The HackerOne Top 10 Most Impactful and Rewarded Vulnerability Types – 2020 Edition
As a security leader, you’re responsible for a constantly evolving attack surface. The past year has changed the role of the CISO, making it tougher to navigate your operating environment. Distributed decision-making has expanded the volume and variety of risks you must confront, regulators are approaching data privacy with greater scrutiny, and executive teams and boards of directors are starting to think about how information risk impacts strategic planning.
Today's CISO must think about:

Security leaders are looking for creative ways to meet these demands.
Vulnerability disclosure policies (VDPs) have emerged as a powerful solution. VDPs quickly establish a process for receiving vulnerability reports from hackers and security researchers. But what are the hackers finding? How are they changing the security landscape? And what do security leaders need to know?
HackerOne maintains the most authoritative database of vulnerabilities in the industry. We’re here to help you make smarter decisions about vulnerability mitigation and remediation, and to empower you to allocate your resources efficiently.
To that end, we’re providing a list of the top 10 vulnerability types as indicated by bounty awards and customer impact to help you understand the most common, formidable security risks you’re facing.

And for a comprehensive look at the data behind this snapshot, read The 4th Hacker-Powered Security Report.
Key Takeaways
The Big Picture
Security vulnerabilities are a reality of modern technology. Fortunately for us, hackers are too. This list highlights that hackers are helping mitigate the most serious risks to your business.
Total bounty amount by weakness type
Rank | Weakness type | Total bounty amount | Year-over-year change
---|---|---|---
1 | XSS | $4,211,006 | 26%
2 | Improper Access Control - Generic | $4,013,316 | 134%
3 | Information Disclosure | $3,520,801 | 63%
4 | Server-Side Request Forgery (SSRF) | $2,995,755 | 103%
5 | Insecure Direct Object Reference (IDOR) | $2,264,833 | 70%
6 | Privilege Escalation | $2,017,592 | 48%
7 | SQL Injection | $1,437,341 | 40%
8 | Improper Authentication - Generic | $1,371,863 | 36%
9 | Code Injection | $982,247 | -7%
10 | Cross-Site Request Forgery (CSRF) | $662,751 | -34%
Average bounty payout per industry for critical vulnerabilities
Methodology
This edition of the HackerOne Top 10 Most Impactful and Rewarded Vulnerability Types was based on HackerOne’s proprietary data examining security weaknesses resolved on the HackerOne platform between May 2019 and April 2020. Vulnerabilities included here were reported by the hacker community through vulnerability disclosures and public and private bounty programs. All vulnerability classifications were made or confirmed by HackerOne customers, including weakness type, impact, and severity.
Note: The vulnerability rating taxonomy, which HackerOne maps to the industry standard Common Weakness Enumeration, is used by HackerOne customers and hackers to categorize reported vulnerabilities. Data presented here is from May 2019 through April 2020.