目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1000

100.0%
请我们喝杯咖啡

漏洞赏金情报

数据来源:HackerOne 公开披露报告 · 每 6 小时更新

浏览 HackerOne 平台公开披露的漏洞赏金报告,按严重程度、漏洞类型或目标项目筛选,关联 CVE 编号。

已披露报告
12,222
关联 CVE
1,855
参与项目数
342
近 7 天新增
3
严重度: All CriticalHighMediumLow
类型: 全部 Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
项目筛选:wakatime
Blocking users to sign up on the site
WakaTime Violation of Secure Design Principles (CWE-657)
None
2017-07-08
Password Policy Issue
WakaTime Improper Authentication - Generic (CWE-287)
Low
2017-07-06
Running 2 accounts with a single email
WakaTime Business Logic Errors (CWE-840)
Unknown
2017-07-06
UI Redressing on Embedded Charts
WakaTime UI Redressing (Clickjacking) (CAPEC-103)
Low
2017-07-05
Clickjacking on authorized page https://wakatime.com/share/embed
WakaTime UI Redressing (Clickjacking) (CAPEC-103)
Low
2017-07-05
Missing filteration of meta characters in all full name field on wakatime.com
WakaTime Violation of Secure Design Principles (CWE-657)
Low
2017-07-04
Leaking password reset token via referrer from external Twitter share button
WakaTime Information Disclosure (CWE-200)
Unknown
2017-07-03
Sensitive Cookie Without 'HttpOnly' Flag
WakaTime
None
2017-07-03
Session not expired on logout
WakaTime Improper Authentication - Generic (CWE-287)
Unknown
2017-07-03
No rate limiting for confirmation email, can spam anyone with confirmation emails
WakaTime Violation of Secure Design Principles (CWE-657)
Unknown
2017-07-03
No rate limit when creating new goals [https://wakatime.com/goals]
WakaTime Violation of Secure Design Principles (CWE-657)
Unknown
2017-07-03
JSON CSRF on POST Heartbeats API
WakaTime Cross-Site Request Forgery (CSRF) (CWE-352)
Medium
2017-07-03
IDOR create accounts and verify them with original account email
WakaTime Insecure Direct Object Reference (IDOR) (CWE-639)
Low
2017-07-03
No redirect uri for Twitter Oath resulting in token leak
WakaTime Improper Authentication - Generic (CWE-287)
Low
2017-07-03
No notificatoin sent on email after account deletion.
WakaTime Violation of Secure Design Principles (CWE-657)
Low
2017-07-03
Two email addresses can access the same account
WakaTime Violation of Secure Design Principles (CWE-657)
Unknown
2017-07-03
Lack of Password Confirmation When Changing Email
WakaTime Violation of Secure Design Principles (CWE-657)
Unknown
2017-07-03
Forgot password link doesn't expire after used, only after some hours
WakaTime Weak Password Recovery Mechanism for Forgotten Password (CWE-640)
Low
2017-07-03
Missing Account Deletion Notification
WakaTime
Unknown
2017-07-03
Email Spoofing Via /api/v1/users/reset_password
WakaTime
Unknown
2017-07-01
高频漏洞类型
最活跃项目
项目报告数最高赏金
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud583
Shopify464
curl440
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239