Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
9
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Account creation with invalid email addresses / email is accepting % and %0d%0a line termination chars
HackerOne Violation of Secure Design Principles (CWE-657)
Low
2024-02-04
Vulnerability Report: NO RATE LIMIT Password RESET
Trellix Improper Authentication - Generic (CWE-287)
Low
2024-02-02
CORS Misconfiguration on █████
Publitas
Low
2024-01-31
CVE-2024-0853: OCSP verification bypass with TLS session reuse
curl Improper Check for Certificate Revocation (CWE-299)CVE-2024-0853
Low
2024-01-31
No CSRF protection when adding an item to cart
Mars Cross-Site Request Forgery (CSRF) (CWE-352)
Low
2024-01-30
Pickle deserialization vulnerability in XComs
Internet Bug Bounty Deserialization of Untrusted Data (CWE-502)
Low
2024-01-29
Html injection in event Description
LinkedIn Improper Input Validation (CWE-20)
Low
2024-01-29
Reflected XSS on help.shopify.com
Shopify Cross-site Scripting (XSS) - Reflected (CWE-79)
Low
2024-01-25
curl HSTS long file name clears contents
Internet Bug Bounty Missing Encryption of Sensitive Data (CWE-311)
Low
2024-01-20
Cookie headers are not cleared in cross-domain redirect in undici-fetch
Internet Bug Bounty Information Disclosure (CWE-200)CVE-2023-45143
Low
2024-01-20
Open redirect in user_saml via RelayState parameter
Nextcloud Open Redirect (CWE-601)CVE-2024-22400
Low
2024-01-18
Reflected XSS on https://travel.line.me
LY Corporation Cross-site Scripting (XSS) - Reflected (CWE-79)
Low
2024-01-18
[h1-2102] [Oberlo] Least privileged user can cancel account owner's subscription via POST on /payments/subscribe
Shopify Improper Access Control - Generic (CWE-284)
Low
2024-01-17
Exposure of account recovery hint by querying by user email
Mozilla Exposure of Sensitive Information Due to Incompatible Policies (CWE-213)
Low
2024-01-11
Blind SSRF in Mail App
Nextcloud Server-Side Request Forgery (SSRF) (CWE-918)CVE-2023-48307
Low
2024-01-10
Text Injection/ Content Spoofing on https://cloud.e.khanacademy.org by breaking out of input tag.
Khan Academy Violation of Secure Design Principles (CWE-657)
Low
2023-12-22
Admins can change authentication details of user configured external storage
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2023-48303
Low
2023-12-21
App PIN code can be bypassed in Files iOS
Nextcloud Improper Authentication - Generic (CWE-287)CVE-2023-49790
Low
2023-12-18
Web API key registration allows registering multiple keys by reusing `request_id`
Valve
Low
2023-12-12
Authentication Bypass to (CVE-2023-2982)
CS Money Authentication Bypass Using an Alternate Path or Channel (CWE-288)CVE-2023-2982
Low
2023-12-08
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895