Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports

12,219

CVE-linked

1,854

Programs

342

New This Week

Severity: All Critical High Medium Low

Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375

Possible to enumerate valid files in password protected shares/files drop shares as well as spam folder with files

Nextcloud Information Disclosure (CWE-200)

Low

2025-02-21

IDOR on ads.tiktok.com Allows Unauthorized Product Addition

TikTok Insecure Direct Object Reference (IDOR) (CWE-639)

Low

2025-02-20

Linkedin Broken Link Hijacking on https://hemi.xyz/about

Hemi VDP Externally Controlled Reference to a Resource in Another Sphere (CWE-610)

Low

2025-02-13

CVE-2025-0167: netrc and default credential leak

curl LLM06: Sensitive Information Disclosure CVE-2025-0167 CVE-2024-11053

Low

2025-02-07

CVE-2025-0665: eventfd double close

curl Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') (CWE-362)CVE-2025-0665

Low

2025-02-07

Error Page Content Spoofing or Text Injection

XVIDEOS Violation of Secure Design Principles (CWE-657)

Low

2025-02-06

[CVE-2024-54133] Possible Content Security Policy bypass in Action Dispatch

Internet Bug Bounty Cross-site Scripting (XSS) - Generic (CWE-79)CVE-2024-54133

Low

2025-02-06

CVE-2025-0725: gzip integer overflow

curl Integer Overflow to Buffer Overflow (CWE-680)CVE-2025-0725

Low

2025-02-05

Open Redirection effects autodiscover.rockstargames.com

Rockstar Games

Low

2025-02-03

Privilege Escalation - A Non Owner User Who Does not Have access to the user management can invite other users to the restaurant page

Yelp Improper Access Control - Generic (CWE-284)

Low

2025-01-29

Privilege Escalation - A Low Privilege User who does not have access to the user management module can remove the owner of the business account

Yelp Improper Access Control - Generic (CWE-284)

Low

2025-01-28

Stored XSS via SMTP Error Message

XVIDEOS Cross-site Scripting (XSS) - Stored (CWE-79)

Low

2025-01-24

Lack of Rate Limiting on Account Creation Endpoint

XVIDEOS

Low

2025-01-16

Attacker can use any non-enabled capability

Cosmos Privilege Escalation (CAPEC-233)

Low

2025-01-15

netrc and redirect credential leak

Internet Bug Bounty Information Disclosure (CWE-200)CVE-2024-11053

Low

2025-01-15

Blind SSRF Vulnerability in Appstore Release Upload Form

Nextcloud Improper Access Control - Generic (CWE-284)

Low

2025-01-14

Denial of Access to Static Resources via Cache Poisoning on addons.allizom.org

Mozilla Cache Poisoning (CAPEC-141)

Low

2025-01-08

Secrets not masked in UI when sensitive variables are set via Airflow cli

Internet Bug Bounty Information Disclosure (CWE-200)CVE-2024-50378

Low

2024-12-30

Access to limited confidential information of private program as a Ex-reporter, Report Participant(external user) & Ex-staff member

HackerOne Improper Access Control - Generic (CWE-284)

Low

2024-12-24

bypass of this Fixed #2437131 [ Inadequate Protocol Restriction Enforcement in curl ]

curl Cleartext Transmission of Sensitive Information (CWE-319)

Low

2024-12-19

Top Weakness Types

Most Active Programs

Program	Reports	Max $
U.S. Dept Of Defense	896	—
Internet Bug Bounty	817	—
HackerOne	609	—
Nextcloud	582	—
Shopify	464	—
curl	439	—
Node.js third-party modules	307	—
GitLab	258	—
X / xAI	250	$2,500
Uber	239	$9,895

Goal Reached Thanks to every supporter — we hit 100%!

Bug Bounty Intelligence