Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1020 CNY

100%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,240
CVE-linked
1,863
Programs
342
New This Week
20
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 657 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Content Spoofing/Text Injection in https://demo.nextcloud.com
Nextcloud Violation of Secure Design Principles (CWE-657)
Low
2017-04-28
Content Spoofing/Text Injection in nextcloud.com
Nextcloud Violation of Secure Design Principles (CWE-657)
Low
2017-04-19
javascript: and mailto: links are allowed in JIRA integration settings
HackerOne Violation of Secure Design Principles (CWE-657)
Low
2017-04-10
SSLv3 POODLE Vulnerability
Rockstar Games Violation of Secure Design Principles (CWE-657)
Low
2017-04-09
Inadequate/dangerous jQuery behavior
Gratipay Violation of Secure Design Principles (CWE-657)
Low
2017-04-05
Content Spoofing or Text Injection in (403 forbidden page injection) and Nginx version disclosure via response header
Ubiquiti Inc. Violation of Secure Design Principles (CWE-657)
Low
2017-04-03
HTTP trace method is enabled on aspen.io
Gratipay Violation of Secure Design Principles (CWE-657)
Low
2017-03-31
Google Analytics could be used as CSP bypass for data exfiltration on hackerone.com
HackerOne Violation of Secure Design Principles (CWE-657)
Low
2017-03-26
Content Spoofing in "files" app
Nextcloud Violation of Secure Design Principles (CWE-657)CVE-2017-0888
Low
2017-03-06
Report redaction doesn't apply to report title update activities
HackerOne Violation of Secure Design Principles (CWE-657)
Low
2017-02-25
Mixed Active content issue on https://www.lyst.com
Lyst Violation of Secure Design Principles (CWE-657)
Low
2017-02-22
QuickTime Promotion on a DoD website
U.S. Dept Of Defense Violation of Secure Design Principles (CWE-657)
Low
2017-02-15
Email Spoofing
PortSwigger Web Security Violation of Secure Design Principles (CWE-657)
Low
2017-02-14
Email Spoofing
Bumble Violation of Secure Design Principles (CWE-657)
Low
2017-01-24
No user confirmation when an auto-updated extension gets more permissions
Brave Software Violation of Secure Design Principles (CWE-657)
Low
2017-01-20
HTTP OPTION Method is Enabled on portswigger.net
PortSwigger Web Security Violation of Secure Design Principles (CWE-657)
Low
2016-12-27
Content (Text) Injection at NextCloud Server 9.0.52 - via http://custom_nextcloud_url/remote.php/dav/files/
Nextcloud Violation of Secure Design Principles (CWE-657)CVE-2016-9468
Low
2016-12-02
Spoof Email with Hyperlink Injection via Invites functionality
Pushwoosh Violation of Secure Design Principles (CWE-657)
Low
2016-11-14
race condition in adding team members
Shopify Violation of Secure Design Principles (CWE-657)
Low
2016-11-10
More content spoofing through dir param in the files app
Nextcloud Violation of Secure Design Principles (CWE-657)CVE-2016-9467
Low
2016-11-04
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817 $2,257
HackerOne609 $1,500
Nextcloud583
Shopify464
curl455
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239