Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,250
CVE-linked
1,864
Programs
343
New This Week
6
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 658 Improper Authentication - Generic 653 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
CSRF leads to a stored self xss
Imgur Cross-site Scripting (XSS) - Reflected (CWE-79)
Low
2019-08-30
Access Projects And create projects in gitlab pre production server
GitLab Improper Access Control - Generic (CWE-284)
Low
2019-08-28
Option method enabled in kartpay Webservers
Kartpay Information Disclosure (CWE-200)
Low
2019-08-28
SSRF in Search.gov via ?url= parameter
GSA Bounty Server-Side Request Forgery (SSRF) (CWE-918)
Low
2019-08-26
Subdomain Takeover due to unclaimed domain pointing to AWS
GSA Bounty Off-by-one Error (CWE-193)
Low
2019-08-26
Wrong Interpretation of URL encoded characters, showing different punny code leads to redirection on different domain
X / xAI Open Redirect (CWE-601)
Low
2019-08-26
All functions that allow users to specify color code are vulnerable to ReDoS
GitLab Uncontrolled Resource Consumption (CWE-400)
Low
2019-08-21
Can register any mobile number in MFA without current code.
Superhuman (formerly Grammarly) Improper Access Control - Generic (CWE-284)
Low
2019-08-15
Bypass of biometrics security functionality is possible in Android application (com.shopify.mobile)
Shopify Improper Authentication - Generic (CWE-287)
Low
2019-08-14
Link obfuscation bug
Brave Software Cryptographic Issues - Generic (CWE-310)
Low
2019-08-12
Program Email Nofication settings ignored when being added as an external contributor
HackerOne Information Disclosure (CWE-200)
Low
2019-08-07
Information disclosure (system username, server info) in the x-amz-meta-s3cmd-attrs response header on data.gov
GSA Bounty Information Disclosure (CWE-200)
Low
2019-08-06
Application Design issue for Phone Number field in Registration.
Kartpay Information Exposure Through an Error Message (CWE-209)
Low
2019-08-05
Captcha protection Bypass on Forgot password page
Kartpay Violation of Secure Design Principles (CWE-657)
Low
2019-08-05
Disclosure of 152 cookie names via crafted input
Automattic Information Disclosure (CWE-200)
Low
2019-08-04
Total bounties paid amount is disclosed because of redesign of the Program Profiles
HackerOne Information Disclosure (CWE-200)
Low
2019-08-02
RTL override char allowed at khanacademy redirect page
Khan Academy Violation of Secure Design Principles (CWE-657)
Low
2019-08-02
Unclaimed Github Repository Takeover on https://www.data.gov/labs
GSA Bounty Phishing (CAPEC-98)
Low
2019-07-29
Root user disclosure in data.gov domain though x-amz-meta-s3cmd-attrs header
GSA Bounty Information Disclosure (CWE-200)
Low
2019-07-29
SQLi allow query restriction bypass on exposed FileContentProvider
Nextcloud SQL Injection (CWE-89)CVE-2019-15622
Low
2019-07-29
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817 $2,257
HackerOne609
Nextcloud584
Shopify464
curl459
Node.js third-party modules307
GitLab258
X / xAI250 $7,000
Uber239