📢 Inside the Mind of a Hacker 2026: profiles, motivations and the impact of AI
📝 Source: Bugcrowd – "Inside the Mind of a Hacker" report, Volume 9, 2026.
📖 cyberveille: https://cyberveille.ch/posts/2026-01-30-inside-the-mind-of-a-hacker-2026-profils-motivations-et-impact-de-lia/
🌐 source: https://www.bugcrowd.com/resources/report/inside-the-mind-of-a-hacker/
#Bugcrowd #IA_en_cybersécurité #Cyberveille

Source: Bugcrowd – "Inside the Mind of a Hacker" report, Volume 9, 2026. Context: a study and interviews with more than 2,000 hackers on the Bugcrowd platform covering demographics, motivations, teamwork and the use of AI. The report argues for the era of "human augmented intelligence", in which human creativity combines with AI. 98% of hackers say they are proud of their work and 95% consider hacking an art. The public and businesses perceive hackers differently, with the latter seeing them more as an asset. Motivations are multi-factorial (finances, opportunities, new experiences), with 85% prioritising the reporting of a critical vulnerability over financial gain when there is no clear channel. About 1 in 5 identifies as neurodivergent.

CyberVeille

BugCrowd Bug Bounty Disclosure: P4 - Publicly accessible phpinfo() exposes detailed server configuration - MattKingst - https://www.redpacketsecurity.com/bugcrowd-bugbounty-disclosure-publicly-accessible-phpinfo-exposes-detailed-server-configuration/

#BugCrowd #BugBounty #Vulnerability #OSINT #ThreatIntel #Cyber

PHPInfo exposed in an easy-to-guess endpoint

RedPacket Security

BugCrowd Bug Bounty Disclosure: P2 - IDOR that allows disclosing Username,Email,PIN,FirstName,LastName,UEI,FirmName,Address,PhoneNumbers etc of PROSAMS application users. - - https://www.redpacketsecurity.com/bugcrowd-bugbounty-disclosure-idor-that-allows-disclosing-username-email-pin-firstname-lastname-uei-firmname-address-phonenumbers-etc-of-prosams-application-users/

#BugCrowd #BugBounty #Vulnerability #OSINT #ThreatIntel #Cyber

An Insecure Direct Object Reference (IDOR) was discovered in the NASA system via the PROSAMS (Proposal Submissions and Awards Management System) application.

BugCrowd Bug Bounty Disclosure: P3 - Internal scan through SSRF in NASA Worldwind API - RedPacket Security

A Server-Side Request Forgery was identified in the NASA WorldWind WMS GetMap endpoint via the SLD parameter. By supplying an SLD URL, the service fetched and

BugCrowd Bug Bounty Disclosure: P4 - Unauthenticated Metrics Endpoint Exposes Sensitive Internal Grafana & NASA Infrastructure Data - whitebear_0one - https://www.redpacketsecurity.com/bugcrowd-bugbounty-disclosure-unauthenticated-metrics-endpoint-exposes-sensitive-internal-grafana-nasa-infrastructure-data/

#BugCrowd #BugBounty #Vulnerability #OSINT #ThreatIntel #Cyber

An unauthenticated metrics endpoint if it is publicly accessible and exposes sensitive Prometheus-style metrics related to internal Grafana / InfluxDB systems

BugCrowd Bug Bounty Disclosure: P4 - NASA NLSP API discloses internal usernames and system role mappings to unauthenticated users - c3L0Mu1d3R - https://www.redpacketsecurity.com/bugcrowd-bugbounty-disclosure-nasa-nlsp-api-discloses-internal-usernames-and-system-role-mappings-to-unauthenticated-users/

#BugCrowd #BugBounty #Vulnerability #OSINT #ThreatIntel #Cyber

A public API endpoint on the NASA NLSP domain discloses internal user identifiers, usernames, and detailed role/group assignments without requiring

BugCrowd Bug Bounty Disclosure: P5 - Server-Side Request Forgery (SSRF) → Local File Read (High / Critical) - Ninadgowda - https://www.redpacketsecurity.com/bugcrowd-bugbounty-disclosure-server-side-request-forgery-ssrf-local-file-read-high-critical/

#BugCrowd #BugBounty #Vulnerability #OSINT #ThreatIntel #Cyber

Condition does not exist at this time.

BugCrowd Bug Bounty Disclosure: P5 - Reflected Cross Site Scripting (XSS) Via POST request on adapt-public.aetc.appdat.jsc.nasa.gov - Kent_Shane14 - https://www.redpacketsecurity.com/bugcrowd-bugbounty-disclosure-reflected-cross-site-scripting-xss-via-post-request-on-adapt-public-aetc-appdat-jsc-nasa-gov/

#BugCrowd #BugBounty #Vulnerability #OSINT #ThreatIntel #Cyber

This is self-XSS

BugCrowd Bug Bounty Disclosure: P5 - Content Spoofing via Unsanitized Input | Email Injection - Asad_Ali - RedPacket Security

There is no established risk
