Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1325 CNY

100%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,262
CVE-linked
1,866
Programs
343
New This Week
0
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 658 Improper Authentication - Generic 654 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Ownership check missing when updating or deleting attachments
Nextcloud Insecure Direct Object Reference (IDOR) (CWE-639)CVE-2022-31131
Medium
2022-07-06
Reflected XSS on ███?loc=
UPS VDP Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2022-07-05
SMTP Command Injection in iCalendar Attachments to Emails via Newlines
Nextcloud CRLF Injection (CWE-93)CVE-2022-31014
Medium
2022-07-04
Open redirect found on account.brave.com
Brave Software Open Redirect (CWE-601)
Medium
2022-06-30
Arbitrary file download via "Save .torrent file" option can lead to Client RCE and XSS
Brave Software Code Injection (CWE-94)
Medium
2022-06-30
Arbitrary file download due to bad handling of Redirects in WebTorrent
Brave Software Code Injection (CWE-94)
Medium
2022-06-30
Redirecting users to malicious torrent-files/websites using WebTorrent
Brave Software Violation of Secure Design Principles (CWE-657)
Medium
2022-06-30
XSS Payload on TikTok Seller Center endpoint
TikTok Cross-site Scripting (XSS) - Stored (CWE-79)
Medium
2022-06-29
CVE-2022-32206: HTTP compression denial of service
Internet Bug Bounty Allocation of Resources Without Limits or Throttling (CWE-770)CVE-2022-32206
Medium
2022-06-27
CVE-2022-32207: Unpreserved file permissions
Internet Bug Bounty Business Logic Errors (CWE-840)CVE-2022-32207
Medium
2022-06-27
Unauthorized Access to Internal Server Panel without Authentication
U.S. Dept Of Defense Improper Access Control - Generic (CWE-284)
Medium
2022-06-27
Reflected XSS via `████████` parameter
U.S. Dept Of Defense Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2022-06-27
Bypassing Cache Deception Armor using .avif extension file
Cloudflare Public Bug Bounty Information Disclosure (CWE-200)
Medium
2022-06-27
Rails::Html::SafeListSanitizer vulnerable to xss attack in an environment that allows the style tag
Internet Bug Bounty Cross-site Scripting (XSS) - Generic (CWE-79)CVE-2022-32209
Medium
2022-06-27
CVE-2022-32206: HTTP compression denial of service
curl Allocation of Resources Without Limits or Throttling (CWE-770)CVE-2022-32206
Medium
2022-06-27
CVE-2022-32207: Unpreserved file permissions
curl Business Logic Errors (CWE-840)CVE-2022-32207
Medium
2022-06-27
Credential leak when use two url
curl Insufficiently Protected Credentials (CWE-522)
Medium
2022-06-27
User can link non-public file attachments, leading to file disclose on edit by higher-privileged user
Phabricator Business Logic Errors (CWE-840)
Medium
2022-06-26
Bypass for Domain-level redirects (Unvalidated Redirects and Forwar)
GitLab Open Redirect (CWE-601)
Medium
2022-06-22
Add more seats by paying less via PUT /v2/seats request manipulation
Krisp Improper Input Validation (CWE-20)
Medium
2022-06-20
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817 $2,257
HackerOne609
Nextcloud584
Shopify465
curl464
Node.js third-party modules307
GitLab258
X / xAI250 $7,000
Uber239