The HackerOne Top 10 Most Impactful and Rewarded Vulnerability Types – 2020 Edition
As a security leader, you’re responsible for a constantly evolving attack surface. The past year has changed the role of the CISO, making it tougher to navigate your operating environment. Distributed decision-making has expanded the volume and variety of risks you must confront, regulators are approaching data privacy with greater scrutiny, and executive teams and boards of directors are starting to think about how information risk impacts strategic planning.
Security leaders are looking for creative ways to meet these demands.
Vulnerability disclosure policies (VDPs) have emerged as a powerful solution. VDPs quickly establish a process for receiving vulnerability reports from hackers and security researchers. But what are the hackers finding? How are they changing the security landscape? And what do security leaders need to know?
HackerOne maintains the most authoritative database of vulnerabilities in the industry. We’re here to help you make smarter decisions about vulnerability mitigation and remediation, and to empower you to allocate your resources efficiently.
To that end, we’re providing a list of the top 10 vulnerability types as indicated by bounty awards and customer impact to help you understand the most common, formidable security risks you’re facing.
And for a comprehensive look at the data behind this snapshot, read The 4th Hacker-Powered Security Report.
Cross-site Scripting (XSS) continues to be the most awarded vulnerability type with US$4.2 million in total bounty awards, up 26% from the previous year.
XSS vulnerabilities are extremely common and hard to eliminate, even for organizations with the most mature application security. XSS vulnerabilities are often embedded in code that can impact your production pipeline.
These bugs account for 18% of all reported vulnerabilities, but the average bounty award is just US$501. That means organizations are mitigating this common, potentially painful bug on the cheap.
Awards for Improper Access Control increased 134% year over year to just over US$4 million. Information Disclosure was not far behind, increasing 63% year over year.
Both weakness types can expose sensitive data such as personally identifiable information. While they range widely in criticality, they can be disastrous if sensitive customer or internal information is leaked through misconfigured permissions.
These vulnerabilities are prevalent because they’re nearly impossible to detect using automated tools. Hacker-powered security provides a relatively inexpensive and extremely effective method for mitigating these vulnerabilities.
An SSRF exploit that causes connections to external third-party systems might result in malicious onward attacks that appear to originate from the organization hosting the vulnerable application, leading to potential legal liabilities and reputational damage.
Previously, SSRF bugs were fairly benign, as they only allowed internal network scanning and sometimes access to internal admin panels. But in this era of rapid digital transformation, the advent of cloud architecture and unprotected metadata endpoints has rendered these vulnerabilities increasingly critical.
In fact, SSRF can lead to total compromise of the system it’s found on and allow further access to the target’s cloud infrastructure.
Thanks to VDP and bug bounty programs, organizations are increasingly able to find and mitigate these bugs before they can be exploited. Overall, organizations spent about US$3 million mitigating SSRF last year — compared to the millions they would have needed to spend if an SSRF attack had been carried out by a bad actor.
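The cloud-metadata risk described above is usually mitigated on the application side by vetting where a server-side URL fetcher is allowed to connect. The following is an added example, not code from HackerOne or the report; it resolves the requested host and rejects loopback, RFC 1918 and link-local destinations (the 169.254.0.0/16 range covers the instance-metadata endpoint). The hostnames, addresses and the offline `demo_resolver` are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges an application-side URL fetcher must never reach: loopback, RFC 1918 and
# link-local space (incl. the 169.254.169.254 metadata endpoint) and IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]

def is_blocked_address(addr: str) -> bool:
    """True if addr lies in a range the fetcher must not contact."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped           # judge ::ffff:a.b.c.d by its IPv4 form
    return any(ip in net for net in BLOCKED_NETWORKS)

def validate_fetch_url(url: str, resolver=socket.getaddrinfo) -> list:
    """Resolve the host and return its vetted addresses, or raise ValueError. Connect to
    a returned address rather than re-resolving, or a DNS rebinding race defeats the check."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("missing host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        infos = resolver(parts.hostname, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        raise ValueError(f"cannot resolve {parts.hostname!r}") from exc
    addrs = [info[4][0] for info in infos]
    for addr in addrs:                # every answer must be clean, not just the first
        if is_blocked_address(addr):
            raise ValueError(f"{parts.hostname!r} resolves to blocked {addr}")
    return addrs

# Constructed DNS stand-in so the example runs offline; unknown names are IP literals.
DEMO_DNS = {"api.example.test": ["203.0.113.10"],
            "md.internal.test": ["169.254.169.254"],
            "dual.example.test": ["203.0.113.11", "10.0.0.5"]}

def demo_resolver(host, port, proto=0):
    addrs = DEMO_DNS.get(host, [host])
    return [(socket.AF_INET, socket.SOCK_STREAM, proto, "", (a, port)) for a in addrs]

def fetch_allowed(url: str, resolver=demo_resolver) -> bool:
    try:
        validate_fetch_url(url, resolver)
        return True
    except ValueError:
        return False
```

In production, pass the default resolver and connect to the returned address; the check alone does not help if the HTTP client later follows a redirect to a blocked host, so redirects must be re-validated the same way.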
In years past, SQL injection was one of the most common vulnerability types. However, our data indicate that it’s been dropping year-over-year.
Modern security frameworks and methods, including the central role of hackers, have rendered this bug nearly a thing of the past. SQL injection tends to occur when organizations aren’t monitoring which apps are mapped to a database and how they interface. By shifting security left, organizations are leveraging hackers and other methods to proactively monitor attack surfaces and prevent bugs from entering code.
Of the top 10 most awarded weakness types, only Improper Access Control, Server-Side Request Forgery (SSRF), and Information Disclosure saw their average bounty awards rise more than 10%. The others fell in average value or were nearly flat.
Unlike traditional security tools and methods, which become more expensive and cumbersome as your goals change and your attack surface expands, hacker-powered security is actually more cost-effective as time goes on. With hackers, it’s becoming less expensive to prevent bad actors from exploiting the most common bugs.
The Big Picture
Security vulnerabilities are a reality of modern technology. Fortunately for us, hackers are too. This list highlights that hackers are helping mitigate the most serious risks to your business.
| Rank | Weakness type | Total bounty rewards | YoY % change |
|---|---|---|---|
| 2 | Improper Access Control - Generic | $4,013,316 | 134% |
| 4 | Server-Side Request Forgery (SSRF) | $2,995,755 | 103% |
| 5 | Insecure Direct Object Reference (IDOR) | $2,264,833 | 70% |
| 8 | Improper Authentication - Generic | $1,371,863 | 36% |
| 10 | Cross-Site Request Forgery (CSRF) | $662,751 | -34% |
Chart: Average bounty payout per industry for critical vulnerabilities
This edition of the HackerOne Top 10 Most Impactful and Rewarded Vulnerability Types was based on HackerOne’s proprietary data examining security weaknesses resolved on the HackerOne platform between May 2019 and April 2020. Vulnerabilities included here were reported by the hacker community through vulnerability disclosures and public and private bounty programs. All vulnerability classifications were made or confirmed by HackerOne customers, including weakness type, impact, and severity.
Note: The vulnerability rating taxonomy, which HackerOne maps to the industry standard Common Weakness Enumeration, is used by HackerOne customers and hackers to categorize reported vulnerabilities. Data presented here is from May 2019 through April 2020.