Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports

12,219

CVE-linked

1,854

Programs

342

New This Week

Severity: All Critical High Medium Low

Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375

Program filter: ibb✕

ReDoS (Rails::Html::PermitScrubber.scrub_attribute)

Internet Bug Bounty CVE-2022-23514

High

2022-12-14

Electron CVE-2022-35954 Delimiter Injection Vulnerability in exportVariable

Internet Bug Bounty CVE-2022-35954

Medium

2022-12-14

CVE-2022-35260: .netrc parser out-of-bounds access

Internet Bug Bounty Stack Overflow (CWE-121)CVE-2022-35260

Low

2022-12-03

POST following PUT confusion

Internet Bug Bounty Information Disclosure (CWE-200)CVE-2022-32221

Medium

2022-12-02

CVE-2022-45402: Apache Airflow: Open redirect during login

Internet Bug Bounty Open Redirect (CWE-601)CVE-2022-45402

Medium

2022-12-01

potential denial of service attack via the locale parameter

Internet Bug Bounty Uncontrolled Resource Consumption (CWE-400)CVE-2022-41323

Medium

2022-11-28

CVE-2022-35252: control code in cookie denial of service

Internet Bug Bounty Improper Input Validation (CWE-20)CVE-2022-35252

Low

2022-11-05

CVE-2022-42916: HSTS bypass via IDN

Internet Bug Bounty Cleartext Transmission of Sensitive Information (CWE-319)CVE-2022-42916

Medium

2022-11-03

[CVE-2022-35949]: undici.request vulnerable to SSRF using absolute / protocol-relative URL on pathname

Internet Bug Bounty Server-Side Request Forgery (SSRF) (CWE-918)CVE-2022-35949

Medium

2022-09-23

CVE-2022-35948: CRLF Injection in Nodejs ‘undici’ via Content-Type

Internet Bug Bounty CRLF Injection (CWE-93)CVE-2022-35948

Medium

2022-09-23

CVE-2022-38362: Apache Airflow Docker Provider <3.0 RCE vulnerability in example dag

Internet Bug Bounty Command Injection - Generic (CWE-77)CVE-2022-38362

High

2022-09-23

Airflow Daemon Mode Insecure Umask Privilege Escalation

Internet Bug Bounty Incorrect Permission Assignment for Critical Resource (CWE-732)CVE-2022-38170

Medium

2022-09-17

CVE-2022-21831: Possible code injection vulnerability in Rails / Active Storage

Internet Bug Bounty Code Injection (CWE-94)CVE-2022-21831

High

2022-09-10

Pause-based desync in Apache HTTPD

Internet Bug Bounty HTTP Request Smuggling (CWE-444)

High

2022-08-25

Disabling context isolation, nodeIntegrationInSubFrames using an unauthorised frame.

Internet Bug Bounty Improper Access Control - Generic (CWE-284)

Medium

2022-08-11

Off-by-slash vulnerability in nodejs.org and iojs.org

Internet Bug Bounty Path Traversal (CWE-22)

Medium

2022-07-28

Node.js - DLL Hijacking on Windows

Internet Bug Bounty Untrusted Search Path (CWE-426)

High

2022-07-25

CVE-2022-27781: CERTINFO never-ending busy-loop

Internet Bug Bounty Uncontrolled Resource Consumption (CWE-400)CVE-2022-27781

Low

2022-07-24

Rack CVE-2022-30122: Denial of Service Vulnerability in Rack Multipart Parsing

Internet Bug Bounty CVE-2022-30122

Medium

2022-07-23

CVE-2022-32214 - HTTP Request Smuggling Due To Improper Delimiting of Header Fields

Internet Bug Bounty HTTP Request Smuggling (CWE-444)CVE-2022-32214

Medium

2022-07-22

Top Weakness Types

Most Active Programs

Program	Reports	Max $
U.S. Dept Of Defense	896	—
Internet Bug Bounty	817	—
HackerOne	609	—
Nextcloud	582	—
Shopify	464	—
curl	439	—
Node.js third-party modules	307	—
GitLab	258	—
X / xAI	250	$2,500
Uber	239	$9,895

Goal Reached Thanks to every supporter — we hit 100%!

Bug Bounty Intelligence