Bugcrowd reports an 88% increase in hardware vulnerabilities and a 2x spike in network vulnerabilities, 2025 CISO Report reveals

  • Annual report analyzes hundreds of thousands of vulnerability data points from the Bugcrowd Platform, revealing explosion of bugs in the wake of AI-accelerated attack surface growth

    By: Wael Magdy

    Bugcrowd, a leader in crowdsourced cybersecurity, today released “Inside the Mind of a CISO 2025: Resilience in an AI-Accelerated World.” The report analyzes hundreds of thousands of vulnerability data points from thousands of public and private vulnerability disclosure and bug bounty engagements from the previous year. Drawing on real-world vulnerability submissions, expert insights, and battle-tested strategies from the cybersecurity community, the report serves as a guide for security leaders navigating exponential attack surface growth driven by AI. It gives Chief Information Security Officers (CISOs) the intelligence needed to make data-driven decisions about risk profiles, resource allocation, and strategic security investments. The report also emphasizes the role of collective intelligence and continuous offensive security testing as the foundation of organizational resilience against increasingly complex threats.

    “We are in a high-stakes innovation race, but with every AI advance, the security landscape becomes exponentially more complex. Attackers are exploiting this complexity, but still targeting foundational layers like hardware and APIs. No single CISO can win this race alone. To thrive, we must move beyond isolated efforts and cultivate a collective resilience of collaboration—pooling our knowledge of the hacker community to outpace emerging threats together,” said Nick McKenzie, CISO, Bugcrowd. “This community-driven approach is the only way to stay ahead. We are excited to contribute to this shared goal with our latest edition of Inside the Mind of a CISO.”

    The 2025 report reveals that organizations face growing challenges as applications go through multiple development cycles under pressure to release features quickly, often aided by AI-assisted coding. New attack vectors and often forgotten targets like APIs and hardware are vulnerable and should be a key focus for CISOs today. Separately, critical vulnerability payouts have risen, showing that even in times of budget decreases, security teams are increasingly investing in findings from ethical hackers in their offensive testing programs.

    Beyond this, the report touches on other key insights including the persistence of access control failures, the increase in sensitive data exposure vulnerabilities, and how mature security programs are making measurable progress in hardening their systems against severe vulnerabilities.

    KEY STATISTICS AND FINDINGS FROM THE REPORT:

    • 88% increase in hardware vulnerabilities amid IoT proliferation
    • 81% of security researchers encountered new hardware vulnerabilities in the past 12 months
    • 32% increase in average payouts for critical vulnerabilities
    • 36% increase in broken access control critical vulnerabilities—now the top category
    • 42% increase in sensitive data exposure critical vulnerabilities
    • 10% increase in API vulnerabilities as attack surfaces expand
    • Network vulnerabilities doubled

    The report goes beyond data, featuring insights on modern challenges from cybersecurity leaders. NFL CISO Tomás Maldonado and Monash University CISO Dan Maslin address securing complex ecosystems, handling AI governance, and translating risk effectively to the board. Other articles feature an expert hacker’s thoughts on AI’s role in hacking and security, a guide to red teaming as a strategic tool, and advice for CISOs to objectively measure security program effectiveness. Collectively, these insights emphasize the importance of offensive security testing and balancing human expertise with AI for true security resilience.

    “CISOs often struggle to get board buy-in, trapped in a cycle of pushing security initiatives without a clear measure of success. This report aims to break that cycle by providing evidence-based frameworks to demonstrate tangible security outcomes,” said Trey Ford, Chief Strategy and Trust Officer at Bugcrowd. “By using adversarial testing and objective measurement, security leaders can shift from reactive firefighting to building true resilience. Ultimately, this enables CISOs to confidently articulate their security story and secure resources necessary to protect their organizations.”
