目標達成 すべての支援者に感謝 — 100%達成しました!

目標: 1000 CNY · 調達済み: 1000 CNY

100.0%
コーヒーを一杯おごる

漏洞赏金情报

数据来源:HackerOne 公开披露报告 · 每 6 小时更新

浏览 HackerOne 平台公开披露的漏洞赏金报告,按严重程度、漏洞类型或目标项目筛选,关联 CVE 编号。

已披露报告
12,217
关联 CVE
1,854
参与项目数
342
近 7 天新增
12
严重度: All CriticalHighMediumLow
类型: 全部 Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
项目筛选:gitlab
Ability to bypass email verification for OAuth grants results in accounts takeovers on 3rd parties
GitLab Authentication Bypass Using an Alternate Path or Channel (CWE-288)
High
2020-10-01
Adding everyone to the repo due to the lack of rate limit
GitLab Insecure Direct Object Reference (IDOR) (CWE-639)
High
2020-09-14
Stored XSS in markdown when redacting references
GitLab Cross-site Scripting (XSS) - Stored (CWE-79)
High
2020-09-09
Stored XSS on PyPi simple API endpoint
GitLab Cross-site Scripting (XSS) - Stored (CWE-79)
Medium
2020-09-09
EXIF metadata not stripped from JPG group logos
GitLab Information Disclosure (CWE-200)
Low
2020-09-08
Injection of `http.<url>.*` git config settings leading to SSRF
GitLab Server-Side Request Forgery (SSRF) (CWE-918)
High
2020-09-08
Members from parent group keep their access level on a subgroup transfer and are invisible
GitLab Improper Access Control - Generic (CWE-284)
High
2020-09-08
SSRF into Shared Runner, by replacing dockerd with malicious server in Executor
GitLab Server-Side Request Forgery (SSRF) (CWE-918)
Medium
2020-09-08
Stored XSS in "Create Groups"
GitLab Cross-site Scripting (XSS) - Stored (CWE-79)
High
2020-08-26
An attacker can run pipeline jobs as arbitrary user
GitLab Business Logic Errors (CWE-840)
Critical
2020-08-26
Privilege escalation from any user (including external) to gitlab admin when admin impersonates you
GitLab Privilege Escalation (CAPEC-233)
Critical
2020-08-26
Stealing data from customers.gitlab.com without user interaction
GitLab Insecure Direct Object Reference (IDOR) (CWE-639)
High
2020-08-26
Initial mirror user can be assigned by other user even if the mirror was removed
GitLab Improper Access Control - Generic (CWE-284)
Medium
2020-08-26
SSRF In plantuml (on plantuml.pre.gitlab.com)
GitLab Server-Side Request Forgery (SSRF) (CWE-918)
Medium
2020-08-17
Full Read SSRF on Gitlab's Internal Grafana
GitLab Server-Side Request Forgery (SSRF) (CWE-918)
Critical
2020-08-07
Stored XSS in blob viewer
GitLab Cross-site Scripting (XSS) - Stored (CWE-79)
Medium
2020-08-04
Unrestricted file upload leads to Stored XSS
GitLab Cross-site Scripting (XSS) - Stored (CWE-79)
Medium
2020-08-03
Send arbitrary PUT requests when user clicks on a link
GitLab Command Injection - Generic (CWE-77)
Medium
2020-07-27
gitlab-workhorse bypass in Gitlab::Middleware::Multipart allowing files in `allowed_paths` to be read
GitLab Information Disclosure (CWE-200)
Critical
2020-06-08
SSRF on project import via the remote_attachment_url on a Note
GitLab Server-Side Request Forgery (SSRF) (CWE-918)
High
2020-06-07
高频漏洞类型
最活跃项目
项目报告数最高赏金
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895