Browse publicly disclosed writeups from HackerOne sorted by vulnerability type. Discover which vulnerabilities are most commonly found on which programs to help aid you in your hunt.
12553 total disclosed
$8,079,287 total publicly paid out
Recently Disclosed
- $1000 Reflected XSS on https://www.uber.com
- No bounty Cookie Bombing cause DOS - businesses.uber.com
- $9000 RCE via npm misconfig -- installing internal libraries from the public registry
- No bounty AWS hosting bucket for Legal Robots set as public browse and list contents: s3://legalrobot
- $500 Subdomain Takeover Via unclaimed Heroku Instance tim-exclusive.shopify.com
- $200 SSRF allows reading AWS EC2 metadata using "readapi" variable in Streamlabs Cloudbot
- $500 DNS rebinding in --inspect (insufficient fix of CVE-2018-7160)
- No bounty information disclosure lead to disclose users private notes
- $200 Cookie poisoning leads to DOS and Privacy Violation
- No bounty Race Condition allows to get more free trials and get more than 100 languages and strings for free
- $6500 Arbitrary File Reading on Uber SSL VPN
- No bounty [usuppliers.uber.com] - Server Side Request Forgery via XXE OOB
- No bounty Uber employees are sharing information on productforums.google.com
- $250 Listing of email addresses of whitelisted business users visible at business.uber.com
- No bounty Disclosure of Co-Rider user (Uber-pooling) profile picture at Amazon AWS Cloudfront within HTTP RESPONSE
- $500 Outdated Wordpress installation and plugins at www.uberxgermany.com create CSRF and XSS vulnerabilities
- $500 Stored XSS on auth.uber.com/oauth/v2/authorize via redirect_uri parameter leads to Account Takeover
- No bounty stack trace exposed on https://receipts.uber.com/
- $500 Thumbor misconfiguration at blogapi.uber.com can lead to DoS
- No bounty Stealing app credentials by reflected xss on Lark Suite
- $500 Improper generating of access link at go.larksuite.com leads to access to other organizations/users' private data
- No bounty DNS Misconfiguration (Subdomain Takeover) █.staging.█.8x8.com
- No bounty DOM-based XSS in d.miwifi.com on IE 11
- No bounty CORS Misconfiguration, could lead to disclosure of users information
- No bounty External storage app saves password for all users in the database
- No bounty Reflected XSS when renaming a file with a vulnerable name which results in an error
- No bounty Acting under any different user via DB-stored credentials
- No bounty Memory Dump and Env Disclosure via Spring Boot Actuator
- No bounty Minor Account Privacy can Set to Everyone.
- No bounty Leaking Rockset API key on Github
- No bounty hackyholidays CTF Writeup
- No bounty Grinchs website takendown with various other exploits
- No bounty User with single department permission can view applicant list of all department's
- $50 Lack of session expiration after password reset on TikTok Careers Portal
- No bounty The password of a mail share is not set if the password is given when the share is created (Nextcloud < 18)
- No bounty Formula Injection vulnerability in CSV export feature
- No bounty Sensitive information of helpdesk is being leaked.
- No bounty Command injection in OptionParser.load
- $500 Ruby OpenSSL Library - IV Reuse in GCM Mode
- No bounty DRb denial of service vulnerability
- No bounty Inadequate Cryptographic Key Size and Insecure Cryptographic Mode. File Name :- curl_ntlm_core.c
- No bounty Proxy-Authorization header carried to a new host on a redirect
- No bounty GraphQL Query leads to sensitive information disclosure
- No bounty Disclosure of Merchant_id into the source code without entered OTP code leads to Victims MID takeover.
- No bounty Stored XSS in the banner block description
- No bounty [information disclosure] Validate existence of a private project.
