Top Ten Vulnerabilities

The HackerOne Top 10 Vulnerability Types

HackerOne has been measuring the top ten vulnerabilities reported on our platform for eight years. Despite the investment in security, and industry calls for better security practices earlier in the software development life cycle (SDLC), we see steady increases in vulnerability reports year over year, and most industries are still seeing the most common vulnerabilities reported again and again.

Today's CISO must think about:

  • Functional leadership: Can we handle and mitigate breaches, incidents and crises?
  • Secure generative AI and LLMs: Are we protected in a new era of AI vulnerabilities?
  • Scaling governance, risk and compliance: Are we meeting regulatory standards?
  • Responsiveness and agility: Are we leveraging information risk to make decisions?

Top 10 vulnerabilities 2024/25

The top 10 vulnerabilities need to change.

Valid vulnerabilities on the HackerOne Platform have jumped 12% over the past year, with 78,042 valid issues found across 1,300+ customer programs. While organizations are making efforts to reduce vulnerability reports by identifying trends and putting measures in place to catch them earlier in development, we do expect vulnerability reports to keep rising as more organizations embrace human-led security.

The good news? Reports for the three most common vulnerabilities are all down by a small percentage platform-wide since 2023, with reports for cross-site scripting down 10%, suggesting that some of the tactics to reduce common vulnerabilities are having an impact.

HackerOne data shows that the top ten vulnerabilities reported to customer programs are common and mostly preventable with proactive measures. Catching these issues early in the SDLC can significantly cut down on bounty costs.


Get the Hacker-Powered Security Report

To see how your industry stacks up against the average for these vulnerabilities, read the 8th Annual Hacker-Powered Security Report.

Key Takeaways

1. The Big Picture

Security vulnerabilities are a reality of modern technology. Fortunately, security researchers are, too. This list highlights that hackers are helping mitigate the most serious risks to your business.

Bugs Surfaced: Bug Bounty vs. Pentest

Bug bounty programs focus on real-world attack vectors and user-level issues like business logic flaws, privilege escalation, and open redirects. Pentests, on the other hand, uncover more systemic or architectural vulnerabilities, such as components with known vulnerabilities, cryptographic weaknesses, or secure design violations.

On average, each HackerOne pentest uncovers 12 vulnerabilities, with 16% of reports classified as high or critical. Paired with HackerOne’s bug bounty programs, which report an average of 25% high or critical issues, pentesting provides a robust solution for identifying security gaps and ensuring comprehensive coverage.

Figure: Top 10 vulnerabilities surfaced for pentest and bug bounty

Learn more in the Hacker-Powered Security Report

This 8th Annual Hacker-Powered Security Report compiles insights, data, and analysis from customers, security researchers, and HackerOne’s comprehensive vulnerability database. The insights are gathered from:

  • Aggregated, anonymized data from the HackerOne Platform, made up of over 500,000 valid vulnerability reports.
  • Our annual survey of 2,000+ highly skilled and active members of the security researcher community, covering topics ranging from the time they dedicate to hacking to their views on AI regulations. The respondents reflect the diversity of location, experience, expertise, and age that defines HackerOne’s global community of security researchers.
  • Our annual survey of 50 customers, representing a range of organizational sizes, structures, and industries.
  • A survey, conducted in partnership with Opinion Matters, of 500 security leaders globally about their approach to cybersecurity challenges.
