Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1325 CNY

100%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,262
CVE-linked
1,866
Programs
343
New This Week
0
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 658 Improper Authentication - Generic 654 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Mute User can disclose private channel members to unauthorized users
Rocket.Chat Information Disclosure (CWE-200)CVE-2023-28357
Medium
2023-05-09
Maliciously crafted message can cause Rocket.Chat server to stop responding
Rocket.Chat Uncontrolled Resource Consumption (CWE-400)CVE-2023-28356
Medium
2023-05-09
blind Server-Side Request Forgery (SSRF) allows scanning internal ports
Elastic Server-Side Request Forgery (SSRF) (CWE-918)
Medium
2023-05-05
Reflected XSS Via origCity Parameter (UPPER Case + WAF Protection Bypass)
Expedia Group Bug Bounty Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2023-05-04
Potential directory traversal in OC\Files\Node\Folder::getFullPath
Nextcloud Path Traversal: 'dir\..\..\filename' (CWE-31)
Medium
2023-05-04
Document content of files can be obtained through Collabora for files of other users
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2023-25150
Medium
2023-05-04
Possible XSS vulnerability without a content security bypass
Stripe Cross-site Scripting (XSS) - Generic (CWE-79)
Medium
2023-05-01
XSS vulnerability without a content security bypass in a `CUSTOM` App through Button tag
Stripe Cross-site Scripting (XSS) - Generic (CWE-79)
Medium
2023-05-01
Reference fetch can saturate the server bandwidth for 10 seconds
Nextcloud Uncontrolled Resource Consumption (CWE-400)CVE-2023-28644
Medium
2023-04-29
Name collision of shared folders
Nextcloud Use of Incorrectly-Resolved Name or Reference (CWE-706)CVE-2023-28643
Medium
2023-04-29
Information disclosure by sending a GIF
LinkedIn Client-Side Enforcement of Server-Side Security (CWE-602)
Medium
2023-04-28
Desktop client does not verify received singed certificate in end to end encryption
Nextcloud Improper Certificate Validation (CWE-295)CVE-2023-29000
Medium
2023-04-27
S3 Bucket Takeover : brave-apt
Brave Software Improper Access Control - Generic (CWE-284)
Medium
2023-04-26
CVE-2023-28755: ReDoS vulnerability in URI
Internet Bug Bounty Uncontrolled Resource Consumption (CWE-400)CVE-2023-28755
Medium
2023-04-26
The endpoint '/test/webhooks' is vulnerable to DNS Rebinding
Omise Server-Side Request Forgery (SSRF) (CWE-918)
Medium
2023-04-26
Retrospective change of message timestamp and order
Rocket.Chat CVE-2023-28317
Medium
2023-04-25
Messages can be hidden regardless of server configuration
Rocket.Chat CVE-2023-28318
Medium
2023-04-25
The `io.kubernetes.client.util.generic.dynamic.Dynamics` contains a code execution vulnerability due to SnakeYAML
Kubernetes Code Injection (CWE-94)CVE-2022-1471
Medium
2023-04-25
File Read Vulnerability allows Attackers to Compromise S3 buckets using Prow
Kubernetes Improper Access Control - Generic (CWE-284)
Medium
2023-04-25
reflected XSS in [www.equifax.com]
Equifax-vdp Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2023-04-23
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817 $2,257
HackerOne609
Nextcloud584
Shopify465
curl464
Node.js third-party modules307
GitLab258
X / xAI250 $7,000
Uber239