Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
10
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Path traversal by monkey-patching Buffer internals
Internet Bug Bounty Path Traversal (CWE-22)CVE-2024-21896
High
2024-05-29
Non-authenticated path traversal leading to arbitrary file read
ExpressionEngine Path Traversal (CWE-22)CVE-2021-44534
High
2024-05-28
Low privileges (auth) Remote Command Execution - PHP file upload bypass.
ExpressionEngine Code Injection (CWE-94)CVE-2020-13443
High
2024-05-28
Stored-XSS injected in Wiki page via Banzai pipeline
GitLab Cross-site Scripting (XSS) - Stored (CWE-79)
High
2024-05-28
Lynxview JS interfaces Takeover via deeplink traversal
TikTok Cross-site Scripting (XSS) - DOM (CWE-79)
High
2024-05-24
Any user could upload attachments to pentest scoping form they don't have access to
HackerOne Business Logic Errors (CWE-840)
High
2024-05-15
Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash
Internet Bug Bounty Uncontrolled Resource Consumption (CWE-400)CVE-2024-27983
High
2024-04-29
Remote vulnerabilities in spp
PlayStation Classic Buffer Overflow (CWE-120)CVE-2006-4304
High
2024-04-25
Denial of Service caused by HTTP/2 CONTINUATION Flood
Internet Bug Bounty Uncontrolled Resource Consumption (CWE-400)CVE-2024-24549
High
2024-04-22
Docker Secret Disclosure via GitHub Actions Cache Poisoning
Linux Foundation Decentralized Trust Information Disclosure (CWE-200)
High
2024-04-20
"Assertion failed" in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash
Node.js Uncontrolled Resource Consumption (CWE-400)CVE-2024-27983
High
2024-04-08
Reflected XSS on Pangle Endpoint
TikTok Cross-site Scripting (XSS) - Reflected (CWE-79)
High
2024-04-05
Race Condition Enables Bypassing Verification Check
Tools for Humanity Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') (CWE-362)
High
2024-04-04
[portswigger.net] Path Traversal al /cms/audioitems
PortSwigger Web Security Path Traversal (CWE-22)
High
2024-04-04
CVE-2024-27281: RCE vulnerability with .rdoc_options in RDoc
Internet Bug Bounty CVE-2024-27281
High
2024-03-29
Libuv: Improper Domain Lookup that potentially leads to SSRF attacks
Internet Bug Bounty Server-Side Request Forgery (SSRF) (CWE-918)CVE-2024-24806
High
2024-03-29
Improper Authentication (Login without Registration with any user) at ████
U.S. Dept Of Defense Improper Authentication - Generic (CWE-287)
High
2024-03-22
DBMS information getting exposed publicly on -- [ ██████████ ]
U.S. Dept Of Defense Insecure Storage of Sensitive Information (CWE-922)
High
2024-03-22
Authentication Bypass with usage of PreSignedURL
ownCloud Improper Access Control - Generic (CWE-284)
High
2024-03-22
setuid() does not drop all privileges due to io_uring
Node.js Privilege Escalation (CAPEC-233)CVE-2024-22017
High
2024-03-16
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895