Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1110 CNY

100%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,248
CVE-linked
1,864
Programs
343
New This Week
16
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 658 Improper Authentication - Generic 653 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Session works after logout from Shopify account
Shopify Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') (CWE-362)
Low
2020-03-30
program_analytics_benchmarks query shows information not visible in public
HackerOne Information Disclosure (CWE-200)
Low
2020-03-27
Reset password without knowing current password
X / xAI Weak Password Recovery Mechanism for Forgotten Password (CWE-640)
Low
2020-03-25
Account deletion requests not entirely honoured. Misinformation even after seeking clarification from customer support.
Nord Security Privacy Violation (CWE-359)
Low
2020-03-24
SSRF leads to internal port scan
Stripo Inc Server-Side Request Forgery (SSRF) (CWE-918)
Low
2020-03-24
Race Condition leads to undeletable group member
HackerOne Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
Low
2020-03-20
scripts loader (denial of service) vulnerability
MariaDB Uncontrolled Resource Consumption (CWE-400)CVE-2018-6389
Low
2020-03-19
Minimal information disclosure of internal asset names and links which were not publicly accessible.
Starbucks Information Disclosure (CWE-200)
Low
2020-03-17
Timeline Editor Self-XSS (Previous Fix #738072 Incomplete)
Shopify Cross-site Scripting (XSS) - Reflected (CWE-79)
Low
2020-03-16
Internal Hostname disclosure from multiple Apache servers via blank host header method
Ping Identity Information Disclosure (CWE-200)
Low
2020-03-12
bypass old password with array in /admin/account-user-email.php
Revive Adserver Array Index Underflow (CWE-129)CVE-2020-8142
Low
2020-03-12
Open redirection bypass in /www/admin/campaign-modify.php
Revive Adserver Open Redirect (CWE-601)CVE-2020-8143
Low
2020-03-12
Disabled account can still use GraphQL endpoint
HackerOne Improper Access Control - Generic (CWE-284)
Low
2020-03-12
Monero wallet password change is confirmed when not matching
Monero Unverified Password Change (CWE-620)
Low
2020-03-11
Potential linkage of public/private (anonymous) node addresses
Monero Information Disclosure (CWE-200)
Low
2020-03-11
Hong Kong - Open Redirect on card.starbucks.com.hk
Starbucks Open Redirect (CWE-601)
Low
2020-03-10
Blind Stored XSS on iOS App due to Unsanitized Webview
Nextcloud Cross-site Scripting (XSS) - Stored (CWE-79)CVE-2019-15614
Low
2020-03-07
Delete All Data of Any User
Nextcloud
Low
2020-03-01
Broken link for wrong domain entry may be leveraged for Phishing, Misinformation, Serving Malware
Nextcloud
Low
2020-03-01
DOMPurify 0.8.9 released
Nextcloud Cross-site Scripting (XSS) - Generic (CWE-79)
Low
2020-03-01
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817 $2,257
HackerOne609
Nextcloud584
Shopify464
curl457
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239