Top Ten Vulnerabilities

The HackerOne Top 10 Vulnerability Types

As a security leader, you’re responsible for a constantly evolving attack surface. The past year has changed the role of the CISO, making it tougher to navigate your operating environment. Distributed decision-making has expanded the volume and variety of risks you must confront, regulators are approaching data privacy with greater scrutiny, and executive teams and boards of directors are starting to think about how information risk impacts strategic planning.

Today's CISO must think about:

Functional leadership

Can we handle and mitigate breaches, incidents and crises?

Secure generative AI and LLMs

Are we protected in a new era of AI vulnerabilities?

Scaling governance, risk and compliance

Are we meeting regulatory standards?

Responsiveness and agility

Are we leveraging information risk to make decisions?

Top 10 vulnerabilities types

Security leaders are looking for creative ways to meet these demands.

Cybercrime continues to rise at the same time CISOs are being challenged to do more with less. In this climate, you're more at risk if you’re ignoring the benefits a huge community of talented and tenacious ethical hackers can bring to your organization's security. Thousands of the world's most influential brands trust hackers to deliver impactful findings and vulnerabilities.

The 7th Annual Hacker-Powered Security Report goes deeper than ever before, taking a more comprehensive look at the top ten vulnerabilities and how various industries are performing when it comes to incentivizing hackers to find the vulnerabilities that are most important to them.

This year’s Top Ten Vulnerabilities looks at what percentage of the total reports is attributable to each vulnerability type. And we’ve cross-referenced that by industry so you can see how your industry compares to the platform average when it comes to types of vulnerability reports received.

Cross-site scripting (XSS)—the largest category overall—is broken out into its different subtypes, so improper access control is the number-one vulnerability on the list, comprising 13% of all valid vulnerabilities reported through the HackerOne platform.

Get the Full Report

And for a comprehensive look at the data behind this snapshot, read the 7th Annual Hacker-Powered Security Report.

Key Takeaways


The Big Picture

Security vulnerabilities are a reality of modern technology. Fortunately for us, hackers are too. This list highlights that hackers are helping mitigate the most serious risks to your business.

Bugs Surfaced: Bug Bounty vs. Pentest

A penetration test (pentest), involves identifying and addressing vulnerabilities, similar to a bug bounty program, but a pentest often leans more toward ensuring an organization adheres to specific compliance and security standards. Bug bounty programs incentivize ethical hackers via monetary rewards for successfully discovering and reporting vulnerabilities or bugs to the application's developer. 

Do pentesting and bug bounties serve the same purpose or complement each other? While both approaches engage security researcher communities, their outcomes are distinct.

Top ten vulnerabilities surfaced in bug bounty
Top ten vulnerabilities surfaced in pentesting


This edition of the HackerOne Top 10 Vulnerability Types was based on HackerOne’s proprietary data examining security weaknesses resolved on the HackerOne platform between June 2022 and June 2023. Vulnerabilities included here were reported by the hacker community through vulnerability disclosures and public and private programs across the HackerOne platform. All vulnerability classifications were made or confirmed by HackerOne customers, including weakness type, impact, and severity.

Note: The vulnerability rating taxonomy, which HackerOne maps to the industry standard Common Weakness Enumeration, is used by HackerOne customers and hackers to categorize reported vulnerabilities.

Questions? We have answers.

How else can we help? Let us know and we’ll get in touch.