<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0" xml:base="https://www.hackerone.com/">
  <channel>
    <title>Research</title>
    <link>https://www.hackerone.com/</link>
    <description/>
    <language>en</language>
    
    <item>
  <title>A New Approach to Proving Cybersecurity Value (That Isn’t ROI)</title>
  <link>https://www.hackerone.com/blog/new-approach-proving-cybersecurity-value</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">A New Approach to Proving Cybersecurity Value (That Isn’t ROI)</span>
Naz Bozdemir, Senior Product Manager
<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>joseph@hackerone.com</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Thu, 02/27/2025 - 08:13</span>
February 14th, 2025
<p>Over the past 8 months, <a href="https://www.linkedin.com/in/hakluke?miniProfileUrn=urn%3Ali%3Afs_miniProfile%3AACoAACcK9ewBCyIzphohk027wOvn6V6sdXUpumo">Luke (hakluke) Stephens</a> and I have spoken with 10 security executives, surveyed over 550 security professionals, and incorporated insights from HackerOne’s CISO Advisory Board. One challenge came up repeatedly in our conversations: security leaders need a better way to measure and justify their investments—one that accounts for the financial impact of mitigated risks.</p>
<p>In this blog, we are excited to <a href="https://www.hackerone.com/press-release/hackerone-introduces-new-cybersecurity-investment-metric-security-leaders-question">announce our white paper on Return on Mitigation (RoM)</a>, a framework we designed to quantify the financial impact of security programs in a way that speaks to business leaders.</p>
<h3><strong>Why traditional ROI falls short in cybersecurity</strong></h3>
<p>Organizations that apply traditional ROI models to cybersecurity often focus on cost-cutting measures such as reducing headcount or operational expenses. This approach fails to account for security’s primary function: risk reduction and breach prevention.</p>
<p>As one CISO put it in our research:</p>
<p>“Security is often viewed as a cost center, not a revenue driver. ROI doesn’t work because you can’t always show direct returns—it’s about preventing damage, not generating income.”</p>
<p>By nature, security efforts protect revenue, brand reputation, and operational continuity by preventing financial losses rather than generating direct profit. Yet these benefits are often difficult to quantify, which makes them harder to justify through traditional financial models.</p>
<h2><strong>Introducing the Return on Mitigation (RoM) framework</strong></h2>
<p>RoM offers a new way to justify cybersecurity spending by reframing security investments as money spent to avoid future losses—much like an insurance policy.</p>
<p>Instead of measuring revenue gained, RoM calculates mitigated losses. Instead of asking, “What revenue did this investment generate?” RoM asks, “What losses did we prevent by investing in cybersecurity measures?”</p>
<p>It does this by factoring in:</p>
<ul><li>The cost of a breach, using benchmarks such as <a href="https://www.ibm.com/reports/data-breach">IBM’s Cost of a Data Breach Report</a></li><li>The likelihood of exploitation, based on real-world vulnerability data we modeled on <a href="https://www.verizon.com/business/en-gb/resources/reports/2024/dbir/2024-dbir-data-breach-investigations-report.pdf">Verizon’s Data Breach Investigations Report</a></li><li>The cost of mitigation, including program investments and remediation efforts</li></ul>
<p>By replacing traditional ROI’s “net profit” with “avoided losses,” RoM can concretely quantify cybersecurity’s financial impact.</p>
<h3><strong>The RoM Calculator: A practical tool for security leaders</strong></h3>
<p>One of the biggest takeaways from our research was that security leaders need more than theory—they need tools and models to run these calculations in real-world scenarios.</p>
<p>The RoM calculator we developed in this study, the first of its kind, combines security program results, the likelihood of exploitation (expressed as an Exploitation Likelihood Score, or ELS), and industry benchmarks to calculate total mitigation savings. It gives organizations defensible metrics for demonstrating the value of their security programs.</p>
<p>Over the last 2 months I have run countless real-world calculations for HackerOne customers to measure the financial impact of their security programs. Each time, the results confirm the same point:</p>
<p>With RoM, it is now possible to demonstrate how every dollar spent on proactive security directly protects the bottom line.</p>
<p>A security leader at a global financial infrastructure provider describes it best:</p>
<p>“RoM allows me to justify a $300,000 investment against a potential $5 million critical breach. With this metric, I can show how mitigating vulnerabilities through continuous security testing prevents costly breaches and justifies spending.”</p>
