| Title | Weakness | Reporter | Severity | Disclosed |
|---|---|---|---|---|
| Blind Stored XSS in HackerOne's Sal 4.1.4.2149 (sal.████.com) | Cross-site Scripting (XSS) - Stored | nahamsec | None | 2020-11-09 |
| Getting New Invitations without Leaving Programs | Business Logic Errors | mygf | Low | 2020-10-16 |
| 2020-10-09 Credential Stuffing Attack | None supplied | jobert | No rating | 2020-10-13 |
| Making program preference -> program visibility feature useless and disclosing API Identifier in the process and data that may cause potential IDORs | Information Disclosure | spongebhav | Low | 2020-10-02 |
| Reflected XSS on www.hackerone.com via Wistia embed code | Cross-site Scripting (XSS) - Reflected | vakzz | Low | 2020-09-24 |
| Team object in GraphQL disclosed private_comment | Information Disclosure | haxta4ok00 | Medium | 2020-09-10 |
| Graphql: Sorting the reports by jira_status field resulted in a different value | Improper Access Control - Generic | 0619 | Low | 2020-08-27 |
| Recently added 'Country' field doesn't send email notification when changed | Violation of Secure Design Principles | bugra | Low | 2020-08-25 |
| Pentester can obtain information about other pentesters who applied for the same test, but weren't accepted | Information Disclosure | haxta4ok00 | Low | 2020-08-24 |
| GraphQL field on Team node can be used to determine if External Program runs invite-only program | Information Disclosure | kunal94 | Medium | 2020-07-25 |
| SAML Response Reuse on hackerone.com/users/saml/auth | Improper Authentication - Generic | samtink | Low | 2020-07-24 |
| Near to Infinite loop when changing Group's name that has API token as Team Member | None supplied | lucenaxpl0it | Medium | 2020-07-23 |
| Uploading large payload on domain instructions causes server-side DoS | Denial of Service | one- | Medium | 2020-06-20 |
| Attacker may be able to bounce enough emails which suspend HackerOne's SES service and cause a DoS of HackerOne's email service | Denial of Service | iamr0000t | Medium | 2020-06-12 |
| Login CSRF vulnerability on hackerone.com | Cross-Site Request Forgery (CSRF) | what_web | Low | 2020-06-12 |
| Unauthorized access to metadata of undisclosed reports that were retested | Information Disclosure | msdian7 | Medium | 2020-06-05 |
| Attacker with an Old account might still be able to DoS ctf.hacker101.com by sending a Crafted request | Denial of Service | iamr0000t | Low | 2020-05-25 |
| Disclosure of the name of a program that has a private part with an external link | Information Disclosure | haxta4ok00 | Low | 2020-05-22 |
| 404-response contains debug-information with all headers | Information Exposure Through Debug Information | p4fg | Low | 2020-05-16 |
| Subdomain takeover of resources.hackerone.com | None supplied | amans | Low | 2020-05-15 |
| Rounding errors on rewarding a bounty leads to bypassing the 20% H1 commission fee | Business Logic Errors | haxta4ok00 | Low | 2020-05-15 |
| Changes to data in a CVE request after draft via GraphQL query | Modification of Assumed-Immutable Data (MAID) | haxta4ok00 | Low | 2020-05-15 |
| A team member of the program with Report rights can ban the Admin | Business Logic Errors | haxta4ok00 | Low | 2020-05-15 |
| Customer private program can disclose the email of any user through invites via username | Information Disclosure | haxta4ok00 | High | 2020-05-15 |
| GraphQL node interface for ActiveResource models lacks encoding for resource identifier, enabling parameter injection in Payments backend | Information Disclosure | jobert | Medium | 2020-05-11 |
| Reflected XSS on www.hackerone.com and resources.hackerone.com | Cross-site Scripting (XSS) - Reflected | todayisnew | Low | 2020-05-05 |
| Potential stored Cross-Site Scripting vulnerability in Support Backend | Cross-site Scripting (XSS) - Stored | jobert | Medium | 2020-05-04 |
| Read-only team members can read all properties of webhooks | Improper Access Control - Generic | bencode | Low | 2020-04-29 |
| An invite-only program's submission state is accessible to users no longer part of the program | Information Disclosure | d4rk_g1rl | Low | 2020-04-22 |
| program_analytics_benchmarks query shows information not visible in public | Information Disclosure | qw3ty | Low | 2020-03-27 |
| profile-picture name parameter with large value leads to DoS for other users and programs on the platform | Denial of Service | red_assassin | Medium | 2020-03-25 |
| Race Condition leads to undeletable group member | Time-of-check Time-of-use (TOCTOU) Race Condition | yashrs | Low | 2020-03-20 |
| Unauthenticated users can obtain information about Checklist objects with unclaimed ChecklistCheck objects | Improper Access Control - Generic | jobert | Medium | 2020-03-20 |
| Disabled account can still use GraphQL endpoint | Improper Access Control - Generic | tolo7010 | Low | 2020-03-12 |
