Companies paid $4.2M bug bounties for XSS flaws in 2020

Cross-Site Scripting (XSS) issues are the most common vulnerabilities that received the highest amount of rewards on the HackerOne vulnerability reporting platform.

Cross-Site Scripting (XSS) is the most common vulnerability type and received the highest amount of rewards on the HackerOne vulnerability reporting platform.

XSS vulnerabilities accounted for 18% of all flaws reported by bug hunters, these issues received a total of $4.2 million in bounties paid by companies (+26% from last year).

The Cross Site Vulnerabilites received an average of just $501 per issue.

XSS vulnerabilities can be exploited by threat actors for multiple malicious activities, including account takeover and data theft.

“XSS vulnerabilities are extremely common and hard to eliminate, even for organizations with the most mature application security. XSS vulnerabilities 2are often embedded in code that can impact your production pipeline.” reads The 4th Hacker-Powered Security Report.

“These bugs account for 18% of all reported vulnerabilities, but the average bounty award is just US$501. That means organizations are mitigating this common, potentially painful bug on the cheap.”

Improper Access Control follows XSS in the list of most awarded vulnerability type in 2020, experts observed an increase of 134% in occurrence compared to 2019. Companies paid a total of $4 million in bug bounty rewards through the HackerOne platform.

Information Disclosure accounts for 63% from last year. Companies paid $3 million for reports related to these vulnerabilities.

“Awards for Improper Access Control increased 134% year over year to just over US$4 million. Information Disclosure was not far behind, increasing 63% year over year.” continues the report.

“Both methods expose potentially sensitive data like personally identifiable information. While they range widely in criticality, they can be disastrous if sensitive customer or internal information is leaked by misconfigured permissions.”

Both flaws are very dangerous because they’re nearly impossible to detect using automated tools.

In the third place there are SSRF (Server Side Request Forgery) flaws, experts pointed out that the advent of cloud architecture and unprotected metadata endpoints has rendered these vulnerabilities increasingly critical.

Organizations paid about USD$3 million in SSRF mitigations last year.

Most of the bounties were paid by organizations in the United States with $39.1 million / €33.4 million / ¥273.7 million, accounting for 87% of the total. It is interesting to note that Latin America increased bounty awards by 371%, while all other regions increased awards by at least 68%.

“That growth is even more impressive considering the scale, as those three
countries combined paid out more than $380,000 / €324,000 / ¥2,660,000
in bounties in the past year.” states the report.

In the last year, organizations paid $23.5 million via HackerOne to bug hunters who submitted valid reports for vulnerabilities in the systems of organizations worldwide.

To date, the popular platform already paid $107 million in bug bounties with more than $44.75 million paid within a 12-month.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, bug bounty)

[adrotate banner=”5″]

[adrotate banner=”13″]