Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
14
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Program filter: brave
Brave Shields Domain Reordering Leads to Origin Confusion
Brave Software Violation of Secure Design Principles (CWE-657)
Low
2026-04-13
SameSite restrictions are lifted, and SameSite:Strict cookie are being sent.
Brave Software Improper Certificate Validation (CWE-295)CVE-2018-12402CVE-2022-29912CVE-2022-45410CVE-2022-45413CVE-2023-30674CVE-2025-48980
High
2025-10-15
Prompt Injection via GitHub Patch in Brave AI Chat (Leo)
Brave Software LLM01: Prompt Injection
High
2025-08-22
Null Pointer Dereference by Crafted Response from AI Model
Brave Software NULL Pointer Dereference (CWE-476)
Low
2025-03-26
Incorrect security UI of files' download source on brave MacOS
Brave Software User Interface (UI) Misrepresentation of Critical Information (CWE-451)CVE-2025-23086
High
2025-01-16
Brave Android: Incorrect URL Eliding in Brave Shields Pop Up
Brave Software Violation of Secure Design Principles (CWE-657)CVE-2024-37406
Low
2024-09-18
UAF on JSEthereumProvider
Brave Software Use After Free (CWE-416)
Critical
2023-10-11
Tor IP leak caused by the PDF Viewer extension in certain situations
Brave Software Information Disclosure (CWE-200)
Medium
2023-08-02
HTML injection in title of reader view
Brave Software Cross-site Scripting (XSS) - DOM (CWE-79)
Medium
2023-06-22
Universal XSS through FIDO U2F register from subframe
Brave Software Cross-site Scripting (XSS) - Generic (CWE-79)
High
2023-06-22
Phishing/Malware site blocking on Brave iOS can be bypassed with trailing dot in hostname
Brave Software Violation of Secure Design Principles (CWE-657)
Medium
2023-06-22
Onion-Location header allows to open arbitrary URLs including chrome:
Brave Software Violation of Secure Design Principles (CWE-657)
High
2023-06-22
XSS on Brave Today through custom RSS feed
Brave Software Cross-site Scripting (XSS) - DOM (CWE-79)
Medium
2023-06-22
New XSS vector in ReaderMode with %READER-TITLE-NONCE%
Brave Software Cross-site Scripting (XSS) - Generic (CWE-79)
Critical
2023-06-22
Universal XSS with Playlist feature
Brave Software Cross-site Scripting (XSS) - Stored (CWE-79)
High
2023-06-22
XSS on internal: privileged origin through reader mode
Brave Software Cross-site Scripting (XSS) - Generic (CWE-79)
High
2023-06-22
Security token and handler name leak from window.braveBlockRequests
Brave Software Information Disclosure (CWE-200)
High
2023-06-22
Persistent user tracking is possible using window.caches, by avoiding Brave Shields
Brave Software Privacy Violation (CWE-359)
Medium
2023-06-22
UI spoofing by showing sms:/tel: dialog on another website
Brave Software Phishing (CAPEC-98)
Low
2023-06-22
Brave Shield for iOS is weak against IDN homograph attacks
Brave Software Phishing (CAPEC-98)
Low
2023-06-22
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895