Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports

12,221

CVE-linked

1,854

Programs

342

New This Week

Severity: All Critical High Medium Low

Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375

Api data leak

Planet Labs Information Disclosure (CWE-200)

Medium

2024-11-20

RXSS in ███ via S parameter

Mars Cross-site Scripting (XSS) - Reflected (CWE-79)

Medium

2024-11-19

sensitive data-creds for database - private key

Mars Missing Encryption of Sensitive Data (CWE-311)

Medium

2024-11-19

CSRF in Delete Pet Function

Mars Cross-Site Request Forgery (CSRF) (CWE-352)

Medium

2024-11-19

Reflected XSS on formaction parameter

Mars Cross-site Scripting (XSS) - Reflected (CWE-79)

Medium

2024-11-19

A potential risk in the cloudFrontExtensionsConsole which can be used to privilege escalation.

AWS VDP Improper Access Control - Generic (CWE-284)

Medium

2024-11-19

Hackerone supports accounts organitation takeover

HackerOne

Medium

2024-11-19

Nextcloud Tables app - inserting rows to an arbitrary table possible

Nextcloud CVE-2024-52511

Medium

2024-11-17

User can copy locked folders and gain access to the contents

Nextcloud Improper Access Control - Generic (CWE-284)CVE-2024-52514

Medium

2024-11-16

Unauthenticated phpinfo()files could lead to ability file read at █████████

MTN Group Improper Access Control - Generic (CWE-284)

Medium

2024-11-15

Leaking VPN traffic through non-RFC1918 local IP addresses

Mozilla Cleartext Transmission of Sensitive Information (CWE-319)

Medium

2024-11-08

Potential XSS in redirect_url Parameter

Acronis Cross-site Scripting (XSS) - Reflected (CWE-79)

Medium

2024-11-06

CSRF in ticket function

TikTok Cross-Site Request Forgery (CSRF) (CWE-352)

Medium

2024-11-05

When curl uses Schannel as TLS backend, it fails to enforce TLS 1.3 cipher suite selections correctly

curl Business Logic Errors (CWE-840)

Medium

2024-11-04

Insecure Invitation Link Handling

ProductBoard, Inc.

Medium

2024-10-31

ReDoS Vulnerability in HTTP Accept Headers Parsing

Internet Bug Bounty CVE-2024-39316

Medium

2024-10-30

Bypassing HackerOne 2FA due to race condition

HackerOne Business Logic Errors (CWE-840)

Medium

2024-10-30

No rate limit in OTP code sending

MTN Group

Medium

2024-10-21

Information Leakage via Clicked Link in GitHub Repository (Fingerprinting)

GitHub Information Disclosure (CWE-200)CVE-2024-9539

Medium

2024-10-17

Circular based introspetion Query leading to single request denial of service and cost consumption and query cost on api.sorare.com/graphql

Sorare

Medium

2024-10-17

Top Weakness Types

Most Active Programs

Program	Reports	Max $
U.S. Dept Of Defense	896	—
Internet Bug Bounty	817	—
HackerOne	609	—
Nextcloud	582	—
Shopify	464	—
curl	440	—
Node.js third-party modules	307	—
GitLab	258	$13,950
X / xAI	250	$2,500
Uber	239	$9,895

Goal Reached Thanks to every supporter — we hit 100%!

Bug Bounty Intelligence