Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
14
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Program filter: cloudflare
`use-mcp`'s oauth2 process uses a window.open call with untrusted mcp server provided data allowing for code execution under the page using it
Cloudflare Public Bug Bounty Cross-site Scripting (XSS) - Generic (CWE-79)
Medium
2025-09-30
Arbitrary file read from Cloudflare Pages build environment
Cloudflare Public Bug Bounty
Medium
2024-02-23
Bypass R2 payment screen
Cloudflare Public Bug Bounty Improper Restriction of Authentication Attempts (CWE-307)
Medium
2023-11-10
Cloudflare is not properly deleting user's account
Cloudflare Public Bug Bounty Business Logic Errors (CWE-840)
Medium
2023-04-13
Session mismatch leading to potential account takeover (local access required)
Cloudflare Public Bug Bounty Insecure Direct Object Reference (IDOR) (CWE-639)
Medium
2023-04-10
Extraction of Pages build scripts, config values, tokens, etc. via symlinks
Cloudflare Public Bug Bounty Information Disclosure (CWE-200)
Medium
2023-03-06
Origin IP address disclosure through Pingora response header
Cloudflare Public Bug Bounty Information Exposure Through an Error Message (CWE-209)
Medium
2023-01-10
Bypass Cloudflare WARP lock on iOS.
Cloudflare Public Bug Bounty Client-Side Enforcement of Server-Side Security (CWE-602)CVE-2022-3322
Medium
2022-11-07
Take over subdomains of r2.dev using R2 custom domains
Cloudflare Public Bug Bounty
Medium
2022-09-28
Signup with any Email and Enable 2-FA without verifying Email
Cloudflare Public Bug Bounty Improper Authentication - Generic (CWE-287)
Medium
2022-09-12
Enable 2Fa verification without verifying email
Cloudflare Public Bug Bounty Improper Access Control - Generic (CWE-284)
Medium
2022-08-31
Bypassing Cache Deception Armor using .avif extension file
Cloudflare Public Bug Bounty Information Disclosure (CWE-200)
Medium
2022-06-27
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895