Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1020 CNY

100%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,244
CVE-linked
1,864
Programs
343
New This Week
23
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 657 Improper Authentication - Generic 653 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint
Uber Cross-site Scripting (XSS) - Reflected (CWE-79)
Critical
2017-12-26
SSL-protected Reflected XSS in m.uber.com
Uber Cross-site Scripting (XSS) - Reflected (CWE-79)
Critical
2017-12-26
SSL-protected Reflected XSS in https://m.uber.com/0-dfffb25d2cf6ceeb0a27.js Endpoint
Uber Cross-site Scripting (XSS) - Reflected (CWE-79)
Critical
2017-12-26
The Microsoft Store Uber App Does Not Implement Certificate Pinning
Uber Improper Certificate Validation (CWE-295)
Critical
2017-12-24
Admin Panel Accessed (OAuth Bypassed )
Mapbox Command Injection - Generic (CWE-77)
Critical
2017-12-21
Unserialize leading to arbitrary PHP function invoke
Rockstar Games Code Injection (CWE-94)
Critical
2017-12-13
Report Design Critical Stored DOM XSS Vulnerability
Infogram Cross-site Scripting (XSS) - Stored (CWE-79)
Critical
2017-12-08
Privilege Escalation with Session Hijacking Having a Non-privileged Valid User
Ubiquiti Inc. CVE-2017-0935
Critical
2017-12-04
Access Grab_Road BigData Database via Open Presto coordinator
Grab Information Disclosure (CWE-200)
Critical
2017-11-30
Remote Code Execution at http://tw.corp.ubnt.com
Ubiquiti Inc. Command Injection - Generic (CWE-77)
Critical
2017-11-29
Privilege Escalation using API->Feature
Ubiquiti Inc. Privilege Escalation (CAPEC-233)CVE-2017-0932
Critical
2017-11-24
CSRF: Replacing the router configuration backup having an 'operator' user and bypassing the "Referer:' whitelist protection
Ubiquiti Inc. CVE-2017-0933
Critical
2017-11-24
Privilege Escalation: From operator to ubnt (and root) with non-interactive Session Hijacking
Ubiquiti Inc. CVE-2017-0934
Critical
2017-11-24
WordPress DB Class, bad implementation of prepare method guides to sqli and information disclosure
WordPress SQL Injection (CWE-89)
Critical
2017-11-13
Command injection on Phabricator instance with an evil hg branch name
Phabricator Command Injection - Generic (CWE-77)
Critical
2017-11-11
Remote code execution on rubygems.org
RubyGems Deserialization of Untrusted Data (CWE-502)CVE-2017-0903
Critical
2017-11-09
Any user with invite capabilities can take-over any account on Discourse
Discourse
Critical
2017-11-06
Linux TBB SFTP URI allows local IP disclosure
Tor Information Disclosure (CWE-200)
Critical
2017-10-25
Shopify admin authentication bypass using partners.shopify.com
Shopify Improper Authorization (CWE-285)
Critical
2017-09-28
all private tokens are leaked to an unauthenticated attacker
GitLab Privilege Escalation (CAPEC-233)
Critical
2017-09-21
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817 $2,257
HackerOne609
Nextcloud583
Shopify464
curl457
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239