HackerOne releases never-before-seen research on the top 10 most impactful security vulnerabilities reported through its programs – those that have earned hackers on the platform more than US$54 million in bounties.

Based on data from more than 120,000 security vulnerabilities reported across more than 1,400 customer programs globally, HackerOne has launched an interactive site showing vulnerability types with the highest severity scores, the largest total report volumes and the most reported by industry.
“Customers are speaking in one voice through this Forrester study,” said Marten Mickos, CEO of HackerOne. “Hacker-powered pen tests give the best bang for the buck, and the underlying time, security, development and compliance benefits are even stronger. The power of a community of over 400,000 hackers is unsurpassed.”

HackerOne’s Top 10 security vulnerabilities are:

  1. Cross-site Scripting – All Types (DOM, reflected, stored, generic)
  2. Improper Authentication – Generic
  3. Information Disclosure
  4. Privilege Escalation
  5. SQL Injection
  6. Code Injection
  7. Server-Side Request Forgery (SSRF)
  8. Insecure Direct Object Reference (IDOR)
  9. Improper Access Control – Generic
  10. Cross-Site Request Forgery (CSRF)

“We see a 40% crossover of the HackerOne Top 10 to the latest version of the OWASP Top 10. Cross-site Scripting (XSS), Information Disclosure, and Injection are all included on both lists. Both assets will be able to help security teams identify the top risks; ours just also takes into account volume and bounty values, which we think will be of particular interest to security teams looking to protect against criminal hackers,” said Miju Han, Director of Product Management, HackerOne.

“Looking at the cumulative amount of bounties paid for critical and high severity bugs, the total is over 60% of all bounties paid. Interestingly, comparing by volume of reports, there were nearly three times as many high severity bugs reported as critical severity. At the opposite end, low severity reports accounted for just 8% of the bounty total, yet made up nearly 30% of the reported volume,” he added.