Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1325 CNY

100%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,262
CVE-linked
1,866
Programs
343
New This Week
0
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 658 Improper Authentication - Generic 654 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
CVE-2023-32001: fopen race condition
curl Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)CVE-2023-32001
Medium
2023-07-25
SSRF in graphQL query (pwapi.ex2b.com)
EXNESS Server-Side Request Forgery (SSRF) (CWE-918)
Medium
2023-07-24
DiffieHellman doesn't generate keys after setting a key
Node.js Inconsistency Between Implementation and Documented Design (CWE-1068)CVE-2023-30590
Medium
2023-07-20
node.js process aborts when processing x509 certs with invalid public key information
Node.js Uncontrolled Resource Consumption (CWE-400)CVE-2023-30588
Medium
2023-07-20
fs.openAsBlob() bypasses permission system
Node.js Improper Access Control - Generic (CWE-284)CVE-2023-30583
Medium
2023-07-20
fs module's file watching is not restricted by --allow-fs-read
Node.js Improper Access Control - Generic (CWE-284)CVE-2023-30582
Medium
2023-07-20
[Hubs] - Broken access control in placing objects in hubs room
Mozilla Improper Access Control - Generic (CWE-284)
Medium
2023-07-20
Bypass for forced re-authentication upon biometrics change
Bitwarden Improper Authentication - Generic (CWE-287)
Medium
2023-07-19
XSS exploit of RDoc documentation generated by rdoc
Ruby Cross-site Scripting (XSS) - Stored (CWE-79)CVE-2013-0256
Medium
2023-07-18
XSS exploit of RDoc documentation generated by rdoc (CVE-2013-0256)
Ruby Cross-site Scripting (XSS) - Stored (CWE-79)CVE-2013-0256
Medium
2023-07-18
Stored XSS in RDoc hyperlinks through javascript scheme
Ruby Cross-site Scripting (XSS) - Stored (CWE-79)
Medium
2023-07-18
Brute force protection allows to send more requests than intended
Nextcloud Improper Restriction of Authentication Attempts (CWE-307)CVE-2023-32320
Medium
2023-07-13
CVE-2023-28710 Apache Airflow Spark Provider Arbitrary File Read via JDBC
Internet Bug Bounty Improper Input Validation (CWE-20)CVE-2023-28710
Medium
2023-07-12
CSRF protection bypass on TikTok Webcast Endpoints
TikTok Cross-Site Request Forgery (CSRF) (CWE-352)
Medium
2023-07-12
Asset Inventory Internal Descriptions are leaked in CSV export
HackerOne Business Logic Errors (CWE-840)
Medium
2023-07-12
Rate limit missing sign-in page
Tennessee Valley Authority Improper Restriction of Authentication Attempts (CWE-307)
Medium
2023-07-11
xss(r) vcc-na11.8x8.com
8x8 Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2023-07-10
ActionView sanitize helper bypass leading to XSS using SVG tag.
Ruby on Rails Cross-site Scripting (XSS) - Generic (CWE-79)CVE-2022-23515CVE-2022-23518
Medium
2023-07-10
Arbitrary file write triggered by deeplink abuse - MetaMask Android
MetaMask Business Logic Errors (CWE-840)
Medium
2023-07-07
Banned user still able to invited to reports as a collabrator and reset the password
HackerOne Improper Access Control - Generic (CWE-284)
Medium
2023-07-06
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817 $2,257
HackerOne609
Nextcloud584
Shopify465
curl464
Node.js third-party modules307
GitLab258
X / xAI250 $7,000
Uber239