Help Center

What are Weaknesses and Clusters? How do I use Weaknesses?

If you are looking for a mapping between the current set of weaknesses and legacy vulnerability types, you can find it here.

HackerOne adopts a subset of CWE (Common Weakness Enumeration) weaknesses for report classification. Each vulnerability report can be labeled with a weakness, either by the hacker at the time of report submission, or by the team at any later point in time. 

  • A weakness is a type of mistake in software that introduces vulnerabilities within that software. The term applies to mistakes regardless of whether they occur in implementation, design, or other phases of the software development life cycle.
  • A cluster is a set of weaknesses. They map to external groupings that are widely used and/or commonly referred in the security industry, for easier navigation and browsing within weaknesses. 

Within your program settings for the Report Submission Form (Settings > Program > Submit Report Form), you can enable, disable or hide each weakness for you program’s submissions. You can prevent hackers from submitting vulnerability reports that exploit a weakness that is out of scope by setting weaknesses to different states.



  • Enabled: Reports can be submitted with this weakness selected. You may add a contextual message if you have extra instructions, or information pertaining to this weakness that you wish to share. 
  • Disabled: This weakness will be displayed, but reports with this weakness selected cannot be submitted. You must supply a message to go with it. This option is often used if there is a common weakness type you have decided to put out of scope, and you wish to attach an explanation of why this weakness type is out of scope.
  • Hidden: This weakness will not be shown on the report submission form at all. 
Have more questions? Submit a request
Powered by Zendesk