Four hackers

Today’s Ciso Must think about:

  • Functional leadership - Can we handle and mitigate breaches, incidents, and crises?
  • Information security service delivery - Are we meeting deadlines?
  • Scaling governance, risk, and compliance - Are we meeting regulatory standards?
  • Responsiveness and agility - Are we leveraging information risk to make decisions?

Security leaders are looking for creative ways to meet these demands. Vulnerability disclosure policies (VDPs) have emerged as a powerful solution. VDPs quickly establish a process for receiving vulnerability reports from hackers and security researchers. But what are the hackers finding? How are they changing the security landscape? And what do security leaders need to know?

HackerOne maintains the most authoritative database of vulnerabilities in the industry. We’re here to help you make smarter decisions about vulnerability mitigation and remediation, and to empower you to allocate your resources efficiently.

To that end, we’re providing a list of the top 10 vulnerability types as indicated by bounty awards and customer impact to help you understand the most common, formidable security risks you’re facing.

And for a comprehensive look at the data behind this snapshot, read The 4th Hacker-Powered Security Report.

Two hackers

Key Takeaways

  1. Organizations are using creative tools to cut down on XSS.

    Cross-site Scripting (XSS) continues to be the most awarded vulnerability type with US$4.2 million in total bounty awards, up 26% from the previous year.

    XSS vulnerabilities are extremely common and hard to eliminate, even for organizations with the most mature application security. XSS vulnerabilities are often embedded in code that can impact your production pipeline.

    These bugs account for 18% of all reported vulnerabilities, but the average bounty award is just US$501. That means organizations are mitigating this common, potentially painful bug on the cheap.

  2. Improper Access Control and Information Disclosure are Increasingly Common.

    Awards for Improper Access Control increased 134% year over year to just over US$4 million. Information Disclosure was not far behind, increasing 63% year over year.

    Both methods expose potentially sensitive data like personally identifiable information. While they range widely in criticality, they can be disastrous if sensitive customer or internal information is leaked by misconfigured permissions.

    These vulnerabilities are prevalent because they’re nearly impossible to detect using automated tools. Hacker-powered security provides a relatively inexpensive and extremely effective method for mitigating these vulnerabilities

  3. SSRF (Server Side Request Forgery) shows the risk of cloud migrations.

    An SSRF exploit that causes connections to external third-party systems might result in malicious onward attacks that appear to originate from the organization hosting the vulnerable application, leading to potential legal liabilities and reputational damage.

    Previously, SSRF bugs were fairly benign, as they only allowed internal network scanning and sometimes access to internal admin panels. But in this era of rapid digital transformation, the advent of cloud architecture and unprotected metadata endpoints has rendered these vulnerabilities increasingly critical.

    In fact, SSRF can lead to total compromise of the systems they’re found on and allow further access to the target’s cloud infrastructure.

    Thanks to VDP and bug bounty programs, organizations are increasingly able to find and mitigate these bugs before they can be exploited. Overall, organizations spent about USD$3 million mitigating SSRF last year — compared to the millions they would have needed to spend if an SSRF attack had been carried out by a bad actor.

  4. SQL Injection is dropping year-over-year.

    In years past, SQL injection was one of the most common vulnerability types. However, our data indicate that it’s been dropping year-over-year.

    Modern security frameworks and methods, including the central role of hackers, have rendered this bug nearly a thing of the past. SQL injection tends to occur when organizations aren’t monitoring which apps are mapped to a database and how they interface. By shifting security left, organizations are leveraging hackers and other methods to proactively monitor attack surfaces and prevent bugs from entering code.

  5. Finding the most common vulnerability types is inexpensive.

    Of the top 10 most awarded weakness types, only Improper Access Control, Server-Side Request Forgery (SSRF), and Information Disclosure saw their average bounty awards rise more than 10%. The others fell in average value or were nearly flat.

    Unlike traditional security tools and methods, which become more expensive and cumbersome as your goals change and your attack surface expands, hacker-powered security is actually more cost-effective as time goes on. With hackers, it’s becoming less expensive to prevent bad actors from exploiting the most common bugs.

The Big Picture

Security vulnerabilities are a reality of modern technology. Fortunately for us, hackers are too. This list highlights that hackers are helping mitigate the most serious risks to your business.

Total Bounty Amount by Weakness Type

Weakness Type Bounties Total Financial Rewards Amount YOY % Chage
1 XSS $4,211,006 26%
2 Improper Access Control - Generic $4,013,316 134%
3 Information Disclosure $3,520,801 63%
4 Server-Side Request Forgery (SSRF) $2,995,755 103%
5 Insecure Direct Object Reference (IDOR) $2,264,833 70%
6 Privilege Escalation $2,017,592 48%
7 SQL Injection $1,437,341 40%
8 Improper Authentication - Generic $1,371,863 36%
9 Code Injection $982,247 -7%
10 Cross-Site Request Forgery (CSRF) $662,751 -34%

Average Bounty Payout Per Industry For Critical Vulnerabilities


This edition of the HackerOne Top 10 Most Impactful and Rewarded Vulnerability Types was based on HackerOne’s proprietary data examining security weaknesses resolved on the HackerOne platform between May 2019 and April 2020. Vulnerabilities included here were reported by the hacker community through vulnerability disclosures and public and private bounty programs. All vulnerability classifications were made or confirmed by HackerOne customers, including weakness type, impact, and severity.

Note: The vulnerability rating taxonomy, which HackerOne maps to the industry standard Common Weakness Enumeration, is used by HackerOne customers and hackers to categorize reported vulnerabilities. Data presented here is from May 2019 through April 2020.

Seated hacker
Strengthen Your Security Posture

Reduce your company’s risk of security vulnerabilities and tap into the world’s largest community of security hackers. Contact us today to see which program is the right fit.

Contact Us