Top 10 Weaknesses Found by Bug Bounty Hunters

Cross-site scripting, improper authentication and information disclosure were the three vulnerability classes most often rewarded through ethical hackers' submissions in 2018, according to a HackerOne report.
The report analyzed 120,000 security weaknesses reported across 1,400 bug bounty programs. Participating companies paid hackers a total of $54 million in bounty awards.

Beyond individual fixes, the more valuable takeaway from bug bounty programs is insight into which cybersecurity flaws organizations most commonly ship.

In an age where data breaches and cyber risks damage brand reputation as well as finances, companies are relying on ethical hackers to find weak points before attackers do. In 2018, the average award for site vulnerabilities jumped 33% year over year to $20,000, according to HackerOne.

In its recent report, HackerOne found a 40% overlap between its top 10 and the OWASP Top 10 list maintained by the Open Web Application Security Project (OWASP). Cross-site scripting (XSS), information disclosure and code injection appear on both lists.

Top 10 cybersecurity weaknesses, by share of paid bounties
1. Cross-site scripting, all types (DOM, reflected, stored, generic): 27.9%
2. Improper authentication, generic: 14.58%
3. Information disclosure: 13.38%
4. Privilege escalation: 9.44%
5. SQL injection: 6.6%
6. Code injection: 6.04%
7. Server-side request forgery (SSRF): 5.69%
8. Insecure direct object reference (IDOR): 5.53%
9. Improper access control, generic: 5.42%
10. Cross-site request forgery (CSRF): 5.42%

The shares sum to 100%, so they describe how bounties were split among these ten categories rather than a share of all bounties paid.

As of last year, Google had paid out $12 million in rewards to ethical hackers in 113 countries, as part of the bug bounty program it established in 2010.

Intel, a more recent entrant to bug bounty programs, announced in 2018 that it would pay up to $250,000 for security flaws.

This post was originally published by CIO DIVE on
