Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1020 CNY

100%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,244
CVE-linked
1,864
Programs
343
New This Week
23
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 657 Improper Authentication - Generic 653 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Information disclosure through Server side resource forgery
Stripo Inc Server-Side Request Forgery (SSRF) (CWE-918)
Medium
2020-01-28
Prototype pollution in dot-prop
Node.js third-party modules Modification of Assumed-Immutable Data (MAID) (CWE-471)CVE-2020-8116
Medium
2020-01-28
xss in /users/[id]/set_tier endpoint
RATELIMITED Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2020-01-25
Stored XSS | api.mapbox.com | IE 11 | Styles name
Mapbox Cross-site Scripting (XSS) - Stored (CWE-79)
Medium
2020-01-21
Ubuntu/Debian installation method allows key poisoning and code execution for network attacker
MariaDB Cryptographic Issues - Generic (CWE-310)
Medium
2020-01-21
Reflected XSS on www/delivery/afr.php
Revive Adserver Cross-site Scripting (XSS) - Reflected (CWE-79)CVE-2020-8115
Medium
2020-01-21
open Firebase Database: msdict-dev.firebaseio.com
MobiSystems Ltd. Improper Access Control - Generic (CWE-284)
Medium
2020-01-20
Open redirect
Nord Security Open Redirect (CWE-601)
Medium
2020-01-18
DoS of https://blog.yelp.com/ and other WP instances via CVE-2018-6389
Yelp CVE-2018-6389
Medium
2020-01-17
Exposed debug.log file leads to information disclosure
MariaDB Information Disclosure (CWE-200)
Medium
2020-01-15
Reflected xss on 8x8.vc
8x8 Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2020-01-15
url.parse() hostname spoofing via javascript: URIs
Node.js Cross-site Scripting (XSS) - Generic (CWE-79)
Medium
2020-01-15
Port and service scanning on localhost due to improper URL validation.
curl Information Disclosure (CWE-200)
Medium
2020-01-15
Http request splitting
Node.js HTTP Response Splitting (CWE-113)
Medium
2020-01-15
[node-red] Stored XSS within Flow's - "Name" field
Node.js third-party modules Cross-site Scripting (XSS) - Stored (CWE-79)CVE-2019-15607
Medium
2020-01-11
[npm-git-publish] RCE via insecure command formatting
Node.js third-party modules Code Injection (CWE-94)
Medium
2020-01-11
[meta-git] RCE via insecure command formatting
Node.js third-party modules Code Injection (CWE-94)
Medium
2020-01-11
CRLF Injection in legacy url API (url.parse().hostname)
Node.js CRLF Injection (CWE-93)
Medium
2020-01-10
Unrestricted file upload in www.semrush.com > /my_reports/api/v1/upload/image
Semrush Violation of Secure Design Principles (CWE-657)
Medium
2020-01-10
Access to ██████████████ due to weak credentials
8x8 Improper Authentication - Generic (CWE-287)
Medium
2020-01-08
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817 $2,257
HackerOne609
Nextcloud583
Shopify464
curl457
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239