valid issues were found across 1,300+ customer programs
of these are rated high or critical
“We don’t have a cybersecurity problem. We have a software quality problem.”
– Jen Easterly, Director of CISA
The good news? There’s a clear path to stronger security. HackerOne data shows that the top ten vulnerabilities reported to customer programs are common and mostly preventable with proactive measures. Catching these issues early in the SDLC can significantly cut down on bounty costs. Check how your industry stacks up against the average for common vulnerabilities and how you can mitigate them.
Get researcher insights, customer testimonials, industry data, analysis and advice, and more.
Featured vulnerability: Insecure direct object reference (IDOR) (up 47% from 2023)
IDOR (insecure direct object reference) vulnerabilities are particularly prevalent in financial services because of their complex, multi-layered applications that manage sensitive data, like personal financial information and transactions. The frequent user actions, such as money transfers and account access, heighten the risk of IDOR exploits when access controls are weak, making them prime targets for bug bounty hunters.
Recommendations:
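As an added illustration, not code from the HackerOne report, the following Python shows the object-level authorization check whose absence produces an IDOR on a "view transaction" endpoint. The `Transaction` records, user ids and amounts are constructed for the example.

```python
# Added example (not from the report): closing an IDOR by tying every object
# lookup to the authenticated caller. All records below are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Transaction:
    txn_id: int
    owner_id: int
    amount: float


# Constructed in-memory store: transactions belonging to two different users.
TRANSACTIONS = {
    101: Transaction(101, owner_id=1, amount=250.00),
    102: Transaction(102, owner_id=2, amount=4999.99),
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested object."""


def get_transaction_vulnerable(txn_id: int) -> Optional[Transaction]:
    # IDOR: the record is returned to anyone who supplies (or guesses) its id.
    return TRANSACTIONS.get(txn_id)


def get_transaction(txn_id: int, current_user_id: int) -> Transaction:
    # Hardened: look the record up, then verify the authenticated caller owns it.
    # A missing record and a foreign record produce the same outcome, so the
    # endpoint does not confirm which ids exist.
    txn = TRANSACTIONS.get(txn_id)
    if txn is None or txn.owner_id != current_user_id:
        raise Forbidden(f"transaction {txn_id} is not accessible to user {current_user_id}")
    return txn


def can_view(txn_id: int, current_user_id: int) -> bool:
    """Convenience wrapper so the access decision can be checked as a boolean."""
    try:
        get_transaction(txn_id, current_user_id)
        return True
    except Forbidden:
        return False
```

The essential change is that the caller identity comes from the server-side session, never from the request, and the ownership comparison happens on every lookup rather than only on the listing page that produced the link.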
Featured vulnerability: Cross-site scripting (XSS) (up 17% from 2023)
Government agencies see a much higher rate of XSS vulnerability reports than the industry average. This is likely due to their many complex web environments, as they manage a wide range of websites and services for various public functions.
Recommendations:
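As an added illustration, not code from the report, the following Python contrasts a comment renderer that concatenates untrusted input into markup with one that encodes for the HTML text and attribute contexts. The function names and the sample payload are constructed.

```python
# Added example (not from the report): context-aware output encoding against XSS.
import html


def render_comment_vulnerable(author: str, body: str) -> str:
    # Untrusted strings are pasted straight into the markup.
    return f'<div class="comment"><b>{author}</b>: {body}</div>'


def render_comment(author: str, body: str) -> str:
    # HTML text context: encode <, >, &, and quotes before interpolation.
    return (f'<div class="comment"><b>{html.escape(author)}</b>: '
            f'{html.escape(body)}</div>')


def render_link(label: str, url: str) -> str:
    # Attribute context: quote-escape the value, and allow only http(s)
    # so a javascript: or data: URL cannot become a clickable payload.
    if not url.strip().lower().startswith(("http://", "https://")):
        url = "#"
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(label)}</a>'


def contains_script_tag(markup: str) -> bool:
    # Crude detector used only to show the difference between the two renderers.
    return "<script" in markup.lower()
```

Encoding is chosen per context: the text inside an element and the value inside an attribute need different treatment, and a URL-bearing attribute additionally needs a scheme allowlist because escaping alone does not neutralise `javascript:`.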
Featured vulnerability: Improper authentication (up 55% from 2023)
Telecom organizations manage vast networks with millions of connected users and devices, making authentication across such a complex infrastructure prone to misconfigurations or weak implementations.
Recommendations:
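As an added illustration, not code from the report, the following Python implements a signed session token check of the kind a large user base depends on: HMAC-SHA256 over the payload, constant-time signature comparison, and an expiry check. The key, token layout and helper names are constructed for the example.

```python
# Added example (not from the report): issuing and verifying an HMAC-signed,
# expiring session token. The secret below is a constructed demo value.
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-key-do-not-reuse"  # real code loads this from a secret store


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def issue_token(subject: str, ttl_seconds: int, now: Optional[float] = None,
                secret: bytes = SECRET) -> str:
    """Mint payload.signature where signature = HMAC-SHA256(secret, payload)."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": subject, "exp": int(now + ttl_seconds)},
                         separators=(",", ":")).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token: str, now: Optional[float] = None,
                 secret: bytes = SECRET) -> Optional[str]:
    """Return the subject if the token is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    # Constant-time comparison: a plain == stops at the first differing byte
    # and leaks timing information.
    if not hmac.compare_digest(sig, expected):
        return None
    # The payload is parsed only after its signature has been verified.
    claims = json.loads(payload)
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims.get("sub")


def rewrite_claims_keeping_signature(token: str, claims: dict) -> str:
    """Negative-test helper: swaps the payload but keeps the old signature,
    which a correct verifier must reject."""
    _, sig_b64 = token.split(".", 1)
    payload = json.dumps(claims, separators=(",", ":")).encode()
    return _b64(payload) + "." + sig_b64
```

The weak implementations the passage refers to typically skip one of these three steps: they compare signatures with `==`, parse claims before verifying them, or never check `exp`.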
Featured vulnerability: Information disclosure (up 71% from 2023)
The complexity of e-commerce platforms, featuring dynamic websites and applications, increases the risk of information leaks through improperly secured APIs, mishandled user inputs, and flawed data management practices.
Recommendations:
Featured vulnerability: SQL injection (up 93% from 2023)
The industry still relies on legacy systems developed before modern security practices became widespread. These older systems often lack proper input validation and secure coding, making them vulnerable to SQL injection, especially with the growing demand for web and mobile interfaces.
Recommendations:
Featured vulnerability: Misconfiguration (up 69% from 2023)
This sector typically relies on complex content delivery networks (CDNs) and streaming platforms to distribute their content globally, which can lead to misconfigurations, especially when it comes to security settings and access controls.
Recommendations:
Featured vulnerability: Privilege escalation (down 2% from 2023)
Software products often serve a range of user roles, from regular users to administrators, each needing different access levels. Inconsistent permission checks, especially in enterprise software, can open the door for attackers to escalate privileges.
Recommendations:
Featured vulnerability: Improper access control (up 28% from 2023)
The push to scale quickly and roll out new features makes it tough to enforce strict access controls consistently. Agile development practices, with continuous integration and deployment, often prioritize speed and innovation over rigorous security checks, which can lead to access control vulnerabilities slipping through.
Recommendations:
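As an added illustration serving both the privilege escalation and improper access control sections above, and not code from the report, the following Python shows a function-level check that derives the caller's role from a server-side record and denies by default, next to the pattern that trusts a client-supplied flag. Roles, permissions and users are constructed for the example.

```python
# Added example (not from the report): deny-by-default, role-based
# function-level authorization. All roles and records are constructed.
from dataclasses import dataclass
from enum import Enum
from functools import wraps


class Role(Enum):
    USER = "user"
    SUPPORT = "support"
    ADMIN = "admin"


@dataclass
class User:
    user_id: int
    role: Role  # populated from the server-side user store, never from the request


# Permission matrix. Deny by default: a permission not listed grants nothing.
PERMISSIONS = {
    "view_any_profile": {Role.SUPPORT, Role.ADMIN},
    "change_user_role": {Role.ADMIN},
}


class PermissionDenied(Exception):
    pass


def requires(permission: str):
    """Decorator enforcing the check on every call, not only in the UI."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(caller: User, *args, **kwargs):
            if caller.role not in PERMISSIONS.get(permission, set()):
                raise PermissionDenied(f"{caller.role.value} may not {permission}")
            return fn(caller, *args, **kwargs)
        return wrapper
    return decorator


def change_user_role_vulnerable(request_body: dict, target: User, new_role: Role) -> Role:
    # Trusts a client-controlled flag: anyone who sends is_admin=true is treated
    # as an administrator.
    if not request_body.get("is_admin", False):
        raise PermissionDenied("not an admin")
    target.role = new_role
    return target.role


@requires("change_user_role")
def change_user_role(caller: User, target: User, new_role: Role) -> Role:
    target.role = new_role
    return target.role


@requires("view_any_profile")
def view_profile(caller: User, target: User) -> dict:
    return {"user_id": target.user_id, "role": target.role.value}


def allowed(fn, caller: User, *args) -> bool:
    """Run a guarded function and report whether the check let it through."""
    try:
        fn(caller, *args)
        return True
    except PermissionDenied:
        return False
```

Putting the check in a decorator means a new endpoint added under deadline pressure either declares its permission or is unreachable, which is the consistency the passage says fast-moving teams struggle to keep by hand.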
Featured vulnerability: Business logic errors (up 37% from 2023)
With their complex, experimental business models and intricate transaction mechanisms, it’s tough for crypto and blockchain organizations to secure against edge cases or unintended uses, meaning any flaws or logic errors are hard to fix.
Recommendations:
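As an added illustration, not code from the report, the following Python shows a transfer routine with the edge cases the passage refers to left unhandled (a negative amount reverses the direction of funds) beside one that validates sign, self-transfer, balance and duplicate submission. Account names and balances are constructed.

```python
# Added example (not from the report): business-logic validation on a
# transfer. Accounts and balances below are constructed.
from decimal import Decimal


class LedgerError(Exception):
    pass


class Ledger:
    def __init__(self, balances: dict):
        self.balances = {acct: Decimal(v) for acct, v in balances.items()}
        self.seen_requests = set()

    def transfer_vulnerable(self, src: str, dst: str, amount) -> None:
        # Only checks that src can cover the amount. A negative amount passes
        # that test trivially and moves funds from dst into src instead.
        amount = Decimal(amount)
        if self.balances[src] < amount:
            raise LedgerError("insufficient funds")
        self.balances[src] -= amount
        self.balances[dst] += amount

    def transfer(self, src: str, dst: str, amount, request_id: str) -> None:
        amount = Decimal(amount)
        if request_id in self.seen_requests:
            raise LedgerError("duplicate request")  # retries and double submits
        if amount <= 0:
            raise LedgerError("amount must be positive")
        if src == dst:
            raise LedgerError("source and destination must differ")
        if src not in self.balances or dst not in self.balances:
            raise LedgerError("unknown account")
        if self.balances[src] < amount:
            raise LedgerError("insufficient funds")
        self.seen_requests.add(request_id)
        self.balances[src] -= amount
        self.balances[dst] += amount


def attempt(ledger: Ledger, *args) -> bool:
    """Run a hardened transfer and report whether it was accepted."""
    try:
        ledger.transfer(*args)
        return True
    except LedgerError:
        return False
```

Each rejected case corresponds to an "unintended use" of a correct-looking API: the code path works for the expected input, and the flaw exists only in the inputs nobody modelled.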
Featured vulnerability: Open redirect (up 92% from 2023)
Travel and hospitality organizations rely heavily on marketing, often embedding referral and affiliate links. Attackers may exploit open redirect vulnerabilities by tampering with these links to lead users to malicious sites.
Recommendations:
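As an added illustration, not code from the report, the following Python validates a `?next=` style redirect parameter against an allowlist of the site's own hosts, handling the scheme-relative and backslash forms that a naive "starts with /" check lets through. The host names are constructed.

```python
# Added example (not from the report): allowlisted redirect target validation.
# ALLOWED_HOSTS holds constructed host names standing in for the site's own.
from urllib.parse import urlparse

ALLOWED_HOSTS = {"www.example-travel.test", "booking.example-travel.test"}
DEFAULT_LANDING = "/"


def redirect_vulnerable(next_url: str) -> str:
    # Honours whatever the parameter carried, including absolute URLs.
    return next_url or DEFAULT_LANDING


def safe_redirect_target(next_url: str) -> str:
    if not next_url:
        return DEFAULT_LANDING
    parsed = urlparse(next_url)
    if not parsed.scheme and not parsed.netloc:
        # Relative path: exactly one leading slash. "//host" is a
        # scheme-relative URL and browsers treat "/\host" the same way.
        if next_url.startswith("/") and not next_url.startswith(("//", "/\\")):
            return next_url
        return DEFAULT_LANDING
    # Absolute URL: only http(s) to a host on the allowlist. urlparse's
    # hostname strips userinfo and port, so "allowed@evil" resolves to evil.
    if parsed.scheme in ("http", "https") and parsed.hostname in ALLOWED_HOSTS:
        return next_url
    return DEFAULT_LANDING
```

The allowlist is an exact-match set, not a prefix or substring test, which is what defeats the look-alike subdomain and userinfo cases in the test.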
The vulnerabilities organizations allocate their budgets to don’t always align with the volume of reports for those vulnerabilities.
Identify the critical systems, applications, and data that will be in scope for the program, prioritizing high-value assets.
As your program evolves, monitor report volume, payout levels, and researcher feedback to adjust budgets over time.
Prepare for unexpected high-severity vulnerabilities by having a buffer in the budget for critical vulnerabilities that may require higher-than-anticipated payouts, ensuring that you can address major security threats without financial constraints.