HackerOne has released never-before-seen research on the top 10 most impactful security vulnerabilities reported through its programs – those that have earned hackers on the platform more than US$54 million in bounties.
Based on data from more than 120,000 security vulnerabilities reported across more than 1,400 customer programs globally, HackerOne has launched an interactive site showing vulnerability types with the highest severity scores, the largest total report volumes and the most reported by industry.
HackerOne’s Top 10 security vulnerabilities are:
- Cross-site scripting – all types (DOM, reflected, stored, generic)
- Improper authentication – generic
- Information disclosure
- Privilege escalation
- SQL injection
- Code injection
- Server-side request forgery (SSRF)
- Insecure direct object reference (IDOR)
- Improper access control – generic
- Cross-site request forgery (CSRF)
Miju Han, Director of Product Management at HackerOne, said: “We see a 40% crossover of the HackerOne top 10 to the latest version of the OWASP top 10. Cross-site scripting (XSS), information disclosure and Injection are all included on both lists. Both assets will be able to help security teams identify the top risks; ours also takes into account volume and bounty values, which we think will be of particular interest to security teams looking to protect against criminal hackers.”
Miju continues: “Looking at the cumulative amount of bounties paid for critical and high severity bugs, the total is over 60% of all bounties paid. Interestingly, comparing by volume of reports, there were nearly three times as many high severity bugs reported as critical severity. At the opposite end, low severity reports accounted for just 8% of the bounty total yet made up nearly 30% of the reported volume. We are fortunate to have such a comprehensive data set that allows us to share with our customers and the industry which vulnerabilities are likely to be the most expensive.”
Check out which vulnerabilities are most impactful to your industry at The HackerOne Top 10 Most Impactful Vulnerability Types website: https://www.hackerone.com/resources/top-10-vulnerabilities