Vulnerability management reboot sought, CISOs more influential in boardroom, Trump’s cyber overhaul – OffSec roundup for CISOs

February 7, 2025

Vulnerability or bug management cycle

“The entire lifecycle of managing vulnerabilities feels off to me,” a security leader observed in a study documented by a security expert formerly employed by Google and GitHub.

The study kicks off our latest roundup of OffSec and SecOps news we think might interest CISOs, security teams and security-conscious devs. 🛡️💻 Maya Kaczorowski, who quizzed 57 security leaders about “what sucks in security?”, noted that security pros too often lacked “a reasonable process to ingest, dedupe, prioritize and assign vulns at scale, across their environment, cross-functionally”. Another participant observed: “We are at the point for vulnerability management that we were in 2010 with EDR.” Vulnerability management was pain point #2 alongside ticket-based and inconsistent access management (#1) and obtaining and using SaaS logs (#3). 😩

Vulnerability surge accelerates

It’s perhaps unsurprising that the number of unique vulnerabilities discovered is growing with each passing year. 📈 After all, the volume of code in which security flaws can lurk is constantly increasing. And despite rising adoption of DevSecOps practices and laudable secure-by-design initiatives like Content Security Policy (CSP) or Cross-Origin Resource Sharing (CORS), hackers simply devise ever-more ingenious ways to find weaknesses. 🧐 But it’s still noteworthy that the 2024 rise in the volume of new Common Vulnerabilities and Exposures (CVE) records far outpaced previous year-on-year rises. Jerry Gamblin, maintainer of CVE.ICU, kindly offered some context for the numbers in our article on the CVE surge. 🙏

Rise in CVEs and vulnerabilities 2005-2025

CISO-CEO collabs more common

CISOs are increasingly influential at boardroom level, according to new research that reflects shifting corporate priorities. 🧐 A study from Splunk, the provider of digital resilience software, revealed that 82% of CISOs now report directly to the CEO, a marked increase on the 47% who did so in 2023. An almost identical proportion – 83% – participate in board meetings somewhat often or most of the time. Interestingly, there were significant gaps in the likelihood of CISOs versus board members deeming the following as top priorities: innovation with emerging technologies (52% of CISOs versus 33% of board members) and upskilling or reskilling security employees (51% versus 27%). 📚 “As cybersecurity becomes increasingly central to driving business success, CISOs and their boards have more opportunities to close gaps, gain greater alignment, and better understand each other in order to drive digital resilience,” said Michael Fanning, chief information security officer at Splunk. 🔐


CISA mission streamlined

Despite its critical role in national security, CISA has reportedly not been exempted, as was expected, from the Trump administration’s offer to government employees to accept a buyout of their jobs. Meanwhile, SANS Institute cybersecurity instructor Moses Frost has likened President Trump’s dismissal of all advisors from the Department of Homeland Security’s Cyber Safety Review Board (CSRB) to firing federal investigators in the middle of an investigation into airline disasters. ✈️ The CSRB was still conducting an inquiry into US telco breaches by Chinese state-sponsored hackers, and had previously published detailed reports into the Log4Shell vulnerability, LAPSUS$ attacks and the Microsoft Exchange Online breach. Frost’s incredulous reaction was referenced in investigative InfoSec reporter Brian Krebs’ article on a flurry of executive orders that stymied various Biden-era cybersecurity initiatives. Trump also cancelled a Biden executive order on artificial intelligence that emphasised the importance of mitigating safety and security risks. South Dakota Governor and Senate-confirmed new DHS director Kristi Noem said that CISA needed to be “much more effective, smaller, more nimble, to really fulfill their mission” to harden federal IT systems, and criticised the agency for veering “far off mission” by fighting misinformation. 🏛️


Lessons from red-teaming 100 generative AI products

Leveraging generative AI in cybersecurity might intrinsically entail more automation, but the human element of AI red teaming is still crucial, according to Microsoft research that presents an “internal threat model ontology” on the subject. 🧑 This was one of eight Lessons from red-teaming 100 generative AI products, established by dozens of Microsoft security experts. The other seven? Understand what the system can do and where it is applied; you don’t have to compute gradients to break an AI system; AI red teaming is not safety benchmarking; automation can help cover more of the risk landscape; responsible AI harms are pervasive but difficult to measure; LLMs amplify existing security risks and introduce new ones; and the work of securing AI systems will never be complete (so no different to any other system then!). 🤖

Other articles of note we’ve spotted in the press recently:

The persistent cyber skills gap, complex supply chains and the “disharmony” between “complex or convoluted” regulations are among the greatest cyberspace issues of concern – World Economic Forum’s Global Cybersecurity Outlook 2025

40% of organisations have an acute shortage of cyber skills around AI and other emerging technologies – CSO Online

Is DeepSeek AI safe? Or is it just a data minefield waiting to blow up? – Tech Radar


YesWeHack Bug Bounty Report 2025

We’ve learned a few things about CISOs’ priorities and pain points based on conversations with customers and the ‘hacktivity’ on our Bug Bounty platform. 🧠 As we celebrate our 10th anniversary this year, we’ve decided to share what we’ve heard in interviews with customers and hunters, along with insights based on tens of thousands of vulnerability reports that they’ve resolved over the past 12 months. The upshot is the YesWeHack Bug Bounty Report 2025: a one-click download detailing, among other things:

✅ The drivers behind growing adoption of crowdsourced security testing worldwide 🌍

✅ What 2024’s Bug Bounty stats – such as the most common CWEs and highest payouts – tell us about vulnerability trends and the Bug Bounty model 🐞

✅ Interviews with the heads of our triage and customer success management teams 🎙️

✅ A recap of a record year for YesWeHack live hacking events 🏆

✅ And the merits and challenges of leveraging Bug Bounty to secure open source 🔓

Brands that harden their scopes during two-day live hacking events can remediate numerous vulnerabilities in a very short space of time. 🚀 We’ve recently published highlights from one such event (see the video above), which we held in Buenos Aires, with Banco Galicia, the Argentinian bank, providing the targets. Another recent video filmed at one of our live Bug Bounty events, meanwhile, sees two security pros from iconic sweet-packaged food brand Ferrero discuss the benefits of Bug Bounty more generally and their experiences with YesWeHack (watch the video below). The event in question made history as Italy’s first-ever live Bug Bounty in September.

The 24-month implementation window for the Digital Operational Resilience Act (DORA) closed recently. As of 17 January, financial institutions operating within the EU were supposed to be compliant with these exacting new cyber rules. Mindful that compliance is an ongoing journey of improvement, not just a destination, we’ve outlined five ways the YesWeHack platform can help financial service entities cost-effectively strengthen their alignment with the DORA framework. 💡


We’d like to flag some coverage of YesWeHack outside of our own channels, starting with an interview by Paris Normandie (written in French) with our distinguished co-founder and CEO Guillaume Vassault-Houlière. And, writing in The Edge Singapore, our APAC CEO Kevin Gallerin answered the question: “Are Bug Bounty Programs the solution to rising cybersecurity threats in Southeast Asia?” (Spoiler alert: Yes, they are part of the solution!)

Read this monthly roundup even sooner by subscribing to CrowdSecWisdom – our LinkedIn newsletter curating news, insights and inspiration around offensive security topics like Bug Bounty, vulnerability disclosure and management, pentest management and attack surface protection.

Are you a bug hunter or do you have an interest in ethical hacking? Check out our ethical hacking-focused sister newsletter, Bug Bounty Bulletin – offering hunting advice, interviews with hunters and CTF-style challenges, among other things.