Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1020 CNY

100%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,240
CVE-linked
1,863
Programs
342
New This Week
20
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 657 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Stored XSS on activity
Shopify Cross-site Scripting (XSS) - Stored (CWE-79)
High
2018-08-14
XSS-уязвимость, связанная с загрузкой файлов
VK.com Cross-site Scripting (XSS) - Stored (CWE-79)
Critical
2018-08-02
HTML TAG INJECTION ON PROFILE NAME
GitLab Cross-site Scripting (XSS) - Stored (CWE-79)
Low
2018-07-27
stored xss in scrape-metadata when reading metadata from an html page
Node.js third-party modules Cross-site Scripting (XSS) - Stored (CWE-79)
High
2018-07-27
Stored XSS in Node-Red
Node.js third-party modules Cross-site Scripting (XSS) - Stored (CWE-79)
High
2018-07-18
Persistent XSS - Selecting users as allowed merge request approvers
GitLab Cross-site Scripting (XSS) - Stored (CWE-79)CVE-2018-10379
Medium
2018-07-16
XSS (Persistent) - Selecting role(s) for protected branches
GitLab Cross-site Scripting (XSS) - Stored (CWE-79)CVE-2018-10379
High
2018-07-16
[m-server] HTML Injection in filenames displayed as directory listing in the browser allows to embed iframe with malicious JavaScript code
Node.js third-party modules Cross-site Scripting (XSS) - Stored (CWE-79)CVE-2018-16484
Medium
2018-07-12
Stored XSS in "post last edited" option
Discourse Cross-site Scripting (XSS) - Stored (CWE-79)
High
2018-07-09
Stored Cross Site Scripting
Y Combinator Cross-site Scripting (XSS) - Stored (CWE-79)
Medium
2018-07-09
[buttle] HTML Injection in filename leads to XSS when directory listing is displayed in the browser
Node.js third-party modules Cross-site Scripting (XSS) - Stored (CWE-79)CVE-2019-5422
Medium
2018-07-04
Очень жесткая XSS в личных сообщениях m.ok.ru
ok.ru Cross-site Scripting (XSS) - Stored (CWE-79)
Critical
2018-06-30
[sexstatic] HTML injection in directory name(s) leads to Stored XSS when malicious file is embed with <iframe> element used in directory name
Node.js third-party modules Cross-site Scripting (XSS) - Stored (CWE-79)CVE-2018-3755
Medium
2018-05-29
Unfiltered input allows for XSS in "Playtime Item Grants" fields
Valve Cross-site Scripting (XSS) - Stored (CWE-79)
Medium
2018-05-24
Stored XXS @ https://steamcommunity.com/search/users/#text= via Profile Name
Valve Cross-site Scripting (XSS) - Stored (CWE-79)
Medium
2018-05-24
Persistent XSS in https://sandbox.reverb.com/item/
Reverb.com Cross-site Scripting (XSS) - Stored (CWE-79)
High
2018-05-06
Airship: Persistent XSS via Comment
Paragon Initiative Enterprises Cross-site Scripting (XSS) - Stored (CWE-79)
Medium
2018-04-24
Stored XSS in learnboost.com via the lesson[goals] parameter.
Automattic Cross-site Scripting (XSS) - Stored (CWE-79)
Unknown
2018-04-22
Stored XSS in www.learnboost.com via ZIP codes.
Automattic Cross-site Scripting (XSS) - Stored (CWE-79)
Unknown
2018-04-22
Stored XSS in Snapmatic + R★Editor comments
Rockstar Games Cross-site Scripting (XSS) - Stored (CWE-79)
High
2018-04-19
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817 $2,257
HackerOne609 $1,500
Nextcloud583
Shopify464
curl455
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239