Companies paid $4.2M bug bounties for XSS flaws in 2020
Security Affairs

Cross-site scripting (XSS) is the most common class of vulnerability reported on HackerOne's bug bounty platform, and the one that has earned researchers the most in rewards.

XSS vulnerabilities account for 18% of all flaws reported by bug hunters; companies paid a total of $4.2 million for these reports, up 26% from the previous year.

Even so, each XSS report earned an average bounty of only $501.

XSS vulnerabilities can be exploited by attackers for all kinds of malicious activities, including account hijacking and data theft.

XSS vulnerabilities are very common and difficult to fix, even for the most advanced application security organizations, and they are often embedded in code that can put production systems at risk, according to HackerOne's fourth Hacker-Powered Security Report.

These bugs account for 18% of all discovered vulnerabilities, yet the average reward is only $501, which means organizations can mitigate this common and potentially painful class of flaw at a fraction of the cost.
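Why is a flaw this common still hard to fix? Because the correct encoding depends on where in the page the untrusted value lands, and applying the right encoder in the wrong context (or forgetting the quotes around an attribute) leaves the bug in place. The block below is an added, editor-written example in Python's standard library, not code from the article or from HackerOne; the two attacker-style inputs are constructed, and the small `HTMLParser` subclass exists only to show what a browser would actually see.

```python
import html
import json
from html.parser import HTMLParser

# Constructed attacker-style inputs (not from the article).
UNTRUSTED_NAME = '"><script>alert(1)</script>'   # closes a quote, opens a script tag
UNTRUSTED_ATTR = "x onmouseover=alert(1)"         # no special characters at all


def render_vulnerable(name):
    """The classic bug: untrusted text concatenated straight into markup."""
    return f"<p>Hello, {name}!</p>"


def render_html_text(name):
    """HTML text-node context: entity-encode &, <, >, double and single quotes."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def render_html_attribute(value):
    """Quoted attribute context: same encoder, but the attribute MUST be quoted."""
    return f'<input type="text" value="{html.escape(value, quote=True)}">'


def render_unquoted_attribute_bug(value):
    """Encoder applied, quotes forgotten. html.escape leaves spaces and '='
    alone, so UNTRUSTED_ATTR still grows a second, attacker-chosen attribute."""
    return f"<input type=text value={html.escape(value, quote=True)}>"


def render_inline_script(name):
    """Inline <script> context: entity encoding is the wrong tool, because the
    browser does not decode entities inside a script block. Emit a JSON string
    literal and additionally escape < and > so the value can never contain a
    literal </script> that would end the block early."""
    literal = json.dumps(name).replace("<", "\\u003c").replace(">", "\\u003e")
    return f"<script>var userName = {literal};</script>"


class _Summary(HTMLParser):
    """Minimal parser: counts <script> start tags and collects attribute names,
    which is enough to tell a neutralised payload from a live one."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.attributes = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        self.attributes.extend(name for name, _ in attrs)


def parse_summary(markup):
    """Return how a browser-like parser sees the markup: script tag count and
    the attribute names it found."""
    parser = _Summary()
    parser.feed(markup)
    parser.close()
    return {"script_tags": parser.script_tags, "attributes": parser.attributes}


if __name__ == "__main__":
    for label, out in [
        ("vulnerable text   ", render_vulnerable(UNTRUSTED_NAME)),
        ("encoded text      ", render_html_text(UNTRUSTED_NAME)),
        ("unquoted attribute", render_unquoted_attribute_bug(UNTRUSTED_ATTR)),
        ("quoted attribute  ", render_html_attribute(UNTRUSTED_ATTR)),
        ("inline script     ", render_inline_script(UNTRUSTED_NAME)),
    ]:
        print(label, parse_summary(out), out)
```

A templating engine with autoescaping enabled covers the HTML text and quoted-attribute cases for you; the inline-script case and the unquoted-attribute mistake are the ones that slip through, which is exactly why reviewers still find XSS in well-resourced code bases.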

In the list of the most rewarded vulnerabilities in 2020, XSS is followed by improper access control, for which both the number of reported cases and the rewards paid grew 134% compared to 2019; companies paid just over $4 million in bounties for these reports through the HackerOne platform.

Information disclosure comes next, up 63% year over year, with companies paying $3 million for reports of these vulnerabilities.

Both classes of weakness can expose potentially sensitive data, such as personal information. Although their severity ratings vary widely, they can be catastrophic if confidential customer or internal information leaks as a result of misconfigured permissions.

These two classes of flaw are particularly dangerous because they are almost impossible to detect with automated tools.

Third comes server-side request forgery (SSRF). Experts noted that with the advent of cloud architectures and unprotected metadata endpoints, these vulnerabilities are becoming increasingly critical.

Last year, organizations paid about $3 million for reports of SSRF vulnerabilities.
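To make the "unprotected metadata endpoints" point concrete: an application that fetches a user-supplied URL should decide where the request will actually go before it sends it. The check below is an added, editor-written example and not code from the article or from HackerOne. It resolves the hostname first and refuses anything that lands on loopback, private, link-local (where the 169.254.169.254 address used by cloud instance metadata services lives), carrier-grade NAT or IPv4-mapped IPv6 space. The DNS answers are constructed for offline use and the resolver is injectable; in production the application must also connect to the exact address it validated rather than resolve the name a second time, otherwise a rebinding name can pass the check and still reach the internal address.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Ranges a server-side fetch must never reach, on top of the classification the
# ipaddress module already gives us. 169.254.0.0/16 is link-local and contains the
# cloud metadata address 169.254.169.254; 100.64.0.0/10 is carrier-grade NAT space,
# which ipaddress does not flag as private.
EXTRA_DENY = [
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),
    ipaddress.ip_network("fe80::/10"),
    ipaddress.ip_network("fc00::/7"),
]


def _unwrap(ip):
    """::ffff:169.254.169.254 is an IPv4 address in an IPv6 coat; judge the IPv4 part."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_disallowed_address(ip):
    """True for any address a public-facing fetcher should refuse to contact."""
    ip = _unwrap(ip)
    if (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified):
        return True
    return any(ip in net for net in EXTRA_DENY if net.version == ip.version)


def dns_resolve(host):
    """Real lookup: return every A/AAAA answer, because a name under attacker
    control may resolve to a public address and a private one at the same time."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_outbound_url(url, resolve=dns_resolve):
    """Return (allowed, reason) for a URL the application is about to fetch.
    `resolve` maps a hostname to a list of address strings; it is a parameter so
    the check can run offline with canned answers."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP: nothing to look up
    except ValueError:
        try:
            addresses = resolve(host)
        except OSError as exc:
            return False, f"resolution failed for {host}: {exc}"
    if not addresses:
        return False, f"{host} did not resolve"
    for addr in addresses:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False, f"unparseable address {addr!r} for {host}"
        if is_disallowed_address(ip):
            return False, f"{host} resolves to non-public address {addr}"
    return True, f"{host} -> {', '.join(addresses)}"


# Constructed DNS answers for an offline demonstration (not real records).
FAKE_DNS = {
    "www.example.com": ["93.184.216.34"],
    "metadata.corp.example": ["169.254.169.254"],
    "split.example": ["93.184.216.34", "10.0.0.5"],
}


def fake_resolve(host):
    """Stand-in for dns_resolve that answers only from FAKE_DNS."""
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in [
        "https://www.example.com/",
        "http://169.254.169.254/latest/meta-data/",
        "http://metadata.corp.example/",
        "http://[fd00:ec2::254]/",
        "http://[::ffff:169.254.169.254]/",
        "http://split.example/",
        "file:///etc/passwd",
    ]:
        print(candidate, check_outbound_url(candidate, fake_resolve))
```

The check deliberately treats a name that returns any non-public address as disallowed, rather than filtering the bad answers out, because a fetcher that happily falls through to "the other" address is exactly what an attacker is counting on.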

Most of these funds came from organizations in the United States, which paid $39.1 million; the total amounts to 33.4 million USD (33.4 million EUR / 273.7 million RMB), or 87% of the total. Notably, bounty payouts in Latin America grew 371%, while every other region grew by at least 68%.

This growth is all the more impressive given the amounts involved, as these three countries together paid more than USD 380,000 / EUR 324,000 / JPY 2,660,000 in bounties last year.

Last year, organizations paid $23.5 million to bug hunters through HackerOne, providing valuable reports on vulnerabilities in the systems of organizations around the world.

To date, the popular platform has paid out $107 million for bugs, of which more than $44.75 million was paid in the last 12 months.

Pierluigi Paganini

(SecurityAffairs – hacking, bug bounty)
