Browse publicly disclosed write-ups from HackerOne, sorted by vulnerability type. See which vulnerabilities are most commonly found on which programs to help guide your hunt.


8393 total disclosed
$6,643,733 total publicly paid out


Vulnerability Type Statistics

| Vulnerability Type | Programs | Disclosed | Most Disclosed (Program) | Most Disclosed (Count) |
|---|---|---|---|---|
| None supplied | 174 | 972 | Mailru | 56 |
| Cross-site Scripting (XSS) - Generic | 121 | 879 | Mailru | 71 |
| Information Disclosure | 168 | 874 | Hackerone | 97 |
| Violation of Secure Design Principles | 153 | 661 | Hackerone | 78 |
| Improper Authentication - Generic | 121 | 571 | Shopify | 42 |
| Cross-Site Request Forgery (CSRF) | 96 | 363 | Mailru | 22 |
| Cross-site Scripting (XSS) - Stored | 77 | 343 | Mailru | 58 |
| Denial of Service | 81 | 306 | Shopify-scripts | 80 |
| Privilege Escalation | 95 | 298 | Newrelic | 28 |
| Cross-site Scripting (XSS) - Reflected | 75 | 263 | Mailru | 54 |
| Improper Access Control - Generic | 87 | 239 | Shopify | 18 |
| Open Redirect | 92 | 232 | Shopify | 17 |
| SQL Injection | 48 | 193 | Mailru | 47 |
| Code Injection | 70 | 189 | Deptofdefense | 21 |
| Command Injection - Generic | 62 | 162 | Nodejs-ecosystem | 22 |
| Business Logic Errors | 66 | 159 | Legalrobot | 12 |
| Memory Corruption - Generic | 41 | 150 | Shopify-scripts | 45 |
| Cryptographic Issues - Generic | 74 | 150 | Twitter | 10 |
| Insecure Direct Object Reference (IDOR) | 55 | 144 | Mailru | 21 |
| Server-Side Request Forgery (SSRF) | 55 | 142 | Mailru | 20 |
| Cross-site Scripting (XSS) - DOM | 47 | 103 | Mailru | 17 |
| UI Redressing (Clickjacking) | 42 | 98 | Legalrobot | 8 |
| Path Traversal | 26 | 98 | Nodejs-ecosystem | 45 |
| Brute Force | 24 | 48 | Mailru | 16 |
| Privacy Violation | 22 | 37 | Nordvpn | 6 |
| HTTP Request Smuggling | 19 | 33 | Paypal | 5 |
| OS Command Injection | 18 | 33 | Starbucks | 5 |
| Buffer Over-read | 10 | 28 | Ibb-data | 8 |
| XML External Entities (XXE) | 18 | 27 | Mailru | 5 |
| Heap Overflow | 13 | 25 | Ibb-perl | 6 |
| Classic Buffer Overflow | 11 | 25 | Valve | 12 |
| Out-of-bounds Read | 7 | 24 | Nodejs-ecosystem | 10 |
| Information Exposure Through an Error Message | 17 | 22 | Mailru | 3 |
| CRLF Injection | 17 | 22 | Vkcom | 2 |
| Cleartext Storage of Sensitive Information | 15 | 22 | Deptofdefense | 3 |
| Improper Authorization | 10 | 22 | Razer | 5 |
| Phishing | 15 | 21 | Mailru | 4 |
| NULL Pointer Dereference | 6 | 19 | Shopify-scripts | 8 |
| Insufficient Session Expiration | 15 | 16 | Visma | 2 |
| Improper Input Validation | 12 | 16 | Mailru | 3 |
| Deserialization of Untrusted Data | 12 | 15 | Deptofdefense | 4 |
| Use After Free | 9 | 15 | Ibb-php | 6 |
| Man-in-the-Middle | 10 | 14 | Portswigger | 4 |
| Improper Certificate Validation | 12 | 14 | Nextcloud | 2 |
| Stack Overflow | 8 | 13 | Valve | 5 |
| Cleartext Transmission of Sensitive Information | 11 | 13 | Uber | 3 |
| Information Exposure Through Debug Information | 12 | 13 | Dropcontact | 2 |
| Information Exposure Through Directory Listing | 6 | 11 | Nextcloud | 3 |
| Weak Password Recovery Mechanism for Forgotten Password | 8 | 10 | Wakatime | 3 |
| Insecure Storage of Sensitive Information | 6 | 10 | Mailru | 3 |
| Modification of Assumed-Immutable Data (MAID) | 4 | 10 | Nodejs-ecosystem | 7 |
| Misconfiguration | 8 | 10 | Line | 3 |
| HTTP Response Splitting | 7 | 9 | Brave | 2 |
| Resource Injection | 9 | 9 | Owncloud | 1 |
| Remote File Inclusion | 7 | 8 | Mailru | 2 |
| Use of Hard-coded Credentials | 7 | 8 | Starbucks | 2 |
| Session Fixation | 6 | 8 | Legalrobot | 2 |
| Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | 7 | 8 | Hackerone | 2 |
| Weak Cryptography for Passwords | 5 | 7 | Weblate | 2 |
| Array Index Underflow | 6 | 7 | Valve | 2 |
