Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,222
CVE-linked
1,855
Programs
342
New This Week
3
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
A specially crafted value for the 'Cache-Digest' header causing crash in chat.makerdao.com
BlockDev Sp. Z o.o Improper Restriction of Authentication Attempts (CWE-307)CVE-2020-9490
Critical
2020-11-02
HTTP request smuggling on Basecamp 2 allows web cache poisoning
Basecamp HTTP Request Smuggling (CWE-444)
Critical
2020-10-28
Unauthenticated request smuggling on launchpad.37signals.com
Basecamp HTTP Request Smuggling (CWE-444)
Critical
2020-10-28
[gfc] Command Injection via insecure command formatting
Node.js third-party modules Command Injection - Generic (CWE-77)
Critical
2020-10-27
HEY.com email stored XSS
Basecamp Cross-site Scripting (XSS) - Stored (CWE-79)
Critical
2020-10-27
Non-production Open Database In Combination With XXE Leads To SSRF
Evernote XML External Entities (XXE) (CWE-611)
Critical
2020-10-27
[create-git] RCE via insecure command formatting
Node.js third-party modules Code Injection (CWE-94)
Critical
2020-10-26
Denial of Service by resource exhaustion CWE-400 due to unfinished HTTP/1.1 requests
Node.js Uncontrolled Resource Consumption (CWE-400)CVE-2020-8251
Critical
2020-10-17
https://██████ vulnerable to CVE-2020-3187 - Unauthenticated arbitrary file deletion in Cisco ASA/FTD
U.S. Dept Of Defense Array Index Underflow (CWE-129)CVE-2020-3187
Critical
2020-10-16
CSRF to account takeover in https://███████.mil/
U.S. Dept Of Defense Cross-Site Request Forgery (CSRF) (CWE-352)
Critical
2020-10-16
efree() on uninitialized Heap data in imagescale leads to use-after-free
Internet Bug Bounty Use After Free (CWE-416)CVE-2016-10166
Critical
2020-10-10
heap buffer overflow in phar_detect_phar_fname_ext
Internet Bug Bounty Buffer Over-read (CWE-126)CVE-2019-9021
Critical
2020-10-10
Uninitialized read in exif_process_IFD_in_TIFF
Internet Bug Bounty Classic Buffer Overflow (CWE-120)CVE-2019-9641
Critical
2020-10-10
IDOR to Account Takeover on https://████/index.html
U.S. Dept Of Defense Insecure Direct Object Reference (IDOR) (CWE-639)
Critical
2020-09-29
Unauthenticated Arbitrary File Deletion ("CVE-2020-3187") in ████████
U.S. Dept Of Defense Path Traversal (CWE-22)CVE-2020-3187
Critical
2020-09-29
SQLi in login form of █████
U.S. Dept Of Defense SQL Injection (CWE-89)
Critical
2020-09-29
CVE-2020-3187 - Unauthenticated Arbitrary File Deletion
U.S. Dept Of Defense Path Traversal (CWE-22)CVE-2020-3187
Critical
2020-09-21
Email Confirmation Bypass in your-store.myshopify.com which leads to privilege escalation
Shopify Privilege Escalation (CAPEC-233)
Critical
2020-09-15
[h1-2006 2020] Bounty payments are done !
h1-ctf Server-Side Request Forgery (SSRF) (CWE-918)
Critical
2020-09-14
Unsafe deserialization in Nexus Repository helm plugin
Central Security Project Deserialization of Untrusted Data (CWE-502)CVE-2020-15871
Critical
2020-09-10
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud583
Shopify464
curl440
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239