<p>While the advanced RoM calculator is available to customers, we have also developed a <a href="https://www.hackerone.com/info/return-mitigation-calculator">light version</a> that allows anyone to explore the concept and run their own calculations using high- and critical-severity findings.</p>
<h3><strong>HackerOne customers can run RoM calculations in real time</strong></h3>
<p>The RoM framework is now available to HackerOne customers, who can use the RoM calculator to measure their security investments in real financial terms.</p>
<p>With the <a href="https://www.hackerone.com/hai-your-hackerone-ai-copilot">HackerOne AI Copilot, Hai</a>, customers can automate RoM calculations on every vulnerability submitted to the HackerOne platform. This means customers can instantly assess the potential financial impact of each vulnerability and prioritize mitigation efforts based on real risk data. By incorporating program history, industry benchmarks, and other key factors—such as assigned CVSS, CVE, or EPSS figures—we bring multiple dimensions into the analysis and make its assumptions as realistic, defensible, and actionable as possible, all within the HackerOne platform.</p>
<p>And that’s just the beginning!</p>
<h3><strong>The future of RoM and how you can contribute</strong></h3>
<p>RoM provides security teams with a clear, quantifiable way to demonstrate their impact, making it easier to secure buy-in, budgets, and long-term investment in proactive security measures. However, for RoM to become a widely adopted industry standard, we need ongoing input from security professionals.</p>
<p>We’re actively refining RoM to ensure it remains a practical, defensible, and actionable framework for security investment justification. If you’d like to test the RoM calculator and provide feedback on how we can improve it, <a href="https://www.hackerone.com/contact">contact us</a> (or message me on <a href="https://www.linkedin.com/in/nazbozdemir/">LinkedIn</a>)—we’d love your insights.</p>
<p>To learn more, you can read the <a href="https://ma.hacker.one/rom-whitepaper-2025.html">full white paper</a> and join HackerOne’s webinar, “<a href="https://ma.hacker.one/return-on-mitigation-workshop-2025.html">Quantify the Financial Impact of Cybersecurity with Return on Mitigation</a>,” on March 12, 2025. In this webinar, we’ll discuss real-world applications of RoM and how you can use it in your organization!</p>
<a href="https://www.hackerone.com/blog/topic/return-mitigation" hreflang="en">Return on Mitigation</a>
<a href="https://www.hackerone.com/blog/topic/research" hreflang="en">Research</a>
<a href="https://www.hackerone.com/blog/topic/best-practices" hreflang="en">Best Practices</a>
<p><a href="https://www.hackerone.com/blog/roi-isnt-cutting-it-6-questions-help-cisos-better-quantify-security-investments"><em>How do you justify a cybersecurity investment?</em></a> It’s a question every security leader struggles with. The problem is that the traditional Return on Investment (ROI) model simply doesn’t work in cybersecurity. Unlike traditional investments that generate direct revenue, security spending is all about risk reduction, breach prevention, and avoiding financial losses.</p><p dir="ltr"><em>But how do you quantify the value of something that hasn’t happened?</em></p>
      ]]></description>
  <pubDate>Thu, 27 Feb 2025 14:13:28 +0000</pubDate>
    <dc:creator>joseph@hackerone.com</dc:creator>
    <guid isPermaLink="false">5560 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>Top 5 Takeaways from the 2021 Hacker-Powered Security Report: Industry Insights</title>
  <link>https://www.hackerone.com/blog/top-5-takeaways-2021-hacker-powered-security-report-industry-insights</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">Top 5 Takeaways from the 2021 Hacker-Powered Security Report: Industry Insights</span>
H1 Team
<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Tue, 12/21/2021 - 11:22</span>
December 21st, 2021
<p>For the fifth year in a row, HackerOne has published a report that draws insights from the world’s largest database of vulnerabilities and bug bounty customer programs. Here are the top five findings:</p>
