Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1020 CNY

100%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,244
CVE-linked
1,864
Programs
343
New This Week
23
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 657 Improper Authentication - Generic 653 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Remote Code Execution in coming Kibana 7.7.0
Elastic Privilege Escalation (CAPEC-233)
Critical
2021-04-19
[wireguard-wrapper] Command Injection via insecure command concatenation
Node.js third-party modules Command Injection - Generic (CWE-77)
Critical
2021-04-16
RCE on TikTok Ads Portal
TikTok Code Injection (CWE-94)
Critical
2021-04-15
Password Reset link hijacking via Host Header Poisoning leads to account takeover
U.S. Dept Of Defense Privilege Escalation (CAPEC-233)
Critical
2021-04-02
Account takeover via XSS
Rocket.Chat Cross-site Scripting (XSS) - Stored (CWE-79)
Critical
2021-03-31
Critical Information disclosure of rtapi token for any user via https://video-support-staging.uber.com/video/api/getPopulousUser
Uber Information Disclosure (CWE-200)
Critical
2021-03-29
Server Side Request Forgery
Lark Technologies Server-Side Request Forgery (SSRF) (CWE-918)
Critical
2021-03-29
Unauth RCE on Jenkins Instance at https://█████████/
U.S. Dept Of Defense OS Command Injection (CWE-78)
Critical
2021-03-24
CVE-2021-26855 on ████████ resulting in SSRF
U.S. Dept Of Defense Server-Side Request Forgery (SSRF) (CWE-918)CVE-2021-26855
Critical
2021-03-24
SSRF due to CVE-2021-26855 on ████████
U.S. Dept Of Defense Server-Side Request Forgery (SSRF) (CWE-918)CVE-2021-26855
Critical
2021-03-24
Blind Stored XSS Payload fired at the backend on https://█████████/
U.S. Dept Of Defense Cross-site Scripting (XSS) - Stored (CWE-79)
Critical
2021-03-24
Multiple bugs leads to RCE on TikTok for Android
TikTok Improper Export of Android Application Components (CWE-926)
Critical
2021-03-17
RCE due to ImageTragick v2
pixiv Code Injection (CWE-94)
Critical
2021-03-16
HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion
Node.js Uncontrolled Resource Consumption (CWE-400)CVE-2021-22883
Critical
2021-03-15
Duplicate Entry of email leads to 500 Server Error which disclosing the SQL Database table information
Kartpay Information Disclosure (CWE-200)
Critical
2021-03-14
critical information disclosure
U.S. Dept Of Defense Information Disclosure (CWE-200)
Critical
2021-03-11
critical information disclosure
U.S. Dept Of Defense Information Disclosure (CWE-200)
Critical
2021-03-11
Blind Stored XSS on ███████ leads to takeover admin account
U.S. Dept Of Defense Cross-site Scripting (XSS) - Stored (CWE-79)
Critical
2021-03-11
Information Disclosure(PHPINFO/Credentials) on DoD Asset
U.S. Dept Of Defense Information Disclosure (CWE-200)
Critical
2021-03-11
Disclosure of Merchant_id into the source code without entered OTP code leads to Victims MID takeover.
Kartpay Information Disclosure (CWE-200)
Critical
2021-03-08
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817 $2,257
HackerOne609
Nextcloud583
Shopify464
curl457
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239