Browse publicly disclosed writeups from HackerOne sorted by vulnerability type. Discover which vulnerabilities are most commonly found on which programs to help guide your hunting.


8067 total disclosed
$5,844,177 total publicly paid out





Disclosed by vulnerability type


| Vulnerability type | Reports | Disclosed | Most disclosed: program | Most disclosed: count |
|---|---|---|---|---|
| None supplied | 169 | 940 | Mailru | 55 |
| Cross-site Scripting (XSS) - Generic | 119 | 877 | Mailru | 71 |
| Information Disclosure | 162 | 843 | Hackerone | 97 |
| Violation of Secure Design Principles | 151 | 656 | Hackerone | 78 |
| Improper Authentication - Generic | 119 | 564 | Shopify | 42 |
| Cross-Site Request Forgery (CSRF) | 92 | 352 | Mailru | 20 |
| Cross-site Scripting (XSS) - Stored | 74 | 324 | Mailru | 52 |
| Denial of Service | 81 | 302 | Shopify-scripts | 80 |
| Privilege Escalation | 89 | 284 | Newrelic | 28 |
| Cross-site Scripting (XSS) - Reflected | 69 | 235 | Mailru | 53 |
| Open Redirect | 91 | 228 | Shopify | 17 |
| Improper Access Control - Generic | 79 | 217 | Shopify | 18 |
| Code Injection | 68 | 180 | Deptofdefense | 18 |
| SQL Injection | 47 | 174 | Mailru | 40 |
| Command Injection - Generic | 62 | 157 | Nodejs-ecosystem | 22 |
| Memory Corruption - Generic | 41 | 150 | Shopify-scripts | 45 |
| Business Logic Errors | 62 | 149 | Legalrobot | 12 |
| Cryptographic Issues - Generic | 74 | 148 | Twitter | 10 |
| Insecure Direct Object Reference (IDOR) | 53 | 140 | Mailru | 21 |
| Server-Side Request Forgery (SSRF) | 53 | 130 | Gitlab | 16 |
| Cross-site Scripting (XSS) - DOM | 46 | 100 | Mailru | 16 |
| UI Redressing (Clickjacking) | 41 | 97 | Legalrobot | 8 |
| Path Traversal | 23 | 95 | Nodejs-ecosystem | 45 |
| Brute Force | 21 | 41 | Mailru | 14 |
| Privacy Violation | 22 | 37 | Nordvpn | 6 |
| HTTP Request Smuggling | 19 | 28 | Paypal | 4 |
| OS Command Injection | 16 | 27 | Starbucks | 4 |
| XML External Entities (XXE) | 17 | 25 | Mailru | 4 |
| Heap Overflow | 12 | 23 | Ibb-perl | 6 |
| Out-of-bounds Read | 6 | 23 | Nodejs-ecosystem | 10 |
| Buffer Over-read | 9 | 23 | Ibb-php | 8 |
| CRLF Injection | 17 | 22 | Vkcom | 2 |
| Classic Buffer Overflow | 9 | 22 | Valve | 12 |
| Information Exposure Through an Error Message | 17 | 21 | Gitlab | 3 |
| Improper Authorization | 9 | 21 | Razer | 5 |
| Cleartext Storage of Sensitive Information | 15 | 20 | Deptofdefense | 3 |
| NULL Pointer Dereference | 6 | 19 | Shopify-scripts | 8 |
| Phishing | 13 | 18 | Mailru | 4 |
| Use After Free | 9 | 15 | Ibb-php | 6 |
| Man-in-the-Middle | 10 | 14 | Portswigger | 4 |
| Insufficient Session Expiration | 13 | 14 | Visma | 2 |
| Improper Input Validation | 10 | 14 | Mailru | 3 |
| Information Exposure Through Debug Information | 12 | 13 | Dropcontact | 2 |
| Deserialization of Untrusted Data | 10 | 12 | Deptofdefense | 3 |
| Stack Overflow | 8 | 11 | Valve | 3 |
| Cleartext Transmission of Sensitive Information | 9 | 10 | Uber | 2 |
| Information Exposure Through Directory Listing | 5 | 10 | Nextcloud | 3 |
| Improper Certificate Validation | 9 | 10 | Nextcloud | 2 |
| HTTP Response Splitting | 7 | 9 | Brave | 2 |
| Weak Password Recovery Mechanism for Forgotten Password | 7 | 9 | Wakatime | 3 |
| Insecure Storage of Sensitive Information | 5 | 9 | Mailru | 3 |
| Modification of Assumed-Immutable Data (MAID) | 3 | 9 | Nodejs-ecosystem | 7 |
| Session Fixation | 6 | 8 | Legalrobot | 2 |
| Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | 7 | 8 | Hackerone | 2 |
| Weak Cryptography for Passwords | 5 | 7 | Weblate | 2 |
| Resource Injection | 7 | 7 | Owncloud | 1 |
| Use of Hard-coded Credentials | 7 | 7 | Zomato | 1 |
