Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,222
CVE-linked
1,855
Programs
342
New This Week
3
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Navgraph confusion allows any 3p app to send and read requests from the server at app.hey.com
Basecamp Deserialization of Untrusted Data (CWE-502)
Medium
2024-07-09
Bypass network import restriction via data URL
Node.js Improper Access Control - Generic (CWE-284)CVE-2024-22020
Medium
2024-07-08
Incorrect Deep-link validation leading to unresponsive application and device
Flickr Improper Input Validation (CWE-20)
Medium
2024-07-06
IDOR may allow access to non-public photos
Flickr Insecure Direct Object Reference (IDOR) (CWE-639)
Medium
2024-07-06
Authentication & Registration Bypass in Newspack Extended Access
Automattic Improper Authentication - Generic (CWE-287)
Medium
2024-07-05
Unlimited fake rate to the passenger in city to city, Affected endpoint `/api/v1/reviews/ride/<ID>/driver`
inDrive Business Logic Errors (CWE-840)
Medium
2024-07-02
Reflected XSS of media.indrive.com
inDrive Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2024-07-02
CVE-2024-32760 in nginx
Internet Bug Bounty CVE-2024-32760
Medium
2024-07-01
CVE-2024-31079 in nginx
Internet Bug Bounty Stack Overflow (CWE-121)CVE-2024-31079
Medium
2024-07-01
CVE-2024-35200 in nginx
Internet Bug Bounty NULL Pointer Dereference (CWE-476)CVE-2024-35200
Medium
2024-07-01
[CVE-2024-32464] ActionText ContentAttachment’s can Contain Unsanitized HTML
Internet Bug Bounty Cross-site Scripting (XSS) - Stored (CWE-79)CVE-2024-32464
Medium
2024-06-30
sqli on █████████ search functionality
Mars SQL Injection (CWE-89)
Medium
2024-06-25
Attacker can add two free bags offered by the site at the same time.
Mars Business Logic Errors (CWE-840)
Medium
2024-06-25
Sqli on ██████ search functionality
Mars SQL Injection (CWE-89)
Medium
2024-06-25
Reflected xss on ████████
Mars Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2024-06-25
Account takeover using reset password link
Mars Open Redirect (CWE-601)
Medium
2024-06-25
S3 Bucket Takeover on apptio endpoint
IBM Improper Access Control - Generic (CWE-284)
Medium
2024-06-21
Ability to identify actual private from sandboxed programs using link hackerone.com/$handle/terms_acceptance_data.csv
HackerOne Improper Access Control - Generic (CWE-284)
Medium
2024-06-20
Notes app can be tricked into using a received share created before the user logged in
Nextcloud Business Logic Errors (CWE-840)CVE-2024-37317
Medium
2024-06-19
"package_name" can be set as desired when submitting a Pentest Opportunity form
HackerOne Improper Access Control - Generic (CWE-284)
Medium
2024-06-19
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud583
Shopify464
curl440
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239