Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports

12,222

CVE-linked

1,855

Programs

342

New This Week

Severity: All Critical High Medium Low

Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375

CVE-2022-24288: Apache Airflow: TWO RCEs in example DAGs

Internet Bug Bounty Command Injection - Generic (CWE-77)CVE-2022-24288

High

2022-04-01

Stored XSS in merge request creation page through payload in approval rule name

GitLab Cross-site Scripting (XSS) - Stored (CWE-79)

High

2022-03-31

IDOR: leak buyer info & Publish/Hide foreign comments

Judge.me Insecure Direct Object Reference (IDOR) (CWE-639)

High

2022-03-31

Ability to use premium templates as free user via https://stripo.email/templates/?utm_source=viewstripo&utm_medium=referral

Stripo Inc Business Logic Errors (CWE-840)

High

2022-03-30

2 click Remote Code execution in Evernote Android

Evernote Path Traversal: '.../...//' (CWE-35)

High

2022-03-29

Able to steal bearer token from deep link

Basecamp Improper Authentication - Generic (CWE-287)

High

2022-03-27

Password reset token leakage

UPchieve Misconfiguration (CWE-16)

High

2022-03-26

Time-of-check to time-of-use vulnerability in the std::fs::remove_dir_all() function of the Rust standard library

Internet Bug Bounty Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)CVE-2022-21658

High

2022-03-24

Regexes with large repetitions on empty sub-expressions take a very long time to parse

Internet Bug Bounty Uncontrolled Resource Consumption (CWE-400)CVE-2022-24713

High

2022-03-22

Insecure crossdomain.xml on https://vdc.mtnonline.com/

MTN Group Information Disclosure (CWE-200)

High

2022-03-20

PIN 📌 BYPASS 🥷

Yoti Improper Authentication - Generic (CWE-287)

High

2022-03-18

CVE-2020-3452 on https://█████/

U.S. Dept Of Defense Path Traversal (CWE-22)CVE-2020-3452

High

2022-03-18

Arbitrary File Deletion (CVE-2020-3187) on ████████

U.S. Dept Of Defense Path Traversal (CWE-22)CVE-2020-3187

High

2022-03-18

IDOR at https://demo.sftool.gov/TwsHome/ScorecardManage/ via scorecard name

U.S. General Services Administration Improper Access Control - Generic (CWE-284)

High

2022-03-17

0-day Cross Origin Request Forgery vulnerability in Grafana 8.x .

Aiven Ltd Cross-Site Request Forgery (CSRF) (CWE-352)CVE-2022-21703

High

2022-03-16

Stored XSS through PDF viewer

Slack Cross-site Scripting (XSS) - Stored (CWE-79)

High

2022-03-16

CVE-2020-3452 Cisco ASA / Firepower Read-Only Path Traversal Vulnerability - https://esccvc.de.ibm.com

IBM Path Traversal (CWE-22)CVE-2020-3452

High

2022-03-11

XSS via Mod Log Removed Posts

Reddit Cross-site Scripting (XSS) - Stored (CWE-79)

High

2022-03-10

Use of Unsafe function || Strcpy

curl Classic Buffer Overflow (CWE-120)

High

2022-03-09

GRAPHQL cross-tenant IDOR giving write access thought the operation UpdateAtlasApplicationPerson

Stripe Insecure Direct Object Reference (IDOR) (CWE-639)

High

2022-03-08

Top Weakness Types

Most Active Programs

Program	Reports	Max $
U.S. Dept Of Defense	896	—
Internet Bug Bounty	817	—
HackerOne	609	—
Nextcloud	583	—
Shopify	464	—
curl	440	—
Node.js third-party modules	307	—
GitLab	258	—
X / xAI	250	$2,500
Uber	239	—

Goal Reached Thanks to every supporter — we hit 100%!

Bug Bounty Intelligence