The HackerOne Top 10 Vulnerability Types
As a security leader, you’re responsible for a constantly evolving attack surface. The past year has changed the role of the CISO, making it tougher to navigate your operating environment. Distributed decision-making has expanded the volume and variety of risks you must confront, regulators are approaching data privacy with greater scrutiny, and executive teams and boards of directors are starting to think about how information risk impacts strategic planning.
Today's CISO must think about:
And for a comprehensive look at the data behind this snapshot, read the 7th Annual Hacker-Powered Security Report.
5% of hackers say that generative AI (GenAI) tools themselves will become a major target for them in the coming years, and 61% said they plan to use and develop hacking tools built on GenAI to find more vulnerabilities. Another 62% of hackers said they plan to specialize in the OWASP Top 10 for Large Language Model (LLM) applications.
Hackers reported 13% more critical bugs in 2023 and 15% more high-severity bugs. Critical- and high-rated bugs together make up 29% of valid bug bounty reports.
While improper access control is the most common vulnerability type across industries at 13%, it has a much greater impact on Telecommunications organizations, with improper access control making up 28% of vulnerability reports for the industry. How does your industry compare?
A code security audit could save you a potential $18,000 on your bounty program. We've seen a 54% increase in pentests since 2022, and a 16% increase in the number of vulnerabilities being surfaced by pentests, with 15% of vulnerabilities found being rated as high or critical severity.
The median bounty paid for a valid bug on the HackerOne platform is $500, the average is $1,048, and the 90th percentile is $3,000.
The Big Picture
Security vulnerabilities are a reality of modern technology. Fortunately for us, hackers are too. This list highlights that hackers are helping mitigate the most serious risks to your business.
Bugs Surfaced: Bug Bounty vs. Pentest
A penetration test (pentest) involves identifying and addressing vulnerabilities, much like a bug bounty program, but a pentest is typically time-boxed and scoped, and it often leans more toward demonstrating that an organization adheres to specific compliance and security standards. Bug bounty programs instead run continuously and incentivize ethical hackers with monetary rewards for discovering and reporting valid vulnerabilities to the application's owner.
Do pentesting and bug bounties serve the same purpose or complement each other? While both approaches engage security researcher communities, their outcomes are distinct.