| Client-Side Enforcement of Server-Side Security | 5 | 7 | Newrelic | 3 |
| Unrestricted Upload of File with Dangerous Type | 5 | 7 | Visma | 2 |
| Insufficiently Protected Credentials | 6 | 6 | Mixmax | 1 |
| Password in Configuration File | 6 | 6 | Torproject | 1 |
| Missing Authentication for Critical Function | 4 | 6 | Paypal | 3 |
| Improper Null Termination | 4 | 5 | Ibb-php | 2 |
| Externally Controlled Reference to a Resource in Another Sphere | 3 | 5 | Mailru | 3 |
| Forced Browsing | 4 | 4 | Ubnt | 1 |
| Double Free | 4 | 4 | Shopify-scripts | 1 |
| Reliance on Cookies without Validation and Integrity Checking in a Security Decision | 4 | 4 | Cuvva | 1 |
| Integer Overflow | 4 | 4 | Ibb-python | 1 |
| Time-of-check Time-of-use (TOCTOU) Race Condition | 4 | 4 | Shopify | 1 |
| File and Directory Information Exposure | 4 | 4 | Solana-bbp | 1 |
| Authentication Bypass Using an Alternate Path or Channel | 4 | 4 | Gitlab | 1 |
| Use of a Key Past its Expiration Date | 3 | 3 | Ubnt | 1 |
| Write-what-where Condition | 3 | 3 | Shopify-scripts | 1 |
| Use of a Broken or Risky Cryptographic Algorithm | 3 | 3 | Hackerone | 1 |
| Integer Underflow | 3 | 3 | Ibb-perl | 1 |
| Information Exposure Through Sent Data | 3 | 3 | Chaturbate | 1 |
| Buffer Underflow | 2 | 3 | Ibb-php | 2 |
| Plaintext Storage of a Password | 3 | 3 | Midpoint_h1c | 1 |
| Reliance on Untrusted Inputs in a Security Decision | 3 | 3 | Datastax | 1 |
| Incorrect Authorization | 3 | 3 | Stripo | 1 |
| LDAP Injection | 2 | 3 | Nodejs-ecosystem | 2 |
| Allocation of Resources Without Limits or Throttling | 2 | 3 | Solana-bbp | 2 |
| Missing Required Cryptographic Step | 2 | 2 | Phabricator | 1 |
| Inadequate Encryption Strength | 2 | 2 | Weblate | 1 |
| Use of Inherently Dangerous Function | 2 | 2 | Brave | 1 |
| Reusing a Nonce, Key Pair in Encryption | 2 | 2 | Internet | 1 |
| Missing Encryption of Sensitive Data | 2 | 2 | Cloudflare | 1 |
| Type Confusion | 2 | 2 | Coinbase | 1 |
| Improper Neutralization of HTTP Headers for Scripting Syntax | 2 | 2 | Weblate | 1 |
| Execution with Unnecessary Privileges | 1 | 2 | Evernote | 2 |
| Malware | 1 | 2 | Valve | 2 |
| Unverified Password Change | 2 | 2 | Khanacademy | 1 |
| Improper Check or Handling of Exceptional Conditions | 1 | 2 | Innogames | 2 |
| Improper Privilege Management | 2 | 2 | Nextcloud | 1 |
| Missing Authorization | 2 | 2 | Visma | 1 |
| User Interface (UI) Misrepresentation of Critical Information | 2 | 2 | Mailru | 1 |
| Incorrect Calculation of Buffer Size | 1 | 1 | Legalrobot | 1 |
| Key Exchange without Entity Authentication | 1 | 1 | Semrush | 1 |
| Buffer Under-read | 1 | 1 | Ruby | 1 |
| Use of Externally-Controlled Format String | 1 | 1 | Ubnt | 1 |
| Reliance on Reverse DNS Resolution for a Security-Critical Action | 1 | 1 | Shipt | 1 |
| Improper Handling of Insufficient Permissions or Privileges | 1 | 1 | Razer | 1 |
| Use of Hard-coded Cryptographic Key | 1 | 1 | Slack | 1 |
| Exposed Dangerous Method or Function | 1 | 1 | Stripo | 1 |
| Security Through Obscurity | 1 | 1 | Twitter | 1 |
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 1 | 1 | Hannob | 1 |
| Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | 1 | 1 | Grammarly | 1 |
| Improper Handling of URL Encoding (Hex Encoding) | 1 | 1 | Razer | 1 |
| XML Injection | 1 | 1 | Topcoder | 1 |
| Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) | 1 | 1 | Zomato | 1 |
| Use of Hard-coded Password | 1 | 1 | Deptofdefense | 1 |
| Improper Export of Android Application Components | 1 | 1 | Tiktok | 1 |
| Download of Code Without Integrity Check | 1 | 1 | Yelp | 1 |
| Storing Passwords in a Recoverable Format | 1 | 1 | Upchieve | 1 |
| Off-by-one Error | 1 | 1 | Security | 1 |
| External Control of Critical State Data | 1 | 1 | Mtn_group | 1 |
| Incorrect Permission Assignment for Critical Resource | 1 | 1 | Shopify | 1 |