Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1325 CNY

100%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,262
CVE-linked
1,866
Programs
343
New This Week
0
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 658 Improper Authentication - Generic 654 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
RXSS on █████████
U.S. Dept Of Defense Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2022-09-06
RXSS on ███████
U.S. Dept Of Defense Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2022-09-06
XSS DUE TO CVE-2020-3580
U.S. Dept Of Defense Cross-site Scripting (XSS) - Reflected (CWE-79)CVE-2020-3580
Medium
2022-09-06
firebase credentials leaks @ ███████
MTN Group Information Disclosure (CWE-200)
Medium
2022-09-05
firebase credentials leaks @ https://mpulse.mtnonline.com
MTN Group Information Disclosure (CWE-200)
Medium
2022-09-05
CVE-2021-38314 @ https://www.mtn.ci
MTN Group CVE-2021-38314
Medium
2022-09-05
Information disclosure through django debug mode
MTN Group Information Exposure Through Debug Information (CWE-215)
Medium
2022-09-05
API key (api.semrush.com) leak in JS-file
Semrush Information Disclosure (CWE-200)
Medium
2022-09-05
Unauthenticated SSRF in 3rd party module "cerdic/csstidy"
Nextcloud Server-Side Request Forgery (SSRF) (CWE-918)CVE-2022-31132
Medium
2022-09-03
IDOR on TikTok Ads Endpoint
TikTok Insecure Direct Object Reference (IDOR) (CWE-639)
Medium
2022-09-01
Password reset token leak on third party website via Referer header [██████████]
MTN Group
Medium
2022-09-01
Enable 2Fa verification without verifying email
Cloudflare Public Bug Bounty Improper Access Control - Generic (CWE-284)
Medium
2022-08-31
TikTok's pixel/sdk.js leaks current URL from websites using postMessage
TikTok Improper Authorization (CWE-285)
Medium
2022-08-30
Privilege Escalation - "Analyst" Role Can View Email Domains of a Company - [GET /voyager/api/voyagerOrganizationDashEmailDomainMappings]
LinkedIn Privilege Escalation (CAPEC-233)
Medium
2022-08-26
Unauthorized access
GitLab Improper Access Control - Generic (CWE-284)CVE-2022-2185
Medium
2022-08-25
Non-revoked API Key Information disclosure via Stripo_report()
Stripo Inc Cleartext Storage of Sensitive Information (CWE-312)
Medium
2022-08-25
NordVPN Linux Client - Unsafe service file permissions leads to Local Privilege Escalation
Nord Security Privilege Escalation (CAPEC-233)
Medium
2022-08-24
Reflected XSS on ███ via jobid parameter
Sony Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2022-08-24
Off-by-slash vulnerability in nodejs.org and iojs.org
Node.js Path Traversal (CWE-22)
Medium
2022-08-24
support.invisionpower.com takeover the subdomain with Zendesk
Invision Power Services, Inc. Privilege Escalation (CAPEC-233)
Medium
2022-08-24
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817 $2,257
HackerOne609
Nextcloud584
Shopify465
curl464
Node.js third-party modules307
GitLab258
X / xAI250 $7,000
Uber239