6 Cross-Site Scripting

Let’s start with cross-site scripting (XSS), one of the most common bugs reported to bug bounty programs. It’s so prevalent that, year after year, it shows up in OWASP’s list of the top 10 vulnerabilities threatening web applications. It’s also HackerOne’s most reported vulnerability, with more than $4 million paid out in 2020 alone.

An XSS vulnerability occurs when attackers can execute custom scripts on a victim’s browser. If an application fails to distinguish between user input and the legitimate code that makes up a web page, attackers can inject their own code into pages viewed by other users. The victim’s browser ...
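The failure described above, where an application does not distinguish user input from the page's own code, shown next to an output-encoding fix. This is an added example, not code from the book; the function names and sample inputs are constructed for illustration.

```javascript
// Added example: hypothetical helper names, constructed inputs.

// Vulnerable: user input is concatenated straight into markup, so the
// browser cannot tell it apart from the page's own code.
function renderCommentUnsafe(comment) {
  return '<div class="comment">' + comment + '</div>';
}

// Encode the characters that are significant in HTML text and quoted
// attribute values. This does not make input safe inside <script>
// blocks or URL attributes; those contexts need their own encoding.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Hardened: the same template, with input encoded before insertion.
function renderCommentSafe(comment) {
  return '<div class="comment">' + escapeHtml(comment) + '</div>';
}

// Rough count of opening tags in a markup string (a regex
// approximation that is good enough for a regression test).
function countOpeningTags(markup) {
  return (markup.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Regression check: a renderer is injectable if user input changes
// the number of elements compared with rendering an empty string.
function inputChangedStructure(render, input) {
  return countOpeningTags(render(input)) !== countOpeningTags(render(''));
}

// Constructed sample inputs.
const benign = 'Nice post & thanks!';
const injected = '<script>alert(1)</script>';

for (const [name, render] of [['unsafe', renderCommentUnsafe],
                              ['safe', renderCommentSafe]]) {
  console.log(name, 'benign  ->', inputChangedStructure(render, benign));
  console.log(name, 'injected ->', inputChangedStructure(render, injected));
}
```

A check like `inputChangedStructure` fits in a unit test suite to catch templates that stop encoding their input.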
