How human ingenuity continues to outpace automated security tools
10% of security researchers now specialize in AI technology, while 48% of security leaders consider AI to be one of the greatest risks to their organizations, according to HackerOne.
HackerOne’s report combines perspectives from the researcher community, customers, and security leaders. It explores how security-focused organizations integrate human expertise with technology and AI for a defense-in-depth strategy.
AI is a threat and an opportunity
67% of security professionals said an external and unbiased review of AI implementations is the most effective way to mitigate AI safety and security risks overall.
There has been a 171% increase in AI assets in scope on the HackerOne platform, and 55% of all reported AI vulnerabilities are AI safety issues rather than traditional security flaws. AI safety issues often have a lower barrier to entry for producing a valid report, and they present a different risk profile from conventional security vulnerabilities.
The lower barrier to entry for AI safety reports means bounties for them are slightly smaller, with an average payout of $401 versus $689 for reports to AI security programs. Although AI safety vulnerabilities are currently in scope for only a limited number of programs, the volume of reports is notably higher, making AI safety one of the top five most-reported vulnerability categories.
64% of respondents believe GenAI will have a major impact on their organization, with 62% confident in their ability to secure its use. Additionally, 70% believe that AI legislation will help enhance safety and security.
However, 51% are concerned about the reputational risks tied to AI, and another 51% highlight that basic security practices are being overlooked in the rush to implement GenAI.
AI and automation are powerful efficiency tools: organizations that use them to detect and contain breaches faster save an average of $2.2 million per breach by limiting the overall impact. Companies without AI and automation face longer response times and higher breach costs.
Crypto bounties continue to raise the bar
Pentests and bug bounties continue to be the top engagements for identifying vulnerabilities, and each finds a different class of issue. Pentests uncover more systemic or architectural vulnerabilities such as misconfigurations. In bug bounty programs, security researchers focus on real-world attack vectors, user-level issues, and business logic flaws, with cross-site scripting (XSS) the most commonly discovered weakness.
Security-mature and tech-focused industries such as online services, retail, and e-commerce are reducing common vulnerabilities faster than more traditional industries. Web3 companies, for example, receive 65% fewer XSS reports than the industry average.
Crypto and blockchain organizations continue to pay well above the average for vulnerabilities, with bounties in the 95th percentile reaching $1 million. Internet and online services, retail and e-commerce, and computer software offer the next highest average payouts.
More of the security researcher community is choosing the flexibility of a full-time hacking career, and researchers are dedicating more hours to developing their skills. 30% now hack full-time, up from 24% in 2023, and 44% spend more than 20 hours a week hacking, compared with 35% the previous year.
While security researchers predominantly hack to improve their income potential (77%), the opportunity to learn new skills and further their abilities motivates many (64%).
Organizations are now calling on the community to test a wider range of products and technologies. 56% of researchers specialize in APIs, and almost 10% now focus on AI and large language models (LLMs).
“Even the most sophisticated automation can’t match the ingenuity of human intelligence,” said Chris Evans, HackerOne CISO and Chief Hacking Officer. “The 2024 Hacker-Powered Security Report proves how essential human expertise is in addressing the unique challenges posed by AI and other emerging technologies. The report also provides guidance on building productive relationships between organizations and security researchers so the most novel and elusive vulnerabilities can be effectively found and fixed.”