Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,220
CVE-linked
1,854
Programs
342
New This Week
7
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Spoof Email with Hyperlink Injection via Invites functionality
Pushwoosh Violation of Secure Design Principles (CWE-657)
Low
2016-11-14
race condition in adding team members
Shopify Violation of Secure Design Principles (CWE-657)
Low
2016-11-10
More content spoofing through dir param in the files app
Nextcloud Violation of Secure Design Principles (CWE-657)CVE-2016-9467
Low
2016-11-04
Not clearing hex-decoded variable after usage in Authentication
Paragon Initiative Enterprises Violation of Secure Design Principles (CWE-657)
None
2016-11-03
Content spoofing due to the improper behavior of the 403 page in Private Server
Nextcloud Violation of Secure Design Principles (CWE-657)
None
2016-10-31
Bypass 8 chars password complexity with 6 chars only due to insecure password reset functionaliy
Legal Robot Violation of Secure Design Principles (CWE-657)
Unknown
2016-10-29
Missing DMARC record
Whisper Violation of Secure Design Principles (CWE-657)
Unknown
2016-10-28
Insecure 2FA/authentication implementation creates a brute force vulnerability
GitLab Violation of Secure Design Principles (CWE-657)
Unknown
2016-10-28
Login credentials transmitted in cleartext on index.rubygems.org
RubyGems Violation of Secure Design Principles (CWE-657)
Unknown
2016-10-17
Homograph attack
Brave Software Violation of Secure Design Principles (CWE-657)
Low
2016-10-14
Content spoofing in lookup.nextcloud.com
Nextcloud Violation of Secure Design Principles (CWE-657)
Low
2016-10-10
unsecured legalrobot.co.uk assets
Legal Robot Violation of Secure Design Principles (CWE-657)
Unknown
2016-10-05
DNSSEC misconfiguration
Skyliner Violation of Secure Design Principles (CWE-657)
Unknown
2016-09-30
Stealing users password (Limited Scenario)
Uber Violation of Secure Design Principles (CWE-657)
Unknown
2016-09-29
demo.nextcloud.com: Content spoofing due to default Apache Error Page
Nextcloud Violation of Secure Design Principles (CWE-657)
Unknown
2016-09-29
Issue in the implementation of captcha and race condition
VK.com Violation of Secure Design Principles (CWE-657)
Unknown
2016-09-29
Hacker.One Subdomain Takeover
HackerOne Violation of Secure Design Principles (CWE-657)
Low
2016-09-20
Brute force login and bypass locked account restrictions via iOS app
Instacart Violation of Secure Design Principles (CWE-657)
Unknown
2016-09-19
CSRF AT INVITING PEOPLE THOUGH PHONE NUMBER
Eternal Violation of Secure Design Principles (CWE-657)
Unknown
2016-09-14
Missing rel=noreferrer tag allows link in list to change url of currently open tab
Instacart Violation of Secure Design Principles (CWE-657)
Unknown
2016-09-12
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258 $1,730
X / xAI250 $2,500
Uber239 $9,895