Browse publicly disclosed writeups from HackerOne sorted by vulnerability type. Discover which vulnerabilities are most commonly found on which programs to help aid you in your hunt.
7829
total disclosed
$5,342,621
total publicly paid out
Most Disclosed
-
bobrov91 disclosed -
sp1d3rs56 disclosed -
jobert50 disclosed -
jon_bottarini48 disclosed -
netfuzzer42 disclosed -
skavans41 disclosed -
japz41 disclosed -
edoverflow41 disclosed -
geeknik38 disclosed -
bigbear_38 disclosed
Programs that disclosure
Mailru535 disclosed 
Hackerone388 disclosed 
Shopify306 disclosed 
Nextcloud208 disclosed 
Deptofdefense208 disclosed Twitter205 disclosed
Nodejs-ecosystem191 disclosed
Newrelic184 disclosed
Uber175 disclosed 
Shopify-scripts157 disclosed
Top Bounties
- shopify-scripts rewarded Steal ALL collateral during liquidation by exploiting lack of validation in `flip.kick` with a $50,000 bounty!
- shopify-scripts rewarded Steal collateral during `end` process, by earning DSR interest after `flow`. with a $25,000 bounty!
- shopify-scripts rewarded SQL Injection in report_xml.php through countryFilter[] parameter with a $25,000 bounty!
- shopify-scripts rewarded Key Reinstallation Attacks: Breaking WPA2 by forcing nonce reuse with a $25,000 bounty!
- shopify-scripts rewarded SSRF in Exchange leads to ROOT access in all instances with a $25,000 bounty!
- shopify-scripts rewarded Takeover an account that doesn't have a Shopify ID and more with a $22,500 bounty!
- shopify-scripts rewarded Email Confirmation Bypass in your-store.myshopify.com which leads to privilege escalation with a $22,500 bounty!
- shopify-scripts rewarded ETH contract handling errors with a $21,000 bounty!
- shopify-scripts rewarded ETH contract handling errors with a $21,000 bounty!
- shopify-scripts rewarded Potential pre-auth RCE on Twitter VPN with a $20,160 bounty!
- shopify-scripts rewarded Potential pre-auth RCE on Twitter VPN with a $20,160 bounty!
- shopify-scripts rewarded Account takeover via leaked session cookie with a $20,000 bounty!
- shopify-scripts rewarded Confidential data of users and limited metadata of programs and reports accessible via GraphQL with a $20,000 bounty!
- shopify-scripts rewarded Shopify admin authentication bypass using partners.shopify.com with a $20,000 bounty!
- shopify-scripts rewarded Arbitrary file read via the UploadsRewriter when moving and issue with a $20,000 bounty!
- shopify-scripts rewarded Account takeover via leaked session cookie with a $20,000 bounty!
- shopify-scripts rewarded Bypass for #488147 enables stored XSS on https://paypal.com/signin again with a $20,000 bounty!
- shopify-scripts rewarded Getting all the CD keys of any game with a $20,000 bounty!
- shopify-scripts rewarded Bypass for #488147 enables stored XSS on https://paypal.com/signin again with a $20,000 bounty!
- shopify-scripts rewarded Getting all the CD keys of any game with a $20,000 bounty!
Recently Disclosed
- Google CVE-2020-8913 - Persistent arbitrary code execution in Android's Google Play Core Library: details, explanation and the PoC
- Google CVE-2020-8913 - Persistent arbitrary code execution in Android's Google Play Core Library: details, explanation and the PoC
- Redact Android: Explanation of Access to app protected components vulnerability
- Google CVE-2020-8913 - Persistent arbitrary code execution in Android's Google Play Core Library: details, explanation and the PoC
- Kubernetes kubeadm logs tokens before deleting them
- Filezilla FileZilla 3.46.3 - 'Scale factor' Buffer Overflow
- Gitlab Stored XSS in group issue list
- Curl krb5: double-free in read_data() after realloc() fail
- Gocd XSS In https://docs.gocd.org/current/
- Curl Heap buffer overflow in TFTP when using small blksize
- Pingidentity Session misconfiguration on forget password feature at https://ort-admin.pingone.com
- Nextcloud Leaked of Profile Image from URL changing
- Nextcloud Social App does not validate server certificates for outgoing connections
- Bugpoc XSS Challenge
- Automattic Rate Limit Misconfiguration on tumblr login .