Top Ten Vulnerabilities

The HackerOne Top 10 Most Impactful and Rewarded Vulnerability Types – 2020 Edition

As a security leader, you’re responsible for a constantly evolving attack surface. The past year has changed the role of the CISO, making it tougher to navigate your operating environment. Distributed decision-making has expanded the volume and variety of risks you must confront, regulators are approaching data privacy with greater scrutiny, and executive teams and boards of directors are starting to think about how information risk impacts strategic planning.

Today's CISO must think about:

Functional leadership: Can we handle and mitigate breaches, incidents and crises?

Information security service delivery: Are we meeting deadlines?

Scaling governance, risk and compliance: Are we meeting regulatory standards?

Responsiveness and agility: Are we leveraging information risk to make decisions?


Security leaders are looking for creative ways to meet these demands.

Vulnerability disclosure policies (VDPs) have emerged as a powerful solution. VDPs quickly establish a process for receiving vulnerability reports from hackers and security researchers. But what are the hackers finding? How are they changing the security landscape? And what do security leaders need to know?

HackerOne maintains the most authoritative database of vulnerabilities in the industry. We’re here to help you make smarter decisions about vulnerability mitigation and remediation, and to empower you to allocate your resources efficiently.

To that end, we’re providing a list of the top 10 vulnerability types as indicated by bounty awards and customer impact to help you understand the most common, formidable security risks you’re facing.

And for a comprehensive look at the data behind this snapshot, read The 4th Hacker-Powered Security Report.

Key Takeaways


The Big Picture

Security vulnerabilities are a reality of modern technology. Fortunately for us, hackers are too. This list highlights that hackers are helping mitigate the most serious risks to your business.

Total bounty amount by weakness type

[Chart: total bounty amount by weakness type; axes: weakness type vs. bounties total financial rewards amount. The figures are given in the table below.]

Rank | Weakness type                          | Bounties (total financial rewards amount) | YOY % change
2    | Improper Access Control - Generic      | $4,013,316                                | 134%
3    | Information Disclosure                 | $3,520,801                                | 63%
4    | Server-Side Request Forgery (SSRF)     | $2,995,755                                | 103%
5    | Insecure Direct Object Reference (IDOR)| $2,264,833                                | 70%
6    | Privilege Escalation                   | $2,017,592                                | 48%
7    | SQL Injection                          | $1,437,341                                | 40%
8    | Improper Authentication - Generic      | $1,371,863                                | 36%
9    | Code Injection                         | $982,247                                  | -7%
10   | Cross-Site Request Forgery (CSRF)      | $662,751                                  | -34%

Average bounty payout per industry for critical vulnerabilities


This edition of the HackerOne Top 10 Most Impactful and Rewarded Vulnerability Types was based on HackerOne’s proprietary data examining security weaknesses resolved on the HackerOne platform between May 2019 and April 2020. Vulnerabilities included here were reported by the hacker community through vulnerability disclosures and public and private bounty programs. All vulnerability classifications were made or confirmed by HackerOne customers, including weakness type, impact, and severity.

Note: The vulnerability rating taxonomy, which HackerOne maps to the industry standard Common Weakness Enumeration, is used by HackerOne customers and hackers to categorize reported vulnerabilities. Data presented here is from May 2019 through April 2020.
