漏洞赏金情报

数据来源：HackerOne 公开披露报告 · 每 6 小时更新

浏览 HackerOne 平台公开披露的漏洞赏金报告，按严重程度、漏洞类型或目标项目筛选，关联 CVE 编号。

已披露报告

12,222

关联 CVE

1,855

参与项目数

342

近 7 天新增

3

严重度: All Critical High Medium Low

类型: 全部 Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375

Blog posts atom feed of a store with password protection can be accessed by anyone

Shopify Information Disclosure (CWE-200)

Medium

2021-11-08

Leaked H1's Employees Email addresses,meeting info on private bug bounty program ████████

HackerOne Information Disclosure (CWE-200)

Medium

2021-11-08

Web Cache Poisoning leading to DoS

U.S. General Services Administration Uncontrolled Resource Consumption (CWE-400)

Medium

2021-11-08

IPv4 only clusters susceptible to MitM attacks via IPv6 rogue router advertisements

Kubernetes Man-in-the-Middle (CWE-300)CVE-2019-9946 CVE-2019-3462

Medium

2021-11-07

Broken link hijacing in https://kubernetes-csi.github.io/docs/drivers.html

Kubernetes Violation of Secure Design Principles (CWE-657)

Medium

2021-11-06

Path Traversal CVE-2021-26086 CVE-2021-26085

MariaDB Path Traversal (CWE-22)CVE-2021-26085 CVE-2021-26086

Medium

2021-11-05

Reflected xss в m.vk.com/chatjoin

VK.com Cross-site Scripting (XSS) - Reflected (CWE-79)

Medium

2021-11-05

Просмотр новых фотографии со стены частной/закрытой группы или закрытого профиля.

VK.com Information Disclosure (CWE-200)

Medium

2021-11-05

Open redirect на мобильной версии в контакте (m.vk.com

VK.com Open Redirect (CWE-601)

Medium

2021-11-05

Злом (virus).. Смотрим кто голосовал в анонимном опросе!!

VK.com Information Disclosure (CWE-200)

Medium

2021-11-05

CSRF на загрузку аудиозаписей

VK.com Cross-Site Request Forgery (CSRF) (CWE-352)

Medium

2021-11-05

CSRF в m.vk.com

VK.com Cross-Site Request Forgery (CSRF) (CWE-352)

Medium

2021-11-05

Просмотр удаленного сообщения из лс группы + возможность его переслать.

VK.com Information Disclosure (CWE-200)

Medium

2021-11-05

Tokenless GUI Authentication

Kubernetes Improper Authentication - Generic (CWE-287)

Medium

2021-11-04

Man in the middle using LoadBalancer or ExternalIPs services

Kubernetes Man-in-the-Middle (CWE-300)CVE-2020-8554

Medium

2021-11-04

Request line injection via HTTP/2 in Apache mod_proxy

Internet Bug Bounty CVE-2021-33193

Medium

2021-11-04

Steal any users `access_token` via open redirect in https://streamlabs.com/global/identity?popup=1&r=

Medium

2021-11-04

private keys exposed on the GitHub repository

MCUboot Cleartext Storage of Sensitive Information (CWE-312)

Medium

2021-11-04

Authentication Bypass & ApacheTomcat Misconfiguration in [██]

8x8 Improper Authentication - Generic (CWE-287)

Medium

2021-11-04

HTTP Request Smuggling due to ignoring chunk extensions

Node.js HTTP Request Smuggling (CWE-444)CVE-2021-22960

Medium

2021-11-02

高频漏洞类型

最活跃项目

项目	报告数	最高赏金
U.S. Dept Of Defense	896	—
Internet Bug Bounty	817	—
HackerOne	609	—
Nextcloud	583	—
Shopify	464	—
curl	440	—
Node.js third-party modules	307	—
GitLab	258	—
X / xAI	250	$2,500
Uber	239	—