vulnerabilities-stats.md

July 2, 2025 ยท View on GitHub

Back to Contents

Hackerone publicly disclosed bugs Stats

Updated analysis of HackerOne vulnerability reports shows 12,618 total issues analyzed from the dataset. All 12,618 issues were successfully classified using automated parsing and categorization.

Issues by type of mistake

ClassificationCountPercentage
User Input Sanitization426733.8
Unclassified+Info+Junk406632.2
Other code issues335026.5
Configuration issues9357.4

Issues sorted by their frequency of occurrence

1 out of 3 issues were related to XSS, Information disclosure, or other code issues. The Hackerone page listing these issues is quite interesting and can be read.

TypeCountPercentage
Other code issues259920.60
XSS216817.18
Information/Source Code Disclosure152112.05
Unclassified+Info+Junk146711.63
Broken/Open Authentication8686.88
SQL Injection5974.73
CSRF Token4683.71
Denial Of Service4583.63
Privilege Escalation3893.08
NULL POINTER + SEGFAULT + Using memory after free()3072.43
HTML/JS/XXE/Content Injections2992.37
Open Redirects2922.31
Insecure reference + Data Leak2632.08
Server Side Request Forgery2361.87
Path traversal2071.64
Buffer overflow1631.29
Clickjacking1291.02
Password Policy670.53
Remote Code Execution580.46
Improper Session management/Fixation480.38
Integer overflow130.10
Brute Force attacks10.01

Some unique vulnerability types

  1. Race conditions based vulnerabilities
  2. Pixel Flood Attack
  3. IDN Homograph Attack
  4. Control Characters in Input leading to interesting outcomes