漏洞赏金情报

数据来源：HackerOne 公开披露报告 · 每 6 小时更新

浏览 HackerOne 平台公开披露的漏洞赏金报告，按严重程度、漏洞类型或目标项目筛选，关联 CVE 编号。

已披露报告

12,219

关联 CVE

1,854

参与项目数

342

近 7 天新增

14

严重度: All Critical High Medium Low

类型: 全部 Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375

项目筛选：stripo✕

Permanent DOS for new users!

Stripo Inc Uncontrolled Resource Consumption (CWE-400)

High

2020-12-21

No rate limiting for confirmation email lead to huge Mass mailings

Stripo Inc Business Logic Errors (CWE-840)

Medium

2020-12-11

SSRF external interaction

Stripo Inc Server-Side Request Forgery (SSRF) (CWE-918)

Low

2020-12-11

Non-revoked API Key Disclosure in a Disclosed API Key Disclosure Report on Stripo

Stripo Inc Cleartext Storage of Sensitive Information (CWE-312)

Medium

2020-12-04

No rate limiting for subscribe email + lead to Cross origin misconfiguration

Stripo Inc Business Logic Errors (CWE-840)

Medium

2020-11-30

Race condition on my.stripo.email at /cabinet/stripeapi/v1/projects/298427/emails/folders uri

Stripo Inc Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') (CWE-362)

Medium

2020-11-09

weak password poilicy in signup password leak to account takeover

Stripo Inc Violation of Secure Design Principles (CWE-657)

None

2020-10-16

SSL cookie without secure flag set

Medium

2020-10-13

Public and secret api key leaked in JavaScript source

Stripo Inc Cleartext Storage of Sensitive Information (CWE-312)

Medium

2020-09-29

No CSRF Protection in Resend Confirmation Email feature leads to Sending Unwanted Email in Victim's Inbox without knowing Victim's email address

Stripo Inc Cross-Site Request Forgery (CSRF) (CWE-352)

Medium

2020-09-08

Cross-Site WebSocket Hijacking Lead to Steal XSRF-TOKEN

Stripo Inc Improper Access Control - Generic (CWE-284)

High

2020-07-27

Integer Overflow (CVE_2017_7529)

Stripo Inc Integer Overflow (CWE-190)CVE-2017-7529

Medium

2020-07-13

SSRF via Export Service in ActiveCampaign

Stripo Inc Server-Side Request Forgery (SSRF) (CWE-918)

High

2020-07-13

[www.stripo.email] There is no rate limit for /it/contact-us/ endpoints

Stripo Inc Improper Authentication - Generic (CWE-287)

Low

2020-07-03

multiple email usage -my.stripo.email-

Stripo Inc Improper Access Control - Generic (CWE-284)

Medium

2020-07-03

[www.stripo.email] You can bypass the speed limit by changing the IP.

Stripo Inc Information Exposure Through Debug Information (CWE-215)

Medium

2020-06-30

SSRF in my.stripo.email

Stripo Inc Server-Side Request Forgery (SSRF) (CWE-918)

High

2020-06-30

[www.stripo.email] There is no rate limit for contact-us endpoints

Stripo Inc Improper Authorization (CWE-285)

Low

2020-05-26

CORS on my.stripo.email

Unknown

2020-04-28

[www.stripo.email] You can override the speed limit by adding the X-Forwarded-For header.

Stripo Inc Improper Authorization (CWE-285)

Medium

2020-04-23

高频漏洞类型

最活跃项目

项目	报告数	最高赏金
U.S. Dept Of Defense	896	—
Internet Bug Bounty	817	—
HackerOne	609	—
Nextcloud	582	—
Shopify	464	—
curl	439	—
Node.js third-party modules	307	—
GitLab	258	—
X / xAI	250	$2,500
Uber	239	$9,895