Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports

12,219

CVE-linked

1,854

Programs

342

New This Week

Severity: All Critical High Medium Low

Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375

Local File Read vulnerability on ██████████ [HtUS]

U.S. Dept Of Defense PHP Local File Inclusion (CAPEC-252)

High

2023-01-06

CSRF to ATO at https://█████/user/account [HtUS]

U.S. Dept Of Defense Cross-Site Request Forgery (CSRF) (CWE-352)

High

2023-01-06

CVE-2022-40127: RCE in Apache Airflow <2.4.0 bash example

Internet Bug Bounty Code Injection (CWE-94)CVE-2022-40127

High

2023-01-05

Address Bar Spoofing on TOR Browser

Tor Phishing (CAPEC-98)

High

2023-01-02

S3 bucket takeover [learn2.khanacademy.org]

Khan Academy

High

2022-12-29

Account takeover - improper validation of jwt signature (with regards to experiation date claim)

Linktree Improper Authorization (CWE-285)

High

2022-12-26

Mass account takeover!

Stripe Misconfiguration (CWE-16)

High

2022-12-21

Cross-site scripting on algorithm collaborator

Quantopian Cross-site Scripting (XSS) - Stored (CWE-79)

High

2022-12-21

Email Verification Bypass Allows Users to Add & verify Any Email As Guardians Email

Khan Academy Privilege Escalation (CAPEC-233)

High

2022-12-17

LFI at http://www.████

Sony Command Injection - Generic (CWE-77)

High

2022-12-16

[MK8DX] Improper verification of Competition creation allows to create "Official" competitions

Nintendo Improper Access Control - Generic (CWE-284)

High

2022-12-15

ReDoS (Rails::Html::PermitScrubber.scrub_attribute)

Internet Bug Bounty CVE-2022-23514

High

2022-12-14

Insecure use of shell.openExternal() leads to RCE in Rocket.Chat-Desktop

Rocket.Chat OS Command Injection (CWE-78)CVE-2022-44567

High

2022-12-08

SQL Injection on [█████████]

Sony SQL Injection (CWE-89)

High

2022-12-07

Unauthorized access to resumes stored on LinkedIn

LinkedIn Insecure Direct Object Reference (IDOR) (CWE-639)

High

2022-12-07

Double evaluation in .bash_prompt of dotfiles allows a malicious repository to execute arbitrary commands

Ian Dunn

High

2022-12-01

Any organization's assets pending review can be downloaded

HackerOne Information Disclosure (CWE-200)

High

2022-11-29

RubyのCGIライブラリにHTTPレスポンス分割（HTTPヘッダインジェクション）があり、秘密情報が漏洩する

Ruby HTTP Response Splitting (CWE-113)CVE-2021-33621 CVE-2019-16254

High

2022-11-24

Ability to bypass locked Cloudflare WARP on wifi networks.

Cloudflare Public Bug Bounty Client-Side Enforcement of Server-Side Security (CWE-602)CVE-2022-3512

High

2022-11-16

CSP-bypass XSS in project settings page

GitLab Cross-site Scripting (XSS) - Generic (CWE-79)

High

2022-11-16

Top Weakness Types

Most Active Programs

Program	Reports	Max $
U.S. Dept Of Defense	896	—
Internet Bug Bounty	817	—
HackerOne	609	—
Nextcloud	582	—
Shopify	464	—
curl	439	—
Node.js third-party modules	307	—
GitLab	258	—
X / xAI	250	$2,500
Uber	239	$9,895

Goal Reached Thanks to every supporter — we hit 100%!

Bug Bounty Intelligence