Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,250
CVE-linked
1,864
Programs
343
New This Week
6
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 658 Improper Authentication - Generic 653 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
IDOR - Leaking of team data (name, email, ID, member ID) via POST /api/v1/graphql `FetchMemberships` operation
Tools for Humanity Insecure Direct Object Reference (IDOR) (CWE-639)
Medium
2024-05-09
Member role which doesn't have permission to send message can send by executing channel commands
Mattermost Improper Access Control - Generic (CWE-284)
Medium
2024-05-08
Incorrect Type Conversion in interpreting IPv4-mapped IPv6 addresses and below `curl` results in indeterminate SSRF vulnerabilities.
curl Type Confusion (CWE-843)CVE-2023-24329CVE-2024-22243
Critical
2024-05-08
XSS in Aspera documentation website
IBM Cross-site Scripting (XSS) - DOM (CWE-79)
Medium
2024-05-06
Unsafe yaml load can lead to remote code execution
Liberapay Deserialization of Untrusted Data (CWE-502)
Low
2024-05-04
Reflected XSS via Keycloak on ███ [CVE-2021-20323]
U.S. Dept Of Defense Cross-site Scripting (XSS) - Reflected (CWE-79)CVE-2021-20323
Medium
2024-05-03
reflected xss [CVE-2020-3580]
U.S. Dept Of Defense Cross-site Scripting (XSS) - Reflected (CWE-79)CVE-2020-3580
Medium
2024-05-03
Reflected Cross-site Scripting via search query on ██████
U.S. Dept Of Defense Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2024-05-03
Reflected XSS on error message on Login Page
U.S. Dept Of Defense Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2024-05-03
Reflected XSS via Moodle on ███ [CVE-2022-35653]
U.S. Dept Of Defense Cross-site Scripting (XSS) - Reflected (CWE-79)CVE-2022-35653
Medium
2024-05-03
SQL injection on ██████████ via 'where' parameter
U.S. Dept Of Defense SQL Injection (CWE-89)
Medium
2024-05-03
fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect
Node.js Violation of Secure Design Principles (CWE-657)CVE-2024-30261
Unknown
2024-05-03
Proxy-Authorization header not cleared on cross-origin redirect in undici.request
Node.js Insufficiently Protected Credentials (CWE-522)CVE-2024-30260
Low
2024-05-03
HTTP Request Smuggling via Content Length Obfuscation
Node.js HTTP Request Smuggling (CWE-444)CVE-2024-27982
Medium
2024-05-03
Adobe Experience Manager 'Childlist selector' - Cross-Site Scripting on cbconnection.adobe.com
Adobe Cross-site Scripting (XSS) - Reflected (CWE-79)
Low
2024-05-02
Production Key and Data Found on Subdomain No Longer Operated by Shopify / Dangling DNS
Shopify File and Directory Information Exposure (CWE-538)
None
2024-05-01
No Session Expiry after log-out, attacker can reuse the old cookies
Shopify Insufficient Session Expiration (CWE-613)
Low
2024-05-01
Insecure Direct Object Reference Protection bypass by changing HTTP method in IBM Your Learning endpoint.
IBM Insecure Direct Object Reference (IDOR) (CWE-639)
Critical
2024-05-01
Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash
Internet Bug Bounty Uncontrolled Resource Consumption (CWE-400)CVE-2024-27983
High
2024-04-29
Attachment disclosure via summary report
HackerOne Insecure Direct Object Reference (IDOR) (CWE-639)
Critical
2024-04-29
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817 $2,257
HackerOne609
Nextcloud584
Shopify464
curl459
Node.js third-party modules307
GitLab258
X / xAI250 $7,000
Uber239