<ol><li>The adoption of ethical hacker programs is growing across all industries, with a 34% increase in total customer programs in 2021. The traditionally conservative industries of financial services and government continue to lead in the adoption of these testing programs, with a 62% increase in financial services programs and an 89% increase in government programs, led this year by the UK’s Ministry of Defence and Singapore’s GovTech agency.</li><li>Hackers reported 21% more vulnerabilities in 2021 than in 2020. While traditional bug bounty saw a 10% increase in valid vulnerability reports, Vulnerability Disclosure Programs (VDPs) saw a 47% increase, and reports from hacker-powered pentests rose by 264%.</li><li>The median price of a critical bug rose 20%, from $2,500 in 2020 to $3,000 in 2021. The average bounty price for a critical bug rose by 13%, and by 30% for a high-severity bug.</li><li>In the past year, the industry-wide median time to resolution fell by 19%, from 33 days to 26.7 days, with some industries such as retail and e-commerce seeing time to remediation drop by more than 50%.</li><li>The most frequently discovered bug on HackerOne continues to be Cross-Site Scripting, but other bug categories have seen a significant increase since 2020. Information Disclosure saw a 58% increase in valid reports and Business Logic Errors had a 67% increase, earning them a spot on the HackerOne Top 10 for the first time.</li></ol>
<p>Join HackerOne’s new CISO, Chris Evans, to delve into the findings of the report at a free webinar where you’ll discover the fastest-growing vulnerability categories, how bounty prices are changing year over year, and which industries are fastest to fix. Read the full 2021 Hacker-Powered Security Report: Industry Insights <a href="https://www.hackerone.com/5th-hacker-powered-security-report">here</a>.</p>
<a href="https://www.hackerone.com/blog/topic/research" hreflang="en">Research</a>
]]></description>
  <pubDate>Tue, 21 Dec 2021 17:22:41 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5126 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>Organizations Paid Hackers $23.5 Million for These 10 Vulnerabilities in One Year</title>
  <link>https://www.hackerone.com/blog/organizations-paid-hackers-235-million-these-10-vulnerabilities-one-year-1</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">Organizations Paid Hackers $23.5 Million for These 10 Vulnerabilities in One Year</span>
H1 Team
<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Thu, 10/29/2020 - 08:00</span>
October 29th, 2020
<p>In times of uncertainty, security becomes an ever more pressing priority. The stakes are high: organizations are more reliant on technology than ever, and anyone relying on technology can lose everything in a data breach. But some of the most recent vulnerabilities have one thing in common: they were discovered and reported by friendly hackers who can think like attackers.</p>
<p>“This year, organizations worldwide were forced to go digital with their product offerings and services,” said HackerOne Senior Director of Product Management Miju Han. “Businesses scrambled to find new revenue streams, creating digital offerings for customers whose lifestyles had dramatically changed. Tens of millions of workers started working remotely whether or not they were ready. With this accelerated pace of digital transformation, CISOs had to quickly facilitate new needs while ensuring the security of existing systems. Faced with these obstacles, security leaders have gained newfound appreciation for hacker-powered security as a nimble, scalable, and cost-effective solution to augment their own resources and offer a pay-for-results approach that’s more justifiable under tightened budgets.”</p>
<p>HackerOne maintains the most authoritative database of vulnerabilities in the industry. With over 200,000 valid vulnerabilities found by hackers, HackerOne analyzed this data to glean insights from the top 10 most impactful and rewarded vulnerability types.</p>
<p>HackerOne’s Top 10 Most Impactful and Rewarded Vulnerability Types of 2020, in descending order, are:</p>
<ol><li>Cross-site Scripting (XSS)</li><li>Improper Access Control</li><li>Information Disclosure</li><li>Server-Side Request Forgery (SSRF)</li><li>Insecure Direct Object Reference (IDOR)</li><li>Privilege Escalation</li><li>SQL Injection</li><li>Improper Authentication</li><li>Code Injection</li><li>Cross-Site Request Forgery (CSRF)</li></ol>
<p>Taking a closer look at this year’s top ten in comparison to the <a href="https://www.hackerone.com/application-security/hacker-powered-data-security-weaknesses-and-embracing-risk-hackerone">2019</a> top ten vulnerabilities, key findings include:</p>
