Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1325 CNY

100%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,262
CVE-linked
1,866
Programs
343
New This Week
0
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 658 Improper Authentication - Generic 654 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Error when editing a calendar appointment returns stacktrace and query
Nextcloud Information Disclosure (CWE-200)CVE-2023-48308
Medium
2024-01-17
Invite tokens have Insufficient entropy in GHES Management Console
GitHub Use of Insufficiently Random Values (CWE-330)CVE-2023-46648
Medium
2024-01-12
RC Between GitHub's Repo Transfer REST API and updateTeamsRepository GraphQL Mutation Results in Covert and Persistent Admin Access Retention
GitHub Misconfiguration (CWE-16)CVE-2023-6690
Medium
2024-01-12
Reflected XSS On [https://www-useast1a.tiktok.com/ug/incentive/share/hd]
TikTok Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2024-01-12
Users can access exams in course without having to subscribe to PREMIUM
LinkedIn Improper Access Control - Generic (CWE-284)
Medium
2024-01-10
RXSS on TikTok endpoints
TikTok Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2024-01-09
RXSS via region parameter
TikTok Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2024-01-09
CVE-2023-49920: Apache Airflow: Missing CSRF protection on DAG/trigger
Internet Bug Bounty Cross-Site Request Forgery (CSRF) (CWE-352)CVE-2023-49920
Medium
2024-01-09
View Repo and Title of Any Private Check Run
GitHub Insecure Direct Object Reference (IDOR) (CWE-639)CVE-2023-46646
Medium
2024-01-08
Subdomain takeover on one of the subdomain under mozaws.net
Mozilla Misconfiguration (CWE-16)
Medium
2024-01-04
Subdomain takeover on one of the subdomain under mozaws.net
Mozilla Misconfiguration (CWE-16)
Medium
2024-01-04
Subdomain takeover on one of the subdomain under mozaws.net
Mozilla Misconfiguration (CWE-16)
Medium
2024-01-04
Subdomain takeover on one of the subdomain under mozaws.net
Mozilla Misconfiguration (CWE-16)
Medium
2024-01-04
An attacker can submit a Pentest Opportunity and change the status of the opportunity from submitted to in_review or reviewed
HackerOne Improper Access Control - Generic (CWE-284)
Medium
2024-01-04
[PATs] Ability to leak comments from issues without ANY "Issues" repo permissions by utilizing "Pull Request" permissions
GitHub Improper Access Control - Generic (CWE-284)CVE-2023-51380
Medium
2024-01-03
[PATs] Token with Read-Only permissions on Issues able to modify issue comments using content write permission
GitHub Improper Access Control - Generic (CWE-284)CVE-2023-51379
Medium
2024-01-03
1 Click to 'Close Account and Refund' via POSTMESSAGE
TikTok Improper Access Control - Generic (CWE-284)
Medium
2024-01-03
DNS pin middleware can be tricked into DNS rebinding allowing SSRF
Nextcloud Server-Side Request Forgery (SSRF) (CWE-918)CVE-2023-48306
Medium
2024-01-01
curl cookie mixed case PSL bypass
Internet Bug Bounty Information Exposure Through Sent Data (CWE-201)CVE-2023-46218
Medium
2023-12-22
OpenSSL vulnerable to the Marvin Attack (CVE-2022-4304)
Internet Bug Bounty Information Exposure Through Timing Discrepancy (CWE-208)CVE-2022-4304
Medium
2023-12-21
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817 $2,257
HackerOne609
Nextcloud584
Shopify465
curl464
Node.js third-party modules307
GitLab258
X / xAI250 $7,000
Uber239