Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
10
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Crafted smart contract can take 1.5 minutes to execute due to inefficient CODESIZE implementation
Rootstock Labs Uncontrolled Resource Consumption (CWE-400)
Medium
2025-06-12
Crafted smart contract can take ~23 seconds to execute due to immense error string construction
Rootstock Labs Uncontrolled Resource Consumption (CWE-400)
Medium
2025-06-12
Lack of Feedback Validation Permits Arbitrary Driver Ratings
Bykea Insecure Direct Object Reference (IDOR) (CWE-639)
Medium
2025-06-12
Path Traversal Vulnerability in Lila Project
Lichess Path Traversal: '.../...//' (CWE-35)
High
2025-06-09
IDOR Vulnerability at AddTagToAssets operation name
HackerOne Insecure Direct Object Reference (IDOR) (CWE-639)
Medium
2025-06-08
ImageId Format Injection in Image Upload Endpoint
Lichess Improper Input Validation (CWE-20)
Medium
2025-06-06
1 Click Account Takeover via Auth Token Theft on marketing.hostinger.com
hostinger Improper Access Control - Generic (CWE-284)
High
2025-06-06
DoS Vulnerability via Cache Poisoning on cdn.shopify.com and shopify-assets.shopifycdn.com
Shopify Cache Poisoning (CAPEC-141)
Medium
2025-06-04
returnUrl= allow attacker to redirect users to the another phising website and takeover credientials
Insightly Improper Authentication - Generic (CWE-287)
Medium
2025-06-04
CVE-2025-5399: WebSocket endless loop
curl Loop with Unreachable Exit Condition ('Infinite Loop') (CWE-835)CVE-2025-5399
Low
2025-06-04
Server-Side Request Forgery (SSRF) via Game Export API
Lichess Server-Side Request Forgery (SSRF) (CWE-918)
Critical
2025-06-03
IDOR: Account Deletion via Session Misbinding – Attacker Can Delete Victim Account
Mozilla Insecure Direct Object Reference (IDOR) (CWE-639)
High
2025-06-03
Public GitHub repositories for multiple HackerOne managed triage team profiles contain private HackerOne reports information
HackerOne Information Disclosure (CWE-200)
Medium
2025-05-31
Information Disclosure of metrics fax.wavecell.com/metrics
8x8 Information Disclosure (CWE-200)
Low
2025-05-30
Facebook Username Takeover via Broken Link in Footer
Omise Improper Access Control - Generic (CWE-284)
Low
2025-05-30
Private AWS AMIs are temporarily being exposed publicly
AWS VDP
None
2025-05-29
Apache Airflow Fab Provider: Application does not invalidate session after password change via Airflow cli
Internet Bug Bounty Insufficient Session Expiration (CWE-613)CVE-2024-45033
Low
2025-05-29
Remote Code Execution via unsafe usage of `reply.view({ raw })` in @fastify/view (EJS template engine)
Fastify
None
2025-05-28
CVE-2025-5025: No QUIC certificate pinning with wolfSSL
curl Improper Certificate Validation (CWE-295)CVE-2025-5025
Medium
2025-05-28
CVE-2025-4947: QUIC certificate check skip with wolfSSL
curl Improper Validation of Certificate with Host Mismatch (CWE-297)CVE-2025-4947
Medium
2025-05-28
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895