Bug bounty programs can make you wealthy; one teen is a millionaire from discovering vulnerabilities. Now we have a better idea of which skills (and which bugs squished) will get you paid in these programs.
HackerOne recently released a study on which vulnerability types rack up the biggest payouts in these bug bounty programs (and which are most impactful). Curiously, HackerOne says only four of its top ten vulnerabilities overlap with the Open Web Application Security Project (OWASP) top ten, which is defined as “a broad consensus about the most critical security risks to web applications.” From that, we can infer that those individuals who have input into which vulnerabilities are most critical may not always be participating in (or advising) bug bounty programs.
Cross-site scripting, or XSS, was the most reported vulnerability. HackerOne tracks various industries, and XSS was far and away the best-paying type of bug bounty around, as well. In just about every industry or technology HackerOne tracks, XSS reports were listed as either “critical” or “high” severity. If you want to get paid the most (and get paid more often) master fixing XSS vulnerabilities.
“Improper authentication” was the second-most-reported vulnerability, with a high number of lucrative bug bounty programs in the financial services and insurance sector. (It's also one of the most critical bugs reported in the cryptocurrency field; seems like blockchain has some work to do.)
“Information disclosure vulnerabilities known for revealing sensitive information are still common, presenting real risk to organizations,” writes HackerOne, noting it’s a trending vulnerability. Along with XSS, it’s one of the few paying vulnerabilities that also populates the OWASP top ten. The electronics and semiconductor industry had the highest number of critical information disclosure bugs (which just so happen to pay the best, too).
From there, things throttle down a bit. The fourth-most-reported type of bug bounty, “privilege escalation,” doesn’t have a large number of “critical” or “high” severity bounty programs, but HackerOne says: “While these are not the most commonly reported vulnerabilities when ranked by volume alone, they are in our Top 10 based on aggregate bounty awards by type, as companies actively incentivize hackers to search for them with competitive bounty awards.” Most industries tracked by HackerOne have “medium” or “low” priority privilege escalation bounties, suggesting it’s a volume play if you want to earn from this type of bug.
SQL injection (a technique to inject code into data-driven applications) rounds out the top five. Most industries tracked in this study have a low volume of low-priority SQL injection bounties. Aviation and aerospace is the lone standout, where a higher percentage of “medium” severity bug bounty programs related to SQL injection exist.
Rounding out the top ten on HackerOne’s bug bounty list are code injection, server-side request forgery, insecure direct object reference, improper access control, and cross-site request forgery. All of the bottom five have a low volume of payouts, but some bug bounty programs (such as cross-site referencing forgery) pay well. Choose your targets and opportunities carefully.