Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,250
CVE-linked
1,865
Programs
343
New This Week
6
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 658 Improper Authentication - Generic 653 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Reflected XSS via Moodle on ███ [CVE-2022-35653]
U.S. Dept Of Defense Cross-site Scripting (XSS) - Reflected (CWE-79)CVE-2022-35653
Medium
2024-05-03
SQL injection on ██████████ via 'where' parameter
U.S. Dept Of Defense SQL Injection (CWE-89)
Medium
2024-05-03
HTTP Request Smuggling via Content Length Obfuscation
Node.js HTTP Request Smuggling (CWE-444)CVE-2024-27982
Medium
2024-05-03
Code exec on Github runner via Pull request name
Linux Foundation Decentralized Trust Code Injection (CWE-94)
Medium
2024-04-28
CVE-2024-25128: Apache Airflow: Authentication Bypass when Legacy OpenID(2.0) is in use as AUTH_TYPE
Internet Bug Bounty Improper Authentication - Generic (CWE-287)CVE-2024-25128
Medium
2024-04-28
CVE-2024-27351: Potential regular expression denial-of-service in django.utils.text.Truncator.words()
Internet Bug Bounty Uncontrolled Resource Consumption (CWE-400)CVE-2024-27351
Medium
2024-04-28
Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames
Internet Bug Bounty Uncontrolled Resource Consumption (CWE-400)CVE-2024-27316
Medium
2024-04-24
RXSS in hidden parameter
IBM Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2024-04-23
CVE-2024-2398: HTTP/2 push headers memory-leak
Internet Bug Bounty CVE-2024-2398
Medium
2024-04-22
Stored XSS in messages
SideFX Cross-site Scripting (XSS) - Stored (CWE-79)
Medium
2024-04-17
Self XSS in Tag name pattern field /<username>/<reponame>/settings/tag_protection/new
GitHub Cross-site Scripting (XSS) - Generic (CWE-79)CVE-2024-1084
Medium
2024-04-15
#2 XSS on watchdocs.indriverapp.com
inDrive Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2024-04-11
Unprotected Atlantis Server at https://152.70.█.█
8x8 Improper Authentication - Generic (CWE-287)
Medium
2024-04-11
Intent Leads To Unauthorised Video Call Initiation Leaking Surrounding Informations Of Victim
Snapchat Privacy Violation (CWE-359)
Medium
2024-04-05
Using Branded Hashtag Feature User Partnered with Account Manager Can View Videos Uploaded By A Private TikTok Account If 'item_id' Is Known
TikTok Information Disclosure (CWE-200)
Medium
2024-04-03
CVE-2024-2466: TLS certificate check bypass with mbedTLS (reward request)
Internet Bug Bounty Improper Certificate Validation (CWE-295)CVE-2024-2466
Medium
2024-03-29
New Hacktivity features:Bounty rewards leakage Where programs doesn’t decide to disclose bounty in limited disclosure report
HackerOne Information Disclosure (CWE-200)
Medium
2024-03-28
cookie is sent on redirect
curl Insufficiently Protected Credentials (CWE-522)
Medium
2024-03-28
HTTP/2 PUSH_PROMISE DoS
curl Uncontrolled Resource Consumption (CWE-400)
Medium
2024-03-27
CVE-2024-2466: TLS certificate check bypass with mbedTLS
curl Improper Validation of Certificate with Host Mismatch (CWE-297)CVE-2016-3739CVE-2013-4545CVE-2013-6422CVE-2014-0139CVE-2014-1263CVE-2014-2522CVE-2014-8151CVE-2024-2466
Medium
2024-03-27
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817 $2,257
HackerOne609
Nextcloud584
Shopify464
curl459
Node.js third-party modules307
GitLab258
X / xAI250 $7,000
Uber239