Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
10
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Enable 2FA without verifying the email
XVIDEOS Improper Access Control - Generic (CWE-284)
Low
2025-05-09
Ability to access policy and updates for unauthorized program
HackerOne Improper Access Control - Generic (CWE-284)
Medium
2025-05-08
CRLF Injection in `--proxy-header` allows extra HTTP headers (CWE-93)
curl CRLF Injection (CWE-93)
None
2025-05-08
Unauthorized Account Access via Leaked Credentials in URL Format (Account Takeover )
Khan Academy Cleartext Storage of Sensitive Information (CWE-312)
Critical
2025-05-07
Path Traversal Vulnerability found on IBM Cloud
IBM Path Traversal (CWE-22)
Critical
2025-05-07
HTML Injection in LinkedIn Premium Support Chat
LinkedIn
Low
2025-05-07
BAC – Bypass chatbot restrictions via unauthorized mention injection
Dust
Medium
2025-05-06
HTTP/3 Stream Dependency Cycle Exploit
curl Improper Input Validation (CWE-20)
High
2025-05-04
`/names.nsf` and all `/names*` files route to public API on rubygems.org
RubyGems Improper Access Control - Generic (CWE-284)
None
2025-05-03
Open Redirect on ███████
Fastly VDP Open Redirect (CWE-601)
Low
2025-05-02
Middleware Authentication Bypass on IBM Portal
IBM Command Injection - Generic (CWE-77)CVE-2025-29927
Critical
2025-05-02
Stored XSS in File Upload Leads to Privilege Escalation and Full Workspace Takeover
Dust Cross-site Scripting (XSS) - Stored (CWE-79)
High
2025-05-02
Session Replay Attack Allows Authentication Bypass via Captured Login Responses Allowing Bypass of 429 Too many attempts for Multiple Failed Logins
WakaTime Improper Authentication - Generic (CWE-287)
High
2025-05-01
[CVE-2025-27220] ReDoS in CGI::Util#escapeElement
Internet Bug Bounty Uncontrolled Resource Consumption (CWE-400)CVE-2025-27220
High
2025-04-30
Privilege Persistence via Cloned Agent
Dust Improper Access Control - Generic (CWE-284)
Medium
2025-04-30
Double Free Vulnerability in `libcurl` Cookie Management (`cookie.c`)
curl Double Free (CWE-415)
Unknown
2025-04-29
Use of a Broken or Risky Cryptographic Algorithm (CWE-327) in libcurl
curl Use of a Broken or Risky Cryptographic Algorithm (CWE-327)
Unknown
2025-04-29
Information disclosure on IBM training service endpoint
IBM Insecure Direct Object Reference (IDOR) (CWE-639)
Unknown
2025-04-29
Improper Session Invalidation – Auto Sign-In Without Credentials After Logout (Affects Chrome & Firefox)
Dust Insufficient Session Expiration (CWE-613)
Medium
2025-04-29
Broken Access Control Exposes Email Verification Status and Privacy Settings via API Endpoint
WakaTime Improper Access Control - Generic (CWE-284)
Low
2025-04-29
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895