Browse publicly disclosed writeups from HackerOne sorted by vulnerability type. The statistics below show which weakness classes are reported most often, and across how many programs, so you can prioritise what to look for on a given target. Only reports that programs chose to disclose are counted, so the figures reflect disclosure habits as well as prevalence.


8697 total disclosed
$6,984,201 total publicly paid out

Vulnerability Type Statistics

Programs: programs with at least one disclosed report of that type. Disclosed: publicly disclosed reports of that type. "None supplied" is HackerOne's label for reports filed without a weakness type.

Programs  Disclosed  Vulnerability type
     182       1016  None supplied
     173        908  Information Disclosure
     123        881  Cross-site Scripting (XSS) - Generic
     160        673  Violation of Secure Design Principles
     123        581  Improper Authentication - Generic
      99        371  Cross-Site Request Forgery (CSRF)
      81        359  Cross-site Scripting (XSS) - Stored
     101        321  Privilege Escalation
      86        315  Denial of Service
      77        277  Cross-site Scripting (XSS) - Reflected
      91        254  Improper Access Control - Generic
      94        236  Open Redirect
      49        198  SQL Injection
      72        195  Code Injection
      71        174  Business Logic Errors
      63        163  Command Injection - Generic
      41        152  Memory Corruption - Generic
      76        152  Cryptographic Issues - Generic
      60        151  Insecure Direct Object Reference (IDOR)
      58        147  Server-Side Request Forgery (SSRF)
      48        106  Cross-site Scripting (XSS) - DOM
      33        106  Path Traversal
      43         99  UI Redressing (Clickjacking)
      26         50  Brute Force
      21         39  HTTP Request Smuggling
      24         39  Privacy Violation
      18         34  OS Command Injection
      12         29  Classic Buffer Overflow
      10         28  Buffer Over-read
      18         27  XML External Entities (XXE)
      19         27  Cleartext Storage of Sensitive Information
      13         25  Heap Overflow
      13         25  Improper Authorization
       7         24  Out-of-bounds Read
      18         23  Information Exposure Through an Error Message
      17         23  CRLF Injection
      16         22  Phishing
       6         19  NULL Pointer Dereference
      14         17  Deserialization of Untrusted Data
      12         17  Man-in-the-Middle
      15         17  Insufficient Session Expiration
      13         17  Improper Input Validation
      13         15  Cleartext Transmission of Sensitive Information
      12         15  Improper Certificate Validation
       9         15  Use After Free
      13         14  Information Exposure Through Debug Information
      10         14  Misconfiguration
       8         13  Stack Overflow
       6         11  Information Exposure Through Directory Listing
       7         11  Insecure Storage of Sensitive Information
       8         10  HTTP Response Splitting
       8         10  Weak Password Recovery Mechanism for Forgotten Password
      10         10  Resource Injection
       4         10  Modification of Assumed-Immutable Data (MAID)
       7          8  Remote File Inclusion
       6          8  Weak Cryptography for Passwords
       7          8  Use of Hard-coded Credentials
       6          8  Session Fixation
       6          8  Client-Side Enforcement of Server-Side Security
       7          8  Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
       6          7  Array Index Underflow
       5          7  Unrestricted Upload of File with Dangerous Type
       6          6  Insufficiently Protected Credentials
       6          6  Password in Configuration File
       4          6  Missing Authentication for Critical Function
       4          5  Double Free
       5          5  Time-of-check Time-of-use (TOCTOU) Race Condition
       4          5  Improper Null Termination
       3          5  Externally Controlled Reference to a Resource in Another Sphere
       5          5  Authentication Bypass Using an Alternate Path or Channel
       4          4  Forced Browsing
       4          4  Use of a Key Past its Expiration Date
       4          4  Reliance on Cookies without Validation and Integrity Checking in a Security Decision
       4          4  Use of a Broken or Risky Cryptographic Algorithm
       4          4  Integer Overflow
       4          4  Information Exposure Through Sent Data
       4          4  File and Directory Information Exposure
       3          3  Missing Required Cryptographic Step
       3          3  Write-what-where Condition
       3          3  Integer Underflow
       3          3  Type Confusion
       2          3  Buffer Underflow
       3          3  Plaintext Storage of a Password
       3          3  Reliance on Untrusted Inputs in a Security Decision
       3          3  Incorrect Authorization
       2          3  LDAP Injection
       2          3  Allocation of Resources Without Limits or Throttling
       2          2  Inadequate Encryption Strength
       2          2  Use of Inherently Dangerous Function
       2          2  Reusing a Nonce, Key Pair in Encryption
       2          2  Missing Encryption of Sensitive Data
       2          2  Improper Neutralization of HTTP Headers for Scripting Syntax
       2          2  Improper Handling of Insufficient Permissions or Privileges
       1          2  Execution with Unnecessary Privileges
       1          2  Malware
       2          2  Unverified Password Change
       1          2  Improper Check or Handling of Exceptional Conditions
       2          2  Improper Privilege Management
       2          2  Missing Authorization
       2          2  User Interface (UI) Misrepresentation of Critical Information
       2          2  Off-by-one Error
       1          1  Incorrect Calculation of Buffer Size
       1          1  Key Exchange without Entity Authentication
       1          1  Buffer Under-read
       1          1  Use of Externally-Controlled Format String
       1          1  Reliance on Reverse DNS Resolution for a Security-Critical Action
       1          1  Use of Hard-coded Cryptographic Key
       1          1  Exposed Dangerous Method or Function
       1          1  Security Through Obscurity
       1          1  Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
       1          1  Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
       1          1  Improper Handling of URL Encoding (Hex Encoding)
       1          1  XML Injection
       1          1  Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
       1          1  Use of Hard-coded Password
       1          1  Improper Export of Android Application Components
       1          1  Download of Code Without Integrity Check
       1          1  Storing Passwords in a Recoverable Format
       1          1  External Control of Critical State Data
       1          1  Incorrect Permission Assignment for Critical Resource
       1          1  Path Traversal: '.../...//'
       1          1  Unchecked Error Condition
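The listing above gives raw counts, but the question it is meant to answer, which weakness classes recur within programs rather than appearing once across many, needs the ratio of disclosed reports to programs. As an added example (not part of this page and not HackerOne's own tooling), the script below parses the listing in the flattened form it is scraped in, where each weakness label is followed by an "N programs" line and an "M disclosed" line, then ranks classes by disclosed reports per program and reports how much of the total the top classes cover. The sample input is a handful of rows copied from the listing; the function names, the `WeaknessRow` type and the minimum-disclosure threshold are my own choices.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the scraped page layout: weakness label, then
# "N programs" and "M disclosed" on following lines, blank lines between.
# Figures are copied from the listing; the selection of rows is mine.
SAMPLE_LISTING = """
None supplied


182 programs
1016 disclosed

Information Disclosure


173 programs
908 disclosed

Cross-site Scripting (XSS) - Generic


123 programs
881 disclosed

Resource Injection


10 programs
10 disclosed

Modification of Assumed-Immutable Data (MAID)


4 programs
10 disclosed
"""


@dataclass
class WeaknessRow:
    name: str
    programs: int
    disclosed: int

    @property
    def per_program(self) -> float:
        # Mean disclosed reports per program. Well above 1 means the class
        # keeps turning up inside the same programs, not just across many.
        return self.disclosed / self.programs if self.programs else 0.0


_PROGRAMS = re.compile(r"^(\d+)\s+programs?$")
_DISCLOSED = re.compile(r"^(\d+)\s+disclosed$")


def parse_listing(text: str) -> list[WeaknessRow]:
    """Parse the flattened listing into rows. A row is complete once a label
    has been followed by a programs line and a disclosed line; any other
    non-blank line is taken as the next label."""
    rows: list[WeaknessRow] = []
    name = programs = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _PROGRAMS.match(line)
        if m and name is not None:
            programs = int(m.group(1))
            continue
        m = _DISCLOSED.match(line)
        if m and name is not None and programs is not None:
            rows.append(WeaknessRow(name, programs, int(m.group(1))))
            name = programs = None
            continue
        name, programs = line, None  # start of a new weakness label
    return rows


def rank_by_concentration(rows, min_disclosed=10):
    """Order classes by disclosed-per-program, dropping classes with too few
    disclosures for the ratio to mean anything (threshold is arbitrary)."""
    eligible = [r for r in rows if r.disclosed >= min_disclosed]
    return sorted(eligible, key=lambda r: r.per_program, reverse=True)


def cumulative_share(rows, top_n):
    """Fraction of all disclosed reports covered by the top_n classes
    when ranked by raw disclosure count."""
    total = sum(r.disclosed for r in rows)
    top = sorted(rows, key=lambda r: r.disclosed, reverse=True)[:top_n]
    return sum(r.disclosed for r in top) / total if total else 0.0


if __name__ == "__main__":
    rows = parse_listing(SAMPLE_LISTING)
    for r in rank_by_concentration(rows):
        print(f"{r.per_program:5.2f}/program  {r.disclosed:5d} disclosed  {r.name}")
    print(f"top 3 classes cover {cumulative_share(rows, 3):.0%} of these disclosures")
```

Run it against the full scraped listing rather than the sample to get the real ranking; on the sample, generic XSS comes out ahead of "None supplied" on a per-program basis even though it has fewer total disclosures, which is the kind of distinction the raw counts hide.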