<ul><li><strong>Cross-site Scripting</strong> vulnerabilities continue to be a major threat to web applications, as attackers exploiting XSS can take control of a user’s account and steal personal information such as passwords, bank account numbers, credit card details, personally identifiable information (PII), social security numbers, and more. The most awarded vulnerability two years running, XSS vulnerabilities cost organizations US$4.2 million in total bounty awards, up 26% from the previous year. These bugs account for 18% of all reported vulnerabilities, but the average bounty award is just US$501. With the average bounty for a critical vulnerability being $3,650, this means organizations are mitigating this common, potentially painful bug on the cheap.</li><li><strong>Improper Access Control</strong> (up from ninth place in 2019) and <strong>Information Disclosure</strong> (still holding the third spot) remain common. Awards for Improper Access Control increased 134% year over year to just over US$4 million. Information Disclosure was not far behind, increasing 63% year over year. Access control design decisions have to be made by humans, not technology, so the potential for error is high, and both classes of weakness are nearly impossible to detect with automated tools.</li><li><strong>SSRF</strong> vulnerabilities, which can be exploited to target internal systems behind firewalls, highlight the risk of cloud migrations. Previously, SSRF bugs were fairly benign and held seventh place, as they only allowed internal network scanning and sometimes access to internal admin panels. But in this era of rapid digital transformation, the advent of cloud architecture and unprotected metadata endpoints has made these vulnerabilities increasingly critical.</li><li><strong>SQL Injection</strong> is dropping year over year. Considered one of the worst threats to web application security by OWASP and others, SQL injection attacks can be devastating in scale, as sensitive data, including business information, intellectual property, and critical customer data, is stored on database servers susceptible to these attacks. In years past, SQL injection was one of the most common vulnerability types. However, our data indicate that it has been dropping year over year, from fifth in 2019 to seventh in 2020. By shifting security left, organizations are leveraging hackers and other methods to proactively monitor attack surfaces and prevent bugs from entering code.</li></ul>
<p>“Finding the most common vulnerability types is inexpensive,” Han continued. “Of the top 10 most awarded weakness types, only Improper Access Control, Server-Side Request Forgery (SSRF), and Information Disclosure saw their average bounty awards rise more than 10%. The others fell in average value or were nearly flat. Unlike traditional security tools and methods, which become more expensive and cumbersome as goals change and attack surface expands, hacker-powered security is actually more cost-effective as time goes on. With hackers, it’s becoming less expensive to prevent bad actors from exploiting the most common bugs.”</p>
<p>For the full HackerOne Top 10 Most Impactful and Rewarded Vulnerability Types - 2020 Edition, please visit <a href="https://www.hackerone.com/top-ten-vulnerabilities">https://www.hackerone.com/top-ten-vulnerabilities</a>.</p>
<p><strong>About HackerOne</strong><br>HackerOne empowers the world to build a safer internet. As the world’s most trusted hacker-powered security platform, HackerOne gives organizations access to the largest community of hackers on the planet. Armed with the most robust database of vulnerability trends and industry benchmarks, the hacker community mitigates cyber risk by searching for, finding, and safely reporting real-world security weaknesses for organizations across all industries and attack surfaces. Customers include The U.S. Department of Defense, Dropbox, General Motors, GitHub, Goldman Sachs, Google, Hyatt, Intel, Lufthansa, Microsoft, MINDEF Singapore, Nintendo, PayPal, Qualcomm, Slack, Starbucks, Twitter, and Verizon Media. HackerOne was ranked fifth on the Fast Company World’s Most Innovative Companies list for 2020. Headquartered in San Francisco, HackerOne has a presence in London, New York, the Netherlands, France, Singapore, and over 70 other locations across the globe.</p>
<p><strong>Methodology</strong><br>This edition of the HackerOne Top 10 Most Impactful and Rewarded Vulnerability Types was based on HackerOne’s proprietary data examining security weaknesses resolved on the HackerOne platform between May 2019 and April 2020. Vulnerabilities included here were reported by the hacker community through vulnerability disclosures and public and private bounty programs. All vulnerability classifications were made or confirmed by HackerOne customers, including weakness type, impact, and severity.</p>
<p>Note: The <a href="https://www.hackerone.com/vulnerability-management/introducing-cwe-based-weaknesses">vulnerability rating taxonomy</a>, which HackerOne maps to the industry-standard Common Weakness Enumeration, is used by HackerOne customers and hackers to categorize reported vulnerabilities. Data presented here is from May 2019 through April 2020.</p>
<a href="https://www.hackerone.com/blog/topic/research" hreflang="en">Research</a>
]]></description>
  <pubDate>Thu, 29 Oct 2020 13:00:00 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">5018 at https://www.hackerone.com</guid>
    </item>

  </channel>
</rss>
