Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
10
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
CVE-2024-9681: HSTS subdomain overwrites parent cache entry
curl Business Logic Errors (CWE-840)CVE-2024-9681
Low
2024-11-06
Open redirect via redirect_to parameter in tumblr.com
Automattic Open Redirect (CWE-601)
Low
2024-11-05
Social media account takeover
MTN Group Externally Controlled Reference to a Resource in Another Sphere (CWE-610)
Low
2024-11-03
Bypassing Recaptcha Protection in `https://connect.acronis.com`
Acronis Violation of Secure Design Principles (CWE-657)
Low
2024-10-30
Information disclosure on password cancel endpoint
Mozilla Information Disclosure (CWE-200)
Low
2024-10-29
Memory Leak in bytes_to_hexstring Function
Linux Foundation Decentralized Trust Use After Free (CWE-416)
Low
2024-10-24
Race condition leads to add more than 5 email at Data breaches monitor system at https://stage.firefoxmonitor.nonprod.cloudops.mozgcp.net
Mozilla Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') (CWE-362)
Low
2024-10-18
Timeline API returns private post when target of a push notification
Automattic Improper Access Control - Generic (CWE-284)
Low
2024-10-17
fs.fchown/fchmod bypasses permission model
Internet Bug Bounty Insecure Direct Object Reference (IDOR) (CWE-639)CVE-2024-36137
Low
2024-10-16
IDOR vulnerability leads to Deleting message after leaving/getting banned from group using message ID
Rocket.Chat Insecure Direct Object Reference (IDOR) (CWE-639)
Low
2024-10-13
Subdomain takeover in Gitlab pages
GitLab Misconfiguration (CWE-16)
Low
2024-10-09
HTML injection possible with soft email confirmations when Administrator manually confirms attacker email address
GitLab Resource Injection (CWE-99)
Low
2024-10-08
Stored-XSS-ads.tiktok.com
TikTok Cross-site Scripting (XSS) - Stored (CWE-79)
Low
2024-10-02
Remove obsolete domain from handbook subdomain
GitLab Misconfiguration (CWE-16)
Low
2024-10-01
XSS when using `translate` in Action Controller (Rails 7.0, 7.1)
Ruby on Rails Cross-site Scripting (XSS) - Generic (CWE-79)CVE-2020-15169
Low
2024-10-01
Posts sent via websockets aren't sanitized properly
Mattermost Improper Input Validation (CWE-20)CVE-2024-47003
Low
2024-10-01
Able to see location coordinates in any event without permission to do so
FetLife Information Disclosure (CWE-200)
Low
2024-09-25
Possible XSS Vulnerability in Action Controller
Internet Bug Bounty Cross-site Scripting (XSS) - Generic (CWE-79)CVE-2024-26143
Low
2024-09-25
curl: stack-buffer overread during punycode conversions
Internet Bug Bounty Buffer Over-read (CWE-126)CVE-2024-6874
Low
2024-09-22
Unbounded memory growth with session handling in TLSv1.3
Internet Bug Bounty Allocation of Resources Without Limits or Throttling (CWE-770)CVE-2024-2511
Low
2024-09-22
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895