Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,240
CVE-linked
1,863
Programs
342
New This Week
20
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 657 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Avatar image upload and bypass real image verification
Nextcloud Violation of Secure Design Principles (CWE-657)
Unknown
2017-01-15
URI scheme bypass in mail app lead to HTML content spoof and opener control
Nextcloud Violation of Secure Design Principles (CWE-657)
Unknown
2017-01-12
Vulnerable Javascript library
CodeIgniter Violation of Secure Design Principles (CWE-657)
None
2017-01-10
[iOS/Android] Address Bar Spoofing Vulnerability
Brave Software Violation of Secure Design Principles (CWE-657)CVE-2016-9473
Unknown
2017-01-08
Content Injection error page
Coinbase Violation of Secure Design Principles (CWE-657)
Unknown
2017-01-05
Deleting Key-value pair from Frozen HASH or Clearing a Frozen HASH
shopify-scripts Violation of Secure Design Principles (CWE-657)
None
2017-01-05
Username can be used to trick the victim on the name of www.gratipay.com
Gratipay Violation of Secure Design Principles (CWE-657)
Unknown
2016-12-30
Username Restriction is not applied for reserved folders
Gratipay Violation of Secure Design Principles (CWE-657)
Unknown
2016-12-30
HTTP OPTION Method is Enabled on portswigger.net
PortSwigger Web Security Violation of Secure Design Principles (CWE-657)
Low
2016-12-27
Bypass rate limiting on /users/password (possibly site-wide rate limit bypass?)
HackerOne Violation of Secure Design Principles (CWE-657)
None
2016-12-08
[Nextcloud 9.0.53] Content Spoofing in 'trustDomain' parameter
Nextcloud Violation of Secure Design Principles (CWE-657)
Unknown
2016-12-05
Login Hints on Admin Panel
Nextcloud Violation of Secure Design Principles (CWE-657)
Medium
2016-12-05
Content (Text) Injection at NextCloud Server 9.0.52 - via http://custom_nextcloud_url/remote.php/dav/files/
Nextcloud Violation of Secure Design Principles (CWE-657)CVE-2016-9468
Low
2016-12-02
ByPassing the email Validation Email on Sign up process in mobile apps
Coinbase Violation of Secure Design Principles (CWE-657)
Unknown
2016-11-28
Access to Amazon S3 bucket
DigitalSellz Violation of Secure Design Principles (CWE-657)
Unknown
2016-11-27
No CAPTCHA ia exist in pages
Ian Dunn Violation of Secure Design Principles (CWE-657)
None
2016-11-23
Bypass the resend limit in Send Invites
Pushwoosh Violation of Secure Design Principles (CWE-657)
Medium
2016-11-22
Missing Rate limiting for sensitive actions (like "forgot password") and reCaptcha error.
bitaccess Violation of Secure Design Principles (CWE-657)
Unknown
2016-11-21
RC4 cipher suites detected on status.slack.com
Slack Violation of Secure Design Principles (CWE-657)
Unknown
2016-11-18
Runtime manipulation iOS app breaking the PIN
Coinbase Violation of Secure Design Principles (CWE-657)
Unknown
2016-11-16
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817 $2,257
HackerOne609 $1,500
Nextcloud583
Shopify464
curl455
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239