HackerOne Hacker Powered Security Report 2025

The 9th Edition Hacker-Powered Security Report highlights a 210% increase in valid AI-related vulnerability reports and the growing integration of AI within cybersecurity operations. It emphasizes the evolving collaboration between human researchers and AI tools, focusing on rising threats like prompt injection and the critical role of bug bounty programs in improving security defenses. #PromptInjection #AgenticAI #BugBountyPrograms

Key points

  • The annual report is structured into three main parts: AI’s transformative impact on cybersecurity, the human advantage in cybersecurity, and building best-in-class security programs, each providing insights from data, research, and industry trends.
  • The Executive Summary and About sections emphasize a significant rise in AI-related vulnerabilities, researcher upskilling, and the increasing concern among organizations regarding AI security risks.
  • Part I discusses the expansion of AI in security workflows, highlighting a 210% increase in valid AI vulnerability reports and the rise of attack techniques such as prompt injection, which surged 540% in 2025.
  • It also details HackerOne’s agentic AI system, Hai, which 90% of customers use to save time and improve program operations, alongside research on the AI tools adopted by hackers, including web-based LLMs and local models.
  • The rise of hackbots marks a shift towards autonomous offensive security, with 49% of hackbot reports validated and mixed perceptions about their long-term impact on cyber defense and bug bounty fairness.
  • Part II focuses on the complementary roles of humans and AI, showing AI’s limitations in detecting complex vulnerabilities like business logic flaws and privilege escalation, where human insight remains crucial.
  • The HackerOne community is diverse, global, and multidisciplinary, with varying time commitments and growing maturity, including many researchers earning six-figure rewards annually.
  • Part III reviews security program effectiveness, with an $81M total bounty payout in 2025, observations on maturing identity and access control vulnerabilities, and the importance of defense-in-depth strategies.
  • Authorization-related vulnerabilities have increased over five years, and business logic errors are rising but often undervalued, indicating a need for adjusted prioritization and payout strategies.
  • Data shows that reductions in bounty payouts correlate with decreased valid vulnerability reports, underscoring the importance of incentives in maintaining active and effective security research participation.
  • The five-year trend signals that focusing on automation for commodity bugs and human expertise on identity, access, and design-level flaws embodies the winning cybersecurity strategy moving forward.

Source: Awesome Annual Security Reports - The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. (https://github.com/jacobdjwilson/awesome-annual-security-reports/)