Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,222
CVE-linked
1,855
Programs
342
New This Week
3
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Subdomain takeover of ████.jitsi.net
8x8 Privilege Escalation (CAPEC-233)
High
2021-05-14
Request Access for Uber Device Returns Management Platform (https://www.eats-devicereturns.com/request-access/) Bypass Allows Access to PII
Uber Privilege Escalation (CAPEC-233)
High
2021-05-14
███ on https://████ enable ███ scraping, injection, stored XSS
U.S. Dept Of Defense Leftover Debug Code (Backdoor) (CWE-489)
High
2021-05-11
Path Traversal - [ CVE-2020-3452 ]
U.S. Dept Of Defense Path Traversal (CWE-22)CVE-2020-3452
High
2021-05-11
Team members can trigger arbitrary code execution in Slack Desktop Apps via HTML Notifications
Slack Code Injection (CWE-94)
High
2021-05-09
TAMS registration details API for admins open at https://tamsapi.gsa.gov/user/tams/api/usermgmnt/pendingUserDetails/
U.S. General Services Administration Insecure Direct Object Reference (IDOR) (CWE-639)
High
2021-05-07
[CS:GO] Unchecked texture file name with TEXTUREFLAGS_DEPTHRENDERTARGET can lead to Remote Code Execution
Valve Stack Overflow (CWE-121)
High
2021-05-06
[Source Engine] Material path truncation leads to Remote Code Execution
Valve Improper Input Validation (CWE-20)
High
2021-05-06
Subdomain takeover of ███.wavecell.com
8x8 Privilege Escalation (CAPEC-233)
High
2021-05-02
[i18next] Prototype pollution attack
Node.js third-party modules Modification of Assumed-Immutable Data (MAID) (CWE-471)
High
2021-04-26
HTTP Request Smuggling
U.S. Dept Of Defense HTTP Request Smuggling (CWE-444)
High
2021-04-20
bypassing dashboard without account + Information disclosure trough websockets
Nextcloud Improper Access Control - Generic (CWE-284)
High
2021-04-20
Ability to DOS any organization's SSO and open up the door to account takeovers
Superhuman (formerly Grammarly) Improper Authentication - Generic (CWE-287)
High
2021-04-15
Reflected/Stored XSS on duckduckgo.com
DuckDuckGo Cross-site Scripting (XSS) - Reflected (CWE-79)
High
2021-04-10
Exposed█████████in apk file - devbuilds.uber.com
Uber Information Disclosure (CWE-200)
High
2021-04-09
RCE in ██████ subdomain via CVE-2017-1000486
U.S. Dept Of Defense Code Injection (CWE-94)CVE-2017-1000486
High
2021-04-08
Integer overflow in CipherUpdate
Internet Bug Bounty Integer Overflow (CWE-190)CVE-2021-23840CVE-2020-36242
High
2021-04-08
Cross-Tenant IDOR ( graphql `AddRulesToPixelEvents` query ) allowing to add, update, and delete rules of any Pixel events on the platform
TikTok Insecure Direct Object Reference (IDOR) (CWE-639)
High
2021-04-02
Read-only path traversal (CVE-2020-3452) at https://████████
U.S. Dept Of Defense Path Traversal (CWE-22)CVE-2020-3452
High
2021-04-02
Read-only path traversal (CVE-2020-3452) at https://█████
U.S. Dept Of Defense Path Traversal (CWE-22)CVE-2020-3452
High
2021-04-02
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud583
Shopify464
curl440
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239