Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1110 CNY

100%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,247
CVE-linked
1,864
Programs
343
New This Week
25
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 658 Improper Authentication - Generic 653 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Grinchs website takendown with various other exploits
h1-ctf Improper Restriction of Authentication Attempts (CWE-307)
Critical
2021-03-02
hackyholidays CTF Writeup
h1-ctf
Critical
2021-03-02
[Pre-Submission][H1-4420-2019] API access to Phabricator on code.uberinternal.com from leaked certificate in git repo
Uber Insecure Storage of Sensitive Information (CWE-922)
Critical
2021-02-25
RCE via npm misconfig -- installing internal libraries from the public registry
Uber Code Injection (CWE-94)
Critical
2021-02-24
Pre-auth Remote Code Execution on multiple Uber SSL VPN servers
Uber Command Injection - Generic (CWE-77)
Critical
2021-02-24
[manage.jumpbikes.com] Blind XSS on Jump admin panel via user name
Uber Cross-site Scripting (XSS) - Stored (CWE-79)
Critical
2021-02-23
SQL Injection in www.hyperpure.com
Eternal Code Injection (CWE-94)
Critical
2021-02-22
█████████ IDOR leads to disclosure of PHI/PII
U.S. Dept Of Defense Insecure Direct Object Reference (IDOR) (CWE-639)
Critical
2021-02-18
CVE-2020-6287 https://redapi2.acronis.com
Acronis Improper Access Control - Generic (CWE-284)CVE-2020-6287
Critical
2021-02-16
xmlrpc.php FILE IS enabled it will used for Bruteforce attack and Denial of Service(DoS)
BlockDev Sp. Z o.o Uncontrolled Resource Consumption (CWE-400)
Critical
2021-02-12
RCE on build server via misconfigured pip install
Yelp Download of Code Without Integrity Check (CWE-494)
Critical
2021-02-09
RCE via npm misconfig -- installing internal libraries from the public registry
PayPal Code Injection (CWE-94)
Critical
2021-02-09
Stored XSS & SSRF in Lark Docs
Lark Technologies Server-Side Request Forgery (SSRF) (CWE-918)
Critical
2021-02-05
Full account takeover on https://████████.mil
U.S. Dept Of Defense Improper Access Control - Generic (CWE-284)
Critical
2021-01-25
Taking Grinch Down To Save Holidays
h1-ctf SQL Injection (CWE-89)
Critical
2021-01-22
XSS in message attachment fileds.
Rocket.Chat Cross-site Scripting (XSS) - Stored (CWE-79)CVE-2020-8288
Critical
2021-01-17
Hackyholidays [ h1-ctf] writeup [mission:- stop the grinch ]
h1-ctf Improper Access Control - Generic (CWE-284)
Critical
2021-01-14
CTF Writeup
h1-ctf SQL Injection (CWE-89)
Critical
2021-01-14
h1-ctf : 12 days of hack holiday writeup
h1-ctf Information Disclosure (CWE-200)
Critical
2021-01-14
[curling] Remote Code Execution
Node.js third-party modules Command Injection - Generic (CWE-77)
Critical
2021-01-14
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817 $2,257
HackerOne609
Nextcloud584
Shopify464
curl457
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239