Program Activity
Browse public program activity and get an insight into which programs are receiving attention.
Browse publicly disclosed writeups from HackerOne sorted by vulnerability type. Discover which vulnerabilities are most commonly found on which programs to help aid you in your hunt.
8393 total disclosed
$6,643,733 total publicly paid out
Recently Disclosed
- $1000 CVE-2021-22926: CURLOPT_SSLCERT mixup with Secure Transport
- $700 CVE-2021-22922: Wrong content via metalink not discarded
- $150 Stored XSS на странице "Изменить клиента", вкладка "История" [city-mobil.ru/taxiserv]
- No bounty Open Redirect on http://events.hackerone.com/redirect?url=https://naglinagli.github.io
- $1800 [go]: Add query for detecting CORS misconfiguration
- $300 email verification bypass
- $150 Stored XSS на странице "Измененить водителя" [city-mobil.ru/taxiserv]
- $5000 Blind SSRF на calendar.mail.ru при импорте календаря
- No bounty CSRF in changing password after using reset password link
- $2500 MCS Graphite SSRF: internal network access
- No bounty internal path disclosure via error message
- $500 Open AWS S3 bucket at ubergreece.s3.amazonaws.com exposes confidential internal documents and files
- $300 A malicious user can upload a malicious script through managesieve and trigger its execution in order to consume almost 100% of CPU (LMTP).
- $50 Reflected XSS on cz.acronis.com/dekujeme-za-odber-novinek-produktu-disk-director with ability to creating an admin user in WordPress
- $250 Reflected XSS in https://www.intensedebate.com/js/getCommentLink.php
- $350 Default settings leak federated cloud id to lookup server of all users
- No bounty OS Command Injection in '/lib/un.rb -- Utilities to replace common UNIX commands in Makefiles etc'
- $1500 Открытый Confluence и доступы к чату операторов в Skype
- $100 [100K-ctf] Multiple vulnerabilities leading to compromise of Pinger instance.
- $50 No rate Limit
- $700 DNS Setup allows sending mail on behalf of other customers
- $800 CVE-2021-22897: schannel cipher selection surprise
- $750 [XSS] Reflected XSS via POST request in (editJobAlert.htm) file
- $1200 [Plazius] SSRF через некорректно сконфигурированный Fiddler 46.148.201.206:10121
- No bounty Blind SQL iNJECTION
- $100 Privilege Escalation Leads to Control The Owner Access Token Which leads to control the stream [streamlabs.com]
- No bounty XSS (reflected, and then, cookie persisted) on api documentation site theme selector (old version of dokuwiki)
- No bounty Stored XSS on https://events.hackerone.com
- No bounty xss reflected on https://███████- (███ parameters)
- No bounty XSS Reflected on https://███ (███ parameter)
- No bounty CSRF на установку своей почты к аккаунту.
- No bounty Kryptor/SECURITY.md missing HACKERONE program update.
- $1250 Corss-Tenant IDOR on Business allowing escalation privilege, invitation takeover, and edition of any other Businesses' employees
- $100 Android app does not clear end to end encryption keys
- $250 removed user can still join the organization
- $300 No Rate Limit On Forgot Password Page
- $200 Stored XSS on store.my.games
- $1000 CSRF on TikTok Ads Portal
- $100 Account takeover just through csrf in https://booking.qiwi.kz/profile
- No bounty Private ip leaking through response
- $1000 Reflected XSS on transact.playstation.com using postMessage from the opening window
- $100 No brute force protection on web-api-cloud.acronis.com
- $1000 Blind SSRF on [relap.io]
- No bounty one delegate can add another delegate and delete other delegates, exposing all confidential inbox messages
- No bounty Lack warning label when receiving a letter
- No bounty Zero click account Takeover due to Api misconfiguration 🏂🎩
- No bounty Subdomain takeover of ███.wavecell.com
- $350 SQL Injection Union Based
- $2738 [3DS][StreetPass] Buffer Overflow in Super Mario Maker level decompression
- $500 XSS reflected on [https://www.pixiv.net]
| Vulnerability Type | Statistics | Most Disclosed |
|---|---|---|
None suppliedView disclosed reports. |
174 programs 972 disclosed |
Mailru 56 disclosed |
Cross-site Scripting (XSS) - GenericView disclosed reports. |
121 programs 879 disclosed |
Mailru 71 disclosed |
Information DisclosureView disclosed reports. |
