A US court ruling earlier in the year could have a chilling effect on responsible vulnerability disclosure, according to Jerry Archer, co-founder of the Cloud Security Alliance.
Archer was referring to how the conviction of former Uber CISO Joe Sullivan was upheld by an appeals court in March, on charges relating to an attempted data-breach cover-up. Sullivan and his team had made the hackers responsible for the breach sign a non-disclosure agreement and paid them what they characterised as Bug Bounty payments. “The ruling takes power away from private organizations to manage their own computer systems by interpreting the federal Computer Fraud and Abuse Act (CFAA) to prohibit them from retroactively authorizing access to their systems,” wrote Archer in Infosecurity Magazine. He therefore envisaged that good-faith reporting of vulnerabilities might be delayed (as time-to-exploitation only shrinks) by efforts to obtain pre-authorisation – or deterred altogether by the threat of prosecution.
‘Lack of trust’
Many red teamers “rarely use AI beyond basic tasks” because of “a lack of trust in the products”, reveals a UK government report on commercial offensive cyber capabilities that focuses on the red team sub-sector. However, AI was broadly seen as a game-changer for streamlining processes and cutting costs. Many of the 18 red teams interviewed as part of the study wanted to automate repetitive security tasks such as attack surface management, penetration testing and vulnerability assessment in order to “free up expensive human resource to focus on analysis”. There was also “some scepticism” about increasingly numerous certifications and courses around OffSec “due to a perceived lack of quality”.
“Offensive cybersecurity (OffSec) gives organisations a strategic edge,” according to a PwC report entitled ‘When offence becomes the best defence’. “By simulating real-world attacks, it helps identify and mitigate vulnerabilities before adversaries can exploit them,” it continued. These techniques, which include penetration testing, red teaming and attack simulations, transform “risk into actionable insight”. As such, “this shift from reactive to proactive security is not just a tactical upgrade, it’s a necessity.”
Turning a blind API
Do you find it difficult to keep abreast of your APIs? It seems you are not alone. Only one in five CISOs (19%) have full visibility of the often numerous APIs in use across their organisation, according to an API risk report from Salt Security. Similarly concerning is the fact that 90% of respondents to the survey (300 CISOs) couldn’t be sure that they were free of unknown or unmanaged APIs. And far from continuously monitoring these digital assets, most companies audit APIs every 4-12 weeks.
You might be unsurprised to learn that the longstanding cyber skills gap is showing no signs of shrinking. According to Accenture’s State of Cybersecurity Resilience 2025 report, 83% of IT executives said the skills shortage was a serious impediment to achieving a strong security posture. (Pro tip: Much of your OffSec capacity can be productively outsourced and your existing workforce’s security skills upgraded via Bug Bounty.) Inevitably, the report also had a few insights into AI, such as 90% of companies professing to lack the maturity to counter today’s AI-enabled threats.
That just leaves a quintet of interesting articles we’ve spotted that, in the interests of brevity, we’ll list as bullet (or rather ‘padlock’) points:
🔒 Proof-of-Concept in 15 minutes? AI turbocharges exploitation – Dark Reading
🔒 80% of CISOs call for regulation of DeepSeek in the UK – TechHQ
🔒 Personal liability concerns persist for CISOs – Dark Reading
🔒 The Wild West of agentic AI – an attack surface CISOs can’t afford to ignore – SecurityWeek
🔒 Why testing AI models in isolation misses the real security risk – Mindgard CEO and CTO Peter Garraghan in SC Media UK
Major milestone for YesWeHack
Big news for us and our customers now: YesWeHack is proud to announce our very first acquisition. 🚀 Founded in 2021, Sekost empowers SMEs to regain control of their digital exposure through innovative remote cybersecurity audit solutions. Together, we’re uniting around a common vision: bringing innovation and technical excellence to protect organisations of all sizes in an ever-changing digital landscape. We’re thrilled to support the growth of a high-potential French company and to kick off this new chapter together! Find out more. 🤝
Putting the ‘success’ into Bug Bounty customer success management
Bug Bounty Programs offer the continuous and adaptive qualities that the aforementioned PwC report cites as desirable in security testing mechanisms. With that nimble segue to YesWeHack’s latest content, we’d like to flag a new article about customer success management (CSM), which is as pivotal to the performance of #BugBounty Programs as the triage service. 🧠 In an interview we initially published in our Bug Bounty Report 2025, our head of CSM, Selim Jaafar, explains how his team helps customers continually optimise their programs to meet their evolving security goals. 💡
Another key variable in the output quality of Bug Bounty Programs is the degree to which organisations – supported by the CSM team – can keep hunters engaged. This has been central to Ferrero’s Bug Bounty success, according to members of the sweet-packaged food multinational’s security team. 🍬 In a video interview we’ve now published on our blog, Vittorio Addeo and Giulio Maria Gravante flag the variables you should pay attention to when it comes to leveraging this human resource for maximum effect. 💡
How can SecOps teams best mobilise their resources to efficiently remediate and learn from vulnerabilities? 🤔 Instalment #3 in our series on continuous threat exposure management offers insights into the final stage of the CTEM cycle: mobilisation, which follows the scoping, discovery, prioritisation and validation steps. 💡
🤘 Meet the YesWeHack team 🤘
Our events schedule is looking busy. If you happen to be in the countries or regions in question, then we hope you’ll consider coming to see us (or participating, in the case of the hackathon) at the following events. We’ll happily answer questions about, or show you a demo of, our Bug Bounty and vulnerability management platform:
📍 SPIRITCYBER 2025 IoT Hackathon – Singapore, four-week qualifying round: 15 September-15 October (online) | Live finals: 22-23 October (Singapore) | registration open for anyone who wants to participate
📍 INDOSEC – Jakarta, Indonesia | 16-17 September | booth E8
📍 Public Sector Cyber Security Conference and Exhibition 2025 – Manchester, UK | 17 September
📍 ECSO’s Annual CISO Meetup – Valencia, Spain | 23-24 September
📍 ROOTCON – Philippines | 24-26 September | booth G1
📍 CyberDSA – Kuala Lumpur, Malaysia | 30 September-2 October | booth 6141
📍 it-sa Expo&Congress – Nuremberg, Germany | 7-9 October | booth 7-446
📍 Les Assises de la cybersécurité – Monaco | 8-11 October | booth KO5
Read this monthly roundup even sooner by subscribing to CrowdSecWisdom – our LinkedIn newsletter curating news, insights and inspiration around offensive security topics like Bug Bounty, vulnerability disclosure and management, pentest management and attack surface protection.
Are you a bug hunter or do you have an interest in ethical hacking? Check out our ethical hacking-focused sister newsletter, Bug Bounty Bulletin – offering hunting advice, interviews with hunters and CTF-style challenges, among other things.