漏洞赏金情报

数据来源：HackerOne 公开披露报告 · 每 6 小时更新

浏览 HackerOne 平台公开披露的漏洞赏金报告，按严重程度、漏洞类型或目标项目筛选，关联 CVE 编号。

已披露报告

12,219

关联 CVE

1,854

参与项目数

342

近 7 天新增

14

严重度: All Critical High Medium Low

类型: 全部 Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375

项目筛选：security✕

Bypassing the External Link Warning

HackerOne Open Redirect (CWE-601)

Low

2021-05-07

Editing Pentest Summary Report Answers After Submitting Them

HackerOne Modification of Assumed-Immutable Data (MAID) (CWE-471)

Low

2021-05-06

Changing the 2FA secret key and backup codes without knowing the 2FA OTP

HackerOne Modification of Assumed-Immutable Data (MAID) (CWE-471)

Medium

2021-05-06

Improper data update process on UpdatePhabricatorIntegration mutation leads to leak of Phabricator Conduit API token.

HackerOne Information Disclosure (CWE-200)

Critical

2021-04-30

Ability to invite a new member on Sandbox Program

HackerOne Business Logic Errors (CWE-840)

Low

2021-04-05

HackerOne Jira integration plugin Leaked JWT to unauthorized jira users

HackerOne Improper Authentication - Generic (CWE-287)

Medium

2021-04-01

Reflected XSS and possible SSRF/XXE on https://events.hackerone.com/conferences/get_recording_slides_xml.xml?url=myserver/xss.xml

HackerOne Cross-site Scripting (XSS) - Reflected (CWE-79)

None

2021-03-26

Open Redirect on http://events.hackerone.com/redirect?url=https://naglinagli.github.io

HackerOne Open Redirect (CWE-601)

None

2021-03-26

Stored XSS on https://events.hackerone.com

HackerOne Cross-site Scripting (XSS) - Stored (CWE-79)

None

2021-03-26

Indexing of urls on the "External link warning" pages discloses many vulnerable endpoints from the past and unlisted videos/photos

HackerOne Violation of Secure Design Principles (CWE-657)

Medium

2021-03-25

Stored Cross-Site Scripting vulnerability in example Custom Digital Agreement

HackerOne Cross-site Scripting (XSS) - Stored (CWE-79)

Medium

2021-03-18

"Bounty splitting enabled" can discloses if public VDPs are running private VRP

Low

2021-03-18

Dangling cloud instance at vpn.inverselink.com

HackerOne Business Logic Errors (CWE-840)

Low

2021-03-11

Denial Of Service (Out Of Memory) on Updating Bounty Table [Urgent]

HackerOne Uncontrolled Resource Consumption (CWE-400)

Low

2021-02-02

The hacker has access to the administrative part of the management reports in publish report

Low

2020-12-16

Security@ email forwarding and Embedded Submission drafts can be used to obtain copy of deleted attachments from other HackerOne users

HackerOne Insecure Direct Object Reference (IDOR) (CWE-639)

High

2020-11-17

Blind Stored XSS in HackerOne's Sal 4.1.4.2149 (sal.████.com)

HackerOne Cross-site Scripting (XSS) - Stored (CWE-79)CVE-2020-26205

None

2020-11-09

Getting New Invitations without Leaving Programs

HackerOne Business Logic Errors (CWE-840)

Low

2020-10-15

2020-10-09 Credential Stuffing Attack

Unknown

2020-10-13

Making program preference -> program visibilty feature usless and disclosing API Identifier in the progress and data that may cause potential IDORS.

HackerOne Information Disclosure (CWE-200)

Low

2020-10-02

高频漏洞类型

最活跃项目

项目	报告数	最高赏金
U.S. Dept Of Defense	896	—
Internet Bug Bounty	817	—
HackerOne	609	—
Nextcloud	582	—
Shopify	464	—
curl	439	—
Node.js third-party modules	307	—
GitLab	258	—
X / xAI	250	$2,500
Uber	239	$9,895