Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1020 CNY

100%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,244
CVE-linked
1,864
Programs
343
New This Week
24
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 657 Improper Authentication - Generic 653 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Tomcat examples available for public, Disclosure Apache Tomcat version, Critical/High/Medium CVE
U.S. Dept Of Defense Information Exposure Through an Error Message (CWE-209)CVE-2020-1938CVE-2019-0232CVE-2019-17563CVE-2019-10072CVE-2019-0199CVE-2020-1967CVE-2019-12418CVE-2019-0221CVE-2019-2684CVE-2020-1935CVE-2018-11784
Medium
2020-06-11
Reflected XSS and HTML Injectionon a DoD website
U.S. Dept Of Defense Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2020-06-11
xmlrpc.php file enabled
8x8 Server-Side Request Forgery (SSRF) (CWE-918)
Medium
2020-06-09
XSS (Cross site scripting) on https://apimgr.8x8.com
8x8 Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2020-06-09
Reflected XSS on http://axa.dxi.eu
8x8 Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2020-06-09
Xss (cross site scripting) on http://axa.dxi.eu/
8x8 Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2020-06-09
Unauthorized access to metadata of undisclosed reports that were retested
HackerOne Information Disclosure (CWE-200)
Medium
2020-06-05
[crypto-js] Insecure entropy source - Math.random()
Node.js third-party modules Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CWE-338)
Medium
2020-06-04
Mail does not verify IMAP/SMTP host connected via TLS
Nextcloud Improper Certificate Validation (CWE-295)CVE-2020-8156
Medium
2020-06-03
Reflected XSS in Nanostation Loco M2 - AirOS ver=6.1.7
Ubiquiti Inc. Cross-site Scripting (XSS) - Reflected (CWE-79)CVE-2020-8170
Medium
2020-06-01
Cleartext Transmission of Sensitive Information Leads to administrator access
Helium Cleartext Transmission of Sensitive Information (CWE-319)
Medium
2020-05-30
Path traversal in command line client
MariaDB Path Traversal (CWE-22)
Medium
2020-05-28
OS Command Injection on Jison [all-parser-ports]
Node.js third-party modules OS Command Injection (CWE-78)CVE-2020-8178
Medium
2020-05-28
SSRF in img.lemlist.com that leads to Localhost Port Scanning
lemlist Server-Side Request Forgery (SSRF) (CWE-918)
Medium
2020-05-28
Organization Takeover via invitation API
Helium Insecure Direct Object Reference (IDOR) (CWE-639)
Medium
2020-05-27
No Rate Limiting on https://██████/██████████/accounts/password/reset/ endpoint leads to Denial of Service
U.S. Dept Of Defense Violation of Secure Design Principles (CWE-657)
Medium
2020-05-27
Self XSS combine CSRF at https://████████/index.php
U.S. Dept Of Defense Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2020-05-27
XSS Reflected
U.S. Dept Of Defense Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2020-05-27
Incorrect control of the trial period
Nord Security Client-Side Enforcement of Server-Side Security (CWE-602)
Medium
2020-05-26
XSS in https://affiliates.kromtech.com
Clario Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2020-05-25
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817 $2,257
HackerOne609 $1,500
Nextcloud583
Shopify464
curl457
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239