Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
10
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Отправка произвольных запросов к API с правами любого установленного у пользователя iframe/miniapp
VK.com Cross-Site Request Forgery (CSRF) (CWE-352)
Medium
2020-11-07
CSRF To Add New App In Developer Account And Bypassing Json Format
TikTok Cross-Site Request Forgery (CSRF) (CWE-352)
Medium
2020-11-06
CSRF on launchpad.37signals.com OAuth2 authorization endpoint
Basecamp Cross-Site Request Forgery (CSRF) (CWE-352)
High
2020-10-30
Site-wide CSRF on Safari due to CORS misconfiguration (not localhost)
CS Money Cross-Site Request Forgery (CSRF) (CWE-352)
Medium
2020-10-27
authenticity token not verfied leads to change business name
Shopify Cross-Site Request Forgery (CSRF) (CWE-352)
Medium
2020-10-23
CSRF to account takeover in https://███████.mil/
U.S. Dept Of Defense Cross-Site Request Forgery (CSRF) (CWE-352)
Critical
2020-10-16
Send Empty CSRF leads to log out user on [https://hosted.weblate.org/accounts/profile]
Weblate Cross-Site Request Forgery (CSRF) (CWE-352)
Low
2020-10-12
No CSRF Protection in Resend Confirmation Email feature leads to Sending Unwanted Email in Victim's Inbox without knowing Victim's email address
Stripo Inc Cross-Site Request Forgery (CSRF) (CWE-352)
Medium
2020-09-08
The authenticity_token can be reversed and used to forge valid per_form_csrf_tokens for arbitrary routes
Ruby on Rails Cross-Site Request Forgery (CSRF) (CWE-352)CVE-2020-8166
Medium
2020-08-27
Authenticity token doesnt expire after single use leading to CSRF
Omise Cross-Site Request Forgery (CSRF) (CWE-352)
Unknown
2020-08-17
The vulnerabilities found were XSS, Public disclosure, Network enumeration via CSRF, DLL hijacking.
Eternal Cross-Site Request Forgery (CSRF) (CWE-352)
Unknown
2020-07-21
[express-cart] Wide CSRF in application
Node.js third-party modules Cross-Site Request Forgery (CSRF) (CWE-352)
Medium
2020-07-21
CSRF on comment post
WordPress Cross-Site Request Forgery (CSRF) (CWE-352)
Medium
2020-07-16
CSRF Account Deletion on ███ Website
U.S. Dept Of Defense Cross-Site Request Forgery (CSRF) (CWE-352)
Medium
2020-07-09
CSRF Vulnerability on post creation page /community/create-post.json
Rockstar Games Cross-Site Request Forgery (CSRF) (CWE-352)
Low
2020-07-07
csrf in https://www.rockstargames.com/reddeadonline/feedback/submit.json
Rockstar Games Cross-Site Request Forgery (CSRF) (CWE-352)
Low
2020-07-07
Logout page does not prevent CSRF
Courier Cross-Site Request Forgery (CSRF) (CWE-352)
Low
2020-07-06
CSRF at https://chatstory.pixiv.net/imported
pixiv Cross-Site Request Forgery (CSRF) (CWE-352)
Medium
2020-07-02
Referer Leakge in language changer may lead to FB token theft.
Rockstar Games Cross-Site Request Forgery (CSRF) (CWE-352)
Medium
2020-06-24
CSRF Vulnerabiliy on Facebook Linkage Page Allows Full Account takerover of Socialclub Accounts.
Rockstar Games Cross-Site Request Forgery (CSRF) (CWE-352)
High
2020-06-24
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895