Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1020 CNY

100%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,244
CVE-linked
1,864
Programs
343
New This Week
23
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 657 Improper Authentication - Generic 653 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Access to GitLab's Slack by abusing issue creation from e-mail
GitLab Improper Authentication - Generic (CWE-287)
Critical
2017-09-21
Unauthenticated RCE in Vaultpress
Automattic
Critical
2017-09-15
Blind stored xss [parcel.grab.com] > name parameter
Grab Cross-site Scripting (XSS) - Stored (CWE-79)
Critical
2017-09-14
Restaurant payment information leakage
Eternal
Critical
2017-08-24
Information disclosure vulnerability on a DoD website
U.S. Dept Of Defense Information Disclosure (CWE-200)
Critical
2017-08-15
out of date disqus shortname usage in the web app source code
Starbucks Violation of Secure Design Principles (CWE-657)
Critical
2017-08-12
Ability to log in as any user without authentication if █████████ is empty
Ubiquiti Inc. Improper Authentication - Generic (CWE-287)
Critical
2017-08-08
Open aws s3 bucket s3://rubyci
Ruby Information Disclosure (CWE-200)
Critical
2017-08-06
In App purchase Hack
Kaspersky Use of a Key Past its Expiration Date (CWE-324)
Critical
2017-08-03
SQL Injection, exploitable in boolean mode
Eternal SQL Injection (CWE-89)
Critical
2017-07-19
[█████████] Hardcoded credentials in Android App
Eternal Use of Hard-coded Credentials (CWE-798)
Critical
2017-07-19
Access of Android protected components via embedded intent
Slack Privilege Escalation (CAPEC-233)
Critical
2017-07-17
Authentication bypass on auth.uber.com via subdomain takeover of saostatic.uber.com
Uber Improper Authentication - Generic (CWE-287)
Critical
2017-07-13
Vine all registered user Private/sensitive information disclosure .[ Ip address/phone no/email and many other informations ]
X / xAI Information Disclosure (CWE-200)
Critical
2017-07-11
Remote code execution (RCE) in multiple DoD websites
U.S. Dept Of Defense Code Injection (CWE-94)
Critical
2017-07-05
Remote Code Execution (RCE) vulnerability in multiple DoD websites
U.S. Dept Of Defense Code Injection (CWE-94)
Critical
2017-07-05
Remote code execution vulnerability on a DoD website
U.S. Dept Of Defense Code Injection (CWE-94)CVE-2017-5638
Critical
2017-07-03
Cross-site Scripting (XSS) in /updates-pro/archive/
MapsMarker.com e.U. Cross-site Scripting (XSS) - Generic (CWE-79)
Critical
2017-07-02
[Critical] billion dollars issue
Paragon Initiative Enterprises Man-in-the-Middle (CWE-300)
Critical
2017-06-30
Remote Code Execution (RCE) in a DoD website
U.S. Dept Of Defense Code Injection (CWE-94)
Critical
2017-06-14
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817 $2,257
HackerOne609
Nextcloud583
Shopify464
curl457
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239