BugCrowd reports increase in critical vulnerabilities found in 2021

A new Bugcrowd report has revealed significant increases in the number of critical vulnerabilities reported in 2021. 

The company's 2022 Priority One report covers a variety of security trends over the last year. The report said their platform experienced a 185% increase in the last 12 months for Priority One (P1) submissions with financial services companies. Bugcrowd said P1 submissions involve vulnerabilities that cause a privilege escalation from unprivileged to admin or allow for remote code execution, financial theft, and more. Overall, P1 vulnerabilities increased 186% in 2021. 

Bugcrowd founder Casey Ellis added that the global shift to remote work prompted organizations to put more assets online. That led to more investment in ethical hackers, and Bugcrowd saw that 24% of all valid submissions for the year involved P1 and P2 threats. P2 threats are vulnerabilities that affect the security of software and impact the processes it supports.

Ellis noted that nation-state hackers have also become far more brazen and less concerned about stealth, using attacks on known vulnerabilities far more frequently in 2021. 

"Significantly, we've seen a democratization of such threats due to an emerging ransomware economy and a continued blurring of lines between state actors and e-Crime organizations," Ellis said. "All of which, combined with growing and more lucrative attack surfaces, have made for a highly combustible environment. In 2022, we expect more of the same."

Even P3 submissions, which involve vulnerabilities that affect multiple users and require little or no user interaction to trigger, saw year-over-year increases in 2021.

Submissions were up 82% overall while payouts for those submissions were up 106%. The software sector saw total payouts increase by 73% as well. Submissions for the government sector were up 1000% in 2021 through Q3 compared to 2020. 

Bugcrowd also found that cross site scripting was the most commonly identified vulnerability type and sensitive data exposure moved up to #3 from #9 on the Top 10 list. 

"There was some change at the top in 2021, where Cross-Site Scripting overtook Broken Access Control as the most commonly identified vulnerability type, reverting to the 2019 top two and reflecting the rapid deployment of home-grown web applications throughout 2020 and 2021," Bugcrowd explained. 

"In third place, Sensitive Data Exposure involving Internal Assets leapt six places from ninth last year, brought on by an increased emphasis on scanning as a means of uncovering vulnerabilities. This was a direct consequence of the expansion and increased complexity of attack surfaces during pandemic-induced digital transformation, as well as the speed at which this transformation took place. The changes in the top 10 most commonly identified vulnerability types demonstrates the natural life cycle of vulnerability categories and the "cat and mouse" nature of the interaction between builders and breakers: the Crowd is incentivized to find new, prevalent vulnerability types, those vulnerabilities are eventually addressed by automated tools (causing incentives to fall), and then new vulnerability types emerge that the Crowd is highly incentivized to find."