Imagine the scene: a serious vulnerability emerges that affects organizations worldwide, allowing unauthorized access to highly sensitive data. This scenario happened in late 2021 when a popular open source tool released a critical vulnerability called Log4Shell.
So what exactly happened? Log4Shell is a software vulnerability found in Apache Log4j, a widely used Java library for logging error messages in applications. This sent organizations into panic mode as they raced to find out if they were vulnerable.
Amid the panic, the hacker community sprang into action, tracking vulnerability across the internet and providing real-time reporting at the heart of remediation efforts.
A quick response window is incredibly valuable with a vulnerability like Log4Shell. For some organizations, the choice is either to act quickly or be the victim of a breach. When a significant new vulnerability is discovered, being connected to the ethical community is an added safety net for organizations.
The platform adapts to the situation. In the case of Log4Shell, the hacking community submitted hundreds of vulnerability reports within 24 hours of public disclosure, showing how widespread the vulnerability was.
A few months later, where are we with the Log4Shell problem? We’ve seen thousands of reports, and a total of 398 unique reports have received a bounty so far. The total outstanding bonuses on our platform alone is $1,284,847.
That’s a lot of money awarded to hackers, but on the other hand, it’s a small price to pay compared to the cost of a breach – averaged out to $4 million by IBM. Although the overall volume has slowed, hackers continue to find a handful of Log4Shell vulnerabilities every day.
On the corporate side, prompt communication and remediation will attract more hackers to a bug bounty program. It’s a win-win scenario for hackers and businesses: client programs are bidding for the time hackers spend looking for security vulnerabilities. Customers not only bid by trying to offer the highest bounties, but also by performing their programs at a high level.
Hackers are jumping at the chance to help support the industry in the face of such large-scale threats. The global hacking community offers a diverse range of ideas and a variety of viewpoints, backgrounds and experiences, all of which are extremely helpful in gaining broad and in-depth coverage.
Simply put, humans demonstrate a level of creativity and intuition that automated tools and scanners cannot. Perhaps AI will improve software longer term, but for the foreseeable future, companies will need to remain in strong partnership with the hacker community to stay on top of threats.
Organizations should not take hacking solutions for granted. The pirates might rush to our aid, but it was also an incredibly stressful time for them. It is essential that hackers feel heard and valued. Disclosure of vulnerabilities can sometimes be a messy process and Vulnerability Disclosure Policies (VDPs) have sufficient guidelines to ensure protection for the hacking community and organizations.
With increasing digital transformation and migration to the cloud, we will inevitably see more vulnerabilities emerge. As shown by our 2022 Attack Resistance Reportone-third of global enterprises observe less than 75% of their total attack surface, making them vulnerable to external threats in an era of rapid digital transformation and development.
The companies that stay ahead will be the ones that continue to ensure their security is constantly evolving, and working with hackers is the best way to have a constant eye to spot, identify, and fix flaws before bad actors can. exploit them.
Chris Evans is CISO and Director of Hacking at HackerOne, an ethical hacking and bug bounty platform.