| Client-Side Enforcement of Server-Side Security | 5 | 7 | Newrelic | 3 |
| Unrestricted Upload of File with Dangerous Type | 5 | 7 | Visma | 2 |
| Misconfiguration | 6 | 7 | Line | 2 |
| Remote File Inclusion | 6 | 6 | Ruby | 1 |
| Insufficiently Protected Credentials | 6 | 6 | Mixmax | 1 |
| Array Index Underflow | 5 | 6 | Valve | 2 |
| Password in Configuration File | 5 | 5 | Torproject | 1 |
| Improper Null Termination | 4 | 5 | Ibb-php | 2 |
| Externally Controlled Reference to a Resource in Another Sphere | 3 | 5 | Mailru | 3 |
| Missing Authentication for Critical Function | 4 | 5 | Paypal | 2 |
| Forced Browsing | 4 | 4 | Ubnt | 1 |
| Reliance on Cookies without Validation and Integrity Checking in a Security Decision | 4 | 4 | Cuvva | 1 |
| Time-of-check Time-of-use (TOCTOU) Race Condition | 4 | 4 | Shopify | 1 |
| Authentication Bypass Using an Alternate Path or Channel | 4 | 4 | Gitlab | 1 |
| Double Free | 3 | 3 | Shopify-scripts | 1 |
| Use of a Key Past its Expiration Date | 3 | 3 | Ubnt | 1 |
| Write-what-where Condition | 3 | 3 | Shopify-scripts | 1 |
| Use of a Broken or Risky Cryptographic Algorithm | 3 | 3 | Hackerone | 1 |
| Integer Overflow | 3 | 3 | Ibb-python | 1 |
| Integer Underflow | 3 | 3 | Ibb-perl | 1 |
| Information Exposure Through Sent Data | 3 | 3 | Chaturbate | 1 |
| Buffer Underflow | 2 | 3 | Ibb-php | 2 |
| Plaintext Storage of a Password | 3 | 3 | Midpoint_h1c | 1 |
| Reliance on Untrusted Inputs in a Security Decision | 3 | 3 | Datastax | 1 |
| Incorrect Authorization | 3 | 3 | Stripo | 1 |
| File and Directory Information Exposure | 3 | 3 | Solana-bbp | 1 |
| Allocation of Resources Without Limits or Throttling | 2 | 3 | Solana-bbp | 2 |
| Missing Required Cryptographic Step | 2 | 2 | Phabricator | 1 |
| Inadequate Encryption Strength | 2 | 2 | Weblate | 1 |
| Use of Inherently Dangerous Function | 2 | 2 | Brave | 1 |
| Type Confusion | 2 | 2 | Coinbase | 1 |
| Improper Neutralization of HTTP Headers for Scripting Syntax | 2 | 2 | Weblate | 1 |
| Execution with Unnecessary Privileges | 1 | 2 | Evernote | 2 |
| Malware | 1 | 2 | Valve | 2 |
| Unverified Password Change | 2 | 2 | Khanacademy | 1 |
| Improper Check or Handling of Exceptional Conditions | 1 | 2 | Innogames | 2 |
| Improper Privilege Management | 2 | 2 | Nextcloud | 1 |
| Missing Authorization | 2 | 2 | Visma | 1 |
| LDAP Injection | 1 | 2 | Nodejs-ecosystem | 2 |
| User Interface (UI) Misrepresentation of Critical Information | 2 | 2 | Mailru | 1 |
| Incorrect Calculation of Buffer Size | 1 | 1 | Legalrobot | 1 |
| Reusing a Nonce, Key Pair in Encryption | 1 | 1 | Internet | 1 |
| Missing Encryption of Sensitive Data | 1 | 1 | Cloudflare | 1 |
| Key Exchange without Entity Authentication | 1 | 1 | Semrush | 1 |
| Buffer Under-read | 1 | 1 | Ruby | 1 |
| Use of Externally-Controlled Format String | 1 | 1 | Ubnt | 1 |
| Reliance on Reverse DNS Resolution for a Security-Critical Action | 1 | 1 | Shipt | 1 |
| Improper Handling of Insufficient Permissions or Privileges | 1 | 1 | Razer | 1 |
| Use of Hard-coded Cryptographic Key | 1 | 1 | Slack | 1 |
| Exposed Dangerous Method or Function | 1 | 1 | Stripo | 1 |
| Security Through Obscurity | 1 | 1 | Twitter | 1 |
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 1 | 1 | Hannob | 1 |
| Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | 1 | 1 | Grammarly | 1 |
| Improper Handling of URL Encoding (Hex Encoding) | 1 | 1 | Razer | 1 |
| XML Injection | 1 | 1 | Topcoder | 1 |
| Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) | 1 | 1 | Zomato | 1 |
| Use of Hard-coded Password | 1 | 1 | Deptofdefense | 1 |
| Improper Export of Android Application Components | 1 | 1 | Tiktok | 1 |
| Download of Code Without Integrity Check | 1 | 1 | Yelp | 1 |