Organisations fail to see benefit of ethical hacking - report
Fri, 13th Oct 2023

HackerOne, the expert in Attack Resistance, has revealed data that found half (52%) of security professionals would rather accept the presence of undiscovered vulnerabilities than work with hackers, and 60% stated hackers cannot be fully trusted.

This gap in trust between organisations and hackers creates blind spots: organisations fail to receive essential vulnerability information that would reduce their security risk.

Preliminary findings from the 7th annual Hacker-Powered Security Report revealed that the lack of a clear channel to disclose a vulnerability at an organisation was the top reason cited by hackers who did not report a vulnerability they discovered.

Organisations that do follow disclosure best practices continue to benefit from hacker engagement. As the cost of the average data breach hits $4.45M, three-quarters of HackerOne customers (73%) say hackers have helped them avoid a significant cybersecurity incident.

Chris Evans, Chief Hacking Officer and CISO at HackerOne, says, "When hackers have no clear channel to disclose vulnerabilities, everyone suffers. Our research reveals a stigma that needs to be broken if we want to maintain the safety and security of the internet.

"There's no question cyber criminals inflict significant societal damage, but the majority of individuals engaged in hacking are law-abiding citizens seeking to learn, make the internet safer, and earn a livelihood. Our customers recognise that accepting vulnerabilities exist and allowing ethical hackers to test their systems builds trust with their customers and stakeholders and reduces their chance of a costly breach."

Despite these challenges, hacking as a profession continues to build momentum. Hackers keep investing in their skills: 60% of hackers now view hacking as their career, up from 41% last year, and 61% are learning to develop hacking tools with Generative AI (GenAI) to find more vulnerabilities faster.

Roni Carta, HackerOne hacker, says, "A lot of what you see in movies or on TV is wrong from the process of hacking to how hackers behave. We're part of a huge global community, so we don't all fit a particular stereotype."

"Right now, I'm focused on understanding GenAI's potential impact and how it can influence the cybersecurity landscape. While I use GenAI daily to enhance my hacking techniques, I'm also investing time in learning how to hack this technology. With every new innovation, new attack surfaces emerge, and it's essential cybersecurity evolves in rhythm with these advancements."

HackerOne regularly releases commentary and research on hacking. At the end of 2022, HackerOne revealed in its 2022 Hacker-Powered Security Report that:

  • Hackers are motivated by learning, money, and the mission to build a safer internet. 79% of hackers say they hack to learn, more than those that say they're in it for the money (72%). 47% hack more than they did in 2021.
  • Hackers increasingly seek out the most mature programs to work with. 50% of hackers are put off hacking on programs with poor communication and slow response times. 50% of hackers also say they have not reported a vulnerability they found, with 42% saying this is due to a lack of a clear process to report it safely.
  • 2022 saw a 45% increase in organisations investing in HackerOne programs, driven by a 400% increase in automotive programs, 156% in telecommunications, and 143% growth in cryptocurrency and blockchain.
  • Although industry-wide average and median bounty prices have not risen dramatically in the past 12 months, cryptocurrency and blockchain programs saw the average payout increase by 315%, from $6,443 in 2021 to $26,728 in 2022.