This is a large article with trends from the HackerOne platform. Enjoy!
The vulnerability classes section is interesting. Access control issues have increased by 18% (IAC) and 29% (IDOR), while authentication issues have decreased by 9% and privilege escalation by 8%. Misconfiguration issues are another category that has gone up, by 29%. SQL injection is down by 23%, code injection by 1% and XSS by 14%. Finally, business logic flaws are up 19% but down 5% in terms of payouts. AI vulnerability reports skyrocketed this year, as expected.
For XSS, SQLi, SSRF, and information disclosure, they claim it's because these "commodity" bug classes are reaching a maturity point. Hackbots could have something to do with this. In terms of total reports, XSS remains the most common vulnerability report, which is particularly interesting.
They examined bug bounty programs that had lowered payouts for similar types of bugs in the last year. Of these, 73% saw a decline in valid submissions and 50% went without a critical vulnerability in the last year. This indicates that if you pay out less, you will get fewer people on your program. What entices researchers? Good scope documents, good triage/response times and fair/consistent payouts. These all build trust that time spent on the program is well spent.
They have a table of payouts by industry, divided into severity categories. Crypto/web3 has the highest payouts for bugs. After that come Internet/online services and Computer software. Things like financial services, government and retail are relatively low. The benefit of high rewards is that more people look at the program.
The report discusses the exploit likelihood by industry. Bugs in finance are fewer but much likelier to be exploited. Within Government and technology, validated bugs carry a fairly high chance of being exploited in the wild.
Overall, an interesting report on the trends of security issues on HackerOne. Thanks for the open data!