- No bounty Clickjacking URLS
- No bounty Apple Pay cryptogram replay and amount tampering
- $500 Dangling cloud instance at vpn.inverselink.com
- No bounty HTML Injection + XSS Vulnerability - https://████████/ | Proof of Concept [PoC]
| Vulnerability Type | Programs | Disclosed |
|---|---|---|
| None supplied | 241 | 1346 |
| Information Disclosure | 207 | 1210 |
| Cross-site Scripting (XSS) - Generic | 134 | 943 |
| Violation of Secure Design Principles | 176 | 738 |
| Improper Authentication - Generic | 161 | 705 |
| Improper Access Control - Generic | 144 | 615 |
| Cross-site Scripting (XSS) - Reflected | 110 | 538 |
| Cross-site Scripting (XSS) - Stored | 113 | 505 |
| Cross-Site Request Forgery (CSRF) | 121 | 438 |
| Privilege Escalation | 132 | 422 |
| Business Logic Errors | 109 | 317 |
| Denial of Service | 86 | 315 |
| Insecure Direct Object Reference (IDOR) | 89 | 307 |
| Open Redirect | 122 | 298 |
| SQL Injection | 67 | 279 |
| Code Injection | 97 | 272 |
| Server-Side Request Forgery (SSRF) | 88 | 231 |
| Command Injection - Generic | 78 | 205 |
| Path Traversal | 54 | 199 |
| Cryptographic Issues - Generic | 82 | 169 |
| Memory Corruption - Generic | 46 | 161 |
| Cross-site Scripting (XSS) - DOM | 67 | 146 |
| Uncontrolled Resource Consumption | 36 | 140 |
| UI Redressing (Clickjacking) | 50 | 117 |
| Misconfiguration | 29 | 76 |
| HTTP Request Smuggling | 28 | 66 |
| Privacy Violation | 37 | 64 |
| Cleartext Storage of Sensitive Information | 35 | 63 |
| OS Command Injection | 29 | 59 |
| Improper Input Validation | 30 | 59 |
| CRLF Injection | 27 | 53 |
| Improper Authorization | 28 | 52 |
| Brute Force | 27 | 51 |
| Classic Buffer Overflow | 18 | 47 |
| Buffer Over-read | 14 | 45 |
| Use After Free | 13 | 44 |
| Heap Overflow | 16 | 42 |
| Deserialization of Untrusted Data | 26 | 40 |
| Cleartext Transmission of Sensitive Information | 21 | 40 |
| Improper Restriction of Authentication Attempts | 22 | 39 |
| Improper Certificate Validation | 15 | 38 |
| Insecure Storage of Sensitive Information | 19 | 37 |
| XML External Entities (XXE) | 21 | 34 |
| Insufficient Session Expiration | 27 | 34 |
| Phishing | 24 | 33 |
| Out-of-bounds Read | 9 | 32 |
| Information Exposure Through an Error Message | 24 | 31 |
| NULL Pointer Dereference | 12 | 31 |
| Resource Injection | 17 | 29 |
| Insufficiently Protected Credentials | 15 | 28 |
| Allocation of Resources Without Limits or Throttling | 7 | 28 |
| Information Exposure Through Debug Information | 19 | 26 |
| Stack Overflow | 11 | 24 |
| Information Exposure Through Directory Listing | 14 | 23 |
| Man-in-the-Middle | 15 | 22 |
| Insufficient Logging | 2 | 22 |
| Integer Overflow | 7 | 19 |
| Information Exposure Through Sent Data | 7 | 19 |
| HTTP Response Splitting | 11 | 17 |
| Client-Side Enforcement of Server-Side Security | 10 | 17 |
| Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | 13 | 17 |
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 12 | 17 |
| Authentication Bypass Using an Alternate Path or Channel | 13 | 17 |
| Time-of-check Time-of-use (TOCTOU) Race Condition | 12 | 16 |
| Remote File Inclusion | 12 | 14 |
| Session Fixation | 11 | 14 |
