HackerOne report reveals AI risks dominate security concerns
HackerOne has published its latest Hacker-Powered Security Report, revealing an increased concern over AI risks among security professionals and highlighting a trend towards using AI tools and focusing on mobile devices.
The report draws insights from over 2,000 security researchers, 50 customers, and over 500,000 vulnerability reports found in HackerOne's database. One key finding is that 48% of security professionals consider AI the most significant security threat to their organisations.
Security professionals expressed specific concerns with the potential leaking of training data, which 35% cited as a primary risk. Additionally, 33% are wary of the unauthorised usage of AI within their organisations, while 32% are concerned about outsiders hacking AI models.
The report also notes a maturation within the hacker community, as skill sets are increasingly directed towards mobile technology, APIs, and AI deployments. Nearly 10% of researchers are now specialising in AI, a shift driven by the rising demand for AI testing engagements.
A substantial majority of security professionals, 67%, believe that an external and unbiased review of Generative AI (GenAI) is vital for identifying safety and security issues, aligning with the growing interest in AI red teaming.
Chris Evans, CISO and Chief Hacking Officer at HackerOne, remarked, "Even the most sophisticated automation can't match the ingenuity of human intelligence. The 2024 Hacker-Powered Security Report proves how essential human expertise is in addressing the unique challenges posed by AI and other emerging technologies. The report also provides guidance on building productive relationships between organisations and security researchers so the most novel and elusive vulnerabilities can be effectively found and fixed."
The gathered data indicates a 171% increase in AI assets under review on the HackerOne platform over the past year, with 55% of AI vulnerabilities reported being AI safety issues.
Despite the focus on AI, long-standing weakness classes persist: cross-site scripting (XSS) and misconfigurations remain the most commonly reported weaknesses. These vulnerabilities surface primarily through pen-testing and bug bounty programmes, with pen-tests tending to identify the more systemic issues.
The study reveals that technologically advanced industries, such as online services, retail, and e-commerce, are more successful than other sectors at eliminating common vulnerabilities during development. Notably, Web3 companies receive 65% fewer XSS reports than the industry average.
The report states that crypto and blockchain organisations offer significantly higher compensation for vulnerabilities. Bounties in the 95th percentile can reach US$1 million, with internet services, retail, and computer software not far behind.
Security researchers are largely motivated by economic and educational factors: 77% hack to improve their income, and 64% seek opportunities to learn new skills.
The Hacker-Powered Security Report incorporates perspectives from an extensive database and insights from global security leaders and HackerOne customers. The findings were compiled between June 2023 and August 2024.