AI is of course a mixed blessing for security. ⚖️ The technology is simultaneously an accelerant for vulnerability discovery and a source of novel risks owing to its unpredictable behaviour and interactions with other components. On the positive side of the ledger, OpenAI has publishing an outbound coordinated disclosure policy for disclosing vulnerabilities to third-parties because its models “have already uncovered zero-day vulnerabilities in third-party and open-source software, and we are taking this proactive step in anticipation of future discoveries”. ✅
Conversely, we can point to the 15-year old ‘zombie’ path traversal vulnerability being propagated not only by developers (inadvertently) “but also by LLMs trained on vulnerable code samples scoured from data sets derived from GitHub and Stack Overflow code”. 🧟 And while AI-powered security systems can accelerate “threat detection and response processes”, AI’s hallucination habit raises the spectre of unnecessary and expensive downtime if systems are taken offline because of fictional cyber-attacks, or AI systems recommending unwise security measures based on fabricated data – a topic explored by Dark Reading. 🤖
AI and continuous testing
We’re staying on AI for the next story in our latest roundup aimed at CISOs and security teams – and it still won’t be the last (for good or ill, it’s hard to avoid). Continuous security testing based on intended use cases is a must if organisations want to deploy AI securely at scale, according to Chatterbox Labs CTO Stuart Battersby, who was interviewed recently alongside the AI risk company’s CEO, Danny Coleman, by The Register.🔒 “So the first thing is to think about what is safe and secure for your use case," he explained. “And then what you have to do is not trust the rhetoric of either the model vendor or the guardrail vendor, because everyone will tell you it's super safe and secure.” When it comes to continuous testing of AI systems, by the way, we believe Bug Bounty has an important role to play (after all, Google, Meta, Microsoft, OpenAI and Anthropic all run AI Bug Bounty Programs). 🧠
Relatedly, Javier Castro, CTO of XDR and SIEM protection platform Wazuh, notes that only 42% of CISOs polled by Darktrace profess to have confidence in their AI deployment and truly understand how it fits with their security stack. Writing in Tech Radar, he warns that “many AI-powered solutions operate as black boxes, which goes against the grain of the open source, community-driven threat response the industry is now rightly moving toward”. He prescribes a unified, high-visibility approach, given that “fragmented tools with partial views and proprietary, closed-source alert logic only hinder cybersecurity efforts.”💡
“Gartner’s Hype Cycle emphasises the rising importance of continuous threat exposure management (CTEM), underscoring why red teaming must integrate fully into the DevSecOps lifecycle,” according to a VentureBeat article on conducting AI red teaming and adversarial testing. In our opinion, the increasing role of CTEM also advertises the benefits of consolidating findings from multiple testing mechanisms into a single, unified interface and integrating security testing with attack surface management.🧩
CVE program seeming vulnerable
Two Congressional Democrats have demanded a review of the Common Vulnerabilities and Exposures (CVE) program’s “efficiency and effectiveness” with the scheme limping on after an 11th hour reprieve from the Trump Administration’s swingeing cuts.💰 The pair have asked the Government Accountability Office to “conduct a study of the federal programs designed to support vulnerability management for discovered vulnerabilities and weaknesses in information technology systems.” As well as the “recent near-lapse of CISA’s contract supporting the CVE program”, they cited concerns over the fact that, “in early 2024, funding challenges at NIST resulted in a backlog of thousands of vulnerabilities” in the National Vulnerability Database (NVD). 📂 Funding challenges are a concern across the board for US cyber defences. President Trump’s nominee for National Cyber Director was recently grilled over deep budget cuts at the Cybersecurity and Infrastructure Security Agency (CISA) and the risk entailed to critical infrastructure. And all this against the backdrop of a “heightened threat environment in the United States” following American airstrikes against Iranian nuclear facilities.⚠️
Overwhelmed by vulnerabilities
After we highlighted the problem last month, more evidence has emerged that the much-needed ‘shift left’ in software development is not running entirely smoothly. Devs are feeling overburdened by vulnerability overload, an AI-fuelled acceleration in development and challenges integrating tools, according to a survey by AI security firm Pynt. The poll found that a quarter of developers felt overwhelmed by the sheer volume of vulnerabilities they were having to deal with, while more than a third considered false positives to be the biggest barrier to successfully ‘shifting left’. 🔄
Before we segue to our own recent output, here’s a few more stories that may pique your interest:
🛡️Ukraine war spurred infosec vet Mikko Hyppönen to pivot to drones – The Register
🛡️Vulnerability in Google's password-recovery page that allowed bruteforcing of users’ phone numbers nets researcher $5k bounty – Dark Reading
🛡️Report: CISO scepticism is clouding CEO’s GenAI ambitions – Digit News
🛡️‘Redefining Hacking’: Review of book on red teaming and Bug Bounty hunting in an AI-driven world – Help Net Security
🛡️10 tough cybersecurity questions every CISO must answer – CSO
‘Valuable for frequently updated platforms’
“I’m consistently impressed by the depth of expertise among the hunters,” says the red team lead for one of our US-headquartered customers.💪 Dean Dunbar from revenue AI company Gong told YesWeHack why Bug Bounty is a boon for DevSecOps environments, about a “game-changer” Gong hit upon when finetuning testing conditions, and the benefits of crowdsourced testing, especially compared to time-boxed pentests.⏱️ More than 4,500 companies worldwide leverage Gong’s platform to boost productivity, increase predictability and drive revenue growth.📈
Black Hat USA debut
Next up on our 2025 schedule is the grandaddy of hacker cons, Black Hat USA, where we’ll be debuting as exhibitors. If you’re attending the event, which takes place between 6-7 August in Las Vegas, swing by Booth 2367 to meet the YesWeHack team. They can walk you through our Bug Bounty and vulnerability management platform and explain how crowdsourced security is helping organisations uncover vulnerabilities at scale. We’ll also be giving away some super-cool swag and running a casino-themed ‘Hide and Seek’ CTF challenge. 👀
Read this monthly roundup even sooner by subscribing to CrowdSecWisdom – our LinkedIn newsletter curating news, insights and inspiration around offensive security topics like Bug Bounty, vulnerability disclosure and management, pentest management and attack surface protection.
Are you a bug hunter or do you have an interest in ethical hacking? Check out our ethical hacking-focused sister newsletter, Bug Bounty Bulletin – offering hunting advice, interviews with hunters and CTF-style challenges, among other things.