Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,250
CVE-linked
1,865
Programs
343
New This Week
5
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 658 Improper Authentication - Generic 653 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Invite tokens have Insufficient entropy in GHES Management Console
GitHub Use of Insufficiently Random Values (CWE-330)CVE-2023-46648
Medium
2024-01-12
RC Between GitHub's Repo Transfer REST API and updateTeamsRepository GraphQL Mutation Results in Covert and Persistent Admin Access Retention
GitHub Misconfiguration (CWE-16)CVE-2023-6690
Medium
2024-01-12
Internal Blind Server-Side Request Forgery (SSRF) allows scanning internal ports
Mozilla Server-Side Request Forgery (SSRF) (CWE-918)
None
2024-01-12
Reflected XSS On [https://www-useast1a.tiktok.com/ug/incentive/share/hd]
TikTok Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2024-01-12
Exposure of account recovery hint by querying by user email
Mozilla Exposure of Sensitive Information Due to Incompatible Policies (CWE-213)
Low
2024-01-11
Users can access exams in course without having to subscribe to PREMIUM
LinkedIn Improper Access Control - Generic (CWE-284)
Medium
2024-01-10
Blind SSRF in Mail App
Nextcloud Server-Side Request Forgery (SSRF) (CWE-918)CVE-2023-48307
Low
2024-01-10
RXSS on TikTok endpoints
TikTok Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2024-01-09
RXSS via region parameter
TikTok Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2024-01-09
CVE-2023-49920: Apache Airflow: Missing CSRF protection on DAG/trigger
Internet Bug Bounty Cross-Site Request Forgery (CSRF) (CWE-352)CVE-2023-49920
Medium
2024-01-09
CVE-2023-46132
Linux Foundation Decentralized Trust Deserialization of Untrusted Data (CWE-502)CVE-2023-46132
High
2024-01-08
View Repo and Title of Any Private Check Run
GitHub Insecure Direct Object Reference (IDOR) (CWE-639)CVE-2023-46646
Medium
2024-01-08
GHES Management console EoP (editor to site admin)
GitHub Improper Access Control - Generic (CWE-284)CVE-2023-46647
High
2024-01-08
The taint flag is not propagated at JSON.parse
Ruby
Unknown
2024-01-05
Subdomain takeover on one of the subdomain under mozaws.net
Mozilla Misconfiguration (CWE-16)
Medium
2024-01-04
Subdomain takeover on one of the subdomain under mozaws.net
Mozilla Misconfiguration (CWE-16)
Medium
2024-01-04
Subdomain takeover on one of the subdomain under mozaws.net
Mozilla Misconfiguration (CWE-16)
Medium
2024-01-04
Subdomain takeover on one of the subdomain under mozaws.net
Mozilla Misconfiguration (CWE-16)
Medium
2024-01-04
An attacker can submit a Pentest Opportunity and change the status of the opportunity from submitted to in_review or reviewed
HackerOne Improper Access Control - Generic (CWE-284)
Medium
2024-01-04
[PATs] Ability to leak comments from issues without ANY "Issues" repo permissions by utilizing "Pull Request" permissions
GitHub Improper Access Control - Generic (CWE-284)CVE-2023-51380
Medium
2024-01-03
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817 $2,257
HackerOne609
Nextcloud584
Shopify464
curl459
Node.js third-party modules307
GitLab258
X / xAI250 $7,000
Uber239