Helping you become a BugBountyHunter


We're on a mission to be your go-to place for everything bug bounties and to help you learn how to get started.
Learn how to test for security vulnerabilities on web applications with our various real-life web applications and begin to gain the confidence needed to apply your newly found knowledge on bug bounty programs. Browse and digest security researcher tutorials, guides, writeups and find information related to public bug bounty programs.


Learning about web application vulnerabilities


New or experienced, learn about various vulnerability types on custom made web application challenges based on real bug bounty findings! Learn about new techniques and bypasses whilst embracing the mindset of a hacker.


You have knowledge on what type of vulnerability you should be looking for but are you able to find it? There are no flags to find and instead you're learning about he various mistakes developers make when developing and how vulnerabilities arise from this.

The stage is yours, take it and have some fun!

Browse free challenges

🔥 Level up

This strict URL filter should prevent XSS, right?

Browse challenge

For newcomers

Can you find any XSS? No HTML tags allowed!

Browse challenge

🔥 Level up

Can you access our private tool, XSS Destroyer?

Browse challenge

For newcomers

Checking if a whitelisted string is found is a bad approach

Browse challenge

Extended learning

ZSeano's Playground


FastFoodHackings is a demo web application designed to test your approach to discovering vulnerabilities. You've learnt about various vulnerability types from our other challenges, but now can you go and find them without knowing where they are?


With over 25 unique findings to discover but no knowledge on what to find, it's up to you to learn the hacker mindset and discover all of the vulnerabilities! Learn how the web application works and explore the various features available and begin your hunt!

Please note there is no triage available for this demo.

Visit playground

Public program activity


Browse information related to public program activity such as the amount of reports received in ~90 days (updated daily), hackers thanked and if allowed, disclosed reports.

Disclosed report rewards

Status.im paid a bounty
Tor paid a bounty
Starbucks paid a bounty
Zomato paid a bounty
Sifchain paid a bounty
Spotify paid a bounty
SKALE Network paid a bounty
Smartsheet paid a bounty
Slack paid a bounty
Traffic Fac... paid a bounty
Stripe paid a bounty
Snapchat paid a bounty
Showmax paid a bounty
Tinder paid a bounty
Shopify paid a bounty

Recently launched

Payoneer launched a public program
Redis launched a public program
Mondelēz I... launched a public program
Costco launched a public program
Veeam launched a public program
JetBlue launched a public program
Radancy launched a public program
OpenSea launched a public program
InMobi launched a public program
Tennessee V... launched a public program
Krisp launched a public program
Wickr launched a public program
Vend by Lig... launched a public program
Agoric launched a public program
SEGA launched a public program

Quiet programs

Workly... received 0 reports in last 90 days
Alvosec received 0 reports in last 90 days
Nokogiri received 0 reports in last 90 days
CERT/CC received 0 reports in last 90 days
FINRA ... received 0 reports in last 90 days
Starli... received 0 reports in last 90 days
GoCD received 0 reports in last 90 days
Homebrew received 0 reports in last 90 days
Python... received 0 reports in last 90 days
Sweatc... received 0 reports in last 90 days
Simple... received 0 reports in last 90 days
Ramp VDP received 0 reports in last 90 days
WakaTime received 0 reports in last 90 days
GlobaL... received 0 reports in last 90 days
Gmelius received 0 reports in last 90 days

Browse more programs from HackerOne

Our Community

Contributed by members View our members


Disclosed from Hackevents View all disclosed reports


Finding Hunter Vuln type
Medium a non admin doctor can search for patients twsec Level 2 Application/Business Logic
High idor prob_hakz Level 2 Insecure direct object reference
Medium Reflected xss on register.php 0xblackbird Level 4 Reflective XSS
CRITICAL It is possible to reset drAdmin's password vigilante Level 4 Auth issues
Medium [COLLAB] DOM XSS on register patch bypass amec0e Level 2 Reflective XSS
CRITICAL Endpoint allows unauthorized users to update other user's passwords 0xblackbird Level 4 Auth issues
Medium XSS on internet explorer in the login page using the referer header sumzer0 Level 2 Reflective XSS
Medium Reflected XSS on login Page via ref paramater codersanjay Level 3 Reflective XSS
Low Open URL Redirect on /drpanel/logout.php rintox Level 3 Open Redirect
Medium Applogic at Modifying Appointment Details mrrootsec Level 2 Application/Business Logic