168 programs 874 disclosed |
Hackerone 97 disclosed |
Violation of Secure Design PrinciplesView disclosed reports. |
153 programs 661 disclosed |
Hackerone 78 disclosed |
Improper Authentication - GenericView disclosed reports. |
121 programs 571 disclosed |
Shopify 42 disclosed |
Cross-Site Request Forgery (CSRF)View disclosed reports. |
96 programs 363 disclosed |
Mailru 22 disclosed |
Cross-site Scripting (XSS) - StoredView disclosed reports. |
77 programs 343 disclosed |
Mailru 58 disclosed |
Denial of ServiceView disclosed reports. |
81 programs 306 disclosed |
Shopify-scripts 80 disclosed |
Privilege EscalationView disclosed reports. |
95 programs 298 disclosed |
Newrelic 28 disclosed |
Cross-site Scripting (XSS) - ReflectedView disclosed reports. |
75 programs 263 disclosed |
Mailru 54 disclosed |
Improper Access Control - GenericView disclosed reports. |
87 programs 239 disclosed |
Shopify 18 disclosed |
Open RedirectView disclosed reports. |
92 programs 232 disclosed |
Shopify 17 disclosed |
SQL InjectionView disclosed reports. |
48 programs 193 disclosed |
Mailru 47 disclosed |
Code InjectionView disclosed reports. |
70 programs 189 disclosed |
Deptofdefense 21 disclosed |
Command Injection - GenericView disclosed reports. |
62 programs 162 disclosed |
Nodejs-ecosystem 22 disclosed |
Business Logic ErrorsView disclosed reports. |
66 programs 159 disclosed |
Legalrobot 12 disclosed |
Memory Corruption - GenericView disclosed reports. |
41 programs 150 disclosed |
Shopify-scripts 45 disclosed |
Cryptographic Issues - GenericView disclosed reports. |
74 programs 150 disclosed |
Twitter 10 disclosed |
Insecure Direct Object Reference (IDOR)View disclosed reports. |
55 programs 144 disclosed |
Mailru 21 disclosed |
Server-Side Request Forgery (SSRF)View disclosed reports. |
55 programs 142 disclosed |
Mailru 20 disclosed |
Cross-site Scripting (XSS) - DOMView disclosed reports. |
47 programs 103 disclosed |
Mailru 17 disclosed |
UI Redressing (Clickjacking)View disclosed reports. |
42 programs 98 disclosed |
Legalrobot 8 disclosed |
Path TraversalView disclosed reports. |
26 programs 98 disclosed |
Nodejs-ecosystem 45 disclosed |
Brute ForceView disclosed reports. |
24 programs 48 disclosed |
Mailru 16 disclosed |
Privacy ViolationView disclosed reports. |
22 programs 37 disclosed |
Nordvpn 6 disclosed |
HTTP Request SmugglingView disclosed reports. |
19 programs 33 disclosed |
Paypal 5 disclosed |
OS Command InjectionView disclosed reports. |
18 programs 33 disclosed |
Starbucks 5 disclosed |
Buffer Over-readView disclosed reports. |
10 programs 28 disclosed |
Ibb-data 8 disclosed |
XML External Entities (XXE)View disclosed reports. |
18 programs 27 disclosed |
Mailru 5 disclosed |
Heap OverflowView disclosed reports. |
13 programs 25 disclosed |
Ibb-perl 6 disclosed |
Classic Buffer OverflowView disclosed reports. |
11 programs 25 disclosed |
Valve 12 disclosed |
Out-of-bounds ReadView disclosed reports. |
7 programs 24 disclosed |
Nodejs-ecosystem 10 disclosed |
Information Exposure Through an Error MessageView disclosed reports. |
17 programs 22 disclosed |
Mailru 3 disclosed |
CRLF InjectionView disclosed reports. |
17 programs 22 disclosed |
Vkcom 2 disclosed |
Cleartext Storage of Sensitive InformationView disclosed reports. |
15 programs 22 disclosed |
Deptofdefense 3 disclosed |
Improper AuthorizationView disclosed reports. |
10 programs 22 disclosed |
Razer 5 disclosed |
PhishingView disclosed reports. |
15 programs 21 disclosed |
Mailru 4 disclosed |
NULL Pointer DereferenceView disclosed reports. |
6 programs 19 disclosed |
Shopify-scripts 8 disclosed |
Insufficient Session ExpirationView disclosed reports. |
15 programs 16 disclosed |
Visma 2 disclosed |
Improper Input ValidationView disclosed reports. |
12 programs 16 disclosed |
Mailru 3 disclosed |
Deserialization of Untrusted DataView disclosed reports. |
12 programs 15 disclosed |
Deptofdefense 4 disclosed |
Use After FreeView disclosed reports. |
9 programs 15 disclosed |
Ibb-php 6 disclosed |
Man-in-the-MiddleView disclosed reports. |
10 programs 14 disclosed |
Portswigger 4 disclosed |
Improper Certificate ValidationView disclosed reports. |
