September 24, 2019
Cybersecurity

HackerOne Reveals Results of ‘Top 10 Security Vulnerabilities’ Report

Media Release:

HackerOne’s white hat hackers continue to collect millions of dollars in bug bounty rewards, now at US$54 million — and growing

(SDN) — On June 13, HackerOne made public what it described as “never before seen research” naming the cyberworld’s top 10 most impactful security vulnerabilities.

HackerOne collected the vulnerabilities through its programs — those that have earned hackers on the platform more than US$54 million in bounties.

The platform has a pool of hundreds of thousands of ethical hackers, also known as white hat hackers, whom HackerOne engaged to discover security vulnerabilities in many major organizations, public and private.

Based on data from more than 120,000 security vulnerabilities reported across more than 1,400 customer programs globally, HackerOne has launched an interactive site showing vulnerability types with the highest severity scores, the largest total report volumes and the most reported by industry.

“Customers are speaking in one voice through this Forrester study,” said Marten Mickos, CEO of HackerOne.

Sourced from the HackerOne portal, here are four of its top bug bounty hunters:

From left: Jack Cable, Arne Swinnen, Frans Rosén, and Peter Yaworski. HackerOne’s bug bounty hunters have already amassed more than US$50 million in prize money.

“Hacker-powered pen tests give the best bang for the buck, and the underlying time, security, development and compliance benefits are even stronger. The power of a community of over 400,000 hackers is unsurpassed.”

Here are HackerOne’s Top 10 security vulnerabilities:

  • Cross-site Scripting – All Types (DOM, reflected, stored, generic)
  • Improper Authentication – Generic
  • Information Disclosure
  • Privilege Escalation
  • SQL Injection
  • Code Injection
  • Server-Side Request Forgery (SSRF)
  • Insecure Direct Object Reference (IDOR)
  • Improper Access Control – Generic
  • Cross-Site Request Forgery (CSRF)

“We see a 40% crossover of the HackerOne Top 10 to the latest version of the OWASP Top 10. Cross-site Scripting (XSS), Information Disclosure, and Injection are all included on both lists. Both assets will be able to help security teams identify the top risks; ours just also takes into account volume and bounty values, which we think will be of particular interest to security teams looking to protect against criminal hackers,” said Miju Han, director of Product Management, HackerOne.

“Looking at the cumulative amount of bounties paid for critical and high severity bugs, the total is over 60% of all bounties paid. Interestingly, comparing by volume of reports, there were nearly three times as many high severity bugs reported as critical severity. At the opposite end, low severity reports accounted for just 8% of the bounty total, yet made up nearly 30% of the reported volume. We are fortunate to have such a comprehensive data set that allows us to share with our customers and the industry which vulnerabilities are likely to be the most expensive.” (SDN/HackerOne)


Check out what vulnerabilities are most impactful to your industry at The HackerOne Top 10 Most Impactful Vulnerability Types website.

About HackerOne

HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be exploited. More Fortune 500 and Forbes Global 1000 companies trust HackerOne than any other hacker-powered security alternative. The U.S. Department of Defense, General Motors, Google, Twitter, GitHub, Nintendo, Lufthansa, Microsoft, MINDEF Singapore, Panasonic Avionics, Qualcomm, Starbucks, Dropbox, Intel, the CERT Coordination Center and over 1,400 other organizations have partnered with HackerOne to find over 120,000 vulnerabilities and award over US$54M in bug bounties.

HackerOne is headquartered in San Francisco with offices in London, New York, the Netherlands, and Singapore.

Featured image of a hacker courtesy of The Digital Artist on Pixabay.
