Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
10
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Program filter: gsa_bbp
SQL injection in https://labs.data.gov/dashboard/datagov/csv_to_json via User-agent
GSA Bounty SQL Injection (CWE-89)
Critical
2019-03-22
Multiple Bugs in api.data.gov/signup endpoint leads to send custom messages to Anyone
GSA Bounty
Medium
2018-11-13
Redirect on authorization allows account compromise
GSA Bounty Improper Authentication - Generic (CWE-287)
Critical
2018-11-06
Defacement of catalog.data.gov via web cache poisoning to stored DOMXSS
GSA Bounty Cross-site Scripting (XSS) - Stored (CWE-79)
High
2018-11-01
[idp.fr.cloud.gov] Open Redirect
GSA Bounty Open Redirect (CWE-601)
Low
2018-11-01
SSH server compatible with several vulnerable cryptographic algorithms
GSA Bounty Use of a Broken or Risky Cryptographic Algorithm (CWE-327)
Medium
2018-03-02
CI for [example.gov] can be logged in and accessible
GSA Bounty Improper Access Control - Generic (CWE-284)
Critical
2018-02-07
Subdomain Takeover
GSA Bounty Privilege Escalation (CAPEC-233)
High
2017-11-28
2FA bypass - confirmation tokens don't expire
GSA Bounty Improper Access Control - Generic (CWE-284)
Medium
2017-11-17
Error Page Content Spoofing or Text Injection
GSA Bounty
Unknown
2017-11-17
CSRF in generating a new Personal Key
GSA Bounty Cross-Site Request Forgery (CSRF) (CWE-352)
Medium
2017-11-17
CSRF to change Account Security Keys on secure.login.gov
GSA Bounty Cross-Site Request Forgery (CSRF) (CWE-352)
Medium
2017-11-01
Cross-Site Request Forgery on the Federalist API (all endpoints), using Flash file on the attacker's host
GSA Bounty Cross-Site Request Forgery (CSRF) (CWE-352)
Medium
2017-09-27
Homo graphs attack
GSA Bounty Violation of Secure Design Principles (CWE-657)
None
2017-09-20
[api.data.gov] Leak Valid API With out Verification -
GSA Bounty Improper Authentication - Generic (CWE-287)
None
2017-09-20
Information disclosure (system username) in the x-amz-meta-s3cmd-attrs response header on federation.data.gov
GSA Bounty Information Disclosure (CWE-200)
Low
2017-09-16
Reflected XSS on the data.gov (WAF bypass+ Chrome XSS Auditor bypass+ works in all browsers)
GSA Bounty Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2017-09-15
HTML injection (with XSS possible) on the https://www.data.gov/issue/ using media_url attribute
GSA Bounty Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2017-09-15
Server Side Misconfiguration (EMAIL SPOOFING)
GSA Bounty Improper Authentication - Generic (CWE-287)
None
2017-09-14
Email Spoofing - SPF record set to Neutral
GSA Bounty Violation of Secure Design Principles (CWE-657)
None
2017-09-06
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895