Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,225
CVE-linked
1,856
Programs
342
New This Week
6
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
[file-browser] Inadequate Output Encoding and Escaping
Node.js third-party modules Cross-site Scripting (XSS) - Stored (CWE-79)
High
2020-01-29
China - ecjobsdc.starbucks.com.cn html/shtml file upload vulnerability
Starbucks Privilege Escalation (CAPEC-233)
High
2020-01-29
[url-parse] Improper Validation and Sanitization
Node.js third-party modules Improper Input Validation (CWE-20)CVE-2020-8124
High
2020-01-27
Race Condition allows to redeem multiple times gift cards which leads to free "money"
Reverb.com Business Logic Errors (CWE-840)
High
2020-01-25
Norway - store.starbucks.no - CSRF on email change
Starbucks Cross-Site Request Forgery (CSRF) (CWE-352)
High
2020-01-23
The login of Hotor Not is Vulnerable to bruteforce.
Bumble Improper Restriction of Authentication Attempts (CWE-307)
High
2020-01-23
Subdomain takeover of storybook.lystit.com
Lyst Privilege Escalation (CAPEC-233)
High
2020-01-22
Хранимый XSS в Business-аккаунте, на странице компании
DRIVE.NET, Inc. Cross-site Scripting (XSS) - Stored (CWE-79)
High
2020-01-17
Arbitrary File Write as SYSTEM from unprivileged user
Valve Privilege Escalation (CAPEC-233)
High
2020-01-15
Helpdesk Takeover at dmc.datastax.com
DataStax Reliance on Untrusted Inputs in a Security Decision (CWE-807)
High
2020-01-15
UNRESTRICTED FILE UPLOAD AT chat.makerdao.com
BlockDev Sp. Z o.o Insecure Temporary File (CWE-377)
High
2020-01-15
App Takeover ( makerdao.herokuapp.com )
BlockDev Sp. Z o.o Privilege Escalation (CAPEC-233)
High
2020-01-15
Token leak in security challenge flow allows retrieving victim's PayPal email and plain text password
PayPal Missing Authentication for Critical Function (CWE-306)
High
2020-01-08
Potential unprivileged Stored XSS through wp_targeted_link_rel
WordPress Cross-site Scripting (XSS) - Stored (CWE-79)CVE-2019-16773
High
2020-01-08
[express-laravel-passport] Improper Authentication
Node.js third-party modules Improper Authentication - Generic (CWE-287)
High
2020-01-04
Lack or Origin check leads to Cross-Site Websocket Hijacking (CSWSH)
Superhuman (formerly Grammarly) Improper Access Control - Generic (CWE-284)
High
2020-01-04
[fileview] Inadequate Output Encoding and Escaping
Node.js third-party modules Cross-site Scripting (XSS) - Stored (CWE-79)CVE-2019-15602
High
2019-12-28
Bypass password reset rate limit protection at moneybird.com/passwords
Moneybird Uncontrolled Resource Consumption (CWE-400)
High
2019-12-22
Authenticated Code Execution through Phar deserialization in CSV Importer as Shop manager in WooCommerce
Automattic Deserialization of Untrusted Data (CWE-502)
High
2019-12-19
WooCommerce Blacklist in 'map_meta_cap' leads to Privilege Escalation of Shopmanagers
Automattic Privilege Escalation (CAPEC-233)
High
2019-12-19
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud583
Shopify464
curl442
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239