Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,222
CVE-linked
1,855
Programs
342
New This Week
3
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Cross-site scripting via hardcoded front-end watched expression.
Quantopian Cross-site Scripting (XSS) - Generic (CWE-79)
Medium
2022-12-21
Host header injection that bypassed protection and allowed accessing multiple subdomains
Urban Company Server-Side Request Forgery (SSRF) (CWE-918)
Medium
2022-12-21
CVE-2022-43551: Another HSTS bypass via IDN
curl Cleartext Transmission of Sensitive Information (CWE-319)CVE-2022-43551CVE-2022-42916
Medium
2022-12-21
Unauthorized Canceling/Unsubscribe TaxJar account & Payment information DIsclosure
Stripe Improper Access Control - Generic (CWE-284)
Medium
2022-12-20
Sub-Domain Takeover at http://www.codefi.consensys.net/
Consensys Improper Access Control - Generic (CWE-284)
Medium
2022-12-16
Rails::Html::SafeListSanitizer vulnerable to XSS when certain tags are allowed (math+style || svg+style)
Ruby on Rails Cross-site Scripting (XSS) - Generic (CWE-79)CVE-2022-23519
Medium
2022-12-14
Incomplete fix for CVE-2022-32209 (XSS in Rails::Html::Sanitizer under certain configurations)
Ruby on Rails Cross-site Scripting (XSS) - Generic (CWE-79)CVE-2022-23520
Medium
2022-12-14
Electron CVE-2022-35954 Delimiter Injection Vulnerability in exportVariable
Internet Bug Bounty CVE-2022-35954
Medium
2022-12-14
DoS via markdown API from unauthenticated user
GitHub Uncontrolled Resource Consumption (CWE-400)CVE-2022-39209
Medium
2022-12-13
Link-shortener bypass (regression on fix for #1032610)
X / xAI Security Through Obscurity (CWE-656)
Medium
2022-12-12
SSRF vulnerability can be exploited when a hijacked aggregated api server such as metrics-server returns 30X
Kubernetes Server-Side Request Forgery (SSRF) (CWE-918)CVE-2022-3172
Medium
2022-12-10
DNS rebinding in --inspect via invalid octal IP address
Node.js OS Command Injection (CWE-78)CVE-2022-43548
Medium
2022-12-07
Ability to change permissions across seller platform
TikTok Improper Access Control - Generic (CWE-284)
Medium
2022-12-06
Unprotected Atlantis Server at https://152.70.█.█
8x8 Improper Authentication - Generic (CWE-287)
Medium
2022-12-06
XSS in linktr.ee - on link thumbnail adding
Linktree Cross-site Scripting (XSS) - Stored (CWE-79)
Medium
2022-12-06
IDOR in Stats API Endpoint Allows Viewing Equity or Net Profit of Any MT Account
EXNESS Insecure Direct Object Reference (IDOR) (CWE-639)
Medium
2022-12-05
Exposed Cortex API at https://cortex-ingest.shopifycloud.com/
Shopify Misconfiguration (CWE-16)
Medium
2022-12-02
POST following PUT confusion
Internet Bug Bounty Information Disclosure (CWE-200)CVE-2022-32221
Medium
2022-12-02
XSS in Acronis Cloud Manager Admin Portal
Acronis Cross-site Scripting (XSS) - Generic (CWE-79)
Medium
2022-12-02
Stored XSS in /admin/product and /admin/collections
Shopify Cross-site Scripting (XSS) - Stored (CWE-79)
Medium
2022-12-01
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud583
Shopify464
curl440
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239