Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,221
CVE-linked
1,854
Programs
342
New This Week
4
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
One-click account hijack for anyone using Apple sign-in with Reddit, due to response-type switch + leaking href to XSS on www.redditmedia.com
Reddit Improper Access Control - Generic (CWE-284)
Critical
2022-08-02
Insecure use of shell.openExternal() in Rocket.Chat Desktop App leading to RCE
Rocket.Chat OS Command Injection (CWE-78)
Critical
2022-08-01
Hijack all emails sent to any domain that uses Cloudflare Email Forwarding
Cloudflare Public Bug Bounty Improper Authorization (CWE-285)
Critical
2022-07-28
Race condition in faucet when using starport
Cosmos
Critical
2022-07-26
Can use the Reddit android app as usual even though revoking the access of it from reddit.com
Reddit Insufficient Session Expiration (CWE-613)
Critical
2022-07-16
Insecure Object Permissions for Guest User leads to access to internal documents!
IBM Improper Authentication - Generic (CWE-287)
Critical
2022-07-15
[CVE-2021-44228] nps.acronis.com is vulnerable to the recent log4shell 0-day
Acronis Deserialization of Untrusted Data (CWE-502)CVE-2021-44228
Critical
2022-07-13
Able to view hackerone reports attachments
GitLab Insecure Storage of Sensitive Information (CWE-922)
Critical
2022-07-11
Mass Account Takeover at https://app.taxjar.com/ - No user Interaction
Stripe Authentication Bypass Using an Alternate Path or Channel (CWE-288)
Critical
2022-07-11
Exposed valid AWS, Mysql, Sendgrid and other secrets
Glovo Use of Hard-coded Credentials (CWE-798)
Critical
2022-07-08
Blind User-Agent SQL Injection to Blind Remote OS Command Execution at █████████
Sony OS Command Injection (CWE-78)
Critical
2022-07-06
SSRF via Office file thumbnails
Slack Information Disclosure (CWE-200)
Critical
2022-07-05
June 2022 Incident Report
HackerOne
Critical
2022-07-01
HTTP request smuggling with Origin Rules using newlines in the host_header action parameter
Cloudflare Public Bug Bounty HTTP Request Smuggling (CWE-444)
Critical
2022-06-27
sql injection via https://setup.p2p.ihost.com/
IBM SQL Injection (CWE-89)
Critical
2022-06-17
Steal private objects of other projects via project import
GitLab Insecure Direct Object Reference (IDOR) (CWE-639)
Critical
2022-06-07
Private objects exposed through project import
GitLab Insecure Direct Object Reference (IDOR) (CWE-639)
Critical
2022-06-07
Misconfigurated login page able to lock login action for any account without user interaction
Reddit
Critical
2022-06-06
Cross-site scripting on dashboard2.omise.co
Omise Cross-site Scripting (XSS) - Stored (CWE-79)
Critical
2022-05-24
Integer overflow vulnerability
Glovo Integer Overflow (CWE-190)
Critical
2022-05-17
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl440
Node.js third-party modules307
GitLab258 $13,950
X / xAI250 $2,500
Uber239