Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
10
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Chained vulnerabilities create DOS attack against users on desafio5estrelas.com
Uber Cross-Site Request Forgery (CSRF) (CWE-352)
Low
2021-03-30
CSRF to Cross-site Scripting (XSS)
U.S. Dept Of Defense Cross-Site Request Forgery (CSRF) (CWE-352)
Medium
2021-03-24
CSRF to Cross-site Scripting (XSS)
U.S. Dept Of Defense Cross-Site Request Forgery (CSRF) (CWE-352)
Medium
2021-03-24
Lack of CSRF protection on uberps.com makes every form vulnerable to CSRF
Uber Cross-Site Request Forgery (CSRF) (CWE-352)
Medium
2021-03-15
Outdated Wordpress installation and plugins at www.uberxgermany.com create CSRF and XSS vulnerabilities
Uber Cross-Site Request Forgery (CSRF) (CWE-352)
Medium
2021-02-25
Non-changing "_idnonce" value leads to CSRF on accounts at https://intensedebate.com for account takeover
Automattic Cross-Site Request Forgery (CSRF) (CWE-352)
Low
2021-02-17
[socket.io] Cross-Site Websocket Hijacking
Node.js third-party modules Cross-Site Request Forgery (CSRF) (CWE-352)
High
2021-01-31
███████mill is vulnerable to cross site request forgery that leads to full account take over.
U.S. Dept Of Defense Cross-Site Request Forgery (CSRF) (CWE-352)
High
2021-01-25
One Click Account takeover using Ouath CSRF bypass by adding Null byte %00 in state parameter on www.streamlabs.com
Logitech Cross-Site Request Forgery (CSRF) (CWE-352)
Medium
2021-01-06
[tumblr.com] CSRF in /svc/user/filtered_content
Automattic Cross-Site Request Forgery (CSRF) (CWE-352)
Low
2020-12-26
CSRF in changing users donation_settings [https://streamlabs.com/api/v6/viewer-portal/viewer-settings/donation_settings]
Logitech Cross-Site Request Forgery (CSRF) (CWE-352)
Medium
2020-12-26
CSRF for deleting videos
TikTok Cross-Site Request Forgery (CSRF) (CWE-352)
Medium
2020-12-23
User In The Same Center Can Create CSRF To Change The Information About Business
TikTok Cross-Site Request Forgery (CSRF) (CWE-352)
Low
2020-12-18
[CSRF] TikTok Careers Portal Account Takeover
TikTok Cross-Site Request Forgery (CSRF) (CWE-352)
High
2020-12-15
CSRF on https://apps.topcoder.com/wiki/users/editmyprofilepicture.action
Lab45 Cross-Site Request Forgery (CSRF) (CWE-352)
Medium
2020-12-14
CSRF on https://apps.topcoder.com/wiki/pages/doattachfile.action
Lab45 Cross-Site Request Forgery (CSRF) (CWE-352)
Medium
2020-12-14
Arbitrary change of blog's background image via CSRF
WordPress Cross-Site Request Forgery (CSRF) (CWE-352)
Medium
2020-12-14
CSRF to Stored HTML injection at https://www.█████
U.S. Dept Of Defense Cross-Site Request Forgery (CSRF) (CWE-352)
Medium
2020-12-03
[Admin Panel] CSRF to resume/pause runner
GitLab Cross-Site Request Forgery (CSRF) (CWE-352)CVE-2020-13350
Low
2020-12-01
CSRF to account takeover in https://█████/
U.S. Dept Of Defense Cross-Site Request Forgery (CSRF) (CWE-352)
Critical
2020-11-09
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895