Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1110 CNY

100%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,245
CVE-linked
1,864
Programs
343
New This Week
23
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 658 Improper Authentication - Generic 653 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Stored XSS Deleting Menu Links in the Shopify Admin
Shopify Cross-site Scripting (XSS) - Stored (CWE-79)
Medium
2017-09-08
Potential code injection in fun delete_directory
ExpressionEngine Code Injection (CWE-94)
Medium
2017-09-07
Image lib - unescaped file path
ExpressionEngine Code Injection (CWE-94)
Medium
2017-09-07
Flash CSRF: Update Ad Frequency %: [cp-ng.pinion.gg]
Unikrn Cross-Site Request Forgery (CSRF) (CWE-352)
Medium
2017-09-06
federalist.18f.gov vulnerable to Sweet32 attack
GSA Bounty Man-in-the-Middle (CWE-300)
Medium
2017-09-05
Stored XSS in snapmatic comments
Rockstar Games Cross-site Scripting (XSS) - Stored (CWE-79)
Medium
2017-09-05
Double Stored Cross-Site scripting in the admin panel
GSA Bounty Cross-site Scripting (XSS) - Stored (CWE-79)
Medium
2017-09-05
[IDOR] The authenticated user can restart website build or view build logs on any another Federalist account
GSA Bounty Insecure Direct Object Reference (IDOR) (CWE-639)
Medium
2017-09-05
The user, who was deleted from Github Organization, still can access all functions of federalist, in case he didn't do logout
GSA Bounty Improper Authentication - Generic (CWE-287)
Medium
2017-09-05
Improper error message
Legal Robot
Medium
2017-09-01
Reflected XSS via Double Encoding
Rockstar Games Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2017-09-01
Length extension attack leading to HTML injection
Eternal Cryptographic Issues - Generic (CWE-310)
Medium
2017-09-01
[Quora Android] Possible to steal arbitrary files from mobile device
Quora Information Disclosure (CWE-200)
Medium
2017-08-30
api.vk.com отдаёт в ответ HTML авторизированную страницу vk.com
VK.com Business Logic Errors (CWE-840)
Medium
2017-08-30
HackerOne reports escalation to JIRA is CSRF vulnerable
HackerOne Cross-Site Request Forgery (CSRF) (CWE-352)
Medium
2017-08-30
S3 ACL misconfiguration
Legal Robot Improper Authentication - Generic (CWE-287)
Medium
2017-08-29
Stored XSS in profile activity feed messages
Rockstar Games Cross-site Scripting (XSS) - Stored (CWE-79)
Medium
2017-08-28
[dev-unifi-go.ubnt.com] Insecure CORS, Stealing Cookies
Ubiquiti Inc. Information Exposure Through an Error Message (CWE-209)
Medium
2017-08-28
The websocket traffic is not secure enough
Legal Robot Cross-Site Request Forgery (CSRF) (CWE-352)
Medium
2017-08-27
Create Api Key is not working
Legal Robot
Medium
2017-08-26
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817 $2,257
HackerOne609
Nextcloud584
Shopify464
curl457
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239