dramatically accelerated the growth of Bug Bounty in other sectors. To cope with the crisis, many organizations have reinvented their operating models by digitizing their activities. Given the new risks and the importance of cybersecurity in the economic survival of companies, an increasing number of chief information security officers (CISOs) have turned to Bug Bounty. As a result, crowdsourced security is rapidly gaining traction in a multitude of business sectors. This includes retail (13%), media and entertainment (6%), transportation (6%), government (4%), utilities (3%), and telecommunications (3%).

 

Twice as many vulnerabilities detected in 2020

The YesWeHack hacker community identified twice as many vulnerabilities in 2020 compared to 2019. Some 30% of the reported vulnerabilities on the YesWeHack platform were qualified as ‘high’ or ‘critical’, meaning they would have had a devastating impact had they been exploited by pirates, for example by exposing all customer data or entirely compromising an infrastructure.

In terms of the types of vulnerabilities detected, we note that the evolution of technologies has led to a slight but constant increase in vulnerabilities resulting from implementation or design flaws (secure design & access control) that reduce the number of so-called technical vulnerabilities (input issues). This trend is expected to increase in the coming years as the hardening of the development frameworks continues.

 

YesWeHack builds a ‘win/win’ relationship between its customers and ethical hackers

The popularity of the YesWeHack platform among ethical hackers can be attributed in part to the efficiency of the programs. During 2020, for example, 55% of vulnerabilities were paid for less than one week after the report was submitted. Moreover, 87% were paid within 28 days. It is also noteworthy that the highest bonus paid to a YesWeHack hunter in 2020 was €10,000.

The time it takes to resolve vulnerabilities has also dropped significantly. Indeed, the average resolution time in 2020 was 44 days compared to 109 days in 2019. In addition, almost 70% of the vulnerabilities detected in 2020 by YesWeHack researchers were fixed within 28 days of acceptance. This increase can be attributed in part to the progressive integration of Bug Bounty within the software development lifecycle (SDLC).

This fluid exchange between customers and YesWeHack’s ethical hackers creates a true ‘win-win’ collaboration. From a customer perspective, they retain their own pool of researchers, display a high rate of validated vulnerabilities, and improve their operational security posture. From the researcher perspective, he or she works on properly managed programs and is quickly rewarded for their work.

Ethical hackers will play a central role in 2021

 

2020 marked a historical turning point for the ethical hacking market. Organizational understanding of the strategy has matured, and during 2021 an increasing number will put crowdsourced security at the heart of their security strategy to protect exposed assets.

The attack surface is also likely to broaden during 2021 and beyond. Romain Lecoeuvre, CTO and co-founder of YesWeHack, warns that organizations cannot guarantee the security of their growing volume of third-party interactions, such as with logistics, customers, suppliers, service providers, and finance: “These interactions rapidly increase a company’s attack surface and complicate the security of their digital footprint. Left unchecked, these new exposures can quickly become the target of future cyber-attacks.”

Guillaume Vassault-Houlière, CEO and co-founder of YesWeHack, also believes that ethical hackers will have a vital role to play in 2021 and predicts a significant adoption of vulnerability disclosure policies (VDPs). He says, “Digital acceleration has always been about the product, not the users. However, users are now arguing strongly for transparency and security from digital players. The public’s recent enthusiasm for the Signal application in the face of mistrust for WhatsApp illustrates this very clearly.

Companies will therefore have to set up VDPs so their products can be tested by ethical hackers. This way, they can effectively regain the trust of users and demonstrate total transparency. Governments also have a role to play in securing their digital data and will need to raise the issue of responsible disclosure of vulnerabilities. Make no mistake, Europe urgently needs to put crowdsourced security at the heart of its cybersecurity recommendations.”

 

Full infographic here.

 


YesWeHack is a Global Bug Bounty & VDP platform. The platform brings together companies that want to close security gaps in their digital infrastructure with over 20,000 ethical hackers, known as “hunters”. The hunters act according to the rules and specifications of the customer and are paid on a success-based basis. In addition to the Bug Bounty platform, YesWeHack offers support in creating a Vulnerability Disclosure Policy (VDP) as well as a job exchange for IT security experts. Dojo, a learning platform for ethical hackers, and a training platform for educational institutions (YesWeHackEDU) are also part of the offering. Companies and organizations such as Deezer, BlaBlaCar, Paris Airport and the French Ministry of Defence rely on YesWeHack. YesWeHack was founded in France in 2013. The company is headquartered in Paris. More information at http://www.yeswehack.com

 

 

 

The post Crowdsourced security on the rise: YesWeHack bug bounty platform continues to grow strongly appeared first on Hakin9 – IT Security Magazine.
