Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports

12,219

CVE-linked

1,854

Programs

342

New This Week

Severity: All Critical High Medium Low

Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375

Program filter: tiktok✕

Chained Broken Access Control in TikTok Live Backstage Enables Full Control of Public Leaderboard Activities

TikTok Privilege Escalation (CAPEC-233)

Medium

2025-09-11

Stored XSS on TikTok's backend leads to the leakage of highly sensitive administrator data (Cookies, API Keys, Internal Paths, Emails, phone numbers).

TikTok Cross-site Scripting (XSS) - Stored (CWE-79)

Medium

2025-09-11

Chain Vulnerability lead to Full Control Group Live Accounts & Undeletable Creator

TikTok Privilege Escalation (CAPEC-233)

Medium

2025-07-08

Unauthorized Access to Private Video Description via Translation API for Private Accounts

TikTok Insecure Direct Object Reference (IDOR) (CWE-639)

Low

2025-06-27

IDOR on ads.tiktok.com Allows Unauthorized Product Addition

TikTok Insecure Direct Object Reference (IDOR) (CWE-639)

Low

2025-02-20

Unauthorized Access to TikTok Account [Private Videos] via API Endpoint

TikTok Insecure Direct Object Reference (IDOR) (CWE-639)

Medium

2025-01-24

CSRF in ticket function

TikTok Cross-Site Request Forgery (CSRF) (CWE-352)

Medium

2024-11-05

Stored-XSS-ads.tiktok.com

TikTok Cross-site Scripting (XSS) - Stored (CWE-79)

Low

2024-10-02

DOM XSS in tiktok.com/login via the redirect_url parameter

TikTok Cross-site Scripting (XSS) - DOM (CWE-79)

High

2024-09-21

Exploitable live argument in onClick Function leads to Data Leakage of Inactive/Suspended Products

TikTok Business Logic Errors (CWE-840)

Medium

2024-07-19

Account Takeover via Authentication Bypass in TikTok Account Recovery

TikTok Authentication Bypass Using an Alternate Path or Channel (CWE-288)

Critical

2024-07-13

Authentication Bypass on TikTok Seller Signup Process Allows Account Creation Without Phone Verification

TikTok Improper Access Control - Generic (CWE-284)

Low

2024-07-03

Lynxview JS interfaces Takeover via deeplink traversal

TikTok Cross-site Scripting (XSS) - DOM (CWE-79)

High

2024-05-24

Reflected XSS on Pangle Endpoint

TikTok Cross-site Scripting (XSS) - Reflected (CWE-79)

High

2024-04-05

Using Branded Hashtag Feature User Partnered with Account Manager Can View Videos Uploaded By A Private TikTok Account If 'item_id' Is Known

TikTok Information Disclosure (CWE-200)

Medium

2024-04-03

HTML Injection on TikTok Ads

TikTok Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CWE-80)

Low

2024-02-20

Multiple Open Redirect on TikTok domains

TikTok Improper Access Control - Generic (CWE-284)

Low

2024-02-16

Reflected XSS On [https://www-useast1a.tiktok.com/ug/incentive/share/hd]

TikTok Cross-site Scripting (XSS) - Reflected (CWE-79)

Medium

2024-01-12

RXSS on TikTok endpoints

TikTok Cross-site Scripting (XSS) - Reflected (CWE-79)

Medium

2024-01-09

RXSS via region parameter

TikTok Cross-site Scripting (XSS) - Reflected (CWE-79)

Medium

2024-01-09

Top Weakness Types

Most Active Programs

Program	Reports	Max $
U.S. Dept Of Defense	896	—
Internet Bug Bounty	817	—
HackerOne	609	—
Nextcloud	582	—
Shopify	464	—
curl	439	—
Node.js third-party modules	307	—
GitLab	258	—
X / xAI	250	$2,500
Uber	239	$9,895

Goal Reached Thanks to every supporter — we hit 100%!

Bug Bounty Intelligence