Skip to main content
Top Ten Vulnerabilities

The HackerOne Top 10 Most Impactful and Rewarded Vulnerability Types – 2020 Edition

As a security leader, you’re responsible for a constantly evolving attack surface. The past year has changed the role of the CISO, making it tougher to navigate your operating environment. Distributed decision-making has expanded the volume and variety of risks you must confront, regulators are approaching data privacy with greater scrutiny, and executive teams and boards of directors are starting to think about how information risk impacts strategic planning.

vulnerabilities four hackers

Today’s CISO must think about:

  • Functional leadership - Can we handle and mitigate breaches, incidents, and crises?
  • Information security service delivery - Are we meeting deadlines?
  • Scaling governance, risk, and compliance - Are we meeting regulatory standards?
  • Responsiveness and agility - Are we leveraging information risk to make decisions?
vulnerabilities two hackers

Security leaders are looking for creative ways to meet these demands. Vulnerability disclosure policies (VDPs) have emerged as a powerful solution. VDPs quickly establish a process for receiving vulnerability reports from hackers and security researchers. But what are the hackers finding? How are they changing the security landscape? And what do security leaders need to know?

HackerOne maintains the most authoritative database of vulnerabilities in the industry. We’re here to help you make smarter decisions about vulnerability mitigation and remediation, and to empower you to allocate your resources efficiently.

To that end, we’re providing a list of the top 10 vulnerability types as indicated by bounty awards and customer impact to help you understand the most common, formidable security risks you’re facing.

And for a comprehensive look at the data behind this snapshot, read The 4th Hacker-Powered Security Report.

Key Takeaways

The Big Picture

Security vulnerabilities are a reality of modern technology. Fortunately for us, hackers are too. This list highlights that hackers are helping mitigate the most serious risks to your business.

Total bounty amount by weakness type

Weakness type Bounties total financial rewards amount YOY % change
1 XSS $4,211,006 26%
2 Improper Access Control - Generic $4,013,316 134%
3 Information Disclosure $3,520,801 63%
4 Server-Side Request Forgery (SSRF) $2,995,755 103%
5 Insecure Direct Object Reference (IDOR) $2,264,833 70%
6 Privilege Escalation $2,017,592 48%
7 SQL Injection $1,437,341 40%
8 Improper Authentication - Generic $1,371,863 36%
9 Code Injection $982,247 -7%
10 Cross-Site Request Forgery (CSRF) $662,751 -34%

Average bounty payout per industry for critical vulnerabilities

vulnerability seated hacker


This edition of the HackerOne Top 10 Most Impactful and Rewarded Vulnerability Types was based on HackerOne’s proprietary data examining security weaknesses resolved on the HackerOne platform between May 2019 and April 2020. Vulnerabilities included here were reported by the hacker community through vulnerability disclosures and public and private bounty programs. All vulnerability classifications were made or confirmed by HackerOne customers, including weakness type, impact, and severity.

Note: The vulnerability rating taxonomy, which HackerOne maps to the industry standard Common Weakness Enumeration, is used by HackerOne customers and hackers to categorize reported vulnerabilities. Data presented here is from May 2019 through April 2020.

Strengthen Your Security Posture

Reduce your company’s risk of security vulnerabilities and tap into the world’s largest community of security hackers. Contact us today to see which program is the right fit.