12 programs 14 disclosed |
Nextcloud 2 disclosed |
Stack OverflowView disclosed reports. |
8 programs 13 disclosed |
Valve 5 disclosed |
Cleartext Transmission of Sensitive InformationView disclosed reports. |
11 programs 13 disclosed |
Uber 3 disclosed |
Information Exposure Through Debug InformationView disclosed reports. |
12 programs 13 disclosed |
Dropcontact 2 disclosed |
Information Exposure Through Directory ListingView disclosed reports. |
6 programs 11 disclosed |
Nextcloud 3 disclosed |
Weak Password Recovery Mechanism for Forgotten PasswordView disclosed reports. |
8 programs 10 disclosed |
Wakatime 3 disclosed |
Insecure Storage of Sensitive InformationView disclosed reports. |
6 programs 10 disclosed |
Mailru 3 disclosed |
Modification of Assumed-Immutable Data (MAID)View disclosed reports. |
4 programs 10 disclosed |
Nodejs-ecosystem 7 disclosed |
MisconfigurationView disclosed reports. |
8 programs 10 disclosed |
Line 3 disclosed |
HTTP Response SplittingView disclosed reports. |
7 programs 9 disclosed |
Brave 2 disclosed |
Resource InjectionView disclosed reports. |
9 programs 9 disclosed |
Owncloud 1 disclosed |
Remote File InclusionView disclosed reports. |
7 programs 8 disclosed |
Mailru 2 disclosed |
Use of Hard-coded CredentialsView disclosed reports. |
7 programs 8 disclosed |
Starbucks 2 disclosed |
Session FixationView disclosed reports. |
6 programs 8 disclosed |
Legalrobot 2 disclosed |
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')View disclosed reports. |
7 programs 8 disclosed |
Hackerone 2 disclosed |
Weak Cryptography for PasswordsView disclosed reports. |
5 programs 7 disclosed |
Weblate 2 disclosed |
Array Index UnderflowView disclosed reports. |
6 programs 7 disclosed |
Valve 2 disclosed |
Client-Side Enforcement of Server-Side SecurityView disclosed reports. |
5 programs 7 disclosed |
Newrelic 3 disclosed |
Unrestricted Upload of File with Dangerous TypeView disclosed reports. |
5 programs 7 disclosed |
Visma 2 disclosed |
Insufficiently Protected CredentialsView disclosed reports. |
6 programs 6 disclosed |
Mixmax 1 disclosed |
Password in Configuration FileView disclosed reports. |
6 programs 6 disclosed |
Torproject 1 disclosed |
Missing Authentication for Critical FunctionView disclosed reports. |
4 programs 6 disclosed |
Paypal 3 disclosed |
Improper Null TerminationView disclosed reports. |
4 programs 5 disclosed |
Ibb-php 2 disclosed |
Externally Controlled Reference to a Resource in Another SphereView disclosed reports. |
3 programs 5 disclosed |
Mailru 3 disclosed |
Forced BrowsingView disclosed reports. |
4 programs 4 disclosed |
Ubnt 1 disclosed |
Double FreeView disclosed reports. |
4 programs 4 disclosed |
Shopify-scripts 1 disclosed |
Reliance on Cookies without Validation and Integrity Checking in a Security DecisionView disclosed reports. |
4 programs 4 disclosed |
Cuvva 1 disclosed |
Integer OverflowView disclosed reports. |
4 programs 4 disclosed |
Ibb-python 1 disclosed |
Time-of-check Time-of-use (TOCTOU) Race ConditionView disclosed reports. |
4 programs 4 disclosed |
Shopify 1 disclosed |
File and Directory Information ExposureView disclosed reports. |
4 programs 4 disclosed |
Solana-bbp 1 disclosed |
Authentication Bypass Using an Alternate Path or ChannelView disclosed reports. |
4 programs 4 disclosed |
Gitlab 1 disclosed |
Use of a Key Past its Expiration DateView disclosed reports. |
3 programs 3 disclosed |
Ubnt 1 disclosed |
Write-what-where ConditionView disclosed reports. |
3 programs 3 disclosed |
Shopify-scripts 1 disclosed |
Use of a Broken or Risky Cryptographic AlgorithmView disclosed reports. |
3 programs 3 disclosed |
Hackerone 1 disclosed |
Integer UnderflowView disclosed reports. |
3 programs 3 disclosed |
Ibb-perl 1 disclosed |
Information Exposure Through Sent DataView disclosed reports. |
3 programs 3 disclosed |
Chaturbate 1 disclosed |
Buffer UnderflowView disclosed reports. |
2 programs 3 disclosed |
Ibb-php 2 disclosed |
Plaintext Storage of a PasswordView disclosed reports. |
3 programs 3 disclosed |
Midpoint_h1c 1 disclosed |
Reliance on Untrusted Inputs in a Security DecisionView disclosed reports. |
3 programs 3 disclosed |
Datastax 1 disclosed |
