Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports

12,220

CVE-linked

1,854

Programs

342

New This Week

Severity: All Critical High Medium Low

Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375

IDOR Vulnerability at AddTagToAssets operation name

HackerOne Insecure Direct Object Reference (IDOR) (CWE-639)

Medium

2025-06-08

ImageId Format Injection in Image Upload Endpoint

Lichess Improper Input Validation (CWE-20)

Medium

2025-06-06

DoS Vulnerability via Cache Poisoning on cdn.shopify.com and shopify-assets.shopifycdn.com

Shopify Cache Poisoning (CAPEC-141)

Medium

2025-06-04

returnUrl= allow attacker to redirect users to the another phising website and takeover credientials

Insightly Improper Authentication - Generic (CWE-287)

Medium

2025-06-04

Public GitHub repositories for multiple HackerOne managed triage team profiles contain private HackerOne reports information

HackerOne Information Disclosure (CWE-200)

Medium

2025-05-31

CVE-2025-5025: No QUIC certificate pinning with wolfSSL

curl Improper Certificate Validation (CWE-295)CVE-2025-5025

Medium

2025-05-28

CVE-2025-4947: QUIC certificate check skip with wolfSSL

curl Improper Validation of Certificate with Host Mismatch (CWE-297)CVE-2025-4947

Medium

2025-05-28

Non-Production API Endpoints for the bedrock-agent Service Fail to Log to CloudTrail Resulting in Silent Permission Enumeration