Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1020 CNY

100%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,240
CVE-linked
1,863
Programs
342
New This Week
20
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 657 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Unlimited fake rate to the passenger in city to city, Affected endpoint `/api/v1/reviews/ride/<ID>/driver`
inDrive Business Logic Errors (CWE-840)
Medium
2024-07-02
Reflected XSS of media.indrive.com
inDrive Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2024-07-02
CVE-2024-32760 in nginx
Internet Bug Bounty CVE-2024-32760
Medium
2024-07-01
CVE-2024-31079 in nginx
Internet Bug Bounty Stack Overflow (CWE-121)CVE-2024-31079
Medium
2024-07-01
CVE-2024-35200 in nginx
Internet Bug Bounty NULL Pointer Dereference (CWE-476)CVE-2024-35200
Medium
2024-07-01
[CVE-2024-32464] ActionText ContentAttachment’s can Contain Unsanitized HTML
Internet Bug Bounty Cross-site Scripting (XSS) - Stored (CWE-79)CVE-2024-32464
Medium
2024-06-30
Account Takeover / Arbitrary File read and deletion / Partial code execution (intent redirection)
MercadoLibre Code Injection (CWE-94)
High
2024-06-28
Subdomain takeover ████████.mil
U.S. Dept Of Defense Improper Access Control - Generic (CWE-284)
Critical
2024-06-27
Local File Disclosure on the █████ (https://████████.edu/) leads to the full source code disclosure and credentials leak
U.S. Dept Of Defense Insecure Storage of Sensitive Information (CWE-922)
Critical
2024-06-27
IDOR leading unauthenticated attacker to download documents discloses PII of users and soldiers via https://www.█████████/Download.aspx?id= [HtUS]
U.S. Dept Of Defense Insecure Direct Object Reference (IDOR) (CWE-639)
High
2024-06-27
sqli on █████████ search functionality
Mars SQL Injection (CWE-89)
Medium
2024-06-25
Attacker can add two free bags offered by the site at the same time.
Mars Business Logic Errors (CWE-840)
Medium
2024-06-25
Sqli on ██████ search functionality
Mars SQL Injection (CWE-89)
Medium
2024-06-25
Reflected xss on ████████
Mars Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2024-06-25
CSRF resulting in adding pet at ███████
Mars Cross-Site Request Forgery (CSRF) (CWE-352)
Low
2024-06-25
Account takeover using reset password link
Mars Open Redirect (CWE-601)
Medium
2024-06-25
monitoring.prow-canary.k8s.io is vulnerable to CVE-2022-21703 (Grafana 0-day)
Kubernetes Cross-Site Request Forgery (CSRF) (CWE-352)CVE-2022-21703
Low
2024-06-25
DoS with crafted "Range" header
Ruby on Rails
High
2024-06-25
S3 Bucket Takeover on apptio endpoint
IBM Improper Access Control - Generic (CWE-284)
Medium
2024-06-21
Ability to identify actual private from sandboxed programs using link hackerone.com/$handle/terms_acceptance_data.csv
HackerOne Improper Access Control - Generic (CWE-284)
Medium
2024-06-20
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817 $2,257
HackerOne609 $1,500
Nextcloud583
Shopify464
curl455
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239