From the previous articles on AI security and safety and organizations efforts for AI Red Teaming, the defense-in-depth strategy was discussed from the organization’s perspectives. It is also important to gather the perspectives of external security researchers as shared out by them in online publications and company disclosed feedback. Security research is a full-time career and one that requires constant upskilling. Many of them spend twenty hours a week hacking. While earning money is a key motivator, hacking itself helps them to both improve and advance their career. It is important to highlight the security researcher community’s commitment to making a positive impact to organizations and end-users.

Initially most hacking activity focused on web applications as fortified by the development of OWASP Top 10 list, but the landscape is shifting to more products and technologies including chatbots. As more security researchers include AI products in their testing, they still need to prioritize their picks within the emerging products. About 88% of security researchers are targeting web applications, more than half target web APIs, and about a third target mobile applications. These numbers give an indication for the requirement and current participation in emerging applications with AI models.

Security researchers excel in reconnaissance and manual exploitation that automated scanners can’t match. As they uncover unsecured or overlooked domain or spot a unique vulnerability from an outsider’s view or perform exploit chaining where initial gains can lead to significant breaches, they are blending their strengths with GenAI for high-impact exploits. For example, security researchers are using GenAI to close the gap between the discovery of an exploit and a detailed higher-quality report of the same.

The trouble with scanners is that there are a lot of false positives and noise, but a report filed by a security researcher gets attention because of the information and context and organizations strive to provide response following an expected timeline for acknowledgement, triage, and resolution. The stronger the relationship is between the organization and the security researchers, the more impactful the program becomes. Prompt response to security researchers and with respect and professionalism even when a report is invalid or duplicate, encourages this ongoing collaboration. Bounties top the list to draw them in and low bounties often discourage them. As they juggle companies that they work with, excellent communication and safe harbor legal protections retain them.

Researchers often talk about the bounty table, but they invest in programs that give back to them in the way the organizations communicate and the time to fix. Beyond this, they value strong relationships with security teams and are discouraged by negative peer reviews. This underscores how significant the perception is for attracting security researchers for an organization to scale a program effectively.