Practise like a pro Browse publicly disclosed writeups from HackerOne sorted by vulnerability type. Discover which vulnerabilities are most commonly found on which programs to help aid you in your hunt.
7889
total disclosed
$5,371,461
total publicly paid out
Most Disclosed
-
bobrov91 disclosed -
sp1d3rs56 disclosed -
jobert50 disclosed -
jon_bottarini48 disclosed -
netfuzzer42 disclosed -
japz41 disclosed -
edoverflow41 disclosed -
skavans41 disclosed -
bigbear_38 disclosed -
geeknik38 disclosed
Programs that disclosure
Mailru542 disclosed 
Hackerone388 disclosed 
Shopify308 disclosed 
Deptofdefense220 disclosed 
Nextcloud209 disclosed Twitter206 disclosed
Nodejs-ecosystem193 disclosed
Newrelic184 disclosed
Uber175 disclosed 
Shopify-scripts157 disclosed
Top Bounties
- Makerdao_bbp rewarded Steal ALL collateral during liquidation by exploiting lack of validation in `flip.kick` with a $50,000 bounty!
- Makerdao_bbp rewarded Steal collateral during `end` process, by earning DSR interest after `flow`. with a $25,000 bounty!
- Valve rewarded SQL Injection in report_xml.php through countryFilter[] parameter with a $25,000 bounty!
- Internet rewarded Key Reinstallation Attacks: Breaking WPA2 by forcing nonce reuse with a $25,000 bounty!
- Shopify rewarded SSRF in Exchange leads to ROOT access in all instances with a $25,000 bounty!
- Shopify rewarded Email Confirmation Bypass in your-store.myshopify.com which leads to privilege escalation with a $22,500 bounty!
- Shopify rewarded Takeover an account that doesn't have a Shopify ID and more with a $22,500 bounty!
- Coinbase rewarded ETH contract handling errors with a $21,000 bounty!
- Coinbase rewarded ETH contract handling errors with a $21,000 bounty!
- Twitter rewarded Potential pre-auth RCE on Twitter VPN with a $20,160 bounty!
- Twitter rewarded Potential pre-auth RCE on Twitter VPN with a $20,160 bounty!
- Hackerone rewarded Account takeover via leaked session cookie with a $20,000 bounty!
- Paypal rewarded Bypass for #488147 enables stored XSS on https://paypal.com/signin again with a $20,000 bounty!
- Hackerone rewarded Confidential data of users and limited metadata of programs and reports accessible via GraphQL with a $20,000 bounty!
- Valve rewarded Getting all the CD keys of any game with a $20,000 bounty!
- Valve rewarded Getting all the CD keys of any game with a $20,000 bounty!
- Shopify rewarded Shopify admin authentication bypass using partners.shopify.com with a $20,000 bounty!
- Hackerone rewarded Account takeover via leaked session cookie with a $20,000 bounty!
- Paypal rewarded Bypass for #488147 enables stored XSS on https://paypal.com/signin again with a $20,000 bounty!
- Gitlab rewarded Arbitrary file read via the UploadsRewriter when moving and issue with a $20,000 bounty!
Recently Disclosed
- $100 Bugpoc Solution for XSS challenge wacky.buggywebsite.com
- Nodejs-ecosystem [systeminformation] Command Injection via insecure command formatting
- Bugpoc Reflected XSS at wacky.buggywebsite.com/frame.html
- Nextcloud Improper access control to messages of Social app
- $200 Cs_money Content Spoofing/Text Injection in https://support.cs.money and JS file not minified and uglyfied which makes it clearly readable
- Deptofdefense SharePoint Web Services Exposed to Anonymous Access
- Deptofdefense SharePoint Web Services Exposed to Anonymous Access
- Mailru Information Disclosure
- $400 Mailru lenta_proxy information disclosure
- Deptofdefense View another user information with IDOR vulnerability
- Deptofdefense Apparent ██████████ website is publicly exposed, suggests default account details on page and has expired SSL/TLS cert
- Deptofdefense {███} It is posible download all information and files via S3 Bucket Misconfiguration
- Deptofdefense Unauthenticated Arbitrary File Deletion "CVE-2020-3187" in █████
- Deptofdefense Local File Inclusion In Registration Page
- Deptofdefense CORS misconfiguration which leads to the disclosure