Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
9
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
DOS: out of memory from gif through upload api
Mattermost Uncontrolled Resource Consumption (CWE-400)CVE-2022-3257
Low
2022-09-21
HTML Injection in email via Name field
HackerOne Cross-site Scripting (XSS) - Generic (CWE-79)
Low
2022-09-18
SSRF via potential filter bypass with too lax local domain checking
Nextcloud Server-Side Request Forgery (SSRF) (CWE-918)CVE-2022-39211
Low
2022-09-16
Information exposure in in guzzlehttp/guzzle (https://github.com/nextcloud/3rdparty/tree/master/guzzlehttp/guzzle)
Nextcloud Information Exposure Through Debug Information (CWE-215)CVE-2022-36074
Low
2022-09-16
CSRF in Changing User Verification Email
TikTok Cross-Site Request Forgery (CSRF) (CWE-352)
Low
2022-09-13
Access to arbitrary file of the Nextcloud Android app from within the Nextcloud Android app
Nextcloud Path Traversal (CWE-22)CVE-2022-39210
Low
2022-09-11
Modifying Sprunk vs eCola crew data
Rockstar Games Insecure Direct Object Reference (IDOR) (CWE-639)
Low
2022-09-06
IDOR Payments Status
Omise Business Logic Errors (CWE-840)
Low
2022-09-06
Exposed gitlab repo at https://adammanco.mtn.com/api/v4/projects
MTN Group Information Disclosure (CWE-200)
Low
2022-09-05
Brute force protections don't work
Nextcloud Privacy Violation (CWE-359)CVE-2022-31118
Low
2022-09-03
Password disclosure in initial setup of Mail App
Nextcloud Cleartext Storage of Sensitive Information (CWE-312)CVE-2022-31119
Low
2022-09-03
Federated share accepting/declining is not logged in audit log
Nextcloud Business Logic Errors (CWE-840)CVE-2022-31120
Low
2022-09-03
Wordpress users disclosure from json and xml file
MTN Group Information Disclosure (CWE-200)
Low
2022-09-02
API Key reported in #1465145 not rotated and thus is still valid and can be used by anyone
Adobe Cleartext Storage of Sensitive Information (CWE-312)
Low
2022-09-01
Any expired reset password link can still be used to reset the password
Acronis Improper Access Control - Generic (CWE-284)
Low
2022-09-01
Password reset tokens sent to CSP reporting endpoints
Snapchat Information Disclosure (CWE-200)
Low
2022-08-31
CVE-2022-35252: control code in cookie denial of service
curl Improper Input Validation (CWE-20)CVE-2022-35252
Low
2022-08-31
Blind SSRF on platform.dash.cloudflare.com Due to Sentry misconfiguration
Cloudflare Public Bug Bounty Server-Side Request Forgery (SSRF) (CWE-918)
Low
2022-08-31
Golang expvar Information Disclosure
Uber Information Exposure Through Debug Information (CWE-215)
Low
2022-08-24
IDOR on TikTok Seller
TikTok Insecure Direct Object Reference (IDOR) (CWE-639)
Low
2022-08-16
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895