Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1110 CNY

100%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,248
CVE-linked
1,864
Programs
343
New This Week
16
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 658 Improper Authentication - Generic 653 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Able to download any hosted content on AWS S3 bucket(stripo)
Stripo Inc Improper Access Control - Generic (CWE-284)
Low
2020-02-10
[script-manager] Unintended require
Node.js third-party modules Code Injection (CWE-94)CVE-2020-8129
Low
2020-02-07
The password limit is not set, [DoS].
Localize
Low
2020-02-06
Stored XSS in Name of Team Member Invitation
Localize Cross-site Scripting (XSS) - Stored (CWE-79)
Low
2020-02-06
Directory listing is enabled that exposes non public data through multiple path
Nextcloud Information Exposure Through Directory Listing (CWE-548)
Low
2020-02-01
Android content provider exposes password-protected share password hashes
Nextcloud Information Disclosure (CWE-200)
Low
2020-01-31
HTML injection and limited XSS via logo image upload - Nextcloud 12.0.0
Nextcloud Cross-site Scripting (XSS) - Stored (CWE-79)
Low
2020-01-31
Nextcloud logs ldap passwords
Nextcloud Plaintext Storage of a Password (CWE-256)
Low
2020-01-31
SQL exception in JSON format
Nextcloud Information Exposure Through an Error Message (CWE-209)
Low
2020-01-31
Tabnabbing in template comments - stripo.email
Stripo Inc Violation of Secure Design Principles (CWE-657)
Low
2020-01-31
WAF bypass via double encoded non standard ASCII chars permitted a reflected XSS on response page not found pages - (629745 bypass)
Starbucks Cross-site Scripting (XSS) - Reflected (CWE-79)
Low
2020-01-29
Denial Of Service in Strapi Framework using argument injection
Node.js third-party modules Uncontrolled Resource Consumption (CWE-400)CVE-2020-8123
Low
2020-01-28
Creating malformed URLs via new line character in-between two URLs leads to misrepresented hyperlinks in Tweets/DMs
X / xAI CRLF Injection (CWE-93)
Low
2020-01-24
Disclosure of Users Information On Wordpress Api [https://jitsi.org/]
8x8 Improper Access Control - Generic (CWE-284)
Low
2020-01-23
Double linking cause XSS (but blokeced by CSP in gitlab.com)
GitLab Cross-site Scripting (XSS) - DOM (CWE-79)
Low
2020-01-20
Disclosure of User Information
Nord Security Information Disclosure (CWE-200)
Low
2020-01-16
Wordpress users disclosure on blog.makerdao.con
BlockDev Sp. Z o.o Information Disclosure (CWE-200)
Low
2020-01-15
Theme Assets uploader allows HTML content
Automattic Unrestricted Upload of File with Dangerous Type (CWE-434)
Low
2020-01-14
Follow by email allows for following by unverified emails
Automattic Violation of Secure Design Principles (CWE-657)
Low
2020-01-14
Same site Scripting
DRIVE.NET, Inc.
Low
2020-01-13
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817 $2,257
HackerOne609
Nextcloud584
Shopify464
curl457
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239