Imagine the scene: a serious vulnerability emerges that affects organizations around the world and allows unauthorized access to highly sensitive data. This scenario played out in late 2021, when a critical vulnerability, dubbed Log4Shell, was published in a popular open source tool.
So what exactly happened? Log4Shell is a software vulnerability discovered in Apache Log4j, a widely used Java library for logging application error messages. It sent organizations into a state of panic as they tried to find out whether they were vulnerable.
Amid the panic, the hacker community took action, hunting for exposed instances of the vulnerability and providing real-time reports that were central to remediation efforts.
A quick response window is incredibly valuable with a vulnerability like Log4Shell. For some organizations, the choice is either to move fast or to fall victim to a breach. When significant new vulnerabilities are identified, working with the ethical hacker community gives organizations an additional safety net.
The platform adapts to the situation. In the case of Log4Shell, the hacker community submitted hundreds of vulnerability reports within 24 hours of public disclosure, showing how far and wide the vulnerability had spread.
A few months later, where are we with the Log4Shell problem? We have seen thousands of reports, and a total of 398 unique reports have received an award so far. The total bounties paid on our platform alone come to $1,284,847.
This is a lot of money paid to hackers, but on the other hand it is a small price compared with the cost of a breach, which IBM puts at an average of $4 million. Although the overall volume has slowed, hackers continue to find a handful of Log4Shell vulnerabilities every day.
From a business perspective, fast communication and remediation will attract more hackers to a bug bounty program. This is a win-win scenario for hackers and businesses alike: customer programs compete for the time hackers spend looking for security vulnerabilities. Customers compete not only by offering the biggest bounties, but also by running their programs to a high standard.
Hackers take the opportunity to support the industry when it comes to such large-scale threats. The global hacker community offers a diverse range of insights and a variety of perspectives and experiences, all of which are extremely useful for achieving broad and in-depth coverage.
In other words, people show a level of creativity and intuition that automated tools and scanners cannot. Artificial intelligence may improve software in the long run, but for the foreseeable future businesses will need to remain steady partners with the hacker community to stay on top of threats.
Organizations should not take the hacker community for granted. Hackers may rush to our aid, but it was also an incredibly stressful time for them. It is extremely important for hackers to feel heard and valued. Vulnerability disclosure can sometimes be a vague process, and a Vulnerability Disclosure Policy (VDP) provides the guidance needed to protect both the hacker community and organizations.
With growing digital transformation and cloud migration, we will inevitably see more vulnerabilities emerge. As shown by our 2022 Attack Resistance Report, one third of global businesses can account for less than 75% of their total attack surface, leaving them exposed to external threats in a time of rapid digital transformation and development.
The businesses that stay ahead in the long run will be the ones that keep their security constantly evolving, and working with hackers is the best way to keep a permanent eye out to detect, identify and fix weaknesses before bad actors are able to exploit them.
Chris Evans is CISO and chief hacking officer at HackerOne, an ethical hacking and bug bounty platform.
https://www.computerweekly.com/opinion/Log4Shell-How-friendly-hackers-rose-to-the-challenge