漏洞赏金情报

数据来源：HackerOne 公开披露报告 · 每 6 小时更新

浏览 HackerOne 平台公开披露的漏洞赏金报告，按严重程度、漏洞类型或目标项目筛选，关联 CVE 编号。

已披露报告

12,220

关联 CVE

1,854

参与项目数

342

近 7 天新增

8

严重度: All Critical High Medium Low

类型: 全部 Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375

项目筛选：gitlab✕

Account Takeover via Password Reset without user interactions

GitLab Improper Access Control - Generic (CWE-284)

Critical

2025-02-26

RepositoryPipeline allows importing of local git repos

GitLab Improper Access Control - Generic (CWE-284)

Medium

2022-11-04

Unauthenticated IP allowlist bypass when accessing job artifacts through gitlab pages at `{group_id}.gitlab.io`

GitLab Improper Access Control - Generic (CWE-284)

Medium

2022-09-22

Unauthorized access

GitLab Improper Access Control - Generic (CWE-284)CVE-2022-2185

Medium

2022-08-25

Found Origin IP's lead to access to gitlab

GitLab Improper Access Control - Generic (CWE-284)

Medium

2022-08-02

"External status checks" can be accepted by users below developer access if the user is either author or assignee of the target merge request

GitLab Improper Access Control - Generic (CWE-284)

Medium

2022-06-08

Container escape on public GitLab CI runners

GitLab Improper Access Control - Generic (CWE-284)

High

2022-04-27

Improper access control for users with expired password, giving the user full access through API and Git

GitLab Improper Access Control - Generic (CWE-284)

Medium

2022-01-27

Guest Users can create issues for Sentry errors and track their status

GitLab Improper Access Control - Generic (CWE-284)

Low

2021-09-24

A deactivated user can access data through GraphQL

GitLab Improper Access Control - Generic (CWE-284)

Medium

2021-08-30

Kroki Arbitrary File Read/Write

GitLab Improper Access Control - Generic (CWE-284)

High

2021-05-21

Revoked User can still view the Merge Request created by him via API

GitLab Improper Access Control - Generic (CWE-284)

Medium

2021-03-15

Guest users can change the confidentiality attribute on those issues that have been assigned to them

GitLab Improper Access Control - Generic (CWE-284)

Low

2020-11-09

Insufficient Type Check on GraphQL leading to Maintainer delete repository

GitLab Improper Access Control - Generic (CWE-284)

High

2020-11-02

Elasticsearch leaks data through the notes scope

GitLab Improper Access Control - Generic (CWE-284)

Medium

2020-10-06

Transferring a public group to a private group doesn't remove code from the Elastichsearch API search result

GitLab Improper Access Control - Generic (CWE-284)

Medium

2020-10-06

Members from parent group keep their access level on a subgroup transfer and are invisible

GitLab Improper Access Control - Generic (CWE-284)

High

2020-09-08

Initial mirror user can be assigned by other user even if the mirror was removed

GitLab Improper Access Control - Generic (CWE-284)

Medium

2020-08-26

Group search leaks private MRs, code, commits

GitLab Improper Access Control - Generic (CWE-284)CVE-2019-5487

High

2019-12-14

Group search with Elastic search enable leaks unrelated data

GitLab Improper Access Control - Generic (CWE-284)

High

2019-12-14

高频漏洞类型

最活跃项目

项目	报告数	最高赏金
U.S. Dept Of Defense	896	—
Internet Bug Bounty	817	—
HackerOne	609	—
Nextcloud	582	—
Shopify	464	—
curl	439	—
Node.js third-party modules	307	—
GitLab	258	—
X / xAI	250	$2,500
Uber	239	$9,895