Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports

12,219

CVE-linked

1,854

Programs

342

New This Week

Severity: All Critical High Medium Low

Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375

Program filter: slack✕

Hashed data exposure via WebSockets to Workspace Members

Slack Insufficiently Protected Credentials (CWE-522)

Critical

2023-09-21

Ability to join an arbitrary workspace by utilizing a proxy to manipulate invite links

Slack Improper Authentication - Generic (CWE-287)

Critical

2023-06-23

Unauthorized access to GovSlack

Slack Improper Authentication - Generic (CWE-287)

Medium

2023-05-19

Bypass invite accept for victim

Slack Business Logic Errors (CWE-840)

Medium

2023-02-17

XSS on link and window.opener

Slack Cross-site Scripting (XSS) - Reflected (CWE-79)

Medium

2023-01-23

CSV export/import functionality allows administrators to modify member and message content of a workspace

Slack Privilege Escalation (CAPEC-233)

None

2022-09-28

SSRF via Office file thumbnails

Slack Information Disclosure (CWE-200)

Critical

2022-07-05

Email html Injection

Slack Code Injection (CWE-94)

Low

2022-05-19

Workspace configuration metadata disclosure

Slack Information Disclosure (CWE-200)

High

2022-04-01

Stored XSS through PDF viewer

Slack Cross-site Scripting (XSS) - Stored (CWE-79)

High

2022-03-16

[Android] Directory traversal leading to disclosure of auth tokens

Slack Path Traversal (CWE-22)

High

2022-02-25

Lack of URL normalization renders Blocked-Previews feature ineffectual

Slack Security Through Obscurity (CWE-656)

Medium

2022-01-16

Stored XSS in files.slack.com

Slack Cross-site Scripting (XSS) - Stored (CWE-79)

Medium

2021-12-02

Cross-site leak allows attacker to de-anonymize members of his team from another origin

Slack Privilege Escalation (CAPEC-233)

Low

2021-11-11

Misuse of groups feature allows workspace members to join private channels without being invited

Slack Improper Access Control - Generic (CWE-284)

High

2021-10-21

Denial of Service via Hyperlinks in Posts

Slack Uncontrolled Resource Consumption (CWE-400)

Medium

2021-10-03

Private application files can be uploaded to Slack via malicious uploader

Slack Information Disclosure (CWE-200)

Medium

2021-08-04

Header modification results in disclosure of Slack infra metadata to unauthorized parties

Slack Server-Side Request Forgery (SSRF) (CWE-918)

Medium

2021-06-09

Team members can trigger arbitrary code execution in Slack Desktop Apps via HTML Notifications

Slack Code Injection (CWE-94)

High

2021-05-09

Slack-Corp Heroku application disclosing limited info about company members

Slack Information Disclosure (CWE-200)

Low

2020-12-09

Top Weakness Types

Most Active Programs

Program	Reports	Max $
U.S. Dept Of Defense	896	—
Internet Bug Bounty	817	—
HackerOne	609	—
Nextcloud	582	—
Shopify	464	—
curl	439	—
Node.js third-party modules	307	—
GitLab	258	—
X / xAI	250	$2,500
Uber	239	$9,895

Goal Reached Thanks to every supporter — we hit 100%!

Bug Bounty Intelligence