Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
BugBountyHunter Membership
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed Hackevent Reports 
Our community
Honourable Members
Member Contributions Program Activity
Browse public program activity and get an insight into which programs are receiving attention.
Browse publicly disclosed writeups from HackerOne sorted by vulnerability type. Discover which vulnerabilities are most commonly found on which programs to help aid you in your hunt.
8697 total disclosed
$6,984,201 total publicly paid out
Recently Disclosed
- No bounty private keys exposed on the GitHub repository
- $250 [185.30.178.57:8080] - Vulnerable to Jetleak
- No bounty [Biz] [Mailer] Кроп любых* изображений расположенных на сервере
- No bounty [mtn.com.af] Multiple vulnerabilities allow to Application level DoS
- $1000 CVE-2021-22946: Protocol downgrade required TLS bypassed
- $250 Organization Members in Snap Kit may Deactivate Apps
- No bounty com.duckduckgo.mobile.android - Cache corruption
- No bounty Use of a Broken or Risky Cryptographic Algorithm
- $1500 CVE-2021-22947: STARTTLS protocol injection via MITM
- No bounty Path Traversal on meetcqpub1.gsa.gov allows attackers to see arbitrary file listings.
- $50 IDOR in https://moneybird.com/user/accountant_company/edit(change company name)
- No bounty Broken link profile in the website leads to identity theft.
- $12000 UrnState Heap Overflow
- No bounty Use of Ruby Forwardable module and runtime meta-programming may introduce vulnerabilities
- $300 Загружаем видеозаписи в основной альбом любой открытой группе/паблику.
- $344 XW 6.2.0 firmware: 5 Reflected XSS issues in link.cgi
- No bounty Bypassing Rate limit for forgot password by using different ip addresses
- $1800 Java: Static initialization vector
- $1000 Node Validation Admission does not observe all oldObject fields
- No bounty Unix time unlock_time values have dangerous validation rules enabling a number of exploits
- $1000 Man in the middle using LoadBalancer or ExternalIPs services
- No bounty e-mail verification bypass through interception & modification of response status
- $200 A profile page of a user can be denied from loading by appending .html to the username
- $2000 CVE-2021-3711: SM2 decrypt buffer overflow
- $100 Ability to subscribe to inactive Post+ creators
- No bounty subdomain takeover disney.samokat.ru
- No bounty Cache Posioning leading to denial of service at `█████████` - Bypass fix from report #1198434
- $150 HTML injection leads to reflected XSS
- $250 Broken link hijacing in https://kubernetes-csi.github.io/docs/drivers.html
- No bounty Path Traversal CVE-2021-26086 CVE-2021-26085
- $100 IDOR on www.acronis.com API lead to steal private business user information
- No bounty Hackers can reveal the names of private programs that have an external link and Enterprise Product Edition
- No bounty User Account has been taken out
- $250 Clients do not verify server public key
- No bounty Hacker can bypass minimum bounty amount restrictions in "invitation preferences" setting via UpdateInvitationPreferencesMutation GraphQL operation
- $500 1-byte heap buffer overflow in DNS resolver
- No bounty SSRF bypass
- $1000 CVE-2021-22945: UAF and double-free in MQTT sending
- $750 Privilege Escalation vulnerability in steam's Remote Play feature leads to arbitrary kernel-mode driver installation
- No bounty RXSS - ████
- No bounty SSRF to AWS file read
- $1800 [Java] CWE-502: Unsafe deserialization with three JSON frameworks
- No bounty Missing rate limit in current password change settings leads to Account takeover
- No bounty Access to alerta.khanacademy.org leak sensitive data
- No bounty Stored unauth XSS in calendar event via CSRF
- No bounty HTML Injection in Email
- $150 Built-in TLS module unexpectedly treats "rejectUnauthorized: undefined" as "rejectUnauthorized: false", disabling all certificate validation
