HackerOne is revealing the top 10 most impactful security vulnerabilities which have earned hackers over $54 million in bounties.
Based on the 120,000+ security vulnerabilities that hackers have reported across over 1,400 HackerOne customer programs, the data represents real-world risks that existed in organisations, including technology unicorns, governments, start-ups, financial institutions and open source projects.
HackerOne has launched an interactive site showing the vulnerability types with the highest severity scores, the largest total report volumes and the most reported by industry.
HackerOne’s top 10 security vulnerabilities ranked by total bounties paid on the platform are:
- Cross-site Scripting – All Types (dom, reflected, stored, generic)
- Improper Authentication – Generic
- Information Disclosure
- Privilege Escalation
- SQL Injection
- Code Injection
- Server-Side Request Forgery (SSRF)
- Insecure Direct Object Reference (IDOR)
- Improper Access Control – GenericHi
- Cross-Site Request Forgery (CSRF)
Miju Han, Director of Program Management at HackerOne:
“We see a 40% crossover of the HackerOne Top 10 to the latest version of the OWASP Top 10. Cross-site Scripting (XSS), Information Disclosure, and Injection are all included on both lists. Both assets will be able to help security teams identify the top risks, our just also takes into account volume and bounty values, which we think will be of particular interest to security teams looking to protect against criminal hackers.”
“Looking at the cumulative amount of bounties paid for critical and high severity bugs, the total is over 60% of all bounties paid. Interestingly, comparing by volume of reports, there were nearly three times as many high severity bugs reported as critical severity. At the opposite end, low severity reports accounted for just 8% of the bounty total, yet made up nearly 30% of the reported volume. We are fortunate to have such a comprehensive data set that allows us to share with our customers and the industry which vulnerabilities are likely to be the most expensive.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.