| Array Index Underflow | 11 | 14 |
| Modification of Assumed-Immutable Data (MAID) | 5 | 14 |
| Double Free | 5 | 13 |
| Use of a Broken or Risky Cryptographic Algorithm | 10 | 13 |
| Use of Hard-coded Credentials | 11 | 13 |
| Incorrect Authorization | 10 | 12 |
| Weak Cryptography for Passwords | 8 | 11 |
| Weak Password Recovery Mechanism for Forgotten Password | 9 | 11 |
| Externally Controlled Reference to a Resource in Another Sphere | 8 | 11 |
| Unrestricted Upload of File with Dangerous Type | 9 | 11 |
| Forced Browsing | 9 | 10 |
| Password in Configuration File | 9 | 10 |
| Missing Encryption of Sensitive Data | 10 | 10 |
| Authentication Bypass by Primary Weakness | 1 | 10 |
| Improper Null Termination | 8 | 9 |
| Missing Required Cryptographic Step | 5 | 8 |
| File and Directory Information Exposure | 8 | 8 |
| Use of Externally-Controlled Format String | 5 | 7 |
| Missing Authentication for Critical Function | 5 | 7 |
| Inadequate Encryption Strength | 6 | 6 |
| Reliance on Cookies without Validation and Integrity Checking in a Security Decision | 6 | 6 |
| Type Confusion | 4 | 6 |
| Plaintext Storage of a Password | 5 | 6 |
| Incorrect Calculation of Buffer Size | 5 | 5 |
| Buffer Underflow | 3 | 5 |
| Security Through Obscurity | 4 | 5 |
| Improper Check or Handling of Exceptional Conditions | 2 | 5 |
| Improper Privilege Management | 5 | 5 |
| Missing Authorization | 4 | 5 |
| User Interface (UI) Misrepresentation of Critical Information | 5 | 5 |
| Path Traversal: '.../...//' | 5 | 5 |
| Use of Insufficiently Random Values | 5 | 5 |
| LLM06: Sensitive Information Disclosure | 4 | 5 |
| Use of a Key Past its Expiration Date | 4 | 4 |
| Integer Underflow | 4 | 4 |
| Improper Neutralization of HTTP Headers for Scripting Syntax | 4 | 4 |
| Use of Hard-coded Cryptographic Key | 4 | 4 |
| Reliance on Untrusted Inputs in a Security Decision | 4 | 4 |
| Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | 4 | 4 |
| LDAP Injection | 2 | 4 |
| Off-by-one Error | 3 | 4 |
| Exposure of Data Element to Wrong Session | 1 | 4 |
| Authentication Bypass | 4 | 4 |
| Cache Poisoning | 2 | 4 |
| Write-what-where Condition | 3 | 3 |
| Use of Inherently Dangerous Function | 3 | 3 |
| Reusing a Nonce, Key Pair in Encryption | 3 | 3 |
| Improper Handling of Insufficient Permissions or Privileges | 3 | 3 |
| Execution with Unnecessary Privileges | 2 | 3 |
| Exposed Dangerous Method or Function | 2 | 3 |
| Improper Handling of URL Encoding (Hex Encoding) | 3 | 3 |
| XML Injection | 2 | 3 |
| Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) | 3 | 3 |
| Use of Hard-coded Password | 3 | 3 |
| Storing Passwords in a Recoverable Format | 3 | 3 |
| Expected Behavior Violation | 1 | 3 |
| Relative Path Traversal | 3 | 3 |
| Improper Validation of Certificate with Host Mismatch | 1 | 3 |
| External Control of File Name or Path | 1 | 3 |
| LLM01: Prompt Injection | 2 | 3 |
| Key Exchange without Entity Authentication | 2 | 2 |
| Buffer Under-read | 2 | 2 |
| Reliance on Reverse DNS Resolution for a Security-Critical Action | 2 | 2 |
| Malware | 1 | 2 |
| Unverified Password Change | 2 | 2 |
| External Control of Critical State Data | 2 | 2 |
