Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,220
CVE-linked
1,854
Programs
342
New This Week
7
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
After changing the storefront password, the preview link is still valid
Shopify Improper Access Control - Generic (CWE-284)
Low
2022-04-21
User with no Develop apps permission can Uninstall Custom App
Shopify Improper Authorization (CWE-285)
Low
2022-04-21
Invitation Email is resent as a Reminder after invalidating pending email invites
Mattermost Improper Access Control - Generic (CWE-284)CVE-2022-1385
Low
2022-04-19
SSRF occurrence in website preview used by LINE Official Account Manager (https://manager.line.biz)
LY Corporation Server-Side Request Forgery (SSRF) (CWE-918)
Low
2022-04-18
Improper Implementation of SDK Allows Universal XSS in Webview Leading to Account Takeover
EXNESS Improper Access Control - Generic (CWE-284)
Low
2022-04-13
CRLF Injection - Http Response Splitting
EXNESS CRLF Injection (CWE-93)
Low
2022-04-13
Exposed Golang Pprof debugger at https://cn-geo1.uber.com/
Uber Information Exposure Through Debug Information (CWE-215)
Low
2022-04-07
Uninstalling Rockstar Games Launcher for Windows (64-bit), then reinstalling keeps you logged in without authentication
Rockstar Games Privacy Violation (CWE-359)
Low
2022-04-07
Private invitation links/tokens leak to third-party analytics site
HackerOne Information Disclosure (CWE-200)
Low
2022-04-05
[api.krisp.ai] Race condition on /v2/seats endpoint allows bypassing the original seat limit
Krisp Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
Low
2022-04-04
Broken Domain Link Takeover from kubernetes.io docs
Kubernetes Insecure Temporary File (CWE-377)
Low
2022-04-03
Information Leakage via TikTok Ads Web Cache Deception
TikTok Misconfiguration (CWE-16)
Low
2022-03-31
EC2 Takeover at turn.shopify.com
Shopify Cross-site Scripting (XSS) - Stored (CWE-79)
Low
2022-03-28
Misconfigured rate limit at app.sign.plus/forgot_password
Alohi Business Logic Errors (CWE-840)
Low
2022-03-25
Broken link hijacking in https://kubernetes-csi.github.io/docs/drivers.html?highlight=chubaofs#production-drivers
Kubernetes Insecure Temporary File (CWE-377)
Low
2022-03-25
Bypassing domain deny_list rule in Smokescreen via trailing dot leads to SSRF
Stripe Server-Side Request Forgery (SSRF) (CWE-918)
Low
2022-03-23
Potential Authentication Bypass through "autologin" feature
ImpressCMS CVE-2021-26600
Low
2022-03-22
Race condition on action: Invite members to a team
Omise Business Logic Errors (CWE-840)
Low
2022-03-22
html injection via invite members can be leads account takeover
Mattermost Cross-site Scripting (XSS) - Generic (CWE-79)CVE-2022-1002
Low
2022-03-22
Theft of protected files on Android
ownCloud Violation of Secure Design Principles (CWE-657)
Low
2022-03-17
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258 $1,730
X / xAI250 $2,500
Uber239 $9,895