Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
10
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Program filter: uber
Outdated Wordpress installation and plugins at www.uberxgermany.com create CSRF and XSS vulnerabilities
Uber Cross-Site Request Forgery (CSRF) (CWE-352)
Medium
2021-02-25
Reflected XSS on https://www.uber.com
Uber Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2021-02-24
[experience.uber.com] Node.js source code disclosure & anonymous access to internal Uber documents, templates and tools
Uber Information Disclosure (CWE-200)
Medium
2021-02-23
Subdomain takeover on mta1a1.spmail.uber.com
Uber Improper Access Control - Generic (CWE-284)
Medium
2020-04-06
Change the rating of any trip, therefore change the average driver rating
Uber Business Logic Errors (CWE-840)
Medium
2020-04-06
Lack of proper paymentProfileUUID validation allows any number of free rides without any outstanding balance
Uber Business Logic Errors (CWE-840)
Medium
2019-07-18
Reflected XSS POST method at partners.uber.com
Uber Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2019-01-25
IDOR on partners.uber.com allows for a driver to override administrator documents
Uber Insecure Direct Object Reference (IDOR) (CWE-639)
Medium
2018-12-19
XSS in ubermovement.com via editable Google Sheets
Uber Cross-site Scripting (XSS) - Stored (CWE-79)
Medium
2018-12-19
Reflected XSS in lert.uber.com
Uber Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2018-12-19
Possibility to enumerate and bruteforce promotion codes in Uber iOS App
Uber Improper Restriction of Authentication Attempts (CWE-307)
Medium
2018-11-20
Reflected XSS on multiple uberinternal.com domains
Uber Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2018-11-13
Reflected XSS in https://eng.uberinternal.com and https://coeshift.corp.uber.internal/
Uber Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2018-11-13
No rate limiting on https://biz.uber.com/confirm allowed an attacker to join arbitrary business.uber.com accounts
Uber Improper Authentication - Generic (CWE-287)
Medium
2018-11-13
Information Leakage - GitHub - VCenter configuration scripts, StorMagic usernames and password along with default ESXi root password
Uber
Medium
2018-08-27
Information Leak - GitHub - Endpoint Configuration Details
Uber Information Disclosure (CWE-200)
Medium
2018-08-27
Configuration and/or source code files on uchat-staging.uberinternal.com can be viewed without OneLogin SSO Authentication
Uber Improper Authentication - Generic (CWE-287)CVE-2005-2169CVE-2005-0202
Medium
2017-12-26
It's possible to view configuration and/or source code on uchat.awscorp.uberinternal.com without
Uber Improper Authentication - Generic (CWE-287)CVE-2005-2169CVE-2005-0202
Medium
2017-12-26
The Microsoft Store Uber App Does Not Implement Server-side Token Revocation
Uber Insufficient Session Expiration (CWE-613)
Medium
2017-12-24
phone number exposure for riders/drivers given email/uuid
Uber Information Exposure Through an Error Message (CWE-209)
Medium
2017-06-02
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895