Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,222
CVE-linked
1,855
Programs
342
New This Week
4
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
CSP-bypass XSS in project settings page
GitLab Cross-site Scripting (XSS) - Generic (CWE-79)
High
2022-11-16
XSS: `v-safe-html` is not safe enough
GitLab Cross-site Scripting (XSS) - Generic (CWE-79)
High
2022-11-16
New /add_contacts /remove_contacts quick commands susseptible to XSS from Customer Contact firstname/lastname fields
GitLab Cross-site Scripting (XSS) - Stored (CWE-79)CVE-2022-1948
High
2022-11-16
Admin can create a hidden admin account which even the owner can not detect and remove and do administrative actions on the application.
Reddit Improper Access Control - Generic (CWE-284)
High
2022-11-14
Subdomain takeover at http://test.www.midigator.com
Equifax-vdp Privilege Escalation (CAPEC-233)
High
2022-11-12
Business Suite "Get Leads" Resulting in Revealing User Email & Phone
TikTok Insecure Direct Object Reference (IDOR) (CWE-639)
High
2022-11-10
sensitive data exposure
Reddit Insecure Storage of Sensitive Information (CWE-922)
High
2022-11-10
I found another way to bypass Cloudflare Warp lock!
Cloudflare Public Bug Bounty Client-Side Enforcement of Server-Side Security (CWE-602)CVE-2022-3321
High
2022-11-07
Completely remove VPN profile from locked WARP iOS cient.
Cloudflare Public Bug Bounty Client-Side Enforcement of Server-Side Security (CWE-602)CVE-2022-3337
High
2022-11-07
DOS via issue preview
GitLab Uncontrolled Resource Consumption (CWE-400)
High
2022-11-04
XSS in SocialIcon Link
Linktree Cross-site Scripting (XSS) - Stored (CWE-79)
High
2022-10-31
Accessing/Editing Folders of Other Users in the Orginisation.
Lark Technologies Improper Access Control - Generic (CWE-284)
High
2022-10-29
Subdomain takeover on 'de-headless.staging.gymshark.com'
Gymshark Misconfiguration (CWE-16)
High
2022-10-27
Weak randomness in WebCrypto keygen
Node.js Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CWE-338)CVE-2022-35255
High
2022-10-26
Mass Accounts Takeover Without any user Interaction at https://app.taxjar.com/
Stripe Authentication Bypass Using an Alternate Path or Channel (CWE-288)
High
2022-10-19
User information disclosed via API
U.S. General Services Administration Information Disclosure (CWE-200)
High
2022-10-19
Otp bypass in verifying nin
MTN Group Improper Authentication - Generic (CWE-287)
High
2022-10-17
Authentication bypass leads to Information Disclosure at U.S Air Force "https://███"
U.S. Dept Of Defense Improper Access Control - Generic (CWE-284)
High
2022-10-14
Broken access discloses users and PII at https://███████ [HtUS]
U.S. Dept Of Defense Improper Access Control - Generic (CWE-284)
High
2022-10-14
[hta3] Chain of ESI Injection & Reflected XSS leading to Account Takeover on [███]
U.S. Dept Of Defense Cross-site Scripting (XSS) - Reflected (CWE-79)
High
2022-10-14
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud583
Shopify464
curl440
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239