A good way of prioritising vulnerabilities is to see what market value is placed on finding them via bug bounty programs. Maybe this should be the way you choose what to fix first…:
Cross-site scripting (XSS) errors that allow attackers to inject malicious code into otherwise benign websites continue to be the most common web application vulnerability across organizations.
Bug bounty firm HackerOne recently analyzed data on more than 120,000 security vulnerabilities reported to organizations through the end of 2018 by the hacker community via public and private bug bounty programs. HackerOne’s customers classified the vulnerabilities and ranked the top 10 of them by impact, severity, and weakness type.
The analysis showed XSS to be the most common issue for most organizations, even though the threat is often downplayed because it does not always lead to large-scale information breaches,” says Miju Han, director of program management at HackerOne.
“Our data tells a different story because companies pay out for XSS far more than they do for any other vulnerability class,” Han says. In fact, of the $55 million that bug hunters in HackerOne’s program have earned so far in total, some $8 million has been from reporting XSS vulnerabilities alone, she says. “XSS is important for companies to guard against. XSS is here to stay,”