Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
10
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Program filter: vimeo
SSRF leaking internal google cloud data through upload function [SSH Keys, etc..]
Vimeo Server-Side Request Forgery (SSRF) (CWE-918)
Critical
2019-12-13
Reflected File Download (RFD) in download video
Vimeo
Medium
2019-08-23
Possibility to overwrite any file in the vpe.cdn.vimeo.tv leads to the Stored XSS for the all customers on the embed.vhx.tv
Vimeo Improper Access Control - Generic (CWE-284)
High
2019-07-10
Domain pointing to vimeo portfolio are prone to takeover using on-demand.
Vimeo Business Logic Errors (CWE-840)
High
2018-08-27
Improper Authentication in Vimeo's API 'versions' endpoint.
Vimeo Improper Authentication - Generic (CWE-287)
High
2018-05-15
Watch any Password Video without password
Vimeo Information Disclosure (CWE-200)
Unknown
2017-10-18
OAuth 2 Authorization Bypass via CSRF and Cross Site Flashing
Vimeo Cross-Site Request Forgery (CSRF) (CWE-352)
Unknown
2017-10-18
Images and Subtitles Leakage from private videos
Vimeo Information Disclosure (CWE-200)
Unknown
2017-10-18
Disclosure of sensitive information through Google Cloud Storage bucket
Vimeo Information Disclosure (CWE-200)
High
2017-09-29
Reflected XSS on vimeo.com/musicstore
Vimeo Cross-site Scripting (XSS) - Generic (CWE-79)
Unknown
2017-08-31
Stored XSS on player.vimeo.com
Vimeo Cross-site Scripting (XSS) - Generic (CWE-79)
Unknown
2017-08-31
XSS when using captions/subtitles on video player based on Flash (requires user interaction)
Vimeo Cross-site Scripting (XSS) - Generic (CWE-79)
Unknown
2017-08-31
XSS on vimeo.com | "Search within these results" feature (requires user interaction)
Vimeo Cross-site Scripting (XSS) - Generic (CWE-79)
Unknown
2017-08-31
XSS on vimeo.com/home after other user follows you
Vimeo Cross-site Scripting (XSS) - Generic (CWE-79)
Unknown
2017-08-31
XSS on player.vimeo.com without user interaction and vimeo.com with user interaction
Vimeo Cross-site Scripting (XSS) - Generic (CWE-79)
Unknown
2017-08-31
XSS on mobile version of vimeo.com where the button "Follow" appears
Vimeo Cross-site Scripting (XSS) - Generic (CWE-79)
Unknown
2017-08-31
Securing "Reset password" pages from bots
Vimeo Violation of Secure Design Principles (CWE-657)
Unknown
2017-01-31
[vimeopro.com] CRLF Injection
Vimeo
Unknown
2016-10-24
XSS in Subtitles of Vimeo Flash Player and Hubnut
Vimeo Cross-site Scripting (XSS) - Generic (CWE-79)
Unknown
2016-09-14
Downloading password protected / restricted videos
Vimeo
Unknown
2016-09-05
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895