| HackerOne Pentesters can access any structured scope object through GraphQL node interface | Improper Access Control - Generic | jobert | High | 2020-03-11 |
| Total Bounty Paid can be disclosed | Information Disclosure | zrachessanasz | Low | 2020-02-28 |
| "Bounties paid in the last 90 days" discloses the undisclosed bounty amount in program statistics | Information Disclosure | japz | Low | 2020-02-21 |
| Email address of any user can be queried on Report Invitation GraphQL type when username is known | Improper Authorization | msdian7 | High | 2020-02-20 |
| Unauthorized user can obtain `report_sources` attribute through Team GraphQL object | Information Disclosure | haxta4ok00 | Medium | 2020-02-10 |
| How the Bug stole hacking | Insecure Direct Object Reference (IDOR) | the_arch_angel | None | 2019-12-20 |
| ActiveStorage throws exception when using whitespace as filename, may lead to denial of service of multiple pages | Denial of Service | ninetynine | Medium | 2019-12-13 |
| Account takeover via leaked session cookie | Improper Authentication - Generic | haxta4ok00 | High | 2019-12-03 |
| Disclosure of `payment_transactions` for programs via GraphQL query | Information Disclosure | msdian7 | Medium | 2019-12-01 |
| Team object in GraphQL discloses private programs via the industry | None supplied | haxta4ok00 | Low | 2019-11-23 |
| latest_activity_id and latest_activity_at may disclose information about internal activities to unauthorized users | Information Disclosure | egrep | Low | 2019-11-10 |
| Searching from Hacktivity returns hits for words in limited disclosure reports that are not visible | Information Disclosure | nathand | Medium | 2019-11-08 |
| Reporter, external users, collaborators can mark sent swag awarded to reporter as unsent | Insecure Direct Object Reference (IDOR) | jobert | Medium | 2019-10-25 |
| Any user with access to program can resume and suspend HackerOne Gateway | Insecure Direct Object Reference (IDOR) | jobert | Medium | 2019-10-21 |
| Private program disclosure via `vpn_suspended` GraphQL query | Information Disclosure | unknown_person | None | 2019-10-21 |
| Disclosure of report title in quick award payout email (no content mode) | Information Disclosure | kunal94 | Low | 2019-10-11 |
| Manipulate hacker profile and private program hacktivity to expose your name as a researcher who is actively submitting reports with resolved status | Information Disclosure | japz | Low | 2019-09-29 |
| [Bypass #645264] Report title disclosure despite the program's email notification setting being set to "No Content" | None supplied | japz | Low | 2019-09-09 |
| Private information exposed through GraphQL filters | Information Disclosure | reigertje | Medium | 2019-07-23 |
| Race Condition in Flag Submission | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | dropper | Low | 2019-07-22 |
| Team member with Program permission only can escalate to Admin permission | Privilege Escalation | metnew | Medium | 2019-06-26 |
| Password not checked when disabling 2FA on HackerOne | Violation of Secure Design Principles | tester1231233 | Low | 2019-06-08 |
| Account recovery text message is sending a wrong domain to users. | Business Logic Errors | lowkey-tech | Low | 2019-05-31 |
| Banned researcher gets email updates on a private program. | None supplied | fixit | No rating | 2019-05-18 |
| DOM Based XSS in www.hackerone.com via PostMessage (bypass of #398054) | Cross-site Scripting (XSS) - DOM | honoki | Low | 2019-05-04 |
| Discrepancy in hacker profile report count may reveal existence of a private program by publishing a report | Information Disclosure | haxta4ok00 | Medium | 2019-04-24 |
| Unreleased CTF Levels are Revealed on /group/user/ID1?user=USERID endpoint | Insecure Direct Object Reference (IDOR) | spaceraccoon | Low | 2019-04-23 |
| Emails of invited collaborators are disclosed in full in payload for report participants | Information Disclosure | flashdisk | Low | 2019-04-09 |
| Client-Side Race Condition using Marketo, allows sending user to data-protocol in Safari when form without onSuccess is submitted on www.hackerone.com | Business Logic Errors | fransrosen | Low | 2019-04-05 |
| DOM Based XSS in www.hackerone.com via PostMessage | Cross-site Scripting (XSS) - DOM | adac95 | Low | 2019-02-21 |
| Cross-site Scripting (XSS) on HackerOne careers page | Cross-site Scripting (XSS) - DOM | khoiasd | Low | 2019-02-18 |
| Confidential data of users and limited metadata of programs and reports accessible via GraphQL | Information Disclosure | yashrs | Critical | 2019-02-03 |
| Race condition in performing retest allows duplicated payments | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | cablej | Medium | 2018-12-27 |
| Denial of service via cache poisoning | Denial of Service | albinowax | Medium | 2018-12-22 |
