Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
9
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
response manipulation leads to bypass in register at employee website than 0 click account takeover
IBM Improper Authentication - Generic (CWE-287)
Critical
2023-06-21
Cloudflare CASB Confused Deputy Problem
Cloudflare Public Bug Bounty
Critical
2023-06-07
HTML injection in API response including request url
Reddit Remote File Inclusion (CWE-98)
Critical
2023-05-18
read and message other user's messages
Reddit Insecure Direct Object Reference (IDOR) (CWE-639)
Critical
2023-05-18
Exposed GIT repo on ██████████[HtUS]
U.S. Dept Of Defense Cleartext Storage of Sensitive Information (CWE-312)
Critical
2023-05-15
[HTA2] XXE on https://███ via SpellCheck Endpoint.
U.S. Dept Of Defense XML External Entities (XXE) (CWE-611)
Critical
2023-05-15
[hta3] Remote Code Execution on ████
U.S. Dept Of Defense Code Injection (CWE-94)
Critical
2023-05-15
Sensitive Data Exposure via wp-config.php file
U.S. Dept Of Defense Information Disclosure (CWE-200)
Critical
2023-05-15
Default Credentials on Kinetic Core System Console - https://█████/kinetic/app/
U.S. Dept Of Defense Use of Default Credentials (CWE-1392)
Critical
2023-05-15
Subdomain Takeover Affecting at vex.weather.com
IBM Improper Authentication - Generic (CWE-287)
Critical
2023-05-10
SQL Injection at https://████ via ███ parameter
Sony SQL Injection (CWE-89)
Critical
2023-04-24
Time Based SQL Injection
U.S. Department of State SQL Injection (CWE-89)
Critical
2023-04-20
JWT audience claim is not verified
Internet Bug Bounty Missing Critical Step in Authentication (CWE-304)CVE-2023-22482
Critical
2023-04-16
[HTA2] Authorization Bypass on https://██████ leaks confidential aircraft/missile information
U.S. Dept Of Defense Improper Authorization (CWE-285)
Critical
2023-04-14
WordPress application vulnerable to DoS attack via wp-cron.php
U.S. Dept Of Defense Uncontrolled Resource Consumption (CWE-400)
Critical
2023-04-14
Remote Code Execution on ownCloud instances with ImageMagick installed
ownCloud Code Injection (CWE-94)
Critical
2023-04-12
DoS at █████(CVE-2018-6389)
U.S. Dept Of Defense Uncontrolled Resource Consumption (CWE-400)CVE-2018-6389
Critical
2023-03-24
[uchat.uberinternals.com] Mattermost doesn't check Origin in Websockets, which leads to the Critical Inforamation Leakage.
Uber Cross-Site Request Forgery (CSRF) (CWE-352)
Critical
2023-03-23
[data-07.uberinternal.com] SSRF in Portainer app lead to access to Internal Docker API without Auth
Uber Server-Side Request Forgery (SSRF) (CWE-918)
Critical
2023-03-23
[CVE-2022-44268] Arbitrary Remote Leak via ImageMagick
HackerOne Remote File Inclusion (CWE-98)CVE-2022-44268
Critical
2023-03-16
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895