Hacker-Powered Security Report: Firms Turn to Human Intelligence Amid Rising AI Threats

67% of respondents believe an external, unbiased review of GenAI is the most effective way to uncover AI safety and security issues as AI red teaming gathers momentum

SAN FRANCISCO--()--HackerOne, the leader in human-powered security, today published its eighth-annual 2024 Hacker-Powered Security Report which proves that in the last 12 months, the security researcher community has further matured its skill sets to meet customer demand. Nearly 10% of security researchers now specialize in AI technology as 48% of security leaders consider AI to be one of the greatest risks to their organizations.

HackerOne’s Hacker-Powered Security Report combines perspectives from the researcher community, customers, and security leaders with insights from the world’s largest database of vulnerabilities. The report explores how security-focused organizations integrate human expertise with technology and AI for a defense-in-depth strategy. The report highlights:

  • AI is a threat and an opportunity: More than two-thirds (68%) of security professionals said an external and unbiased review of AI implementations is the most effective way to mitigate AI safety and security risks overall. There has been a 171% increase in AI assets in scope on the HackerOne platform, with 55% of all AI vulnerabilities reported being AI safety issues.
  • Cross-site scripting (XSS) and misconfigurations remain the top most-reported weaknesses: Pentests and bug bounties also continue to be the top engagements identifying these issues. Pentests uncover more systemic or architectural vulnerabilities like misconfigurations. For bug bounty, security researchers focus on real-world attack vectors, user-level issues, and business logic flaws, with XSS as the most commonly discovered weakness.
  • Technologically advanced industries are more likely to reduce common vulnerabilities during development compared to other industries: Security-mature and tech-focused industries like online services, retail, and e-commerce are actively reducing common vulnerabilities as opposed to more traditional industries. Web3 companies also have 65% fewer reports for XSS than the industry average.
  • Crypto bounties continue to raise the bar: Crypto and blockchain organizations continue to pay well above the average for vulnerabilities, with bounties in the 95th percentile reaching $1 million. Internet and online services, retail and e-commerce, and computer software offer the next highest average payouts.
  • Income and education opportunities are top motivators for researchers: While security researchers predominantly hack to improve their income potential (77%), the opportunity to learn new skills and further their abilities motivates many (64%).

“Even the most sophisticated automation can’t match the ingenuity of human intelligence,” said Chris Evans, HackerOne CISO and Chief Hacking Officer. “The 2024 Hacker-Powered Security Report proves how essential human expertise is in addressing the unique challenges posed by AI and other emerging technologies. The report also provides guidance on building productive relationships between organizations and security researchers so the most novel and elusive vulnerabilities can be effectively found and fixed.”

The Hacker-Powered Security Report is based on data from HackerOne’s vulnerability database and includes insights from HackerOne customers, a panel of 500 global security leaders, and more than 2,000 hackers on the platform. It was compiled between June 2023 and August 2024. For further information, download the full report here and join our webinar, on November 21st.

About HackerOne

HackerOne is the global leader in human-powered security, harnessing the creativity of the world’s largest community of security researchers with cutting-edge AI to protect your digital assets. The HackerOne Platform combines the expertise of an elite security researcher community and the most up-to-date vulnerability database to pinpoint critical security flaws across your attack surface. HackerOne’s integrated solutions, including bug bounty, pentesting, code security audits, spot checks, and AI red teaming, provide continuous vulnerability discovery and management throughout the software development lifecycle. HackerOne is trusted by industry leaders such as Coinbase, General Motors, GitHub, Goldman Sachs, Hyatt, PayPal, and the U.S. Department of Defense. HackerOne was named a Best Workplace for Innovators by Fast Company in 2023 and a Most Loved Workplace for Young Professionals in 2024.

Contacts

Alyssa Pallotti
Touchdown PR for HackerOne
press@hackerone.com
512-599-4015

Contacts

Alyssa Pallotti
Touchdown PR for HackerOne
press@hackerone.com
512-599-4015