Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
14
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
[Critical Data Breach] Exposure of PII Data Leak via API Response
U.S. Dept Of Defense Cleartext Storage of Sensitive Information (CWE-312)
Critical
2026-01-12
DNN - Unrestricted Arbitrary File Upload #████████
U.S. Dept Of Defense File Content Injection (CAPEC-23)CVE-2025-64095
Critical
2026-01-12
GlobalProtect - OS Command Injection #█████████
U.S. Dept Of Defense OS Command Injection (CWE-78)CVE-2024-3400
Critical
2026-01-12
Heap Out-of-Bounds Read in lib/http2.c via Malformed PUSH_PROMISE Headers
curl Out-of-bounds Read (CWE-125)
High
2026-01-10
CRLF Injection in HTTP header values allows arbitrary header injection
curl CRLF Injection (CWE-93)
None
2026-01-10
State Isolation Failure in Multiplexed Connections (Shared Auth Context)
curl Exposure of Data Element to Wrong Session (CWE-488)
Critical
2026-01-08
Stack Buffer Overflow in mprintf.c formatting function (fallback path)
curl Classic Buffer Overflow (CWE-120)
High
2026-01-08
inconsistently Rejection Logic in file:// URLs with Authority
curl Path Traversal (CWE-22)
Low
2026-01-08
SQL injection identified on IBM endpoint.
IBM SQL Injection (CWE-89)
Critical
2026-01-07
CVE-2025-14524: bearer token leak on cross-protocol redirect
curl Insufficiently Protected Credentials (CWE-522)CVE-2025-14524
Low
2026-01-07
CVE-2025-15079: libssh global knownhost override
curl Improper Validation of Certificate with Host Mismatch (CWE-297)CVE-2025-15079
Low
2026-01-07
CVE-2025-15224: libssh key passphrase bypass without agent set
curl CVE-2025-15224
Low
2026-01-07
Postgres Admin Username and Password in Plain text
UPchieve Insecure Storage of Sensitive Information (CWE-922)
Low
2026-01-06
Non-Production API Endpoints for the AI Ops Service Fails to Log to CloudTrail Resulting in Silent Permission Enumeration
AWS VDP Insufficient Logging (CWE-778)
Medium
2026-01-06
MQTT: Missing upper bound on incoming Remaining Length allows server-controlled long wait
curl Uncontrolled Resource Consumption (CWE-400)
Low
2026-01-06
AWS Auto Scaling Service Reporting "AWS Internal" for CloudTrail Events Generated from Specific Endpoints
AWS VDP Insufficient Logging (CWE-778)
Medium
2026-01-05
Stored XSS via SVG Upload in chat.line.biz
LY Corporation
Low
2026-01-05
Path Traversal in curl file:// Protocol Handler Allows Unauthorized File Access
curl Path Traversal (CWE-22)CVE-2021-22901
High
2026-01-04
Alt-Svc bypasses credential leak protection (CVE-2018-1000007)
curl Information Exposure Through Sent Data (CWE-201)CVE-2018-1000007
High
2026-01-04
Predictable proposal participant tokens enable unauthorized access and vote submission
Nextcloud Use of Insufficiently Random Values (CWE-330)CVE-2025-66511
Low
2026-01-04
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895