Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports

12,219

CVE-linked

1,854

Programs

342

New This Week

Severity: All Critical High Medium Low

Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375

Program filter: x✕

Incorrect details on OAuth permissions screen allows DMs to be read without permission

X / xAI Privacy Violation (CWE-359)

Medium

2018-12-14

[staging-engineering.gnip.com] Publicly accessible GIT directory

X / xAI Information Disclosure (CWE-200)

Medium

2018-11-01

Improper session handling on web browsers

X / xAI Insufficient Session Expiration (CWE-613)

Medium

2018-06-26

ms5 debug page exposing internal info (internal IPs, headers)

X / xAI Information Exposure Through Debug Information (CWE-215)

Medium

2018-05-11

Persistent DOM-based XSS in https://help.twitter.com via localStorage

X / xAI Cross-site Scripting (XSS) - Stored (CWE-79)

Medium

2018-02-24

OS Command Execution on User's PC via CSV Injection

X / xAI OS Command Injection (CWE-78)

Medium

2017-11-02

[dev.twitter.com] XSS and Open Redirect

X / xAI

Medium

2017-09-29

Sensitive Information Disclosure https://cards-dev.twitter.com

X / xAI Information Disclosure (CWE-200)

Medium

2017-09-29

XXE on sms-be-vip.twitter.com in SXMP Processor

X / xAI XML External Entities (XXE) (CWE-611)

Medium

2017-07-26

Vine - overwrite account associated with email via android application

X / xAI Improper Authentication - Generic (CWE-287)

Medium

2017-06-14

[Gnip Blogs] Reflected XSS via "plupload.flash.swf" component vulnerable to SOME

X / xAI Cross-site Scripting (XSS) - Reflected (CWE-79)

Medium

2017-05-08

SSRF in https://cards-dev.twitter.com/validator

X / xAI Server-Side Request Forgery (SSRF) (CWE-918)

Medium

2017-04-06

Clickjacking Periscope.tv on Chrome

X / xAI UI Redressing (Clickjacking) (CAPEC-103)

Medium

2017-02-06

Stealing User emails by clickjacking cards.twitter.com/xxx/xxx

X / xAI UI Redressing (Clickjacking) (CAPEC-103)

Medium

2017-02-03

Cross-site scripting (reflected)

X / xAI Cross-site Scripting (XSS) - Generic (CWE-79)

Medium

2016-12-09

View liked twits of private account via publish.twitter.com

X / xAI Information Disclosure (CWE-200)

Medium

2016-11-14

Top Weakness Types

Most Active Programs

Program	Reports	Max $
U.S. Dept Of Defense	896	—
Internet Bug Bounty	817	—
HackerOne	609	—
Nextcloud	582	—
Shopify	464	—
curl	439	—
Node.js third-party modules	307	—
GitLab	258	—
X / xAI	250	$2,500
Uber	239	$9,895

Goal Reached Thanks to every supporter — we hit 100%!

Bug Bounty Intelligence