Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports

12,225

CVE-linked

1,856

Programs

342

New This Week

Severity: All Critical High Medium Low

Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375

HTTP Request Smuggling due to ignoring chunk extensions

Node.js HTTP Request Smuggling (CWE-444)CVE-2021-22960

Medium

2021-11-02

critical server misconfiguration lead to access to any user sensitive data which include user email and password

Flickr Business Logic Errors (CWE-840)

Medium

2021-11-02

Reflected XSS at ████ via ██████████= parameter

U.S. Dept Of Defense Cross-site Scripting (XSS) - Reflected (CWE-79)

Medium

2021-10-28

Missing rate limit in current password change settings leads to Account takeover

Reddit Improper Restriction of Authentication Attempts (CWE-307)

Medium

2021-10-27

Third party app could steal access token as well as protected files using inAppBrowser

Reddit Information Disclosure (CWE-200)

Medium

2021-10-27

Race condition leads to Inflation of coins when bought via Google Play Store at endpoint https://oauth.reddit.com/api/v2/gold/android/verify_purchase

Reddit Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)

Medium

2021-10-27

Image queue default key of 'None' and GraphQL unhandled type exception

Reddit Type Confusion (CWE-843)

Medium

2021-10-27

XSS on tiktok.com

TikTok Cross-site Scripting (XSS) - Reflected (CWE-79)

Medium

2021-10-23

Reflected XSS in TikTok endpoints

TikTok Cross-site Scripting (XSS) - Reflected (CWE-79)

Medium

2021-10-22

Oauth Misconfiguration Lead To Account Takeover

Reddit Improper Authorization (CWE-285)

Medium

2021-10-21

Domain Takeover of Reddit.ru via DNS Hijacking

Reddit Improper Access Control - Generic (CWE-284)

Medium

2021-10-21

Email Verification Bypass And Get access to user's private invitation.

Reddit Business Logic Errors (CWE-840)

Medium

2021-10-21

IDOR to pay less for coin purchases on oauth.reddit.com via /api/v2/gold/paypal/create_coin_purchase_order in `order_id` parameter

Reddit Business Logic Errors (CWE-840)

Medium

2021-10-21

Hash-Collision Denial-of-Service Vulnerability in Markdown Parser

Reddit Uncontrolled Resource Consumption (CWE-400)

Medium

2021-10-21

HTTP Request Smuggling due to accepting space before colon

Node.js HTTP Request Smuggling (CWE-444)CVE-2021-22959

Medium

2021-10-20

CSRF leads to account deactivation of users

Evernote

Medium

2021-10-19

phpinfo() disclosure info

U.S. Dept Of Defense Information Disclosure (CWE-200)

Medium

2021-10-18

Reflected Xss https://██████/

U.S. Dept Of Defense Cross-site Scripting (XSS) - Reflected (CWE-79)

Medium

2021-10-18

RXSS Via URI Path - https://██████████/

U.S. Dept Of Defense Cross-site Scripting (XSS) - Reflected (CWE-79)

Medium

2021-10-18

RXSS - https://████████/

U.S. Dept Of Defense Cross-site Scripting (XSS) - Reflected (CWE-79)

Medium

2021-10-18

Top Weakness Types

Most Active Programs

Program	Reports	Max $
U.S. Dept Of Defense	896	—
Internet Bug Bounty	817	—
HackerOne	609	—
Nextcloud	583	—
Shopify	464	—
curl	442	—
Node.js third-party modules	307	—
GitLab	258	—
X / xAI	250	$2,500
Uber	239	—

Goal Reached Thanks to every supporter — we hit 100%!

Bug Bounty Intelligence