Top 10 Most Impactful and Rewarded Vulnerability Types | HackerOne

The HackerOne Top 10 Most Impactful and Rewarded Vulnerability Types

The most comprehensive vulnerability database examined to help you better align your security efforts with today’s real world risks.

Intro

HackerOne has one of the largest and most robust databases of valid vulnerabilities, from across diverse industries and attack surfaces. These resolved vulnerabilities represent the real world risk that existed for over 1,400 organizations including technology unicorns, governments, startups, financial institutions and open source projects. Now, for the first time ever, we’re providing our list of the top 10 rewarded vulnerability types as indicated by bounty awards and customer impact.

With over one hundred and twenty thousand security weaknesses, this report represents the most impactful vulnerabilities that have contributed to hackers earning more than $55 million in bounties on the HackerOne platform to date. The data sheds light on the vulnerability types with the highest severity scores on average, and total report volume by vulnerability type segmentable by various industries. Want to see how your industry stacks up? What vulnerabilities are trending up and require your particular attention? Read on to find out.

Need a refresher on your vulnerability types and definitions? Check out our corresponding blog.

Key Takeaways

Trending vulnerabilities: Information Disclosure and security in the cloud

With the explosive pace of organizations adopting hybrid and multi-cloud environments, vulnerabilities like Server Side Request Forgery (SSRF) are poised to thrive. Information Disclosure vulnerabilities known for revealing sensitive information are still common, presenting real risk to organizations, and earning them a spot near the top of our list.

Companies value Privilege escalation, SSRF, and IDOR

Vulnerabilities that fall into the SSRF, Insecure Direct Object Reference (IDOR), and Privilege Escalation, categories earn some of the higher bounties given the risk they pose to an organization. While these are not the most commonly reported vulnerabilities when ranked by volume alone, they are in our Top 10 based on aggregate bounty awards by type, as companies actively incentivize hackers to search for them with competitive bounty awards.

Only 4 vulnerability types are on the OWASP Top 10, XXE is #15

There is 40% crossover of the HackerOne Top 10 to the latest version of the OWASP Top 10. Cross-site Scripting (XSS), Information Disclosure, and Injection are all included on both lists. XML External Entities (XXE), #4 in the Open Web Application Security Project (OWASP) Top 10 clocked in at #15 in our ranking.

Beyond XSS with Business Logic Errors, Code Injection and more

Higher risk vulnerabilities crack the Top 10 when bounty values are considered. Cross-site Scripting, or XSS, continues to be the most common weakness type no matter how it’s measured, earning hackers more than US$8 million in bounties paid. However, lower volume but higher bounty averages for vulnerability types like Business Logic Errors, Code Injection, and others showcase the impact of those vulnerabilities across the diversity of attack surfaces represented on the HackerOne platform.

@Meals

I just found a server-side request forgery bug on a private bounty on HackerOne. I was able to use that to pivot to the company’s internal network. That was a pretty fun bug because it had a severe impact.

Watch Now

The Big Picture

Security vulnerabilities are the reality of modern technology. Whether you seek and sort by OWASP Top 10, Common Weakness Enumeration (CWE), Common Vulnerability Scoring System (CVSS)… the fact is all software has bugs. The HackerOne Top 10 Most Impactful and Rewarded Vulnerability Types highlights the power of hacker-powered security: the biggest risks to your business are uncovered by dedicated, diverse, and incentivized security testing.

Enjoy the deep dive into these interactive data visualizations for this edition of HackerOne Top 10 Vulnerabilities where we focus on those with the highest bounty volumes.

Note: The vulnerability rating taxonomy, which HackerOne maps to the industry standard Common Weakness Enumeration, is used by HackerOne customers and hackers to categorize reported vulnerabilities. Data presented is through 2018.

Total bounties paid by weakness type

Figure Description: Bubble size represents volume of reports, Y-axis represents that Weakness Types percent of the total bounties paid to all The Top 10 Vulnerabilities combined.
Share of Total bounties Paid by Severity and Report Volume by Severity
  • Share of Report Volume by Severity
Total Report Volume by Weakness
Cross-site Scripting 35% 43% 27% 27%
Improper Authentication 22% 15% 27% 27%
Information Disclosure 24% 27% 20% 20%
Privilege Escalation 4% 1% 5% 5%
SQL Injection 2% 7% 2% 2%
Code Injection 2% 1% 1% 1%
Server-Side Request Forgery 1% 0% 0% 0%
Insecure Direct Object Reference 2% 1% 1% 1%
Improper Access Control 3% 2% 1% 1%
Cross-Site Request Forgery 5% 4% 16% 16%


Figure Description: Total report volume by weakness type. Percentages represent the volume of reports, Color showcases the average severity of the vulnerability type.
Total Bounty Amount by Weakness Type

Compare the Bug Bounty Value of to

@NGALOG

The reason I hack is because I like the challenge. I think this is some kind of intellectual challenge for me because hacking is like finding something that others will not be able to find and thinking like how some others may not be able to think.

Watch Now
Cross-Site Scripting Bounties Paid and Report Volume
Total Report Volume By Weakness

Methodology

The first edition of the HackerOne Top 10 Most Impactful and Rewarded Vulnerability Types was based off of HackerOne’s proprietary data examining more than 120,000 unique security weaknesses resolved on the HackerOne platform through the 2018 calendar year. Vulnerabilities included in The Top 10 report were reported by the hacker community through vulnerability disclosure, public and private bounty programs, and all vulnerability classifications were done by or confirmed by HackerOne customers, including weakness type, impact and severity.