
Top Ten Vulnerabilities

The HackerOne Top 10 Most Impactful and Rewarded Vulnerability Types – 2020 Edition

As a security leader, you’re responsible for a constantly evolving attack surface. The past year has changed the role of the CISO, making it tougher to navigate your operating environment. Distributed decision-making has expanded the volume and variety of risks you must confront, regulators are approaching data privacy with greater scrutiny, and executive teams and boards of directors are starting to think about how information risk impacts strategic planning.

Today's CISO must think about:

Security leaders are looking for creative ways to meet these demands.

Vulnerability disclosure policies (VDPs) have emerged as a powerful solution. VDPs quickly establish a process for receiving vulnerability reports from hackers and security researchers. But what are the hackers finding? How are they changing the security landscape? And what do security leaders need to know?

HackerOne maintains the most authoritative database of vulnerabilities in the industry. We’re here to help you make smarter decisions about vulnerability mitigation and remediation, and to empower you to allocate your resources efficiently.

To that end, we’re providing a list of the top 10 vulnerability types as indicated by bounty awards and customer impact to help you understand the most common, formidable security risks you’re facing.


And for a comprehensive look at the data behind this snapshot, read The 4th Hacker-Powered Security Report.

The Big Picture

Security vulnerabilities are a reality of modern technology. Fortunately for us, hackers are too. This list highlights that hackers are helping mitigate the most serious risks to your business.

Total bounty amount by weakness type

Rank  Weakness type                              Bounties total (financial rewards)  YOY % change
1     XSS                                        $4,211,006                          26%
2     Improper Access Control - Generic          $4,013,316                          134%
3     Information Disclosure                     $3,520,801                          63%
4     Server-Side Request Forgery (SSRF)         $2,995,755                          103%
5     Insecure Direct Object Reference (IDOR)    $2,264,833                          70%
6     Privilege Escalation                       $2,017,592                          48%
7     SQL Injection                              $1,437,341                          40%
8     Improper Authentication - Generic          $1,371,863                          36%
9     Code Injection                             $982,247                            -7%
10    Cross-Site Request Forgery (CSRF)          $662,751                            -34%

Chart: Average bounty payout per industry for critical vulnerabilities

Methodology

This edition of the HackerOne Top 10 Most Impactful and Rewarded Vulnerability Types was based on HackerOne’s proprietary data examining security weaknesses resolved on the HackerOne platform between May 2019 and April 2020. Vulnerabilities included here were reported by the hacker community through vulnerability disclosures and public and private bounty programs. All vulnerability classifications were made or confirmed by HackerOne customers, including weakness type, impact, and severity.

Note: The vulnerability rating taxonomy, which HackerOne maps to the industry standard Common Weakness Enumeration, is used by HackerOne customers and hackers to categorize reported vulnerabilities. Data presented here is from May 2019 through April 2020.
