Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,250
CVE-linked
1,864
Programs
343
New This Week
6
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 658 Improper Authentication - Generic 653 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
[notevil] - Sandbox Escape Lead to RCE on Node.js and XSS in the Browser
Node.js third-party modules Code Injection (CWE-94)
High
2020-08-27
[bl] Uninitialized memory exposure via negative .consume()
Node.js third-party modules Buffer Over-read (CWE-126)CVE-2020-8244
High
2020-08-27
Stored XSS in "Create Groups"
GitLab Cross-site Scripting (XSS) - Stored (CWE-79)
High
2020-08-26
Stealing data from customers.gitlab.com without user interaction
GitLab Insecure Direct Object Reference (IDOR) (CWE-639)
High
2020-08-26
[min-http-server] List any file in the folder by using path traversal.
Node.js third-party modules Path Traversal (CWE-22)
High
2020-08-26
[json-bigint] DoS via `__proto__` assignment
Node.js third-party modules Uncontrolled Resource Consumption (CWE-400)CVE-2020-8237
High
2020-08-25
SSO bypass in zendesk using trint organization able to leak internal ticket information
Trint Ltd Improper Authentication - Generic (CWE-287)
High
2020-08-24
Prototype Pollution lodash 4.17.15
Node.js third-party modules Uncontrolled Resource Consumption (CWE-400)
High
2020-08-21
Django DEBUG mode enabled and leaked system information.
Dropcontact Misconfiguration (CWE-16)
High
2020-08-21
Dropcontact's disclosed report is exposing Private/Confidential information
Dropcontact Information Disclosure (CWE-200)
High
2020-08-20
[object-path-set] Prototype pollution
Node.js third-party modules Modification of Assumed-Immutable Data (MAID) (CWE-471)
High
2020-08-20
[GoldSrc] RCE via 'spk' Console Command
Valve Classic Buffer Overflow (CWE-120)
High
2020-08-19
[GoldSrc] RCE via malformed BSP file
Valve Classic Buffer Overflow (CWE-120)
High
2020-08-19
Buffer overflow In hl.exe's launch -game argument allows an attacker to execute arbitrary code locally or from browser
Valve Stack Overflow (CWE-121)
High
2020-08-19
CRITICAL Insecure Direct Object Reference (I.D.O.R) - Link Other User's Credit Card
Yelp Privacy Violation (CWE-359)
High
2020-08-19
Blind Stored XSS Via Staff Name
Shopify Cross-site Scripting (XSS) - Stored (CWE-79)
High
2020-08-18
pre-auth Stored XSS in comments via javascript: url when administrator edits user supplied comment
WordPress Cross-site Scripting (XSS) - Stored (CWE-79)
High
2020-08-18
Idor for firstpromoter service
Dropcontact Insecure Direct Object Reference (IDOR) (CWE-639)
High
2020-08-18
Default Creds Spring Boot Admin
8x8 Information Disclosure (CWE-200)
High
2020-08-14
Path traversal on https://███ allows arbitrary file read (CVE-2020-3452)
U.S. Dept Of Defense Path Traversal (CWE-22)CVE-2020-3452
High
2020-08-13
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817 $2,257
HackerOne609
Nextcloud584
Shopify464
curl459
Node.js third-party modules307
GitLab258
X / xAI250 $7,000
Uber239