Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
11
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Program filter: gitlab
Unauthorized access to private project security dashboard
GitLab Information Disclosure (CWE-200)
Medium
2020-11-21
Todos are not redacted when membership changes - Access to (confidential) issues and merge requests
GitLab Information Disclosure (CWE-200)
Medium
2020-11-02
Elasticsearch leaks data through the notes scope
GitLab Improper Access Control - Generic (CWE-284)
Medium
2020-10-06
Transferring a public group to a private group doesn't remove code from the Elastichsearch API search result
GitLab Improper Access Control - Generic (CWE-284)
Medium
2020-10-06
Stored XSS on PyPi simple API endpoint
GitLab Cross-site Scripting (XSS) - Stored (CWE-79)
Medium
2020-09-09
SSRF into Shared Runner, by replacing dockerd with malicious server in Executor
GitLab Server-Side Request Forgery (SSRF) (CWE-918)
Medium
2020-09-08
Initial mirror user can be assigned by other user even if the mirror was removed
GitLab Improper Access Control - Generic (CWE-284)
Medium
2020-08-26
SSRF In plantuml (on plantuml.pre.gitlab.com)
GitLab Server-Side Request Forgery (SSRF) (CWE-918)
Medium
2020-08-17
Stored XSS in blob viewer
GitLab Cross-site Scripting (XSS) - Stored (CWE-79)
Medium
2020-08-04
Unrestricted file upload leads to Stored XSS
GitLab Cross-site Scripting (XSS) - Stored (CWE-79)
Medium
2020-08-03
Send arbitrary PUT requests when user clicks on a link
GitLab Command Injection - Generic (CWE-77)
Medium
2020-07-27
Uncontrolled Resource Consumption in any Markdown field using Mermaid
GitLab Uncontrolled Resource Consumption (CWE-400)CVE-2019-15584CVE-2019-9220
Medium
2019-12-20
Blocked user Git access through CI/CD token
GitLab Improper Access Control - Generic (CWE-284)CVE-2019-15589
Medium
2019-12-13
Container scanning and Dependency scanning report leaked to unauthorized users
GitLab Improper Access Control - Generic (CWE-284)CVE-2019-15591CVE-2017-18269CVE-2017-16997CVE-2018-1000001CVE-2016-10228CVE-2018-18520CVE-2010-4052CVE-2018-16869CVE-2018-18311CVE-2014-3488CVE-2017-12794CVE-2018-1000201
Medium
2019-12-13
GraphQL query "namespace" leaks data
GitLab Improper Access Control - Generic (CWE-284)
Medium
2019-12-03
Bypassing push rules via MRs created by Email
GitLab Improper Access Control - Generic (CWE-284)
Medium
2019-10-01
Bypass Email Verification -- Able to Access Internal Gitlab Services that use Login with Gitlab and Perform Check on email domain
GitLab Reliance on Untrusted Inputs in a Security Decision (CWE-807)CVE-2019-5473
Medium
2019-08-30
GitLab's GitHub integration is vulnerable to SSRF vulnerability
GitLab Server-Side Request Forgery (SSRF) (CWE-918)CVE-2019-5461
Medium
2019-08-30
DoS on the Issue page by exploiting Mermaid.
GitLab Uncontrolled Resource Consumption (CWE-400)
Medium
2019-05-13
SSRF in CI after first run
GitLab Server-Side Request Forgery (SSRF) (CWE-918)
Medium
2019-04-12
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895