Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
10
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Program filter: automattic
Follow by email allows for following by unverified emails
Automattic Violation of Secure Design Principles (CWE-657)
Low
2020-01-14
Authenticated Code Execution through Phar deserialization in CSV Importer as Shop manager in WooCommerce
Automattic Deserialization of Untrusted Data (CWE-502)
High
2019-12-19
WooCommerce Blacklist in 'map_meta_cap' leads to Privilege Escalation of Shopmanagers
Automattic Privilege Escalation (CAPEC-233)
High
2019-12-19
Stored XSS in Jetpack's Simple Payment Module by Contributors / Authors
Automattic Cross-site Scripting (XSS) - Stored (CWE-79)
Medium
2019-12-19
Arbitrary File Download as Shopmanager
Automattic Path Traversal (CWE-22)
High
2019-12-19
[IDOR] Attacker user can Approve/Decline AFK on the behalf of other users
Automattic Insecure Direct Object Reference (IDOR) (CWE-639)
Unknown
2019-12-01
Stored XSS vulnerability in comments on *.wordpress.com
Automattic Cross-site Scripting (XSS) - Stored (CWE-79)
Medium
2019-10-21
Stored Self XSS on https://app.crowdsignal.com (in Photo Insert App) + Stored XSS on https://*your-subdomain*.survey.fm
Automattic Cross-site Scripting (XSS) - Stored (CWE-79)
High
2019-10-21
Disclosure of 152 cookie names via crafted input
Automattic Information Disclosure (CWE-200)
Low
2019-08-04
No rate limit on app.crowdsignal.com (Finish quiz)
Automattic Business Logic Errors (CWE-840)
Low
2019-07-27
Gaining unlimited bonus points on websites with WooCommerce Points and Rewards
Automattic Business Logic Errors (CWE-840)
High
2019-07-05
Broken Authentication - Security token gets captured via man in the middle attack
Automattic Improper Authentication - Generic (CWE-287)
High
2019-06-22
Captcha bypass for the most important function - At en.instagram-brand.com
Automattic
Medium
2019-06-22
Cross Domain leakage of sensitive information - Leading to Account Takeover at Instagram Brand
Automattic Improper Authentication - Generic (CWE-287)
Low
2019-06-22
Authentication Bypass - Chaining two vulnerabilities leads to account takeover at en.instagram-brand.com
Automattic Improper Authentication - Generic (CWE-287)
High
2019-06-22
Insufficient DKIM record with RSA 512-bit key used on WordPress.com
Automattic Inadequate Encryption Strength (CWE-326)
Medium
2019-05-30
Wordpress VIP leaks email of the test a/c
Automattic Information Disclosure (CWE-200)
Medium
2019-05-28
WooCommerce: Persistent XSS via customer address (state/county)
Automattic Cross-site Scripting (XSS) - Stored (CWE-79)
High
2019-05-26
DOM based XSS in the WooCommerce plugin
Automattic Cross-site Scripting (XSS) - DOM (CWE-79)
Medium
2019-05-05
No Rate Limit on CrowdSignal Polls when Adding Comment
Automattic Business Logic Errors (CWE-840)
Low
2019-04-13
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895