Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports

12,245

CVE-linked

1,864

Programs

343

New This Week

Severity: All Critical High Medium Low

Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 658 Improper Authentication - Generic 653 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375

URl redirection

Kartpay Open Redirect (CWE-601)

Medium

2019-08-28

[public] Path traversal using symlink

Node.js third-party modules Path Traversal (CWE-22)

Medium

2019-08-28

Passcode Protection in Android Devices Can be Bypassed.

Nextcloud Violation of Secure Design Principles (CWE-657)

Medium

2019-08-27

Stack overflow affecting "ext" field on stylers.xml configuration file

Notepad++ Stack Overflow (CWE-121)

Medium

2019-08-25

Reflected File Download (RFD) in download video

Vimeo

Medium

2019-08-23

[larvitbase-api] Unintended Require

Node.js third-party modules Remote File Inclusion (CWE-98)CVE-2019-5479

Medium

2019-08-20

xmlrpc.php file enabled - data.gov

GSA Bounty Improper Access Control - Generic (CWE-284)

Medium

2019-08-19

Previously created sessions continue being valid after MFA activation

Superhuman (formerly Grammarly) Improper Access Control - Generic (CWE-284)

Medium

2019-08-19

SSRF In Get Video Contents

Semrush Server-Side Request Forgery (SSRF) (CWE-918)

Medium

2019-08-19

[kb.informatica.com] Dom Based xss

Informatica Cross-site Scripting (XSS) - Generic (CWE-79)

Medium

2019-08-17

Github Token Leaked publicly for https://github.com/mopub

X / xAI Cleartext Storage of Sensitive Information (CWE-312)

Medium

2019-08-15

subdomain take over at recommendation.algolia.com

Algolia Violation of Secure Design Principles (CWE-657)

Medium

2019-08-14

“email” MFA mode allows bypassing MFA from victim’s device when the device trust is not expired

Superhuman (formerly Grammarly) Improper Authentication - Generic (CWE-287)

Medium

2019-08-12

Blind Stored XSS In "Report a Problem" on www.data.gov/issue/

GSA Bounty Cross-site Scripting (XSS) - Stored (CWE-79)

Medium

2019-08-07

Reflected XSS on https://inventory.upserve.com/ (affects IE users only)

Upserve Cross-site Scripting (XSS) - Reflected (CWE-79)

Medium

2019-08-06

Improper Session management can cause account takeover[https://micropurchase.18f.gov]

GSA Bounty Insufficient Session Expiration (CWE-613)

Medium

2019-07-30

Github wikis are editable by anyone https://github.com/paragonie/password_lock/wiki

Paragon Initiative Enterprises Improper Access Control - Generic (CWE-284)

Medium

2019-07-29

Rate Limit workaround in the message of the phone number verification

Unikrn Improper Restriction of Authentication Attempts (CWE-307)

Medium

2019-07-26

[http-file-server] Stored XSS in the filename when directories listing

Node.js third-party modules Cross-site Scripting (XSS) - Stored (CWE-79)CVE-2019-5458

Medium

2019-07-24

[min-http-server] Stored XSS in the filename when directories listing

Node.js third-party modules CVE-2019-5457

Medium

2019-07-24

Top Weakness Types

Most Active Programs

Program	Reports	Max $
U.S. Dept Of Defense	896	—
Internet Bug Bounty	817	$2,257
HackerOne	609	—
Nextcloud	584	—
Shopify	464	—
curl	457	—
Node.js third-party modules	307	—
GitLab	258	—
X / xAI	250	$2,500
Uber	239	—

Goal Reached Thanks to every supporter — we hit 100%!

Bug Bounty Intelligence