Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports

12,219

CVE-linked

1,854

Programs

342

New This Week

Severity: All Critical High Medium Low

Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375

Brave Android: Incorrect URL Eliding in Brave Shields Pop Up

Brave Software Violation of Secure Design Principles (CWE-657)CVE-2024-37406

Low

2024-09-18

Unauthenticated Varnish Cache Purge

Adobe Misconfiguration (CWE-16)

Low

2024-09-12

CVE-2024-41937: Apache Airflow: Stored XSS Vulnerability on provider link

Internet Bug Bounty Cross-site Scripting (XSS) - Stored (CWE-79)CVE-2024-41937

Low

2024-09-07

Reflected XSS on www.acronis.com/de-de/my/subscriptions/index.html

Acronis Cross-site Scripting (XSS) - Reflected (CWE-79)

Low

2024-08-27

Acronis True Image 2020 Build 22510 Nonstop Backup Service Unquoted service path (privilege escalation)

Acronis Privilege Escalation (CAPEC-233)

Low

2024-08-27

Local Privilege Escalation via EXE hijacking with Acronis True Image 2021 - Acronis Scheduler2 Service

Acronis Privilege Escalation (CAPEC-233)

Low

2024-08-27

Local Privilege Escalation via EXE hijacking with Acronis True Image 2021 installer

Acronis Privilege Escalation (CAPEC-233)

Low

2024-08-27

HTML injection in swagger UI

Ionity GmbH Cross-site Scripting (XSS) - Generic (CWE-79)

Low

2024-08-27

XSS in https://promo.acronis.com/

Acronis Cross-site Scripting (XSS) - DOM (CWE-79)

Low

2024-08-26

CSRF and XSS on www.acronis.com

Acronis Cross-site Scripting (XSS) - Reflected (CWE-79)

Low

2024-08-26

Cross Site Scripting (Reflected) on https://www.acronis.cz/dotaznik/roadshow-2020/

Acronis Cross-site Scripting (XSS) - Reflected (CWE-79)

Low

2024-08-26

Source Code and data exfiltration via Github Copilot

GitHub Code Injection (CWE-94)

Low

2024-08-19

Bypassing 2FA with conventional session management - open.rocket.chat

Rocket.Chat Improper Authentication - Generic (CWE-287)

Low

2024-08-10

IDOR lets a malicious user reveal the unpinned achievement badges of any Reddit user

Reddit Insecure Direct Object Reference (IDOR) (CWE-639)

Low

2024-08-09

CVE-2024-7264: ASN.1 date parser overread

curl Buffer Over-read (CWE-126)CVE-2024-7264

Low

2024-08-01

CVE-2024-6874: macidn punycode buffer overread

curl Buffer Over-read (CWE-126)CVE-2024-6874

Low

2024-07-24

Minor security issue with Hackerone Invitations from sandbox program

HackerOne Business Logic Errors (CWE-840)

Low

2024-07-22

HTML Injection into https://www.██████.mil

U.S. Dept Of Defense Command Injection - Generic (CWE-77)

Low

2024-07-19

Permission model improperly processes UNC paths

Node.js Privilege Escalation (CAPEC-233)CVE-2024-37372

Low

2024-07-15

Missing permission check when removing a photo from an album

Nextcloud Improper Access Control - Generic (CWE-284)CVE-2024-37314

Low

2024-07-14

Top Weakness Types

Most Active Programs

Program	Reports	Max $
U.S. Dept Of Defense	896	—
Internet Bug Bounty	817	—
HackerOne	609	—
Nextcloud	582	—
Shopify	464	—
curl	439	—
Node.js third-party modules	307	—
GitLab	258	—
X / xAI	250	$2,500
Uber	239	$9,895

Goal Reached Thanks to every supporter — we hit 100%!

Bug Bounty Intelligence