Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports

12,219

CVE-linked

1,854

Programs

342

New This Week

Severity: All Critical High Medium Low

Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375

Program filter: reddit✕

Application level DOS at Login Page ( Accepts Long Password )

High

2022-02-07

Weak rate limit could lead to ATO due to weak password protection mechanisms

Reddit Improper Restriction of Authentication Attempts (CWE-307)

Low

2021-12-15

[dubsmash] Username and password bruteforce

Reddit Improper Restriction of Authentication Attempts (CWE-307)

Low

2021-12-13

com.reddit.frontpage vulernable to Task Hijacking (aka StrandHogg Attack)

Reddit Phishing (CAPEC-98)

Medium

2021-12-13

[dubsmash] Long String in 'shoutout' Parameter Leading Internal server Error on Popular hastags , Community and User Profile

Reddit Uncontrolled Resource Consumption (CWE-400)

High

2021-12-13

No Rate limit on change password leads to account takeover

Reddit Improper Restriction of Authentication Attempts (CWE-307)

Low

2021-12-13

Missing rate limit in current password change settings leads to Account takeover

Reddit Improper Restriction of Authentication Attempts (CWE-307)

Medium

2021-10-27

Content Spoofing/Text Injection at https://gateway-production.dubsmash.com

Reddit User Interface (UI) Misrepresentation of Critical Information (CWE-451)

None

2021-10-27

Third party app could steal access token as well as protected files using inAppBrowser

Reddit Information Disclosure (CWE-200)

Medium

2021-10-27

Race condition leads to Inflation of coins when bought via Google Play Store at endpoint https://oauth.reddit.com/api/v2/gold/android/verify_purchase

Reddit Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)

Medium

2021-10-27

Outsider can affect Upvote Percentage of private subreddit post by calling /api/vote API

Reddit Improper Access Control - Generic (CWE-284)

Low

2021-10-27

Image queue default key of 'None' and GraphQL unhandled type exception

Reddit Type Confusion (CWE-843)

Medium

2021-10-27

S3 bucket Upload on studio.redditinc.com (s3-r-w.ap-east-1.amazonaws.com)

Reddit Improper Access Control - Generic (CWE-284)

Low

2021-10-21

GPS metadata preserved when converting HEIF to PNG

Reddit Privacy Violation (CWE-359)

High

2021-10-21

Broken Authendication And Session Management

Reddit Improper Access Control - Generic (CWE-284)

Unknown

2021-10-21

Vulnerability Name: URL Redirection / Unvalidate Open Redirect

Reddit Open Redirect (CWE-601)

Unknown

2021-10-21

User Account has been taken out

Reddit Weak Cryptography for Passwords (CWE-261)

Critical

2021-10-21

critical file found etc/passwd on www.reddit.com

Reddit Information Disclosure (CWE-200)

High

2021-10-21

XSS

Reddit Cross-site Scripting (XSS) - Generic (CWE-79)

None

2021-10-21

Oauth Misconfiguration Lead To Account Takeover

Reddit Improper Authorization (CWE-285)

Medium

2021-10-21

Top Weakness Types

Most Active Programs

Program	Reports	Max $
U.S. Dept Of Defense	896	—
Internet Bug Bounty	817	—
HackerOne	609	—
Nextcloud	582	—
Shopify	464	—
curl	439	—
Node.js third-party modules	307	—
GitLab	258	—
X / xAI	250	$2,500
Uber	239	$9,895

Goal Reached Thanks to every supporter — we hit 100%!

Bug Bounty Intelligence