漏洞赏金情报

数据来源：HackerOne 公开披露报告 · 每 6 小时更新

浏览 HackerOne 平台公开披露的漏洞赏金报告，按严重程度、漏洞类型或目标项目筛选，关联 CVE 编号。

已披露报告

12,247

关联 CVE

1,864

参与项目数

343

近 7 天新增

25

严重度: All Critical High Medium Low

类型: 全部 Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 658 Improper Authentication - Generic 653 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375

heap-use-after-free in mrb_vm_exec - vm.c:1247

shopify-scripts Memory Corruption - Generic (CWE-119)

Medium

2017-05-21

Dav sharing permissions issue

Nextcloud Privilege Escalation (CAPEC-233)

Medium

2017-05-20

XSS in the search bar of mercantile.wordpress.org

WordPress Cross-site Scripting (XSS) - Reflected (CWE-79)

Medium

2017-05-20

No BruteForce Protection

Weblate Improper Restriction of Authentication Attempts (CWE-307)

Medium

2017-05-17

CSRF : Lock and Unlock Translation

Weblate Cross-Site Request Forgery (CSRF) (CWE-352)

Medium

2017-05-17

Rate Limit Bypass on login Page

Weblate Improper Authentication - Generic (CWE-287)

Medium

2017-05-17

CSV export filter bypass leads to formula injection.

Weblate Command Injection - Generic (CWE-77)

Medium

2017-05-17

Activation tokens are not expiring

Weblate Cross-Site Request Forgery (CSRF) (CWE-352)

Medium

2017-05-17

Open Redirect via "next" parameter in third-party authentication

Weblate Open Redirect (CWE-601)

Medium

2017-05-17

Registration captcha bypass

Weblate Violation of Secure Design Principles (CWE-657)

Medium

2017-05-17

Open redirect in Signing in via Social Sites

Weblate Open Redirect (CWE-601)

Medium

2017-05-17

No Rate Limitting at Change Password

Medium

2017-05-17

full path disclosure at hosted.weblate.org/admin/accounts/profile/

Weblate Path Traversal (CWE-22)

Medium

2017-05-17

Possible SSRF in email server settings(SMTP mode)

Nextcloud Server-Side Request Forgery (SSRF) (CWE-918)

Medium

2017-05-15

XSS in instacart.com/store/partner_recipe

Instacart Cross-site Scripting (XSS) - Generic (CWE-79)

Medium

2017-05-11

Gitlab.com is vulnerable to reverse tabnabbing. (#2)

GitLab UI Redressing (Clickjacking) (CAPEC-103)

Medium

2017-05-09

Gitlab.com is vulnerable to reverse tabnabbing via AsciiDoc links. (#3)

GitLab UI Redressing (Clickjacking) (CAPEC-103)

Medium

2017-05-09

[Gnip Blogs] Reflected XSS via "plupload.flash.swf" component vulnerable to SOME

X / xAI Cross-site Scripting (XSS) - Reflected (CWE-79)

Medium

2017-05-08

Subdomain takeover on https://cloudfront.ubnt.com/ due to non-used CloudFront DNS entry

Ubiquiti Inc. Improper Authentication - Generic (CWE-287)

Medium

2017-05-07

There is an vulnerability in https://bridge.cspr.ng where an attacker can users directory

Paragon Initiative Enterprises

Medium

2017-05-07

高频漏洞类型

最活跃项目

项目	报告数	最高赏金
U.S. Dept Of Defense	896	—
Internet Bug Bounty	817	$2,257
HackerOne	609	—
Nextcloud	584	—
Shopify	464	—
curl	457	—
Node.js third-party modules	307	—
GitLab	258	—
X / xAI	250	$2,500
Uber	239	—