- Cross-site scripting, improper authentication and information disclosure were the top three vulnerabilities found by ethical hackers in 2018, according to a report from HackerOne.
- The report analyzed 120,000 security weaknesses reported in 1,400 bug bounty programs. Executives at participating companies paid hackers a total of $54 million in bounty awards.
- With the expanding adoption of hybrid and multi-cloud environments, the report found vulnerabilities like Server Side Request Forgery (SSRF) are poised to grow.
More than individual fixes, insight on organization's most common cybersecurity flaws represents the more valuable takeaway from bug bounty programs.
In an age where data breaches and cyber risks impact brand reputation as well as finances, companies are relying on ethical hackers to spot weak points before the bad guys do. In 2018, awards for site vulnerabilities jumped 33% year over year, rising to an average award of $20,000, according to HackerOne.
In its recent report, HackerOne found a 40% crossover between its top 10 and a similar list produced by the Open Web Application Security Project (OWASP). Cross-site scripting (XSS), information disclosure, and code injection were included on both lists.
|HackerOne's Top 10 cybersecurity weaknesses||% of paid bounties|
|1. Cross-site Scripting - All Types (dom, reflected, stored, generic)||27.9|
|2. Improper Authentication - Generic||14.58|
|3. Information Disclosure||13.38|
|4. Privilege Escalation||9.44|
|5. SQL Injection||6.6|
|6. Code Injection||6.04|
|7 .Server-Side Request Forgery (SSRF)||5.69|
|8. Insecure Direct Object Reference (IDOR)||5.53|
|9. Improper Access Control - Generic||5.42|
|10. Cross-Site Request Forgery (CSRF)||5.42|
As of last year, Google had paid out $12 million in rewards to ethical hackers in 113 countries, as part of the bug bounty program it established in 2010.
Intel, a more recent entrant to the bug bounty bandwagon, announced in 2018 it would pay up to $250,000 for cybersecurity faults.