Incorrect AuthorizationView disclosed reports. |
3 programs 3 disclosed |
Stripo 1 disclosed |
LDAP InjectionView disclosed reports. |
2 programs 3 disclosed |
Nodejs-ecosystem 2 disclosed |
Allocation of Resources Without Limits or ThrottlingView disclosed reports. |
2 programs 3 disclosed |
Solana-bbp 2 disclosed |
Missing Required Cryptographic StepView disclosed reports. |
2 programs 2 disclosed |
Phabricator 1 disclosed |
Inadequate Encryption StrengthView disclosed reports. |
2 programs 2 disclosed |
Weblate 1 disclosed |
Use of Inherently Dangerous FunctionView disclosed reports. |
2 programs 2 disclosed |
Brave 1 disclosed |
Reusing a Nonce, Key Pair in EncryptionView disclosed reports. |
2 programs 2 disclosed |
Internet 1 disclosed |
Missing Encryption of Sensitive DataView disclosed reports. |
2 programs 2 disclosed |
Cloudflare 1 disclosed |
Type ConfusionView disclosed reports. |
2 programs 2 disclosed |
Coinbase 1 disclosed |
Improper Neutralization of HTTP Headers for Scripting SyntaxView disclosed reports. |
2 programs 2 disclosed |
Weblate 1 disclosed |
Execution with Unnecessary PrivilegesView disclosed reports. |
1 programs 2 disclosed |
Evernote 2 disclosed |
MalwareView disclosed reports. |
1 programs 2 disclosed |
Valve 2 disclosed |
Unverified Password ChangeView disclosed reports. |
2 programs 2 disclosed |
Khanacademy 1 disclosed |
Improper Check or Handling of Exceptional ConditionsView disclosed reports. |
1 programs 2 disclosed |
Innogames 2 disclosed |
Improper Privilege ManagementView disclosed reports. |
2 programs 2 disclosed |
Nextcloud 1 disclosed |
Missing AuthorizationView disclosed reports. |
2 programs 2 disclosed |
Visma 1 disclosed |
User Interface (UI) Misrepresentation of Critical InformationView disclosed reports. |
2 programs 2 disclosed |
Mailru 1 disclosed |
Incorrect Calculation of Buffer SizeView disclosed reports. |
1 programs 1 disclosed |
Legalrobot 1 disclosed |
Key Exchange without Entity AuthenticationView disclosed reports. |
1 programs 1 disclosed |
Semrush 1 disclosed |
Buffer Under-readView disclosed reports. |
1 programs 1 disclosed |
Ruby 1 disclosed |
Use of Externally-Controlled Format StringView disclosed reports. |
1 programs 1 disclosed |
Ubnt 1 disclosed |
Reliance on Reverse DNS Resolution for a Security-Critical ActionView disclosed reports. |
1 programs 1 disclosed |
Shipt 1 disclosed |
Improper Handling of Insufficient Permissions or PrivilegesView disclosed reports. |
1 programs 1 disclosed |
Razer 1 disclosed |
Use of Hard-coded Cryptographic KeyView disclosed reports. |
1 programs 1 disclosed |
Slack 1 disclosed |
Exposed Dangerous Method or FunctionView disclosed reports. |
1 programs 1 disclosed |
Stripo 1 disclosed |
Security Through ObscurityView disclosed reports. |
1 programs 1 disclosed |
Twitter 1 disclosed |
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)View disclosed reports. |
1 programs 1 disclosed |
Hannob 1 disclosed |
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)View disclosed reports. |
1 programs 1 disclosed |
Grammarly 1 disclosed |
Improper Handling of URL Encoding (Hex Encoding)View disclosed reports. |
1 programs 1 disclosed |
Razer 1 disclosed |
XML InjectionView disclosed reports. |
1 programs 1 disclosed |
Topcoder 1 disclosed |
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)View disclosed reports. |
1 programs 1 disclosed |
Zomato 1 disclosed |
Use of Hard-coded PasswordView disclosed reports. |
1 programs 1 disclosed |
Deptofdefense 1 disclosed |
Improper Export of Android Application ComponentsView disclosed reports. |
1 programs 1 disclosed |
Tiktok 1 disclosed |
Download of Code Without Integrity CheckView disclosed reports. |
1 programs 1 disclosed |
Yelp 1 disclosed |
Storing Passwords in a Recoverable FormatView disclosed reports. |
1 programs 1 disclosed |
Upchieve 1 disclosed |
Off-by-one ErrorView disclosed reports. |
1 programs 1 disclosed |
Security 1 disclosed |
External Control of Critical State DataView disclosed reports. |
1 programs 1 disclosed |
Mtn_group 1 disclosed |
Incorrect Permission Assignment for Critical ResourceView disclosed reports. |
1 programs 1 disclosed |
Shopify 1 disclosed |