Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports

12,219

CVE-linked

1,854

Programs

342

New This Week

Severity: All Critical High Medium Low

Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375

Program filter: tiktok✕

Unauthorized Access to Private Video Description via Translation API for Private Accounts

TikTok Insecure Direct Object Reference (IDOR) (CWE-639)

Low

2025-06-27

IDOR on ads.tiktok.com Allows Unauthorized Product Addition

TikTok Insecure Direct Object Reference (IDOR) (CWE-639)

Low

2025-02-20

Stored-XSS-ads.tiktok.com

TikTok Cross-site Scripting (XSS) - Stored (CWE-79)

Low

2024-10-02

Authentication Bypass on TikTok Seller Signup Process Allows Account Creation Without Phone Verification

TikTok Improper Access Control - Generic (CWE-284)

Low

2024-07-03

HTML Injection on TikTok Ads

TikTok Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CWE-80)

Low

2024-02-20

Multiple Open Redirect on TikTok domains

TikTok Improper Access Control - Generic (CWE-284)

Low

2024-02-16

Improper user validation on mentions and hashtags

TikTok Improper Input Validation (CWE-20)

Low

2023-06-22

IDOR in family pairing API

TikTok Insecure Direct Object Reference (IDOR) (CWE-639)

Low

2023-06-02

View thumbnail of any private video (friends or followers only) of Private/Public account

TikTok Privacy Violation (CWE-359)

Low

2023-02-17

Any user can vote on `Friend Only` video pull

TikTok Improper Authorization (CWE-285)

Low

2023-01-27

Stored XSS Payload when sending videos

TikTok Cross-site Scripting (XSS) - Stored (CWE-79)

Low

2022-11-29

Subdomain Takeover via Unclaimed Amazon S3 Bucket (Musical.ly)

TikTok Privilege Escalation (CAPEC-233)

Low

2022-11-07

Remotely Accessible Container Advisor exposed performance metrics and resource usage

TikTok Information Disclosure (CWE-200)

Low

2022-10-24

TikTok Account Creation Date Information Disclosure

TikTok Privacy Violation (CWE-359)

Low

2022-10-18

Bypassing authorization of linked Instagram account

TikTok Missing Authorization (CWE-862)

Low

2022-09-30

CSRF in Changing User Verification Email

TikTok Cross-Site Request Forgery (CSRF) (CWE-352)

Low

2022-09-13

IDOR on TikTok Seller

TikTok Insecure Direct Object Reference (IDOR) (CWE-639)

Low

2022-08-16

Unrestricted File Upload Blind Stored Xss in subdomain ads.tiktok.com

TikTok Cross-site Scripting (XSS) - Stored (CWE-79)

Low

2022-08-04

HTML Injection via Email Share

TikTok Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CWE-80)

Low

2022-07-27

IDOR in report download functionality on ads.tiktok.com

TikTok Insecure Direct Object Reference (IDOR) (CWE-639)

Low

2022-07-22

Top Weakness Types

Most Active Programs

Program	Reports	Max $
U.S. Dept Of Defense	896	—
Internet Bug Bounty	817	—
HackerOne	609	—
Nextcloud	582	—
Shopify	464	—
curl	439	—
Node.js third-party modules	307	—
GitLab	258	—
X / xAI	250	$2,500
Uber	239	$9,895

Goal Reached Thanks to every supporter — we hit 100%!

Bug Bounty Intelligence