Increasingly, retail and hospitality applications are under attack by malicious threat actors exploiting web vulnerabilities. Thankfully, there’s a huge community of talented and tenacious ethical hackers who specialize in the retail and hospitality industries and can bring that expertise to your organization’s security. Thousands of the world’s most influential brands — including Hyatt, Beiersdorf, A.S. Watson, Delivery Hero, Mercado Libre, and Starbucks — trust hackers to deliver impactful findings and vulnerabilities.
Hackers Focused on Retail and Hospitality
According to the 7th Annual Hacker-Powered Security Report: Retail, Hospitality, and Entertainment Edition, retail platforms remain popular as targets for ethical hackers, with 48% of hackers spending time on them, but this is a decrease from 54% in 2022. Meanwhile, travel and hospitality sees 32% of hackers spending time on their programs. See how retail and hospitality compare to other industries hackers are focused on.
How Much Can You Expect to Pay for a Bug?
The median price of a bug on the HackerOne platform is $500, up from $400 in 2022. The average bounty in the 90th percentile is up from $2,500 to $3,000. Retail has seen a bigger increase in average bounties than travel and hospitality, with the top bounty in this industry having increased from $2,000 to $3,000. Bounties in travel and hospitality are significantly lower than in retail brands, as this sector is more conservative and not as mature when it comes to bug bounty implementation.
The Most Common Vulnerabilities in Retail and Hospitality
We’ve taken a look at the top ten vulnerabilities reported on the HackerOne platform across all HackerOne products and calculated what percentage of the total reports is attributable to each vulnerability type. And we’ve cross-referenced that by industry so you can see how your industry compares to the platform average when it comes to types of vulnerability reports received.
Cross-site scripting (XSS)—the largest category overall—is broken out into its different subtypes, so improper access control is the number-one vulnerability on the list, comprising 13% of all valid vulnerabilities reported through the HackerOne platform. In the chart below, you can see the areas in which retail and hospitality fall above or below the average in comparison to other industries.
Fixing Bugs and Measuring Success
Recently, we’ve seen a significant 28% improvement in the time it takes to remediate a vulnerability once reported—from an average of 35.5 days down to 25.5 days. Retail has seen the biggest improvement in time-to-remediate, with a 50% improvement since 2022. Travel and hospitality has also seen an improvement of 37%.
Retail Diagnosis
Retail businesses are typically using new systems and are constantly refreshing them. We see fewer improper access control vulnerabilities than the average because there is less nuance in their authentication mechanisms than in more compliance-driven industries: a straightforward login to an account. Information disclosure and cross-site scripting appear in higher volumes, and the overall number of vulnerabilities is high because there are a lot of parallels between retail sites, so testing one will be very similar to testing the next—meaning it’s easy to replicate methods across hundreds of sites.
Hospitality Diagnosis
The higher-than-average volume of cross-site scripting reports for travel and hospitality businesses is attributable to their huge attack surfaces. Frequent mergers and acquisitions in this industry add to an existing attack surface, and it’s not uncommon for each hotel property to have its own web presence. Findings for information disclosure and IDOR (insecure direct object reference) are also higher because this industry has a strong customer loyalty focus, so ensuring customer data is secure is a particular priority.
Leveling Up Retail and Hospitality Security With Hackers
While there have been considerable security improvements in both retail and hospitality, these industries continue to expand their attack surfaces and increase exploitable risks throughout their assets. HackerOne’s community of ethical hackers is at the ready, specializing in retail and hospitality bugs and prepared to deliver impactful findings. To learn more, contact the experts at HackerOne.