The HackerOne Top 10 Most Impactful and Rewarded Vulnerability Types – 2020 Edition

Cross-site Scripting (XSS) continues to be the most awarded vulnerability type with US$4.2 million in total bounty awards, up 26% from the previous year.

XSS vulnerabilities are extremely common and hard to eliminate, even for organizations with the most mature application security. XSS vulnerabilities are often embedded in code that can impact your production pipeline.

These bugs account for 18% of all reported vulnerabilities, but the average bounty award is just US$501. That means organizations are mitigating this common, potentially painful bug on the cheap.

Awards for Improper Access Control increased 134% year over year to just over US$4 million. Information Disclosure was not far behind, increasing 63% year over year.

Both methods expose potentially sensitive data like personally identifiable information. While they range widely in criticality, they can be disastrous if sensitive customer or internal information is leaked by misconfigured permissions.

These vulnerabilities are prevalent because they’re nearly impossible to detect using automated tools. Hacker-powered security provides a relatively inexpensive and extremely effective method for mitigating these vulnerabilities.

An SSRF exploit that causes connections to external third-party systems might result in malicious onward attacks that appear to originate from the organization hosting the vulnerable application, leading to potential legal liabilities and reputational damage.

Previously, SSRF bugs were fairly benign, as they only allowed internal network scanning and sometimes access to internal admin panels. But in this era of rapid digital transformation, the advent of cloud architecture and unprotected metadata endpoints has rendered these vulnerabilities increasingly critical.

In fact, SSRF can lead to total compromise of the systems they’re found on and allow further access to the target’s cloud infrastructure.

Thanks to VDP and bug bounty programs, organizations are increasingly able to find and mitigate these bugs before they can be exploited. Overall, organizations spent about USD$3 million mitigating SSRF last year — compared to the millions they would have needed to spend if an SSRF attack had been carried out by a bad actor.

In years past, SQL injection was one of the most common vulnerability types. However, our data indicate that it’s been dropping year-over-year.

Modern security frameworks and methods, including the central role of hackers, have rendered this bug nearly a thing of the past. SQL injection tends to occur when organizations aren’t monitoring which apps are mapped to a database and how they interface. By shifting security left, organizations are leveraging hackers and other methods to proactively monitor attack surfaces and prevent bugs from entering code.

Of the top 10 most awarded weakness types, only Improper Access Control, Server-Side Request Forgery (SSRF), and Information Disclosure saw their average bounty awards rise more than 10%. The others fell in average value or were nearly flat.

Unlike traditional security tools and methods, which become more expensive and cumbersome as your goals change and your attack surface expands, hacker-powered security is actually more cost-effective as time goes on. With hackers, it’s becoming less expensive to prevent bad actors from exploiting the most common bugs.