Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
14
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Heap buffer overflow in Curl_ipv4_resolve_r due to incorrect buffer alignment and size calculation on AmigaOS
curl
Unknown
2025-12-17
Second-Order XSS via javascript protocol in MCP Server Portal Apps leads to ATO
Cloudflare Public Bug Bounty Cross-site Scripting (XSS) - Stored (CWE-79)
Low
2025-12-16
Heap Overflow in cURL AmigaOS Socket Implementation
curl Heap Overflow (CWE-122)
Medium
2025-12-16
Curl Alt-Svc Parser Stack Buffer Overflow
curl Stack Overflow (CWE-121)
Medium
2025-12-16
Path Traversal Bypass in file:// URLs Due to Incomplete URL-Encoded Path Normalization
curl Path Traversal (CWE-22)
High
2025-12-15
testing hackerone functions
curl Improper Restriction of Authentication Attempts (CWE-307)
None
2025-12-13
Denial of Service (DoS) vulnerability in dedotdotify() URL path normalization
curl Uncontrolled Resource Consumption (CWE-400)
High
2025-12-13
Buffer Overflow in cURL Internal printf Function
curl Stack Overflow (CWE-121)
Critical
2025-12-12
Terminal Output Not Great
curl Improper Neutralization of Escape, Meta, or Control Sequences (CWE-150)
Low
2025-12-11
Certificate Hostname Validation Bypass via Leading Dot in Hostname
curl Improper Certificate Validation (CWE-295)
Medium
2025-12-09
Stack Buffer Overflow in cURL wolfSSL Backend (lib/vtls/wolfssl.c)
curl Stack Overflow (CWE-121)
Unknown
2025-12-09
curl built with GnuTLS backend defaults to weak crypto parameters
curl Inadequate Encryption Strength (CWE-326)
None
2025-12-08
Unauthenticated GraphQL access by prepending __schema to private operations
Enjin Authentication Bypass (CAPEC-115)
Medium
2025-12-05
Stored XSS Vulnerability via SVG File
Nextcloud Cross-site Scripting (XSS) - Stored (CWE-79)CVE-2025-66512
Medium
2025-12-05
Title: Use-After-Free in cURL Test Suite via Improper Cleanup of Global Handle
curl Use After Free (CWE-416)
High
2025-12-05
admin_audit does not log actions on files in a group folder
Nextcloud Insufficient Logging (CWE-778)CVE-2025-66552
Medium
2025-12-05
Deck app allowed user with "Can share" permission to modify permissions of other non-owners
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2025-66557
Medium
2025-12-05
Calendar app allowed booking appointments without the generated token
Nextcloud Insecure Direct Object Reference (IDOR) (CWE-639)CVE-2025-66546
Low
2025-12-05
Calendar attachments of local files are offered to downloaded
Nextcloud Improper Handling of Unexpected Data Type (CWE-241)CVE-2025-66550
Medium
2025-12-05
Missing ownership check in Tables app allows moving columns into tables of other users
Nextcloud Insecure Direct Object Reference (IDOR) (CWE-639)CVE-2025-66551
Medium
2025-12-05
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895