Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,262
CVE-linked
1,866
Programs
343
New This Week
0
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 658 Improper Authentication - Generic 654 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
lib/ldap.c follows attacker-controlled LDAP referrals and binds to a second server; WinLDAP builds leak current logon credentials (confirmed on Window
curl Insufficiently Protected Credentials (CWE-522)
Medium
2026-06-01
Blind POST SSRF via Web Push Notification Endpoint
phpBB Server-Side Request Forgery (SSRF) (CWE-918)
Medium
2026-05-30
V1Plugin.Decrypt panics on empty ciphertext (Remote DoS)
AWS VDP Array Index Underflow (CWE-129)
Medium
2026-05-28
V2Plugin.Decrypt panics on empty ciphertext (Remote DoS)
AWS VDP Array Index Underflow (CWE-129)
Medium
2026-05-28
iOS Brave Playlist "Open in Private Tab" bypasses FaceID requirement for Private Tabs
Brave Software Improper Authentication - Generic (CWE-287)
Medium
2026-05-28
curl GnuTLS backend accepts a clientAuth-only certificate for HTTPS server authentication
curl Improper Certificate Validation (CWE-295)
Medium
2026-05-25
Group restriction bypass via bearer token in user_oidc (SETTING_RESTRICT_LOGIN_TO_GROUPS not enforced in Backend::getCurrentUserId)
Nextcloud Improper Access Control - Generic (CWE-284)
Medium
2026-05-21
curl --skip-existing has a TOCTOU race that lets a post-check symlink redirect the later download write
curl Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
Medium
2026-05-20
POST /api/bitcoinWithdrawalFees returns financial data without authentication despite being documented as a USER OPERATION (private endpoint)
CoinMate.io Improper Authentication - Generic (CWE-287)
Medium
2026-05-20
Cross-repository IDOR in `/settings/security_analysis/bypass_reviewers` allows unauthorized delegated bypass reviewer modification
GitHub Insecure Direct Object Reference (IDOR) (CWE-639)CVE-2026-3307
Medium
2026-05-19
HSTS multi-trailing-dot bypass-ish: possible incomplete fix for CVE-2022-30115
curl Cleartext Transmission of Sensitive Information (CWE-319)CVE-2022-30115
Medium
2026-05-18
Unauthenticated File Upload to CDN
Enjin Improper Access Control - Generic (CWE-284)
Medium
2026-05-18
IDOR: autotranslate.translateMessage Full Message Content Leak
Rocket.Chat Insecure Direct Object Reference (IDOR) (CWE-639)
Medium
2026-05-18
ActiveStorage Disk Service Path Traversal via Custom Blob Key Injection
Ruby on Rails Path Traversal (CWE-22)
Medium
2026-05-07
wcurl treats some URL operands after -- as curl options
curl Improper Neutralization of Value Delimiters (CWE-142)
Medium
2026-05-06
libcurl 8.20.0 incomplete fix for CVE-2026-7168: changing only CURLOPT_PROXYPORT leaks stale Proxy Digest auth to a different proxy
curl CVE-2026-7168
Medium
2026-05-05
MQTT state machine confusion: PINGRESP/DISCONNECT with non-zero remaining_length dispatches to stale nextstate
curl Improper Input Validation (CWE-20)
Medium
2026-04-29
Negotiate connection reuse with wrong credentials when using CURLAUTH_ANY
curl Authentication Bypass by Primary Weakness (CWE-305)CVE-2026-1965
Medium
2026-04-29
CVE-2026-7168: cross-proxy Digest auth state leak
curl Exposure of Data Element to Wrong Session (CWE-488)CVE-2026-7168
Medium
2026-04-29
CVE-2026-7009: OCSP stapling bypass with Apple SecTrust
curl Improper Certificate Validation (CWE-295)CVE-2024-8096CVE-2024-0853CVE-2026-7009
Medium
2026-04-29
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817 $2,257
HackerOne609
Nextcloud584
Shopify465
curl464
Node.js third-party modules307
GitLab258
X / xAI250 $7,000
Uber239