The common mistakes that these bug bounty hunters find usually involve basic configuration errors or missing best practices. When going for more severe bugs, standard classes like Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) are not uncommon.
Most development frameworks take care of basic XSS and CSRF issues. The hunters have also noticed a decrease in SQL injection bugs, which can be attributed to ORMs and prepared statements doing a good job of preventing SQL injection in websites and tools.
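To make the point about prepared statements concrete, here is a small Python example (added for this article; it is not code from the hunters quoted or from any bounty platform) that runs the same lookup two ways against a constructed in-memory SQLite table. The concatenated version hands user input to the SQL parser as part of the statement, so a name containing a quote character breaks the query; the parameterized version sends the value separately and handles it correctly.

```python
import sqlite3

# Constructed sample data for the demonstration, not from the article.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("O'Brien", "obrien@example.com")],
    )
    return conn

def find_user_concat(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable pattern: the input is spliced into the SQL text, so the
    # database parser treats it as part of the statement rather than as data.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_user_param(conn: sqlite3.Connection, name: str) -> list:
    # Hardened pattern (prepared statement): the value travels separately from
    # the statement, so quotes or keywords inside it are never parsed as SQL.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def demo() -> dict:
    """Run both lookups for a plain name and for one containing a quote."""
    conn = make_db()
    results = {}
    for name in ("alice", "O'Brien"):
        try:
            results[("concat", name)] = find_user_concat(conn, name)
        except sqlite3.OperationalError as exc:
            # The quote in the name changed the statement's structure.
            results[("concat", name)] = f"error: {exc}"
        results[("param", name)] = find_user_param(conn, name)
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The syntax error on the concatenated query is the tell: any input that can alter the statement's structure by accident can also alter it on purpose, which is exactly the class of bug that ORMs and prepared statements remove. Logging database syntax errors that originate from request parameters is a cheap detection signal for the concatenation pattern in legacy code.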
"Security is about practice. Try and try again, and keep trying, and keep learning new things," Singer added. "I see some researchers jump in headfirst and try to hack everything in sight. Best of luck to them, but in reality it is not that simple."
The bug bounty hunters cautioned against going it alone to find vulnerabilities before getting approval from the site owner. Sites like Bugcrowd can help set up the legal documentation that protects the bounty hunters.