
Pandemic Year Increases Bug Bounties And Report Submissions

Vulnerability submissions have increased over the past 12 months on at least one crowdsourced security platform, with critical issue reports recording a 65% jump.

The data comes from the Bugcrowd platform and also reflects growth in payouts as ethical hackers are hunting down more critical vulnerabilities by chaining bugs and developing proof-of-concept exploit code.

Wait time for critical bug report

Bugcrowd says that companies offering consumer services and in the media industry receive critical reports for critical issues in less than a day.

For organizations in the government and automotive sectors, high-risk bugs are submitted in a matter of days and often represent “far higher stakes.”

Time to first critical, high-priority bug report

More submissions, better bounties

This year, vulnerability submissions through Bugcrowd recorded a 50% increase, while Priority 1 (the most critical) reports grew by 65%.

Web apps remain at the top of hackers’ preferences, although they are diversifying their targets to stay competitive.

“In the last year, Bugcrowd saw submissions to all targets increase, though notably API vulnerabilities doubled, while those found in Android targets more than tripled”

– Bugcrowd

Between January and October 2020, organizations in the financial services sector saw more submissions than through the entire 2019. Payouts for P1 vulnerabilities in this sector doubled in the second quarter of this year.

Threat actors also intensified their attacks, driving companies to increase payouts for severe issues. Overall, payouts for critical vulnerabilities (P1) spiked by 31% from the first to the second quarter. The same happened for P2 bugs between Q2 and Q3.

Trends in bugs reported

At the top of the list of most submitted vulnerabilities through Bugcrowd is human-driven broken access control, displacing cross-site scripting (XSS).

Subdomain takeover also jumped two positions on the list, from sixth to fourth; the reason behind the jump is hackers’ increased use of automation in their bug hunting sessions.

One emerging trend in bug hunting is the “outside in” approach, which opens the bounty scope to obscure or forgotten assets (shadow IT) that expand a company’s cyber risk.

Bugcrowd observed this trend with companies that have a mature cybersecurity program and recognize that their attack surface changes so frequently that assets get overlooked.

Companies fitting this profile have added Attack Surface Management (ASM) to their crowdsourced security solution, allowing bug hunters to run reconnaissance and uncover unknown assets the company owns that may pose a risk.

ASM to crowdsourced security solution

Although zero-day vulnerabilities grab all the attention as they are typically associated with attacks from an advanced persistent threat (APT – usually government-backed hackers), most of the time these adversaries rely on known exploits.

“Bugcrowd data shows that our hunters were uncovering these vulnerabilities as they were deployed by the APT, acting as an important line of defense that ultimately overlaps with national security”

One example in the report refers to the remote code execution vulnerabilities in F5’s BIG-IP solutions (CVE-2020-5902). Bugcrowd says that bounty hunters had reported the issue on the platform before it was announced.

Bugcrowd notes that the changes recorded this year are in tune with the challenges of remote work imposed by the pandemic. By spending more time at home, bug hunters were able to be more active, find higher-severity bugs, and submit better quality reports.
