Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1110 CNY

100%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,248
CVE-linked
1,864
Programs
343
New This Week
16
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 658 Improper Authentication - Generic 653 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Sqli on ██████ search functionality
Mars SQL Injection (CWE-89)
Medium
2024-06-25
Reflected xss on ████████
Mars Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2024-06-25
CSRF resulting in adding pet at ███████
Mars Cross-Site Request Forgery (CSRF) (CWE-352)
Low
2024-06-25
Account takeover using reset password link
Mars Open Redirect (CWE-601)
Medium
2024-06-25
monitoring.prow-canary.k8s.io is vulnerable to CVE-2022-21703 (Grafana 0-day)
Kubernetes Cross-Site Request Forgery (CSRF) (CWE-352)CVE-2022-21703
Low
2024-06-25
DoS with crafted "Range" header
Ruby on Rails
High
2024-06-25
S3 Bucket Takeover on apptio endpoint
IBM Improper Access Control - Generic (CWE-284)
Medium
2024-06-21
Ability to identify actual private from sandboxed programs using link hackerone.com/$handle/terms_acceptance_data.csv
HackerOne Improper Access Control - Generic (CWE-284)
Medium
2024-06-20
Notes app can be tricked into using a received share created before the user logged in
Nextcloud Business Logic Errors (CWE-840)CVE-2024-37317
Medium
2024-06-19
[Meetup][World ID][OIDC] Insufficient Filtering of "state" Parameter in Response Mode form_post leads to XSS and ATO
Tools for Humanity Cross-Site Scripting (XSS) (CAPEC-63)
Critical
2024-06-19
Program Member Could Duplicate Report To A Non Related Program Original Report
HackerOne Improper Access Control - Generic (CWE-284)
High
2024-06-19
NULL dereference when encoding DN of x509 certificate
curl NULL Pointer Dereference (CWE-476)
Low
2024-06-19
"package_name" can be set as desired when submitting a Pentest Opportunity form
HackerOne Improper Access Control - Generic (CWE-284)
Medium
2024-06-19
[IDOR] Improper Access Control on Embedded Submission Form
HackerOne Insecure Direct Object Reference (IDOR) (CWE-639)
Low
2024-06-19
Cloudflare /cdn-cgi/ path allows resizing images from unauthorised sources on enjinusercontent.com
Enjin Code Injection (CWE-94)
Low
2024-06-19
Ability to bulk submit reports via query named based batching
HackerOne Violation of Secure Design Principles (CWE-657)
Low
2024-06-19
Attackers can *Upgrade and claim offer* on the Premium Trial Subscription with a total price of *IDR0.00* from the original *IDR7,022,061.82*
LinkedIn Business Logic Errors (CWE-840)
High
2024-06-18
[HTAF4-213] [Pre-submission] HTTPOnly session cookie exposure on the /csstest endpoint
U.S. Dept Of Defense Information Exposure Through Debug Information (CWE-215)
Medium
2024-06-18
Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://██████ (███)
U.S. Dept Of Defense Path Traversal (CWE-22)CVE-2019-11510CVE-2019-11542CVE-2019-11539CVE-2019-11538CVE-2019-11508CVE-2019-11540
High
2024-06-18
[CVE-2018-0296] Cisco VPN path traversal on the https://███████/ (████.███.mil)
U.S. Dept Of Defense Path Traversal (CWE-22)CVE-2018-0296
Medium
2024-06-18
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817 $2,257
HackerOne609
Nextcloud584
Shopify464
curl457
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239