| Incorrect Permission Assignment for Critical Resource | 2 | 2 |
| Improper Verification of Cryptographic Signature | 2 | 2 |
| Improper Neutralization of Value Delimiters | 1 | 2 |
| Improper Neutralization of Escape, Meta, or Control Sequences | 1 | 2 |
| Exposure of Sensitive Information Due to Incompatible Policies | 2 | 2 |
| Information Exposure Through Timing Discrepancy | 2 | 2 |
| Incorrect Privilege Assignment | 1 | 2 |
| Using Components with Known Vulnerabilities | 2 | 2 |
| Missing Critical Step in Authentication | 2 | 2 |
| Inclusion of Functionality from Untrusted Control Sphere | 2 | 2 |
| Cross-Site Scripting (XSS) | 2 | 2 |
| Insufficient Verification of Data Authenticity | 2 | 2 |
| Leftover Debug Code (Backdoor) | 2 | 2 |
| Insecure Temporary File | 1 | 2 |
| Improper Export of Android Application Components | 1 | 1 |
| Download of Code Without Integrity Check | 1 | 1 |
| Unchecked Error Condition | 1 | 1 |
| ASI05: Unexpected Code Execution (RCE) | 1 | 1 |
| Uncontrolled Recursion | 1 | 1 |
| Insertion of Sensitive Information into Log File | 1 | 1 |
| Incorrect Comparison | 1 | 1 |
| Improper Handling of Highly Compressed Data (Data Amplification) | 1 | 1 |
| Missing Release of Memory after Effective Lifetime | 1 | 1 |
| Reachable Assertion | 1 | 1 |
| Acceptance of Extraneous Untrusted Data With Trusted Data | 1 | 1 |
| Reversible One-Way Hash | 1 | 1 |
| Weak Password Requirements | 1 | 1 |
| Improper Handling of Exceptional Conditions | 1 | 1 |
| Improper Initialization | 1 | 1 |
| File Content Injection | 1 | 1 |
| Improper Handling of Unexpected Data Type | 1 | 1 |
| Improper Neutralization of Whitespace | 1 | 1 |
| Improper Validation of Syntactic Correctness of Input | 1 | 1 |
| Inclusion of Sensitive Information in an Include File | 1 | 1 |
| LLM05: Supply Chain Vulnerabilities | 1 | 1 |
| LLM04: Model Denial of Service | 1 | 1 |
| Improper Link Resolution Before File Access ('Link Following') | 1 | 1 |
| Loop with Unreachable Exit Condition ('Infinite Loop') | 1 | 1 |
| Improper Neutralization of Formula Elements in a CSV File | 1 | 1 |
| Origin Validation Error | 1 | 1 |
| Reusing Session IDs (aka Session Replay) | 1 | 1 |
| Integer Overflow to Buffer Overflow | 1 | 1 |
| Reflected XSS | 1 | 1 |
| File Manipulation | 1 | 1 |
| Leveraging Race Conditions | 1 | 1 |
| Free of Memory not on the Heap | 1 | 1 |
| Encoding Error | 1 | 1 |
| Misinterpretation of Input | 1 | 1 |
| Improper Resource Shutdown or Release | 1 | 1 |
| Improper Check for Certificate Revocation | 1 | 1 |
| Blind SQL Injection | 1 | 1 |
| Cleartext Storage in a File or on Disk | 1 | 1 |
| Content Spoofing | 1 | 1 |
| Inconsistency Between Implementation and Documented Design | 1 | 1 |
| Improper Synchronization | 1 | 1 |
| Use of Default Credentials | 1 | 1 |
| Path Traversal: 'dir\..\..\filename' | 1 | 1 |
| Use of Incorrectly-Resolved Name or Reference | 1 | 1 |
| Use of Cache Containing Sensitive Information | 1 | 1 |
| Improper Removal of Sensitive Information Before Storage or Transfer | 1 | 1 |
| PHP Local File Inclusion | 1 | 1 |
| Untrusted Search Path | 1 | 1 |
| Improper Following of a Certificate's Chain of Trust | 1 | 1 |
| Wrap-around Error | 1 | 1 |