Top Ten Vulnerabilities

The HackerOne Top 10 Vulnerability Types

As a security leader, you’re responsible for a constantly evolving attack surface. The past year has changed the role of the CISO, making it tougher to navigate your operating environment. Distributed decision-making has expanded the volume and variety of risks you must confront, regulators are approaching data privacy with greater scrutiny, and executive teams and boards of directors are starting to think about how information risk impacts strategic planning.

Today's CISO must think about:

Functional leadership

Can we handle and mitigate breaches, incidents and crises?

verified_user
Secure generative AI and LLMs

Are we protected in a new era of AI vulnerabilities?

lock
Scaling governance, risk and compliance

Are we meeting regulatory standards?

verified
Responsiveness and agility

Are we leveraging information risk to make decisions?

update
Top 10 vulnerabilities types

Security leaders are looking for creative ways to meet these demands.

Cybercrime continues to rise at the same time CISOs are being challenged to do more with less. In this climate, you're more at risk if you’re ignoring the benefits a huge community of talented and tenacious ethical hackers can bring to your organization's security. Thousands of the world's most influential brands trust hackers to deliver impactful findings and vulnerabilities.

The 7th Annual Hacker-Powered Security Report goes deeper than ever before, taking a more comprehensive look at the top ten vulnerabilities and how various industries are performing when it comes to incentivizing hackers to find the vulnerabilities that are most important to them.

This year’s Top Ten Vulnerabilities looks at what percentage of the total reports is attributable to each vulnerability type. And we’ve cross-referenced that by industry so you can see how your industry compares to the platform average when it comes to types of vulnerability reports received.

Cross-site scripting (XSS)—the largest category overall—is broken out into its different subtypes, so improper access control is the number-one vulnerability on the list, comprising 13% of all valid vulnerabilities reported through the HackerOne platform.

Get the Full Report

And for a comprehensive look at the data behind this snapshot, read the 7th Annual Hacker-Powered Security Report.

Download Now

Key Takeaways

1
Hackers can help secure AI.
Hackers can help secure AI.

5% of hackers say that generative Al (GenAI) tools themselves will become a major target for them in the coming years, and 61% said they plan to use and develop hacking tools using GenAl to find more vulnerabilities. Another 62% of hackers said they plan to specialize in the OWASP Top 10 for Large Language Models (LLMs).

Hackers are finding more high and critical bugs.
Hackers are finding more high and critical bugs.

Hackers are reporting 13% more critical bugs in 2023, and 15% more high-severity bugs. Critical or high-rated bugs make up 29% of valid bug bounty reports.

Different vulnerabilities have a greater impact on different industries.
Different vulnerabilities have a greater impact on different industries.

While improper access control is the most common vulnerability type across industries at 13%, it has a much greater impact on Telecommunications organizations, with improper access control making up 28% of vulnerability reports for the industry. How does your industry compare?

Incorporating code security audits and pentesting into your bug bounty strategy saves money.
Incorporating code security audits and pentesting into your bug bounty strategy saves money.

A code security audit could save you a potential $18,000 on your bounty program. We've seen a 54% increase in pentests since 2022, and a 16% increase in the number of vulnerabilities being surfaced by pentests, with 15% of vulnerabilities found being rated as high or critical severity.

The cost of a bug is increasing.
The cost of a bug is increasing.

The median cost of a bug on the HackerOne platform is $500, the average cost is $1,048, and the 90th percentile is $3,000.

The Big Picture

Security vulnerabilities are a reality of modern technology. Fortunately for us, hackers are too. This list highlights that hackers are helping mitigate the most serious risks to your business.

Download Now

Bugs Surfaced: Bug Bounty vs. Pentest

A penetration test (pentest), involves identifying and addressing vulnerabilities, similar to a bug bounty program, but a pentest often leans more toward ensuring an organization adheres to specific compliance and security standards. Bug bounty programs incentivize ethical hackers via monetary rewards for successfully discovering and reporting vulnerabilities or bugs to the application's developer. 


Do pentesting and bug bounties serve the same purpose or complement each other? While both approaches engage security researcher communities, their outcomes are distinct.

Top ten vulnerabilities surfaced in bug bounty
Top ten vulnerabilities surfaced in pentesting

Methodology

This edition of the HackerOne Top 10 Vulnerability Types was based on HackerOne’s proprietary data examining security weaknesses resolved on the HackerOne platform between June 2022 and June 2023. Vulnerabilities included here were reported by the hacker community through vulnerability disclosures and public and private programs across the HackerOne platform. All vulnerability classifications were made or confirmed by HackerOne customers, including weakness type, impact, and severity.

Note: The vulnerability rating taxonomy, which HackerOne maps to the industry standard Common Weakness Enumeration, is used by HackerOne customers and hackers to categorize reported vulnerabilities.

Questions? We have answers.

How else can we help? Let us know and we’ll get in touch.