Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
14
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Program filter: automattic
Unauthenticated Private Messages DIsclosure via wordpress Rest API
Automattic Information Disclosure (CWE-200)
Medium
2022-08-04
Sensei LMS IDOR to send message
Automattic Insecure Direct Object Reference (IDOR) (CWE-639)
Low
2022-08-04
Site information's Display Name section vulnerable for XSS attacks and HTML Injections.
Automattic Cross-site Scripting (XSS) - Stored (CWE-79)
Low
2022-05-16
Reflected XSS due to vulnerable version of sockjs
Automattic Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2022-04-29
Stored XSS on the "www.intensedebate.com/extras-widgets" url at "Recent comments by" module with malicious blog url
Automattic Cross-site Scripting (XSS) - Stored (CWE-79)
Medium
2022-04-13
De-anonymize anonymous tips through the Tumblr blog network
Automattic Privacy Violation (CWE-359)
Medium
2022-02-21
SSRF & Blind XSS in Gravatar email
Automattic Cross-site Scripting (XSS) - Stored (CWE-79)
High
2022-01-17
Ability to subscribe to inactive Post+ creators
Automattic Business Logic Errors (CWE-840)
Low
2021-10-05
information disclosure lead to disclose users private notes
Automattic Information Disclosure (CWE-200)
Low
2021-02-25
Stored XSS in wordpress.com
Automattic Cross-site Scripting (XSS) - Stored (CWE-79)
High
2021-02-17
Non-changing "_idnonce" value leads to CSRF on accounts at https://intensedebate.com for account takeover
Automattic Cross-Site Request Forgery (CSRF) (CWE-352)
Low
2021-02-17
Stored XSS in Intense Debate comment system
Automattic Cross-site Scripting (XSS) - Stored (CWE-79)
High
2021-02-14
[sub.wordpress.com] - XSS when adjust block Poll - Confirmation Message - On submission:Redirect to another webpage - Redirect address:[xss_payload]
Automattic Cross-site Scripting (XSS) - Generic (CWE-79)
Medium
2021-02-11
[intensedebate.com] Open Redirect
Automattic Open Redirect (CWE-601)
None
2021-02-10
DOM-Based XSS in tumblr.com
Automattic Cross-site Scripting (XSS) - DOM (CWE-79)
Medium
2021-02-02
Unauthenticated access to webmail at maildev.happytools.dev leading to compromised wordpress site api.happytools.dev [RCE]
Automattic Information Disclosure (CWE-200)
High
2021-02-01
Reflected XSS in https://www.intensedebate.com/js/getCommentLink.php
Automattic Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2021-01-30
Permanent DoS at https://happy.tools/ when inviting a user
Automattic Uncontrolled Resource Consumption (CWE-400)
Medium
2021-01-29
[intensedebate.com] XSS Reflected POST-Based on update/tumblr2/{$id}
Automattic Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2021-01-23
[intensedebate.com] No Rate Limit On The report Functionality Lead To Delete Any Comment When it is enabled
Automattic Business Logic Errors (CWE-840)
High
2021-01-23
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895