目標達成 すべての支援者に感謝 — 100%達成しました!

目標: 1000 CNY · 調達済み: 1000 CNY

100.0%
コーヒーを一杯おごる

漏洞赏金情报

数据来源:HackerOne 公开披露报告 · 每 6 小时更新

浏览 HackerOne 平台公开披露的漏洞赏金报告,按严重程度、漏洞类型或目标项目筛选,关联 CVE 编号。

已披露报告
12,219
关联 CVE
1,854
参与项目数
342
近 7 天新增
14
严重度: All CriticalHighMediumLow
类型: 全部 Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
[Variation of #1554049] 1-Click Chaining of Self-XSS, Cookie Tossing and AntiCSRF Token Prediction leads to auto approval in Access Temp Auth
Cloudflare Public Bug Bounty
High
2026-04-14
Brave Shields Domain Reordering Leads to Origin Confusion
Brave Software Violation of Secure Design Principles (CWE-657)
Low
2026-04-13
Credential Disclosure via Unvalidated directDownloadUrl (Missing DontAddCredentialsAttribute)
Nextcloud Insufficiently Protected Credentials (CWE-522)
Medium
2026-04-13
Argument Injection via curl Short-Flag Grouping
curl Command Injection - Generic (CWE-77)
Critical
2026-04-13
Integer Overflow/Signedness Mismatch in Printf Precision for HTTP/2 Trailer Headers
curl Integer Overflow (CWE-190)CVE-2020-19909
None
2026-04-11
Encryption context keys and values logged at INFO level
AWS VDP Insertion of Sensitive Information into Log File (CWE-532)
None
2026-04-10
Open Redirect in Rocket.Chat
Rocket.Chat Open Redirect (CWE-601)CVE-2026-22560
Medium
2026-04-10
[Vertical Privilege Escalation] User can Unapproved any Approved Translation at [/translations/unapprove/]
Mozilla Privilege Escalation (CAPEC-233)
Medium
2026-04-10
User Can Delete Other Users' Personal Access Tokens at /delete-token/{token_id}/ on Mozilla Pontoon
Mozilla Improper Access Control - Generic (CWE-284)
Low
2026-04-10
Memory leak in gem decode logic can allow attacker to take down Rubygems.org application
RubyGems Uncontrolled Resource Consumption (CWE-400)
Medium
2026-04-09
libcurl: Integer truncation in curl_easy_ssls_import() causes TLS sessions to never expire
curl
Medium
2026-04-09
Health check errors silently dropped when channel buffer full
AWS VDP
None
2026-04-07
IDOR on ██████ via direct photo URL leads to unauthorized access to deleted and other users' photos
Nextcloud Insecure Direct Object Reference (IDOR) (CWE-639)
Unknown
2026-04-07
no_proxy IDN mismatch: Unicode hostnames bypass proxy exclusion list
curl Improper Access Control - Generic (CWE-284)CVE-2022-42916CVE-2022-43551
Unknown
2026-04-07
FTP entrypath accepts 0xFF (Telnet IAC) through incomplete ISCNTRL filter, sent on wire via CWD on connection reuse
curl CVE-2020-8284
Unknown
2026-04-07
Improper enforcement of CURLOPT_SOCKS5_AUTH due to missing reuse key validation in libcurl
curl Improper Authorization (CWE-285)
Low
2026-04-07
Reported Denial of Service
Monero Uncontrolled Resource Consumption (CWE-400)
Unknown
2026-04-06
Reported RPC Overflow
Monero Integer Overflow (CWE-190)
Unknown
2026-04-06
# SCURLOPT_SSH_KNOWNHOSTS and host fingerprint pins are silently bypassed when an SSH connection is reused from the connection pool
curl Exposed Dangerous Method or Function (CWE-749)
Unknown
2026-04-06
SMTP Command Injection via CRLF in libcurl MAIL_FROM / MAIL_RCPT (lib/smtp.c)
curl CRLF Injection (CWE-93)
Unknown
2026-04-06
高频漏洞类型
最活跃项目
项目报告数最高赏金
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895