Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
9
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Leaks of username and password leads to CVE-2018-18862 exploitation
U.S. Dept Of Defense Improper Access Control - Generic (CWE-284)CVE-2018-18862
High
2023-06-02
Basic auth header on WebDAV requests is not bruteforce protected
Nextcloud Improper Restriction of Authentication Attempts (CWE-307)CVE-2023-32319
High
2023-06-02
Stored XSS via Kroki diagram
GitLab Cross-site Scripting (XSS) - Stored (CWE-79)
High
2023-06-02
Stored XSS in merge request pages
GitLab Cross-site Scripting (XSS) - Stored (CWE-79)
High
2023-05-30
Bypass validation parts in AWS IAM Authenticator for Kubernetes
Kubernetes Improper Authentication - Generic (CWE-287)
High
2023-05-25
[accounts.reddit.com] Redirect parameter allows for XSS
Reddit Cross-site Scripting (XSS) - Generic (CWE-79)
High
2023-05-18
CSRF to delete accounts [HtUS]
U.S. Dept Of Defense Cross-Site Request Forgery (CSRF) (CWE-352)
High
2023-05-15
LDAP Server NULL Bind Connection Information Disclosure
U.S. Dept Of Defense Improper Access Control - Generic (CWE-284)
High
2023-05-15
Reset password link sent over unsecured http protocol
Mattermost Improper Access Control - Generic (CWE-284)
High
2023-05-10
download file type warning on Windows does not appear if "ask where to save file before downloading" setting is enabled
Brave Software CVE-2023-28360
High
2023-05-10
NoSQL injection in listEmojiCustom method call
Rocket.Chat SQL Injection (CWE-89)CVE-2023-28359
High
2023-05-09
Moving private messages into vision with updateMessage method
Rocket.Chat Information Disclosure (CWE-200)CVE-2023-28325
High
2023-05-09
Insecure Direct Object Reference (IDOR) - Delete Campaigns
HackerOne Insecure Direct Object Reference (IDOR) (CWE-639)
High
2023-05-03
Blind SSRF to internal services in matrix preview_link API
Reddit Server-Side Request Forgery (SSRF) (CWE-918)
High
2023-04-26
ReDoS( Ruby, Time)
Internet Bug Bounty Uncontrolled Resource Consumption (CWE-400)CVE-2023-28756
High
2023-04-26
Authentication bypass on gist.github.com through SSH Certificates
GitHub Improper Access Control - Generic (CWE-284)CVE-2023-23761
High
2023-04-20
RichText parser vulnerability in scheduled posts allows XSS
Reddit Cross-site Scripting (XSS) - Stored (CWE-79)
High
2023-04-20
Unauthenticated Blind SSRF at https://█████ via xmlrpc.php file
U.S. Dept Of Defense Server-Side Request Forgery (SSRF) (CWE-918)
High
2023-04-14
A malicious actor could rotate tokens of a victim, given that he knows the victim's token ID
Cloudflare Public Bug Bounty Improper Access Control - Generic (CWE-284)
High
2023-04-13
UXss on brave browser via scan QR Code
Brave Software Cross-site Scripting (XSS) - Generic (CWE-79)CVE-2022-23258
High
2023-04-11
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895