Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1110 CNY

100%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,247
CVE-linked
1,864
Programs
343
New This Week
22
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 658 Improper Authentication - Generic 653 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Insecure loading of ICU data through ICU_DATA environment variable
Node.js CVE-2023-23920
Low
2023-03-19
CSRF in Importing CSV files [app.taxjar.com]
Stripe Cross-Site Request Forgery (CSRF) (CWE-352)
Low
2023-03-16
Open Redirect - https://████████.jetblue.com/███?url=
JetBlue Open Redirect (CWE-601)
Low
2023-03-13
information disclosure of another company bug on video.
HackerOne Information Disclosure (CWE-200)
Low
2023-03-12
Attacker is able to query Github repositories of arbitrary Shopify Hydrogen Users
Shopify Improper Access Control - Generic (CWE-284)
Low
2023-03-09
Mail app stores cleartext password in database until OAUTH2 setup is done
Nextcloud Plaintext Storage of a Password (CWE-256)CVE-2023-23944
Low
2023-03-08
Object injection in `stripe-billing-typographic` GitHub project via /auth/login
Stripe Resource Injection (CWE-99)
Low
2023-03-06
Missing rate limiting on password reset functionality allows to send lot of emails
Nextcloud Improper Access Control - Generic (CWE-284)
Low
2023-03-05
Verifying email bypass
Stripe Improper Access Control - Generic (CWE-284)
Low
2023-03-03
Shop App - Attacker is able to intercept authorization code during authentication (OAuth) and is able to get access to Microsoft Outlook email account
Shopify Insufficiently Protected Credentials (CWE-522)
Low
2023-03-02
Direct access to tox.ini file which is contain configuration details
Yelp Insecure Storage of Sensitive Information (CWE-922)
Low
2023-03-02
Messages can still be seen on conversation after expiring when cron is misconfigured
Nextcloud Privacy Violation (CWE-359)CVE-2023-26041
Low
2023-02-27
CVE-2023-23914: HSTS ignored on multiple requests
Internet Bug Bounty Business Logic Errors (CWE-840)CVE-2023-23914
Low
2023-02-24
CVE-2023-23915: HSTS amnesia with --parallel
Internet Bug Bounty Business Logic Errors (CWE-840)CVE-2023-23915
Low
2023-02-24
View thumbnail of any private video (friends or followers only) of Private/Public account
TikTok Privacy Violation (CWE-359)
Low
2023-02-17
Unclaimed official s3 bucket of tendermint(tendermint-packages) which is used by many other blockchain companies in their code
Cosmos Business Logic Errors (CWE-840)
Low
2023-02-15
CVE-2023-23914: curl HSTS ignored on multiple requests
curl Cleartext Transmission of Sensitive Information (CWE-319)CVE-2023-23914
Low
2023-02-15
CVE-2023-23915: HSTS amnesia with --parallel
curl Cleartext Transmission of Sensitive Information (CWE-319)CVE-2023-23915
Low
2023-02-15
HTML injection that may lead to XSS on HackerOne.com through H1 Triage Wizard Chrome Extension
HackerOne Cross-site Scripting (XSS) - Stored (CWE-79)
Low
2023-02-14
Promotion code can be used more than redemption limit.
Stripe Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
Low
2023-02-13
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817 $2,257
HackerOne609
Nextcloud584
Shopify464
curl457
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239