- No bounty RCE Apache Struts2 remote command execution (S2-045) on [wifi-partner.mtn.com.gh]
- $240 "urllib" will result to deny of service
- $50 XSS Stored in Cacheable response
| Vulnerability Type | Statistics |
|---|---|
None supplied |
182 programs 1016 disclosed |
Information Disclosure |
173 programs 908 disclosed |
Cross-site Scripting (XSS) - Generic |
123 programs 881 disclosed |
Violation of Secure Design Principles |
160 programs 673 disclosed |
Improper Authentication - Generic |
123 programs 581 disclosed |
Cross-Site Request Forgery (CSRF) |
99 programs 371 disclosed |
Cross-site Scripting (XSS) - Stored |
81 programs 359 disclosed |
Privilege Escalation |
101 programs 321 disclosed |
Denial of Service |
86 programs 315 disclosed |
Cross-site Scripting (XSS) - Reflected |
77 programs 277 disclosed |
Improper Access Control - Generic |
91 programs 254 disclosed |
Open Redirect |
94 programs 236 disclosed |
SQL Injection |
49 programs 198 disclosed |
Code Injection |
72 programs 195 disclosed |
Business Logic Errors |
71 programs 174 disclosed |
Command Injection - Generic |
63 programs 163 disclosed |
Memory Corruption - Generic |
41 programs 152 disclosed |
Cryptographic Issues - Generic |
76 programs 152 disclosed |
Insecure Direct Object Reference (IDOR) |
60 programs 151 disclosed |
Server-Side Request Forgery (SSRF) |
58 programs 147 disclosed |
Cross-site Scripting (XSS) - DOM |
48 programs 106 disclosed |
Path Traversal |
33 programs 106 disclosed |
UI Redressing (Clickjacking) |
43 programs 99 disclosed |
Brute Force |
26 programs 50 disclosed |
HTTP Request Smuggling |
21 programs 39 disclosed |
Privacy Violation |
24 programs 39 disclosed |
OS Command Injection |
18 programs 34 disclosed |
Classic Buffer Overflow |
12 programs 29 disclosed |
Buffer Over-read |
10 programs 28 disclosed |
XML External Entities (XXE) |
18 programs 27 disclosed |
Cleartext Storage of Sensitive Information |
19 programs 27 disclosed |
Heap Overflow |
13 programs 25 disclosed |
Improper Authorization |
13 programs 25 disclosed |
Out-of-bounds Read |
7 programs 24 disclosed |
Information Exposure Through an Error Message |
18 programs 23 disclosed |
CRLF Injection |
17 programs 23 disclosed |
Phishing |
16 programs 22 disclosed |
NULL Pointer Dereference |
6 programs 19 disclosed |
Deserialization of Untrusted Data |
14 programs 17 disclosed |
Man-in-the-Middle |
12 programs 17 disclosed |
Insufficient Session Expiration |
15 programs 17 disclosed |
Improper Input Validation |
13 programs 17 disclosed |
Cleartext Transmission of Sensitive Information |
13 programs 15 disclosed |
Improper Certificate Validation |
12 programs 15 disclosed |
Use After Free |
9 programs 15 disclosed |
Information Exposure Through Debug Information |
13 programs 14 disclosed |
Misconfiguration |
10 programs 14 disclosed |
Stack Overflow |
8 programs 13 disclosed |
Information Exposure Through Directory Listing |
6 programs 11 disclosed |
Insecure Storage of Sensitive Information |
7 programs 11 disclosed |
HTTP Response Splitting |
8 programs 10 disclosed |
Weak Password Recovery Mechanism for Forgotten Password |
8 programs 10 disclosed |
Resource Injection |
10 programs 10 disclosed |
Modification of Assumed-Immutable Data (MAID) |
4 programs 10 disclosed |
Remote File Inclusion |
7 programs 8 disclosed |
Weak Cryptography for Passwords |
6 programs 8 disclosed |
Use of Hard-coded Credentials |
7 programs 8 disclosed |
Session Fixation |
6 programs 8 disclosed |
Client-Side Enforcement of Server-Side Security |
6 programs 8 disclosed |
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
7 programs 8 disclosed |
Array Index Underflow |
6 programs 7 disclosed |
Unrestricted Upload of File with Dangerous Type |
5 programs 7 disclosed |
