Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1020 CNY

100%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,245
CVE-linked
1,864
Programs
343
New This Week
23
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 658 Improper Authentication - Generic 653 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
libtiff 4.0.6 segfault / read outside of buffer (CVE-2016-9297)
Internet Bug Bounty Memory Corruption - Generic (CWE-119)CVE-2016-9297
Medium
2019-10-04
CVE-2017-5969: libxml2 when used in recover mode, allows remote attackers to cause a denial of service (NULL pointer dereference)
Internet Bug Bounty NULL Pointer Dereference (CWE-476)CVE-2017-5969
Medium
2019-10-04
login csrf in analytics.mopub.com
X / xAI Cross-Site Request Forgery (CSRF) (CWE-352)
Medium
2019-10-02
Reports Modal in app.mopub.com Disclose by any user
X / xAI Information Disclosure (CWE-200)
Medium
2019-10-02
Bypassing push rules via MRs created by Email
GitLab Improper Access Control - Generic (CWE-284)
Medium
2019-10-01
Arbitrary file creation with semi-controlled content (leads to DoS, EoP and others) at Steam Windows Client
Valve Path Traversal (CWE-22)
Medium
2019-09-26
CSS injection via BB code tag "█████"
phpBB Resource Injection (CWE-99)CVE-2019-16108
Medium
2019-09-26
[https-proxy-agent] Socket returned without TLS upgrade on non-200 CONNECT response, allowing request data to be sent over unencrypted connection
Node.js third-party modules Man-in-the-Middle (CWE-300)
Medium
2019-09-25
Stored XSS in localhost:* via integrated torrent downloader
Brave Software Cross-site Scripting (XSS) - Stored (CWE-79)CVE-2019-15782
Medium
2019-09-24
Malformed map detailed texture files in GoldSrc games lead to Remote Code Execution
Valve Stack Overflow (CWE-121)
Medium
2019-09-17
CVE-2019-0196: mod_http2 with scoreboard Use-After-Free (Read)
Internet Bug Bounty Use After Free (CWE-416)CVE-2019-0196
Medium
2019-09-10
Web protection component in Anti-Virus products family ignores HSTS security policy
Kaspersky Man-in-the-Middle (CWE-300)
Medium
2019-09-05
Xss on community.imgur.com
Imgur Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2019-09-03
[larvitbase-www] Unintended Require
Node.js third-party modules Remote File Inclusion (CWE-98)
Medium
2019-09-03
Bypass Email Verification -- Able to Access Internal Gitlab Services that use Login with Gitlab and Perform Check on email domain
GitLab Reliance on Untrusted Inputs in a Security Decision (CWE-807)CVE-2019-5473
Medium
2019-08-30
GitLab's GitHub integration is vulnerable to SSRF vulnerability
GitLab Server-Side Request Forgery (SSRF) (CWE-918)CVE-2019-5461
Medium
2019-08-30
Missing DNSSEC
Nextcloud Man-in-the-Middle (CWE-300)
Medium
2019-08-29
Reflected XSS / Markup Injection in `index.php/svg/core/logo/logo` parameter `color`
Nextcloud Cross-site Scripting (XSS) - Reflected (CWE-79)CVE-2020-8120
Medium
2019-08-29
Certificate warnings and similar UI elements in Web protection of Anti-Virus products family are susceptible to clickjacking
Kaspersky UI Redressing (Clickjacking) (CAPEC-103)
Medium
2019-08-28
Reflected XSS: Taxonomy Converter via tax parameter
WordPress Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2019-08-28
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817 $2,257
HackerOne609
Nextcloud584
Shopify464
curl457
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239