The HackerOne Top 10 Most Impactful and Rewarded Vulnerability Types – 2020 Edition
As a security leader, you’re responsible for a constantly evolving attack surface. The past year has changed the role of the CISO, making it tougher to navigate your operating environment. Distributed decision-making has expanded the volume and variety of risks you must confront, regulators are approaching data privacy with greater scrutiny, and executive teams and boards of directors are starting to think about how information risk impacts strategic planning.
Today’s CISO must think about:
- Functional leadership - Can we handle and mitigate breaches, incidents, and crises?
- Information security service delivery - Are we meeting deadlines?
- Scaling governance, risk, and compliance - Are we meeting regulatory standards?
- Responsiveness and agility - Are we leveraging information risk to make decisions?
Security leaders are looking for creative ways to meet these demands. Vulnerability disclosure policies (VDPs) have emerged as a powerful solution. VDPs quickly establish a process for receiving vulnerability reports from hackers and security researchers. But what are the hackers finding? How are they changing the security landscape? And what do security leaders need to know?
HackerOne maintains the most authoritative database of vulnerabilities in the industry. We’re here to help you make smarter decisions about vulnerability mitigation and remediation, and to empower you to allocate your resources efficiently.
To that end, we’re providing a list of the top 10 vulnerability types as indicated by bounty awards and customer impact to help you understand the most common, formidable security risks you’re facing.
And for a comprehensive look at the data behind this snapshot, read The 4th Hacker-Powered Security Report.
The Big Picture
Security vulnerabilities are a reality of modern technology. Fortunately for us, hackers are too. This list highlights that hackers are helping mitigate the most serious risks to your business.
Total bounty amount by weakness type
| Rank | Weakness type | Total bounty rewards | YoY % change |
|---|---|---|---|
| 2 | Improper Access Control - Generic | $4,013,316 | 134% |
| 4 | Server-Side Request Forgery (SSRF) | $2,995,755 | 103% |
| 5 | Insecure Direct Object Reference (IDOR) | $2,264,833 | 70% |
| 8 | Improper Authentication - Generic | $1,371,863 | 36% |
| 10 | Cross-Site Request Forgery (CSRF) | $662,751 | -34% |
Average bounty payout per industry for critical vulnerabilities
This edition of the HackerOne Top 10 Most Impactful and Rewarded Vulnerability Types was based on HackerOne’s proprietary data examining security weaknesses resolved on the HackerOne platform between May 2019 and April 2020. Vulnerabilities included here were reported by the hacker community through vulnerability disclosures and public and private bounty programs. All vulnerability classifications were made or confirmed by HackerOne customers, including weakness type, impact, and severity.
Note: The vulnerability rating taxonomy, which HackerOne maps to the industry standard Common Weakness Enumeration, is used by HackerOne customers and hackers to categorize reported vulnerabilities. Data presented here is from May 2019 through April 2020.
Strengthen Your Security Posture
Reduce your company’s risk of security vulnerabilities and tap into the world’s largest community of security hackers. Contact us today to see which program is the right fit.