Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,220
CVE-linked
1,854
Programs
342
New This Week
7
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Invalid request may lead content spoofing for phishing
Nextcloud Violation of Secure Design Principles (CWE-657)
Unknown
2017-04-12
javascript: and mailto: links are allowed in JIRA integration settings
HackerOne Violation of Secure Design Principles (CWE-657)
Low
2017-04-10
Example HackerOne security@ forward domain is not registered
HackerOne Violation of Secure Design Principles (CWE-657)
Unknown
2017-04-10
SSLv3 POODLE Vulnerability
Rockstar Games Violation of Secure Design Principles (CWE-657)
Low
2017-04-09
HTTP trace method is enabled on gip.rocks
Gratipay Violation of Secure Design Principles (CWE-657)
Medium
2017-04-08
Inadequate/dangerous jQuery behavior
Gratipay Violation of Secure Design Principles (CWE-657)
Low
2017-04-05
An unsafe design practice in the Passphrase may result in Secret being accidentally changed.
Phabricator Violation of Secure Design Principles (CWE-657)
High
2017-04-04
Content Spoofing or Text Injection in (403 forbidden page injection) and Nginx version disclosure via response header
Ubiquiti Inc. Violation of Secure Design Principles (CWE-657)
Low
2017-04-03
HTTP trace method is enabled on aspen.io
Gratipay Violation of Secure Design Principles (CWE-657)
Low
2017-03-31
READ .svg files by changing .svg into .png extension
Instacart Violation of Secure Design Principles (CWE-657)
Unknown
2017-03-29
Site configured improperly at subdomain of lyst.co.uk
Lyst Violation of Secure Design Principles (CWE-657)
Unknown
2017-03-29
Google Analytics could be used as CSP bypass for data exfiltration on hackerone.com
HackerOne Violation of Secure Design Principles (CWE-657)
Low
2017-03-26
HTML Injection/Load Images vulnerability on a DoD website
U.S. Dept Of Defense Violation of Secure Design Principles (CWE-657)
Medium
2017-03-16
No rate limit for Referral Program
Algolia Violation of Secure Design Principles (CWE-657)
Unknown
2017-03-12
Content Spoofing in "files" app
Nextcloud Violation of Secure Design Principles (CWE-657)CVE-2017-0888
Low
2017-03-06
URL Given leading to end users ending up in malicious sites
Gratipay Violation of Secure Design Principles (CWE-657)
Medium
2017-03-01
Brute Force Attack against PIN on Card History Page Could Lead to Card Information Discovery / Fraud
Starbucks Violation of Secure Design Principles (CWE-657)
None
2017-02-28
Stealing xoxs-tokens using weak postMessage / call-popup redirect to current team domain
Slack Violation of Secure Design Principles (CWE-657)
Unknown
2017-02-28
Report redaction doesn't apply to report title update activities
HackerOne Violation of Secure Design Principles (CWE-657)
Low
2017-02-25
Mixed Active content issue on https://www.lyst.com
Lyst Violation of Secure Design Principles (CWE-657)
Low
2017-02-22
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258 $1,730
X / xAI250 $2,500
Uber239 $9,895