Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,222
CVE-linked
1,855
Programs
342
New This Week
3
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Misconfigured SPF Record Flag
Udemy Violation of Secure Design Principles (CWE-657)
Unknown
2016-02-22
proxy port 7000 and shell port 514 not filtered
Gratipay Violation of Secure Design Principles (CWE-657)
None
2016-02-20
User with Read-Only permissions can request/approve public disclosure
HackerOne Violation of Secure Design Principles (CWE-657)
Unknown
2016-02-19
SPF/DKIM/DMARC for grtp.co
Gratipay Violation of Secure Design Principles (CWE-657)
Medium
2016-02-18
HTTP trace method is enabled
Gratipay Violation of Secure Design Principles (CWE-657)
Low
2016-02-17
Validation bypass for Active Record and Active Model
Ruby on Rails Violation of Secure Design Principles (CWE-657)
Medium
2016-02-12
Changeable model ids on vanilla update can lead to severely bad side-effects
Ruby on Rails Violation of Secure Design Principles (CWE-657)
Unknown
2016-02-12
Missing SPF for https://paragonie.com/
Paragon Initiative Enterprises Violation of Secure Design Principles (CWE-657)
Unknown
2016-02-08
Self-XSS in mails sent by hello@owncloud.com
ownCloud Violation of Secure Design Principles (CWE-657)
Unknown
2016-02-06
Mixed Active Scripting Issue on stats.owncloud.org
ownCloud Violation of Secure Design Principles (CWE-657)
Unknown
2016-02-06
*.owncloud.com / *.owncloud.org: Using not strong enough SSL ciphers
ownCloud Violation of Secure Design Principles (CWE-657)
Unknown
2016-02-05
HTML injection can lead to data theft
HackerOne Violation of Secure Design Principles (CWE-657)
Unknown
2016-01-26
owncloud.help: Text Injection
ownCloud Violation of Secure Design Principles (CWE-657)
Unknown
2016-01-23
content injection
withinsecurity Violation of Secure Design Principles (CWE-657)
Unknown
2016-01-21
text injection can be used in phishing 404 page should not include attacker text
withinsecurity Violation of Secure Design Principles (CWE-657)
Unknown
2016-01-16
Improve signals in reputation
HackerOne Violation of Secure Design Principles (CWE-657)
Unknown
2016-01-07
Mail spaming
Gratipay Violation of Secure Design Principles (CWE-657)
Low
2016-01-06
Parameter pollution in social sharing buttons
HackerOne Violation of Secure Design Principles (CWE-657)
Unknown
2015-12-19
profile cover can also load external URL's
HackerOne Violation of Secure Design Principles (CWE-657)
Unknown
2015-12-02
Cookie securing your "Opening soon" store is not secured against XSS
Shopify Violation of Secure Design Principles (CWE-657)
Unknown
2015-12-01
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud583
Shopify464
curl440
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239