Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports

12,219

CVE-linked

1,854

Programs

342

New This Week

Severity: All Critical High Medium Low

Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375

XSS on player.vimeo.com without user interaction and vimeo.com with user interaction

Vimeo Cross-site Scripting (XSS) - Generic (CWE-79)

Unknown

2017-08-31

XSS on mobile version of vimeo.com where the button "Follow" appears

Vimeo Cross-site Scripting (XSS) - Generic (CWE-79)

Unknown

2017-08-31

Markdown parsing issue enables insertion of malicious tags

Gratipay Cross-site Scripting (XSS) - Generic (CWE-79)

Unknown

2017-08-21

Stored xss in editor

Mapbox Cross-site Scripting (XSS) - Generic (CWE-79)

Unknown

2017-08-17

Blind XSS in mapbox.com/contact

Mapbox Cross-site Scripting (XSS) - Generic (CWE-79)

Unknown

2017-08-15

Cross-site scripting (XSS) on a DoD website

U.S. Dept Of Defense Cross-site Scripting (XSS) - Generic (CWE-79)

Low

2017-08-15

Cross-site scripting (XSS) vulnerability on a DoD website

U.S. Dept Of Defense Cross-site Scripting (XSS) - Generic (CWE-79)

Low

2017-08-15

XSS on www.mapbox.com/authorize

Mapbox Cross-site Scripting (XSS) - Generic (CWE-79)

Unknown

2017-08-14

XSS on www.mapbox.com/authorize/ because of open redirect at /core/oauth/auth

Mapbox Cross-site Scripting (XSS) - Generic (CWE-79)

Unknown

2017-08-14

Reflected XSS in Step 2 of the Installation

Revive Adserver Cross-site Scripting (XSS) - Generic (CWE-79)CVE-2016-9472

Unknown

2017-08-02

Reflected XSS on Zones > Invocation Code

Revive Adserver Cross-site Scripting (XSS) - Generic (CWE-79)

Low

2017-08-02

Stored XSS on Admin Access Page - Email field

Revive Adserver Cross-site Scripting (XSS) - Generic (CWE-79)

High

2017-08-02

Reflected XSS in openapi.starbucks.com /searchasyoutype/v1/search?x-api-key=

Starbucks Cross-site Scripting (XSS) - Generic (CWE-79)

Medium

2017-07-25

XSS in my.shopify.com in widget

Shopify Cross-site Scripting (XSS) - Generic (CWE-79)

Medium

2017-07-21

Wordpress 4.7.2 - Two XSS in Media Upload when file too large.

WordPress Cross-site Scripting (XSS) - Generic (CWE-79)

High

2017-07-17

[alpha.informatica.com] Expensive DOMXSS

Informatica Cross-site Scripting (XSS) - Generic (CWE-79)

Medium

2017-07-08

CRLF and XSS stored on ton.twitter.com

X / xAI Cross-site Scripting (XSS) - Generic (CWE-79)

Unknown

2017-07-05

csp bypass + xss

X / xAI Cross-site Scripting (XSS) - Generic (CWE-79)

Unknown

2017-07-05

Reflected XSS vulnerability on a DoD website

U.S. Dept Of Defense Cross-site Scripting (XSS) - Generic (CWE-79)

Low

2017-07-05

Cross-site Scripting (XSS) in /updates-pro/archive/

MapsMarker.com e.U. Cross-site Scripting (XSS) - Generic (CWE-79)

Critical

2017-07-02

Top Weakness Types

Most Active Programs

Program	Reports	Max $
U.S. Dept Of Defense	896	—
Internet Bug Bounty	817	—
HackerOne	609	—
Nextcloud	582	—
Shopify	464	—
curl	439	—
Node.js third-party modules	307	—
GitLab	258	—
X / xAI	250	$2,500
Uber	239	$9,895

Goal Reached Thanks to every supporter — we hit 100%!

Bug Bounty Intelligence