Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,231
CVE-linked
1,858
Programs
342
New This Week
12
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 657 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Unsafe deserialization leads to token leakage in PayPal & PayPal for Business [Android]
PayPal Deserialization of Untrusted Data (CWE-502)
Medium
2021-04-30
Brew bootstrap process is insecure
Homebrew Code Injection (CWE-94)
Medium
2021-04-30
4 Subdomains Takeover on 2 domains ( muberscolombia.com & ubereats.pl )
Uber Privilege Escalation (CAPEC-233)
Medium
2021-04-29
IDOR leads to leak analytics of any restaurant
Uber Insecure Direct Object Reference (IDOR) (CWE-639)
Medium
2021-04-29
Very long names on demo.openmage.org could redirect victim users to malicious url redirects via email contacts.
OpenMage Privacy Violation (CWE-359)
Medium
2021-04-29
SSRF with information disclosure
Lark Technologies Server-Side Request Forgery (SSRF) (CWE-918)
Medium
2021-04-27
Unexpected federated shares added via public link
Nextcloud Improper Access Control - Generic (CWE-284)
Medium
2021-04-26
No error thrown when IDOR attempted while editing address
OpenMage Misconfiguration (CWE-16)
Medium
2021-04-26
Sharing products with Mail allows phishing attacks due to misconfiguration.
OpenMage Business Logic Errors (CWE-840)
Medium
2021-04-25
IDOR at training.smartpay.gsa.gov/reports/quizzes-taken-by-user
U.S. General Services Administration Insecure Direct Object Reference (IDOR) (CWE-639)
Medium
2021-04-24
XSS in request approvals
GitLab Cross-site Scripting (XSS) - Stored (CWE-79)
Medium
2021-04-23
PI leakage By Brute Forcing and Phone number deleting without using password
X / xAI Improper Access Control - Generic (CWE-284)
Medium
2021-04-22
Lack of quarantine macOS attribute(com.apple.quarantine) leads multiple issues including RCE
Basecamp
Medium
2021-04-22
Broken Link Hijacking on Twitter link
Panther Labs
Medium
2021-04-22
'net/ftp': Uncontrolled Resource Consumption (Memory/CPU)
Ruby Uncontrolled Resource Consumption (CWE-400)
Medium
2021-04-21
CSRF in https://███
U.S. Dept Of Defense Cross-Site Request Forgery (CSRF) (CWE-352)
Medium
2021-04-20
Round-trip instability in REXML
Ruby CVE-2021-28965
Medium
2021-04-15
Nextcloud Desktop Client RCE via malicious URI schemes
Nextcloud Resource Injection (CWE-99)CVE-2021-22879
Medium
2021-04-15
Stored XSS at Module Name
Stripo Inc Cross-site Scripting (XSS) - Stored (CWE-79)
Medium
2021-04-12
XSS at https://exchangemarketplace.com/blogsearch
Shopify Cross-site Scripting (XSS) - Generic (CWE-79)
Medium
2021-04-09
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud583
Shopify464
curl447
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239