Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1020 CNY

100%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,244
CVE-linked
1,864
Programs
343
New This Week
23
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 657 Improper Authentication - Generic 653 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
No Security check at changing password and at adding mobile number which leads to account takeover and spam
Khan Academy Violation of Secure Design Principles (CWE-657)
Medium
2017-02-21
[wave.informatica.com]- Subdomain missconfiguration
Informatica Violation of Secure Design Principles (CWE-657)
Medium
2017-02-19
QuickTime Promotion on a DoD website
U.S. Dept Of Defense Violation of Secure Design Principles (CWE-657)
Low
2017-02-15
Email Spoofing
PortSwigger Web Security Violation of Secure Design Principles (CWE-657)
Low
2017-02-14
API: Bug in method auth.signup , дающий возможность бесконечно звонить
VK.com Violation of Secure Design Principles (CWE-657)
Unknown
2017-02-13
Missing SPF Flags on nextcloud.com
Nextcloud Violation of Secure Design Principles (CWE-657)
Unknown
2017-02-10
X.509 certificate validation fails on international vanity domains
Yelp Violation of Secure Design Principles (CWE-657)
None
2017-02-06
Restricted file access when it exists in old versions of task or wiki document
Phabricator Violation of Secure Design Principles (CWE-657)
Unknown
2017-02-06
Enumerating emails through "Forgot Password" form
Phabricator Violation of Secure Design Principles (CWE-657)
Unknown
2017-02-06
cloudup Subdomain Takeover That resolves to Desk.com ( CNAME cloudup.desk.com )
Automattic Violation of Secure Design Principles (CWE-657)
Medium
2017-02-02
Securing "Reset password" pages from bots
Vimeo Violation of Secure Design Principles (CWE-657)
Unknown
2017-01-31
Subdomain take over signup.websummit
WebSummit Violation of Secure Design Principles (CWE-657)
Unknown
2017-01-29
Email Spoofing
Nextcloud Violation of Secure Design Principles (CWE-657)
Unknown
2017-01-25
Email Spoofing
Bumble Violation of Secure Design Principles (CWE-657)
Low
2017-01-24
[Screenhero] Subdomain takeover
Slack Violation of Secure Design Principles (CWE-657)
Unknown
2017-01-21
Email spoofing possible via Legal Robot domain
Legal Robot Violation of Secure Design Principles (CWE-657)
Unknown
2017-01-21
Validation bypass on user profile
Legal Robot Violation of Secure Design Principles (CWE-657)
Unknown
2017-01-20
No user confirmation when an auto-updated extension gets more permissions
Brave Software Violation of Secure Design Principles (CWE-657)
Low
2017-01-20
Text injection on Auth problem at urbandictionary.com
Urban Dictionary Violation of Secure Design Principles (CWE-657)
Unknown
2017-01-17
HTTP-Basic Authentication on logs.nextcloud.com
Nextcloud Violation of Secure Design Principles (CWE-657)
Unknown
2017-01-17
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817 $2,257
HackerOne609
Nextcloud583
Shopify464
curl457
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239