漏洞赏金情报

数据来源：HackerOne 公开披露报告 · 每 6 小时更新

浏览 HackerOne 平台公开披露的漏洞赏金报告，按严重程度、漏洞类型或目标项目筛选，关联 CVE 编号。

已披露报告

12,262

关联 CVE

1,866

参与项目数

343

近 7 天新增

0

严重度: All Critical High Medium Low

类型: 全部 Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 658 Improper Authentication - Generic 654 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375

IDOR - Delete technical skill assessment result & Gained Badges result of any user

Medium

2022-10-05

Reddit talk promotion offers don't expire, allowing users to accept them after being demoted

Reddit Insecure Direct Object Reference (IDOR) (CWE-639)

Medium

2022-10-03

Open Redirect on www.redditinc.com via `failed` query param bypass after fixed bug #1257753

Reddit Open Redirect (CWE-601)

Medium

2022-09-30

no rate limit in forgot password session

Medium

2022-09-29

XSS in Widget Review Form Preview in settings

Judge.me Cross-site Scripting (XSS) - Stored (CWE-79)

Medium

2022-09-29

Take over subdomains of r2.dev using R2 custom domains

Cloudflare Public Bug Bounty

Medium

2022-09-28

Server-side request forgery (ssrf)

Yelp Server-Side Request Forgery (SSRF) (CWE-918)

Medium

2022-09-28

CORS Misconfiguration on Yelp

Medium

2022-09-28

password field autocomplete enabled

Yelp Insecure Storage of Sensitive Information (CWE-922)

Medium

2022-09-27

[CVE-2022-35949]: undici.request vulnerable to SSRF using absolute / protocol-relative URL on pathname

Internet Bug Bounty Server-Side Request Forgery (SSRF) (CWE-918)CVE-2022-35949

Medium

2022-09-23

CVE-2022-35948: CRLF Injection in Nodejs ‘undici’ via Content-Type

Internet Bug Bounty CRLF Injection (CWE-93)CVE-2022-35948

Medium

2022-09-23

Open Redirect on www.redditinc.com via `failed` query param

Reddit Open Redirect (CWE-601)

Medium

2022-09-22

Unauthenticated IP allowlist bypass when accessing job artifacts through gitlab pages at `{group_id}.gitlab.io`

GitLab Improper Access Control - Generic (CWE-284)

Medium

2022-09-22

getUsersOfRoom discloses users in private channels

Rocket.Chat CVE-2022-32226

Medium

2022-09-22

Rocket.chat user info security issue

Rocket.Chat Cleartext Transmission of Sensitive Information (CWE-319)CVE-2022-32227

Medium

2022-09-22

Message ID Enumeration with Regular Expression in getReadReceipts Meteor method

Rocket.Chat Information Disclosure (CWE-200)CVE-2022-32228

Medium

2022-09-22

NoSQL-Injection discloses S3 File Upload URLs

Rocket.Chat Information Disclosure (CWE-200)CVE-2022-35246

Medium

2022-09-22

getRoomRoles Method leaks Channel Owner

Rocket.Chat Information Disclosure (CWE-200)CVE-2022-35247

Medium

2022-09-22

Message ID Enumeration with Action Link Handler

Rocket.Chat Information Disclosure (CWE-200)CVE-2022-32218

Medium

2022-09-22

REST API gets `query` as parameter and executes it

Rocket.Chat Information Disclosure (CWE-200)CVE-2022-32219

Medium

2022-09-22

高频漏洞类型

最活跃项目

项目	报告数	最高赏金
U.S. Dept Of Defense	896	—
Internet Bug Bounty	817	$2,257
HackerOne	609	—
Nextcloud	584	—
Shopify	465	—
curl	464	—
Node.js third-party modules	307	—
GitLab	258	—
X / xAI	250	$7,000
Uber	239	—