漏洞赏金情报

数据来源：HackerOne 公开披露报告 · 每 6 小时更新

浏览 HackerOne 平台公开披露的漏洞赏金报告，按严重程度、漏洞类型或目标项目筛选，关联 CVE 编号。

已披露报告

12,219

关联 CVE

1,854

参与项目数

342

近 7 天新增

10

严重度: All Critical High Medium Low

类型: 全部 Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375

项目筛选：ibb✕

CVE-2022-23519: Rails::Html::SafeListSanitizer vulnerable to XSS when certain tags are allowed (math+style || svg+style)

Internet Bug Bounty Cross-site Scripting (XSS) - Generic (CWE-79)CVE-2022-23519

Medium

2023-01-04

Electron CVE-2022-35954 Delimiter Injection Vulnerability in exportVariable

Internet Bug Bounty CVE-2022-35954

Medium

2022-12-14

POST following PUT confusion

Internet Bug Bounty Information Disclosure (CWE-200)CVE-2022-32221

Medium

2022-12-02

CVE-2022-45402: Apache Airflow: Open redirect during login

Internet Bug Bounty Open Redirect (CWE-601)CVE-2022-45402

Medium

2022-12-01

potential denial of service attack via the locale parameter

Internet Bug Bounty Uncontrolled Resource Consumption (CWE-400)CVE-2022-41323

Medium

2022-11-28

CVE-2022-42916: HSTS bypass via IDN

Internet Bug Bounty Cleartext Transmission of Sensitive Information (CWE-319)CVE-2022-42916

Medium

2022-11-03

[CVE-2022-35949]: undici.request vulnerable to SSRF using absolute / protocol-relative URL on pathname

Internet Bug Bounty Server-Side Request Forgery (SSRF) (CWE-918)CVE-2022-35949

Medium

2022-09-23

CVE-2022-35948: CRLF Injection in Nodejs ‘undici’ via Content-Type

Internet Bug Bounty CRLF Injection (CWE-93)CVE-2022-35948

Medium

2022-09-23

Airflow Daemon Mode Insecure Umask Privilege Escalation

Internet Bug Bounty Incorrect Permission Assignment for Critical Resource (CWE-732)CVE-2022-38170

Medium

2022-09-17

Disabling context isolation, nodeIntegrationInSubFrames using an unauthorised frame.

Internet Bug Bounty Improper Access Control - Generic (CWE-284)

Medium

2022-08-11

Off-by-slash vulnerability in nodejs.org and iojs.org

Internet Bug Bounty Path Traversal (CWE-22)

Medium

2022-07-28

Rack CVE-2022-30122: Denial of Service Vulnerability in Rack Multipart Parsing

Internet Bug Bounty CVE-2022-30122

Medium

2022-07-23

CVE-2022-32214 - HTTP Request Smuggling Due To Improper Delimiting of Header Fields

Internet Bug Bounty HTTP Request Smuggling (CWE-444)CVE-2022-32214

Medium

2022-07-22

CVE-2022-32213 - HTTP Request Smuggling Due to Flawed Parsing of Transfer-Encoding

Internet Bug Bounty HTTP Request Smuggling (CWE-444)CVE-2022-32213

Medium

2022-07-22

CVE-2022-32215 - HTTP Request Smuggling Due to Incorrect Parsing of Multi-line Transfer-Encoding

Internet Bug Bounty HTTP Request Smuggling (CWE-444)CVE-2022-32215

Medium

2022-07-22

Apache HTTP Server: mod_proxy_ajp: Possible request smuggling

Internet Bug Bounty CVE-2022-26377

Medium

2022-07-09

CVE-2022-32206: HTTP compression denial of service

Internet Bug Bounty Allocation of Resources Without Limits or Throttling (CWE-770)CVE-2022-32206

Medium

2022-06-27

CVE-2022-32207: Unpreserved file permissions

Internet Bug Bounty Business Logic Errors (CWE-840)CVE-2022-32207

Medium

2022-06-27

Rails::Html::SafeListSanitizer vulnerable to xss attack in an environment that allows the style tag

Internet Bug Bounty Cross-site Scripting (XSS) - Generic (CWE-79)CVE-2022-32209

Medium

2022-06-27

CVE-2022-30115: HSTS bypass via trailing dot

Internet Bug Bounty Cleartext Transmission of Sensitive Information (CWE-319)CVE-2022-30115

Medium

2022-06-11

高频漏洞类型

最活跃项目

项目	报告数	最高赏金
U.S. Dept Of Defense	896	—
Internet Bug Bounty	817	—
HackerOne	609	—
Nextcloud	582	—
Shopify	464	—
curl	439	—
Node.js third-party modules	307	—
GitLab	258	—
X / xAI	250	$2,500
Uber	239	$9,895