Insufficiently Protected Credentials |
6 programs 6 disclosed |
Password in Configuration File |
6 programs 6 disclosed |
Missing Authentication for Critical Function |
4 programs 6 disclosed |
Double Free |
4 programs 5 disclosed |
Time-of-check Time-of-use (TOCTOU) Race Condition |
5 programs 5 disclosed |
Improper Null Termination |
4 programs 5 disclosed |
Externally Controlled Reference to a Resource in Another Sphere |
3 programs 5 disclosed |
Authentication Bypass Using an Alternate Path or Channel |
5 programs 5 disclosed |
Forced Browsing |
4 programs 4 disclosed |
Use of a Key Past its Expiration Date |
4 programs 4 disclosed |
Reliance on Cookies without Validation and Integrity Checking in a Security Decision |
4 programs 4 disclosed |
Use of a Broken or Risky Cryptographic Algorithm |
4 programs 4 disclosed |
Integer Overflow |
4 programs 4 disclosed |
Information Exposure Through Sent Data |
4 programs 4 disclosed |
File and Directory Information Exposure |
4 programs 4 disclosed |
Missing Required Cryptographic Step |
3 programs 3 disclosed |
Write-what-where Condition |
3 programs 3 disclosed |
Integer Underflow |
3 programs 3 disclosed |
Type Confusion |
3 programs 3 disclosed |
Buffer Underflow |
2 programs 3 disclosed |
Plaintext Storage of a Password |
3 programs 3 disclosed |
Reliance on Untrusted Inputs in a Security Decision |
3 programs 3 disclosed |
Incorrect Authorization |
3 programs 3 disclosed |
LDAP Injection |
2 programs 3 disclosed |
Allocation of Resources Without Limits or Throttling |
2 programs 3 disclosed |
Inadequate Encryption Strength |
2 programs 2 disclosed |
Use of Inherently Dangerous Function |
2 programs 2 disclosed |
Reusing a Nonce, Key Pair in Encryption |
2 programs 2 disclosed |
Missing Encryption of Sensitive Data |
2 programs 2 disclosed |
Improper Neutralization of HTTP Headers for Scripting Syntax |
2 programs 2 disclosed |
Improper Handling of Insufficient Permissions or Privileges |
2 programs 2 disclosed |
Execution with Unnecessary Privileges |
1 programs 2 disclosed |
Malware |
1 programs 2 disclosed |
Unverified Password Change |
2 programs 2 disclosed |
Improper Check or Handling of Exceptional Conditions |
1 programs 2 disclosed |
Improper Privilege Management |
2 programs 2 disclosed |
Missing Authorization |
2 programs 2 disclosed |
User Interface (UI) Misrepresentation of Critical Information |
2 programs 2 disclosed |
Off-by-one Error |
2 programs 2 disclosed |
Incorrect Calculation of Buffer Size |
1 programs 1 disclosed |
Key Exchange without Entity Authentication |
1 programs 1 disclosed |
Buffer Under-read |
1 programs 1 disclosed |
Use of Externally-Controlled Format String |
1 programs 1 disclosed |
Reliance on Reverse DNS Resolution for a Security-Critical Action |
1 programs 1 disclosed |
Use of Hard-coded Cryptographic Key |
1 programs 1 disclosed |
Exposed Dangerous Method or Function |
1 programs 1 disclosed |
Security Through Obscurity |
1 programs 1 disclosed |
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) |
1 programs 1 disclosed |
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) |
1 programs 1 disclosed |
Improper Handling of URL Encoding (Hex Encoding) |
1 programs 1 disclosed |
XML Injection |
1 programs 1 disclosed |
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) |
1 programs 1 disclosed |
Use of Hard-coded Password |
1 programs 1 disclosed |
Improper Export of Android Application Components |
1 programs 1 disclosed |
Download of Code Without Integrity Check |
1 programs 1 disclosed |
Storing Passwords in a Recoverable Format |
1 programs 1 disclosed |
External Control of Critical State Data |
1 programs 1 disclosed |
Incorrect Permission Assignment for Critical Resource |
1 programs 1 disclosed |
Path Traversal: '.../...//' |
1 programs 1 disclosed |
Unchecked Error Condition |
1 programs 1 disclosed |