HackerOne’s Top 10 security vulnerabilities

Singapore, @mcgallen #microwireinfo, June 13, 2019 – Today, HackerOne releases never before seen research on the top 10 most impactful security vulnerabilities reported through its programs – those that have earned hackers on the platform more than US$54 million in bounties.

Based on data from more than 120,000 security vulnerabilities reported across more than 1,400 customer programs globally, HackerOne has launched an interactive site showing vulnerability types with the highest severity scores, the largest total report volumes and the most reported by industry.

HackerOne’s Top 10 security vulnerabilities are:

    1. Cross-site Scripting – All Types (dom, reflected, stored, generic)
    2. Improper Authentication – Generic
    3. Information Disclosure
    4. Privilege Escalation
    5. SQL Injection
    6. Code Injection
    7. Server-Side Request Forgery (SSRF)
    8. Insecure Direct Object Reference (IDOR)
    9. Improper Access Control – Generic
    10. Cross-Site Request Forgery (CSRF)

“We see a 40% crossover of the HackerOne Top 10 to the latest version of the OWASP Top 10. Cross-site Scripting (XSS), Information Disclosure, and Injection are all included on both lists. Both assets will be able to help security teams identify the top risks; ours just also takes into account volume and bounty values, which we think will be of particular interest to security teams looking to protect against criminal hackers,” said Miju Han, Director of Product Management, HackerOne. “Looking at the cumulative amount of bounties paid for critical and high severity bugs, the total is over 60% of all bounties paid. Interestingly, comparing by volume of reports, there were nearly three times as many high severity bugs reported as critical severity. At the opposite end, low severity reports accounted for just 8% of the bounty total, yet made up nearly 30% of the reported volume. We are fortunate to have such a comprehensive data set that allows us to share with our customers and the industry which vulnerabilities are likely to be the most expensive.”
Check out which vulnerabilities are most impactful to your industry at The HackerOne Top 10 Most Impactful Vulnerability Types website.

About HackerOne
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be exploited. More Fortune 500 and Forbes Global 1000 companies trust HackerOne than any other hacker-powered security alternative. The U.S. Department of Defense, General Motors, Google, Twitter, GitHub, Nintendo, Lufthansa, Microsoft, MINDEF Singapore, Panasonic Avionics, Qualcomm, Starbucks, Dropbox, Intel, the CERT Coordination Center and over 1,400 other organizations have partnered with HackerOne to find over 120,000 vulnerabilities and award over US$54M in bug bounties. HackerOne is headquartered in San Francisco with offices in London, New York, the Netherlands, and Singapore.

###