Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
10
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Improper Authorization Leads to Editor can toggle admin-only workspace features (Lovable Cloud)
Lovable VDP Improper Authorization (CWE-285)
Low
2025-11-04
No Confirmation Email For Email Change
Hiro Information Disclosure (CWE-200)
Low
2025-10-31
Invalidate active sessions after password change
Hiro Violation of Secure Design Principles (CWE-657)
Low
2025-10-31
Blockstack Browser For Mac leaks "Core API Password" to 3rd parties
Hiro Information Disclosure (CWE-200)
Low
2025-10-31
Memory leak in Curl_auth_create_ntlm_type3_message
curl Uncontrolled Resource Consumption (CWE-400)
Low
2025-10-28
libcurl MQTT PUBLISH length overflow (heap overflow)
curl Heap Overflow (CWE-122)
Low
2025-10-28
CSRF allowing unauthorized modification of user Notes on ███████
Tucows (VDP) Cross-Site Request Forgery (CSRF) (CWE-352)
Low
2025-10-10
OpenSSL backend: X509 peer certificate not freed in ossl_get_channel_binding causes per-request memory leak (DoS risk for long-lived clients)
curl Uncontrolled Resource Consumption (CWE-400)
Low
2025-10-08
Access to the business emails of Rockstar Support agents through the support platform
Rockstar Games Improper Access Control - Generic (CWE-284)
Low
2025-10-02
Email not verified when changing afterwards on apps.nextcloud.com
Nextcloud Violation of Secure Design Principles (CWE-657)
Low
2025-09-29
Inconsistent URL Parsing in curl Leading to Potential SSRF and Access Control Bypass
curl Improper Input Validation (CWE-20)
Low
2025-09-26
int overflow in krb5_read_data() leads to (possible) massive `recv()` write
curl Integer Overflow (CWE-190)
Low
2025-09-18
URL Scheme Validation Bypass in Shopify Mobile App Allows Javascript Execution
Shopify Forced Browsing (CWE-425)
Low
2025-09-17
MongoDB Query Logs & Schema Leak via Unauthenticated Endpoint
Bykea LLM06: Sensitive Information Disclosure
Low
2025-09-17
CVE-2025-9086: Out of bounds read for cookie path
curl Buffer Over-read (CWE-126)CVE-2025-9086
Low
2025-09-10
CVE-2025-10148: predictable WebSocket mask
curl Reusing a Nonce, Key Pair in Encryption (CWE-323)CVE-2025-10148
Low
2025-09-10
Unauthorized Blogs Creation
Lichess Improper Access Control - Generic (CWE-284)
Low
2025-09-02
AWS | Self Registration Internal LibreChat : Access to internal/proprietary LLMs
AWS VDP Authentication Bypass Using an Alternate Path or Channel (CWE-288)
Low
2025-08-25
Invalid
WakaTime Improper Access Control - Generic (CWE-284)
Low
2025-08-19
Rails Debug Mode Enabled On ( https://44.208.145.207/testrail/files.md5 )
Malwarebytes
Low
2025-08-15
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895