Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports

12,219

CVE-linked

1,854

Programs

342

New This Week

Severity: All Critical High Medium Low

Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375

Brave Shields Domain Reordering Leads to Origin Confusion

Brave Software Violation of Secure Design Principles (CWE-657)

Low

2026-04-13

FS Permissions Bypass

Node.js Violation of Secure Design Principles (CWE-657)CVE-2025-55130

High

2026-02-12

Account Takeover via Unverified Email Change and Improper Session Handling

U.S. Dept Of Defense Violation of Secure Design Principles (CWE-657)

High

2026-01-12

Cross‑Layer State Confusion in libcurl: Credential & Key‑Material Persistence Across Redirect / Connection Reuse Boundaries

curl Violation of Secure Design Principles (CWE-657)

Critical

2025-12-28

Invalidate active sessions after password change

Hiro Violation of Secure Design Principles (CWE-657)

Low

2025-10-31

Email not verified when changing afterwards on apps.nextcloud.com

Nextcloud Violation of Secure Design Principles (CWE-657)

Low

2025-09-29

No SPF/DMARC records on mb-cosmos.com

Malwarebytes Violation of Secure Design Principles (CWE-657)

Medium

2025-08-18

Double Clickjacking Attack on WakaTime OAuth Authorization Flow at https://wakatime.com/oauth/authorize

WakaTime Violation of Secure Design Principles (CWE-657)

Medium

2025-08-05

Domain highlighting on External link warning is not working on Chrome & Microsoft Edge browsers on Mobile

HackerOne Violation of Secure Design Principles (CWE-657)

Low

2025-03-13

Unauthenticated phpinfo()files could lead to ability file read at h2f54.n1.ips.mtn.co.ug [/dashboard/]

MTN Group Violation of Secure Design Principles (CWE-657)

Medium

2025-02-20

Error Page Content Spoofing or Text Injection

XVIDEOS Violation of Secure Design Principles (CWE-657)

Unknown

2025-02-07

Error Page Content Spoofing or Text Injection

XVIDEOS Violation of Secure Design Principles (CWE-657)

Low

2025-02-06

Exposure of Private Personal Information to an Unauthorized Actor - PII and soldier data (mos, schools, and speciality training)

U.S. Dept Of Defense Violation of Secure Design Principles (CWE-657)

Critical

2025-01-24

Bypassing Recaptcha Protection in `https://connect.acronis.com`

Acronis Violation of Secure Design Principles (CWE-657)

Low

2024-10-30

Weak Password Policy via DirectAdmin Password Change Functionality

Endless Group Violation of Secure Design Principles (CWE-657)

Unknown

2024-10-22

Brave Android: Incorrect URL Eliding in Brave Shields Pop Up

Brave Software Violation of Secure Design Principles (CWE-657)CVE-2024-37406

Low

2024-09-18

Unauthenticated arbitrary file upload on the https://█████/ (█████████)

U.S. Dept Of Defense Violation of Secure Design Principles (CWE-657)

High

2024-08-16

Subdomain takeover ██████

U.S. Dept Of Defense Violation of Secure Design Principles (CWE-657)

Critical

2024-07-26

Unauthenticated arbitrary file upload on the https://█████/ (█████.mil)

U.S. Dept Of Defense Violation of Secure Design Principles (CWE-657)

High

2024-07-19

2fa can't be activated on app.pullrequest.com

HackerOne Violation of Secure Design Principles (CWE-657)

None

2024-07-11

Top Weakness Types

Most Active Programs

Program	Reports	Max $
U.S. Dept Of Defense	896	—
Internet Bug Bounty	817	—
HackerOne	609	—
Nextcloud	582	—
Shopify	464	—
curl	439	—
Node.js third-party modules	307	—
GitLab	258	—
X / xAI	250	$2,500
Uber	239	$9,895

Goal Reached Thanks to every supporter — we hit 100%!

Bug Bounty Intelligence