漏洞赏金情报

数据来源：HackerOne 公开披露报告 · 每 6 小时更新

浏览 HackerOne 平台公开披露的漏洞赏金报告，按严重程度、漏洞类型或目标项目筛选，关联 CVE 编号。

已披露报告

12,240

关联 CVE

1,863

参与项目数

342

近 7 天新增

20

严重度: All Critical High Medium Low

类型: 全部 Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 657 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375

Stored XSS on add project

Moneybird Cross-site Scripting (XSS) - Stored (CWE-79)

Medium

2020-10-05

Application DOS via specially crafted payload on 3d.cs.money

Medium

2020-10-01

[cs.money] Open Redirect Leads to Account Takeover

CS Money Improper Authentication - Generic (CWE-287)

Medium

2020-09-30

DOM XSS on https://www.███████

U.S. Dept Of Defense Cross-site Scripting (XSS) - DOM (CWE-79)

Medium

2020-09-29

Reflected XSS in https://www.██████/

U.S. Dept Of Defense Cross-site Scripting (XSS) - Reflected (CWE-79)

Medium

2020-09-29

Reflected XSS in https://www.█████/

U.S. Dept Of Defense Cross-site Scripting (XSS) - Reflected (CWE-79)

Medium

2020-09-29

Cross Site Scripting (XSS) – Reflected

U.S. Dept Of Defense Cross-site Scripting (XSS) - Reflected (CWE-79)

Medium

2020-09-29

Email flooding using user invitation feature in biz.yelp.com due to lack of rate limiting

Yelp Violation of Secure Design Principles (CWE-657)

Medium

2020-09-29

Access control missing while viewing the attachments in the "All boards"

Nextcloud Insecure Direct Object Reference (IDOR) (CWE-639)CVE-2020-8235

Medium

2020-09-29

Public and secret api key leaked in JavaScript source

Stripo Inc Cleartext Storage of Sensitive Information (CWE-312)

Medium

2020-09-29

IDOR in https://3d.cs.money/

CS Money Insecure Direct Object Reference (IDOR) (CWE-639)

Medium

2020-09-28

Bypass restrict of member subscription to use custom background in https://3d.cs.money without prime subscription

Medium

2020-09-28

Re-Sharing allows increase of privileges

Nextcloud Improper Privilege Management (CWE-269)CVE-2020-8223

Medium

2020-09-28

Unauthenticated HTML Injection Stored - ContactUs form

Medium

2020-09-25

[snekserve] Stored XSS via filenames HTML formatted

Node.js third-party modules Cross-site Scripting (XSS) - Stored (CWE-79)

Medium

2020-09-24

[commit-msg] RCE via insecure command formatting

Node.js third-party modules Code Injection (CWE-94)

Medium

2020-09-24

[gity] RCE via insecure command formatting

Node.js third-party modules Code Injection (CWE-94)

Medium

2020-09-24

[git-lib] RCE via insecure command formatting

Node.js third-party modules Code Injection (CWE-94)

Medium

2020-09-24

China - IDOR on Reservation Staging/Non Production Site - https://reservation.stg.starbucks.com.cn

Starbucks Insecure Direct Object Reference (IDOR) (CWE-639)

Medium

2020-09-22

[steam client] Opening a specific steam:// url overwrites files at an arbitrary location

Valve Write-what-where Condition (CWE-123)

Medium

2020-09-22

高频漏洞类型

最活跃项目

项目	报告数	最高赏金
U.S. Dept Of Defense	896	—
Internet Bug Bounty	817	$2,257
HackerOne	609	$1,500
Nextcloud	583	—
Shopify	464	—
curl	455	—
Node.js third-party modules	307	—
GitLab	258	—
X / xAI	250	$2,500
Uber	239	—