Security News Detail - SecLens Intelligence Radar


Finding Fast, Fixing Slow: The Rising Exposure Debt

Source: hackerone_blog · Published 2026-05-07 08:13 (UTC+08:00) · Crawled 2026-05-07 09:30 (UTC+08:00)


Summary

Vulnerability submissions are up 76%. Unresolved criticals grew 25x. HackerOne platform data reveals a widening remediation gap that security teams can't afford to ignore.

Body

Two weeks ago, we published Finding Fast, Fixing Slow: The Crisis of Asymmetric Remediation (https://www.hackerone.com/blog/ai-vulnerability-discovery-remediation-gap), where we highlighted that AI-accelerated vulnerability discovery exacerbates the asymmetry between finding vulnerabilities and remediating them.

We went back and analyzed HackerOne platform data to determine if this trend is already appearing across our programs.

We looked at remediation performance on the HackerOne platform for the twelve months ending March 2026. The analysis covered all vulnerability reports submitted on the platform, with a specific focus on critical-severity findings.

AI-Driven Acceleration in Submission Volume

Total submissions across the platform grew by approximately 76% during the year, with a sharp increase in early 2026. Critical-severity submissions increased at similar rates, reaching a peak in March 2026. The timing lines up with AI-assisted discovery tools becoming more accessible to the security researcher community, something we noted in the original post.

Signal rates stayed relatively consistent throughout this period. This stability indicates that the increase in volume represents a mix of valid and invalid vulnerabilities rather than an influx of AI-generated noise reports.

[Figure: Total Volume Increase and Critical Volume Increase]

The Remediation Metrics That Surprised Us

Over the twelve-month period, mean time to remediate (MTTR) across the platform dropped by about 80%, and median MTTR fell by over 70%. Organizations can resolve faster than ever.

But here's what caught us off guard. The total number of vulnerabilities resolved each month fell by about 46% over the same period, even as overall submissions grew by 76%. The cumulative backlog of validated but unresolved vulnerabilities grew by more than 21x.

We can resolve faster. We just didn't resolve more. Somewhere along the way, we took our eye off the ball. Teams got faster at closing individual issues, but the overall effort going to remediation seems to shrink. The result is a backlog of vulnerabilities that is growing quietly in the background.

[Figure: Median MTTR Reduction]

[Figure: Total and Critical Resolved Trends]

Exposure Debt is Rising, and We Let It

The cumulative backlog is an important risk indicator in security reporting. The compounding volume of unresolved findings is what shows the debt an organization carries.

Unresolved vulnerabilities grew 21x. Unresolved criticals grew 25x. That pattern typically increases the risk of breaches, because it shows discovery velocity outpacing remediation capacity. Organizations are no longer addressing vulnerabilities in a sustainable way, and that creates a widening window for adversaries who can use the same powerful AI discovery tools to find these unpatched surfaces. When you put this alongside the contracting time-to-exploit window (https://zerodayclock.com/), it tells you that threat actors can now weaponize new findings faster than internal teams are processing them.

[Figure: Exposure Backlog Over Time (All Severities)]

Critical-Severity Vulnerabilities Aren't Escaping This Trend

We might assume that even if the overall numbers are slipping, organizations might be prioritizing criticals. The data shows they're not. The same pattern holds.

MTTR for critical findings improved by about 73%, but that efficiency only applied to a small subset of total volume. The actual remediation throughput has been dropping significantly. The resolution rate for critical issues fell from over 83% to under 40%. This gap between discovery and resolution caused the backlog of unresolved critical vulnerabilities to grow by about 25x. This trend demonstrates that current remediation capacity is not keeping up with the influx of critical-risk findings.

[Figure: Exposure Backlog Over Time (Criticals)]

Underlying Structural Patterns

The trends point to a consistent pattern: the aggregate resolution rate is declining, and each month a smaller proportion of vulnerabilities gets fixed. Even as validated findings rise, the total effort going to remediation appears to be shrinking.

The data points to a shift in resource allocation. Teams are fixing individual issues faster (suggesting they might be prioritizing selectively), but overall remediation throughput is not scaling with the growing discovery volume.

The result is a fast-growing backlog of validated exposures. Without a strategic adjustment to remediation capacity, this trajectory leads to a progressively unmanageable risk profile.

What Has to Change

In our previous post, we outlined the need for longer-term changes: organizational redesign, better feedback loops for bug class elimination at scale, and stronger validation. Those still matter. But the accelerating backlog demands tactical steps right now, alongside those structural changes.

- Focus on overall risk reduction. MTTR tells us how fast we fix, not how much risk we're reducing. We need to pair it with resolution rate and the exposure backlog to get a full picture of whether we're reducing overall risk or just resolving faster.
- Increase remediation capacity where possible. We need dedicated remediation capacity and dedicated sprints to reduce the exposure backlog. Validated vulnerability volumes have grown significantly, and remediation now requires scalable resource allocation and AI-assisted approaches to keep up.
- Put AI to work on the remediation side too. As AI accelerates discovery, remediation needs the same. AI-assisted fix generation, automated regression testing, and agentic workflows help development teams process more findings to keep pace with increased discovery volume.

The good news is that we've proven we can remediate faster. Now we need to prioritize doing more of it, continuously.

See how H1 Validation helps you cut through the backlog: https://www.hackerone.com/resources/pf/col/home/h1-validation-solution-brief
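The post's first recommendation is to report MTTR together with resolution rate and the open exposure backlog, because MTTR alone can fall while the backlog grows. The script below is an added example showing how those three metrics can be computed month by month from a ledger of validated findings; it is not code from the post or from HackerOne. The finding records are constructed, and "resolution rate" is assumed here to mean findings resolved in a month divided by findings validated in that month, since the post does not define it. On the toy data the same divergence the post describes appears: MTTR drops every month while the backlog keeps rising, for all severities and for criticals alone.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Dict, List, Optional


# Constructed sample ledger (hypothetical; not HackerOne platform data):
# one record per validated finding, with the date it was validated and the
# date it was resolved (None means it is still open).
@dataclass(frozen=True)
class Finding:
    ident: str
    severity: str
    validated: date
    resolved: Optional[date]


FINDINGS: List[Finding] = [
    Finding("F-01", "critical", date(2026, 1, 5), date(2026, 1, 25)),
    Finding("F-02", "high", date(2026, 1, 8), date(2026, 1, 30)),
    Finding("F-03", "critical", date(2026, 1, 12), None),
    Finding("F-04", "medium", date(2026, 1, 20), date(2026, 2, 10)),
    Finding("F-05", "critical", date(2026, 2, 2), date(2026, 2, 6)),
    Finding("F-06", "high", date(2026, 2, 3), None),
    Finding("F-07", "critical", date(2026, 2, 9), None),
    Finding("F-08", "critical", date(2026, 2, 14), None),
    Finding("F-09", "medium", date(2026, 2, 20), None),
    Finding("F-10", "critical", date(2026, 3, 1), date(2026, 3, 3)),
    Finding("F-11", "critical", date(2026, 3, 4), None),
    Finding("F-12", "high", date(2026, 3, 5), None),
    Finding("F-13", "critical", date(2026, 3, 6), None),
    Finding("F-14", "critical", date(2026, 3, 10), None),
    Finding("F-15", "medium", date(2026, 3, 15), None),
]


def month_key(d: date) -> str:
    """Bucket a date into its 'YYYY-MM' reporting month (sorts chronologically)."""
    return f"{d.year:04d}-{d.month:02d}"


def monthly_metrics(findings: List[Finding], severity: Optional[str] = None) -> Dict[str, dict]:
    """Per reporting month: submissions, resolutions, mean and median time to
    remediate for the findings closed that month, resolution rate (assumed
    definition: resolved-in-month / validated-in-month) and the cumulative
    open backlog at month end."""
    if severity is not None:
        findings = [f for f in findings if f.severity == severity]
    # Months are taken from both validation and resolution dates so a month
    # with closures but no new findings is not silently dropped.
    months = sorted({month_key(f.validated) for f in findings}
                    | {month_key(f.resolved) for f in findings if f.resolved})
    metrics: Dict[str, dict] = {}
    backlog = 0
    for m in months:
        submitted = [f for f in findings if month_key(f.validated) == m]
        closed = [f for f in findings if f.resolved and month_key(f.resolved) == m]
        ttr_days = [(f.resolved - f.validated).days for f in closed]
        backlog += len(submitted) - len(closed)  # validated findings still open
        metrics[m] = {
            "submitted": len(submitted),
            "resolved": len(closed),
            # MTTR only describes what was closed; a month with no closures
            # gets None rather than a misleadingly fast zero.
            "mttr_days": mean(ttr_days) if ttr_days else None,
            "median_ttr_days": median(ttr_days) if ttr_days else None,
            "resolution_rate": len(closed) / len(submitted) if submitted else None,
            "open_backlog": backlog,
        }
    return metrics


def backlog_growth(metrics: Dict[str, dict]) -> Optional[float]:
    """Ratio of the last month's open backlog to the first month's (the kind
    of '21x' figure the post reports); None when the first month's backlog is zero."""
    values = [row["open_backlog"] for row in metrics.values()]
    if not values or values[0] == 0:
        return None
    return values[-1] / values[0]


def print_report(metrics: Dict[str, dict]) -> None:
    """Print MTTR, resolution rate and backlog side by side, as the post recommends."""
    print(f"{'month':8} {'subm':>5} {'res':>5} {'mttr':>6} {'rate':>6} {'backlog':>8}")
    for m, r in metrics.items():
        mttr = "-" if r["mttr_days"] is None else f"{r['mttr_days']:.1f}"
        rate = "-" if r["resolution_rate"] is None else f"{r['resolution_rate']:.0%}"
        print(f"{m:8} {r['submitted']:>5} {r['resolved']:>5} {mttr:>6} {rate:>6} {r['open_backlog']:>8}")


if __name__ == "__main__":
    for label, sev in (("all severities", None), ("critical only", "critical")):
        rows = monthly_metrics(FINDINGS, severity=sev)
        print(label)
        print_report(rows)
        print("backlog growth:", backlog_growth(rows))
```

Running it prints one table per severity filter; on the constructed ledger MTTR falls from 21 days to 2 days while the open backlog rises from 2 to 10 (1 to 6 for criticals), which is exactly the situation an MTTR-only dashboard would report as an improvement. Months with no closures deliberately show "-" for MTTR instead of zero so that a stalled month cannot read as a fast one.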

Tags

Extended fields

{
  "authors": [
    "Nidhi Aggarwal",
    "Sandeep Singh"
  ],
  "body_html": "[omitted: HTML duplicate of the article body above]",
  "hero_image": "https://www.hackerone.com/sites/default/files/styles/og_image/public/2026-05/More-Images-Claude-Mythos-%282%29.png.jpg?itok=J_yzTfi-",
  "listing_image": "https://www.hackerone.com/sites/default/files/styles/max_500x500/public/2026-05/More-Images-Claude-Mythos-%282%29.png.webp?itok=qS-WDFxz",
  "listing_solutions": [],
  "listing_topics": [
    "AI",
    "Exposure Management"
  ],
  "modified_time": null,
  "taxonomy": {
    "blog_topic": [
      "AI",
      "Exposure Management"
    ]
  }
}