Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports

12,221

CVE-linked

1,854

Programs

342

New This Week

Severity: All Critical High Medium Low

Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375

Program filter: reddit✕

Open Redirect on www.redditinc.com via `failed` query param bypass after fixed bug #1257753

Reddit Open Redirect (CWE-601)

Medium

2022-09-30

IDOR allows an attacker to modify the links of any user

Reddit Insecure Direct Object Reference (IDOR) (CWE-639)

High

2022-09-30

Unrestricted File Upload on reddit.secure.force.com

Reddit CVE-2022-30190

Low

2022-09-30

XSS Reflected on reddit.com via url path

Reddit Cross-site Scripting (XSS) - Reflected (CWE-79)

High

2022-09-27

Open Redirect on www.redditinc.com via `failed` query param

Reddit Open Redirect (CWE-601)

Medium

2022-09-22

Getting access of mod logs from any public or restricted subreddit with IDOR vulnerability

Reddit Insecure Direct Object Reference (IDOR) (CWE-639)

High

2022-08-04

XSS in redditmedia.com can compromise data of reddit.com

Reddit Cross-site Scripting (XSS) - Stored (CWE-79)

Medium

2022-08-03

One-click account hijack for anyone using Apple sign-in with Reddit, due to response-type switch + leaking href to XSS on www.redditmedia.com

Reddit Improper Access Control - Generic (CWE-284)

Critical

2022-08-02

Can use the Reddit android app as usual even though revoking the access of it from reddit.com

Reddit Insufficient Session Expiration (CWE-613)

Critical

2022-07-16

Open Redirect through POST Request in www.redditinc.com

Reddit Open Redirect (CWE-601)

Medium

2022-07-08

Moderators can send messages to users from banned subreddits via `oauth.reddit.com/api/mod/conversations`

Reddit Improper Input Validation (CWE-20)

Low

2022-07-04

Able to approve admin approval and change effective status without adding payment details .

Reddit Business Logic Errors (CWE-840)

High

2022-06-22

CSRF (protection bypassed) to force a below 18 user into viewing an nsfw subreddit !

Reddit Cross-Site Request Forgery (CSRF) (CWE-352)

Medium

2022-06-16

Several Subdomains Takeover

High

2022-06-08

Misconfigurated login page able to lock login action for any account without user interaction

Critical

2022-06-06

Reflected xss in https://sh.reddit.com

Reddit Cross-site Scripting (XSS) - Reflected (CWE-79)

High

2022-05-08

Able to bypass email verification and change email to any other user email

Reddit Improper Access Control - Generic (CWE-284)

High

2022-05-06

Regular Expression Denial of Service vulnerability

Reddit Uncontrolled Resource Consumption (CWE-400)CVE-2021-32640

Medium

2022-04-12

registering with the same email address multiple times leads to account takeover

Reddit Improper Authentication - Generic (CWE-287)

Low

2022-03-14

XSS via Mod Log Removed Posts

Reddit Cross-site Scripting (XSS) - Stored (CWE-79)

High

2022-03-10

Top Weakness Types

Most Active Programs

Program	Reports	Max $
U.S. Dept Of Defense	896	—
Internet Bug Bounty	817	—
HackerOne	609	—
Nextcloud	582	—
Shopify	464	—
curl	440	—
Node.js third-party modules	307	—
GitLab	258	$13,950
X / xAI	250	$2,500
Uber	239	—

Goal Reached Thanks to every supporter — we hit 100%!

Bug Bounty Intelligence