Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
14
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Program filter: curl
Inconsistent URL Parsing in curl Leading to Potential SSRF and Access Control Bypass
curl Improper Input Validation (CWE-20)
Low
2025-09-26
Race condition on global `gss_context` during SOCKS5 GSS-API negotiation in libcurl
curl Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') (CWE-362)
Medium
2025-09-26
Use-after-free when POST body buffer is freed before transfer
curl Use After Free (CWE-416)
Medium
2025-09-26
Timing Attack Vulnerability in curl Digest Authentication via Non-Constant-Time String Comparison
curl Information Exposure Through Timing Discrepancy (CWE-208)
Medium
2025-09-18
Security Analysis Report: CURL Integer Overflow Vulnerability
curl Integer Overflow (CWE-190)
Unknown
2025-09-18
int overflow in krb5_read_data() leads to (possible) massive `recv()` write
curl Integer Overflow (CWE-190)
Low
2025-09-18
Stack Buffer Overflow in cURL Cookie Parsing Leads to RCE
curl Stack Overflow (CWE-121)
High
2025-09-16
Multiple Unsafe strcpy() Function Calls Leading to Potential Buffer Overflow Vulnerabilities in cURL 8.16.1-DEV
curl Classic Buffer Overflow (CWE-120)
High
2025-09-14
TOCTOU Race Condition in HTTP/2 Connection Reuse Leads to Certificate Validation Bypass
curl Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
High
2025-09-11
CVE-2025-9086: Out of bounds read for cookie path
curl Buffer Over-read (CWE-126)CVE-2025-9086
Low
2025-09-10
CVE-2025-10148: predictable WebSocket mask
curl Reusing a Nonce, Key Pair in Encryption (CWE-323)CVE-2025-10148
Low
2025-09-10
Confirmed Security Misconfigurations on curl.se (BREACH, Missing Security Headers, ETag Info Disclosure)
curl Information Disclosure (CWE-200)CVE-2003-1418
Medium
2025-09-09
libcurl: Host-Only Cookies Leak to Alternate IPv4 Forms
curl
Unknown
2025-09-04
Heap-buffer-overflow (Out-of-Bounds Read) in DoH hostname encoding
curl Out-of-bounds Read (CWE-125)
None
2025-09-04
Incorrect Parsing of IPv6 Zone ID in curl
curl Authentication Bypass by Primary Weakness (CWE-305)
High
2025-09-01
Missing Security Headers
curl
Medium
2025-08-22
curl leaks destination IP via glibc getaddrinfo() UDP connect, bypassing SOCKS5/Tor
curl Information Disclosure (CWE-200)
Unknown
2025-08-20
Curl parse_connect_to_string Heap-Overread Leading to Denial of Service via CURLOPT_CONNECT_TO
curl Buffer Over-read (CWE-126)
Medium
2025-08-20
WebSocket Fragmentation DoS on Curl Client
curl Uncontrolled Resource Consumption (CWE-400)
High
2025-08-19
## Title Heap Use-After-Free Vulnerability in `curl` Leading to Potential Code Execution
curl Use After Free (CWE-416)
Medium
2025-08-18
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895