Browse publicly disclosed writeups from HackerOne sorted by vulnerability type. Discover which vulnerabilities are most commonly found on which programs to aid you in your hunt.
7889 total disclosed
$5,371,461 total publicly paid out
Most Disclosed
- bobrov: 91 disclosed
- sp1d3rs: 56 disclosed
- jobert: 50 disclosed
- jon_bottarini: 48 disclosed
- netfuzzer: 42 disclosed
- japz: 41 disclosed
- edoverflow: 41 disclosed
- skavans: 41 disclosed
- bigbear_: 38 disclosed
- geeknik: 38 disclosed
Programs that disclose
- Mailru: 542 disclosed
- Hackerone: 388 disclosed
- Shopify: 308 disclosed
- Deptofdefense: 220 disclosed
- Nextcloud: 209 disclosed
- Twitter: 206 disclosed
- Nodejs-ecosystem: 193 disclosed
- Newrelic: 184 disclosed
- Uber: 175 disclosed
- Shopify-scripts: 157 disclosed
Top Bounties
- Makerdao_bbp rewarded Steal ALL collateral during liquidation by exploiting lack of validation in `flip.kick` with a $50,000 bounty!
- Makerdao_bbp rewarded Steal collateral during `end` process, by earning DSR interest after `flow`. with a $25,000 bounty!
- Valve rewarded SQL Injection in report_xml.php through countryFilter[] parameter with a $25,000 bounty!
- Internet rewarded Key Reinstallation Attacks: Breaking WPA2 by forcing nonce reuse with a $25,000 bounty!
- Shopify rewarded SSRF in Exchange leads to ROOT access in all instances with a $25,000 bounty!
- Shopify rewarded Email Confirmation Bypass in your-store.myshopify.com which leads to privilege escalation with a $22,500 bounty!
- Shopify rewarded Takeover an account that doesn't have a Shopify ID and more with a $22,500 bounty!
- Coinbase rewarded ETH contract handling errors with a $21,000 bounty!
- Twitter rewarded Potential pre-auth RCE on Twitter VPN with a $20,160 bounty!
- Hackerone rewarded Account takeover via leaked session cookie with a $20,000 bounty!
- Paypal rewarded Bypass for #488147 enables stored XSS on https://paypal.com/signin again with a $20,000 bounty!
- Hackerone rewarded Confidential data of users and limited metadata of programs and reports accessible via GraphQL with a $20,000 bounty!
- Valve rewarded Getting all the CD keys of any game with a $20,000 bounty!
- Shopify rewarded Shopify admin authentication bypass using partners.shopify.com with a $20,000 bounty!
- Gitlab rewarded Arbitrary file read via the UploadsRewriter when moving and issue with a $20,000 bounty!
Recently Disclosed
- $100 Bugpoc Solution for XSS challenge wacky.buggywebsite.com
- Nodejs-ecosystem [systeminformation] Command Injection via insecure command formatting
- Bugpoc Reflected XSS at wacky.buggywebsite.com/frame.html
- Nextcloud Improper access control to messages of Social app
- $200 Cs_money Content Spoofing/Text Injection in https://support.cs.money and JS file not minified and uglyfied which makes it clearly readable
- Deptofdefense SharePoint Web Services Exposed to Anonymous Access
- Mailru Information Disclosure
- $400 Mailru lenta_proxy information disclosure
- Deptofdefense View another user information with IDOR vulnerability
- Deptofdefense Apparent ██████████ website is publicly exposed, suggests default account details on page and has expired SSL/TLS cert
- Deptofdefense {███} It is posible download all information and files via S3 Bucket Misconfiguration
- Deptofdefense Unauthenticated Arbitrary File Deletion "CVE-2020-3187" in █████
- Deptofdefense Local File Inclusion In Registration Page
- Deptofdefense CORS misconfiguration which leads to the disclosure