Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
11
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Program filter: gitlab
Insufficient Type Check leading to Developer ability to delete Project, Repository, Group, ...
GitLab Type Confusion (CWE-843)
High
2020-11-02
Insufficient Type Check on GraphQL leading to Maintainer delete repository
GitLab Improper Access Control - Generic (CWE-284)
High
2020-11-02
Ability to bypass email verification for OAuth grants results in accounts takeovers on 3rd parties
GitLab Authentication Bypass Using an Alternate Path or Channel (CWE-288)
High
2020-10-01
Adding everyone to the repo due to the lack of rate limit
GitLab Insecure Direct Object Reference (IDOR) (CWE-639)
High
2020-09-14
Stored XSS in markdown when redacting references
GitLab Cross-site Scripting (XSS) - Stored (CWE-79)
High
2020-09-09
Injection of `http.<url>.*` git config settings leading to SSRF
GitLab Server-Side Request Forgery (SSRF) (CWE-918)
High
2020-09-08
Members from parent group keep their access level on a subgroup transfer and are invisible
GitLab Improper Access Control - Generic (CWE-284)
High
2020-09-08
Stored XSS in "Create Groups"
GitLab Cross-site Scripting (XSS) - Stored (CWE-79)
High
2020-08-26
Stealing data from customers.gitlab.com without user interaction
GitLab Insecure Direct Object Reference (IDOR) (CWE-639)
High
2020-08-26
SSRF on project import via the remote_attachment_url on a Note
GitLab Server-Side Request Forgery (SSRF) (CWE-918)
High
2020-06-07
Server Side Request Forgery mitigation bypass
GitLab Server-Side Request Forgery (SSRF) (CWE-918)CVE-2019-5464
High
2020-04-18
Cross-site Scripting (XSS) - Stored in RDoc wiki pages
GitLab UI Redressing (Clickjacking) (CAPEC-103)
High
2019-12-16
Git flag injection - Search API with scope 'blobs'
GitLab Command Injection - Generic (CWE-77)CVE-2019-15575
High
2019-12-15
Group search leaks private MRs, code, commits
GitLab Improper Access Control - Generic (CWE-284)CVE-2019-5487
High
2019-12-14
Group search with Elastic search enable leaks unrelated data
GitLab Improper Access Control - Generic (CWE-284)
High
2019-12-14
Bypass Email Verification using Salesforce -- Reproducible in gitlab.com
GitLab Violation of Secure Design Principles (CWE-657)CVE-2019-5486
High
2019-12-13
GitLab::UrlBlocker validation bypass leading to full Server Side Request Forgery
GitLab Server-Side Request Forgery (SSRF) (CWE-918)
High
2019-12-12
Importing GitLab project archives can replace uploads of other users
GitLab Insecure Direct Object Reference (IDOR) (CWE-639)CVE-2019-5469
High
2019-12-11
Stored XSS in Wiki pages
GitLab Cross-site Scripting (XSS) - Stored (CWE-79)CVE-2019-5467
High
2019-09-02
Persistent XSS in Note objects
GitLab Cross-site Scripting (XSS) - Stored (CWE-79)
High
2019-07-19
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895