Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
9
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Permission model bypass by specifying a path traversal sequence in a buffer,
Node.js Path Traversal (CWE-22)CVE-2023-32004
High
2023-08-11
DNS rebinding in --inspect (again) via invalid IP addresses
Node.js OS Command Injection (CWE-78)CVE-2022-32212
High
2023-08-11
Nginx Alias Traversal - babel.bluetab.net
IBM Path Traversal (CWE-22)
High
2023-08-11
IDOR in channel ID leads to customer email disclosure on https://video.ibm.com
IBM Information Disclosure (CWE-200)
High
2023-08-11
[WiiU/Switch] Remote code execution inside the ENL library
Nintendo Classic Buffer Overflow (CWE-120)
High
2023-08-11
New AppPassword can be generated without password confirmation
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2023-39963
High
2023-08-10
Waketime Payment Gateway Vulnerability
WakaTime Missing Encryption of Sensitive Data (CWE-311)
High
2023-08-05
Privilege Escalation in kOps using GCE/GCP Provider
Kubernetes Privilege Escalation (CAPEC-233)
High
2023-08-04
Plaintext leakage of DNS requests in Windows 1.1.1.1 WARP client
Cloudflare Public Bug Bounty Cleartext Transmission of Sensitive Information (CWE-319)CVE-2023-2754
High
2023-08-03
XMLRPC does not limit deserializable classes.
Ruby Deserialization of Untrusted Data (CWE-502)
High
2023-08-01
Steam Deck Single Click Root Remote Code Execution
Valve
High
2023-08-01
Argument/Code Injection via ActiveStorage's image transformation functionality
Ruby on Rails Code Injection (CWE-94)CVE-2022-21831
High
2023-07-28
ReDoS in Rack::Multipart
Ruby on Rails CVE-2022-30122
High
2023-07-28
XSS on rockstargames.com
Rockstar Games Cross-site Scripting (XSS) - Generic (CWE-79)
High
2023-07-25
Password reset endpoint is not brute force protected
Nextcloud Improper Restriction of Authentication Attempts (CWE-307)CVE-2023-35172
High
2023-07-21
Process-based permissions can be bypassed with the "inspector" module.
Node.js Improper Access Control - Generic (CWE-284)CVE-2023-30587
High
2023-07-20
Filesystem experimental permissions policy does not handle path traversal cases.
Node.js Path Traversal (CWE-22)CVE-2023-30584
High
2023-07-20
The use of __proto__ in process.mainModule.__proto__.require() bypasses the permission system in Node v19.6.1
Node.js Privilege Escalation (CAPEC-233)CVE-2023-30581
High
2023-07-20
An IDOR that can lead to enumeration of a user and disclosure of email and phone number within cashier
Unikrn Insecure Direct Object Reference (IDOR) (CWE-639)
High
2023-07-17
Subscription check bypass of NordVPN service
Nord Security Improper Authorization (CWE-285)
High
2023-07-17
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895