| SQL injection in GraphQL endpoint through embedded_submission_form_uuid parameter | SQL Injection | jobert | Critical | 2018-11-30 |
| IE only: stored Cross-Site Scripting (XSS) vulnerability through Program Asset identifier | Cross-site Scripting (XSS) - Stored | dagruxxx | Medium | 2018-11-27 |
| Accidental Access to Programs Information via SAML Login | None supplied | npbhatter17 | Critical | 2018-11-14 |
| Self DOM-Based XSS in www.hackerone.com | Cross-site Scripting (XSS) - DOM | adac95 | Low | 2018-11-08 |
| Disclosure of top 10 vulnerability types for programs that haven't enabled the Insights feature | Information Disclosure | tolo7010 | Low | 2018-11-08 |
| Proper verification is not done before sending invitations to researchers for certain private programs with rules e.g. "Participants must be US-based" | Improper Access Control - Generic | ateek | Medium | 2018-11-07 |
| Hacker can bypass 2FA requirement and reporter blacklist through embedded submission form | Improper Authorization | japz | Medium | 2018-10-31 |
| Improper UUID validation results in bypass of #419896 | Improper Input Validation | popeax | High | 2018-10-26 |
| User with privilege to maintain External Programs can update certain churned HackerOne programs | Improper Authorization | haxta4ok00 | Low | 2018-10-25 |
| Unauthenticated user can upload an attachment to the last updated report draft | Improper Null Termination | jobert | High | 2018-10-10 |
| Internal usage of AdBlockPlus may expose PoC URLs to unknown third-parties | Information Disclosure | dudez | Low | 2018-08-17 |
| Private program policy page still accessible after user left the program | Information Disclosure | japz | Medium | 2018-08-12 |
| TeamProfile exposes partially sensitive information through GraphQL | Information Disclosure | amjamjamj | Low | 2018-08-09 |
| Content spoofing and potential Cross-Site Scripting vulnerability on www.hackerone.com | Cross-site Scripting (XSS) - Generic | suresh1c | Medium | 2018-08-04 |
| HackerOne customer submitted sensitive link to VirusTotal, exposing confidential information | Information Disclosure | mohammed__fayez | None | 2018-07-26 |
| Information leakage - Private reports cached by Google | Information Disclosure | tisisire | No rating | 2018-07-23 |
| Team object exposes amount of participants in a private program to non-invited users | Information Disclosure | kapytein | Medium | 2018-07-20 |
| Adding the same user who is already registered in the teams | None supplied | rbcafe | No rating | 2018-07-17 |
| CSRF at [Apply to this program] that leads to submitting your request automatically without any validation | Violation of Secure Design Principles | modam3r5 | Low | 2018-07-06 |
| Team object in GraphQL that has a published external program may expose existence of a private program | Information Disclosure | nismo | None | 2018-07-04 |
| Blind SSRF on errors.hackerone.net due to Sentry misconfiguration | Server-Side Request Forgery (SSRF) | ruvlol | Low | 2018-07-04 |
| Hacktivity of a private program visible to banned user if he gets invited to a program by hackbot | Improper Access Control - Generic | parth | Low | 2018-06-27 |
| Invalid Phabricator API token revealed through error message when escalating a report | Information Exposure Through an Error Message | bigbug | None | 2018-06-27 |
| User object in GraphQL exposes number of trial reports for External Programs that also have a Private Program | Information Disclosure | ashish_r_padelkar | None | 2018-06-27 |
| People who interviewed for HackerOne security analyst position can be enumerated and their personal email address may be exposed | Information Disclosure | r3naissance | Low | 2018-06-25 |
| Exposing hackerone users' personally identifiable information by abusing sandbox with swag reward enabled | Information Disclosure | japz | None | 2018-06-07 |
| Lack of cross-origin request blocking allows leaking of sensitive information on several endpoints | Information Disclosure | herrera | No rating | 2018-06-07 |
| HackerOne support disclosing report state without checking user identity | None supplied | amans | Low | 2018-06-02 |
| Private program email forwarding response invitation does not expire after first use. | Violation of Secure Design Principles | japz | High | 2018-05-30 |
| Team object in GraphQL disclosed total number of whitelisted hackers | Information Disclosure | haxta4ok00 | Medium | 2018-05-12 |
| Program metrics disclosed response_efficiency_percentage via /program_name json response despite the team deciding not to show it on their profile | Information Disclosure | japz | Medium | 2018-05-08 |
| Team object in GraphQL discloses team group names and permissions | Information Disclosure | haxta4ok00 | Medium | 2018-05-04 |
| Email Forwarding invitations for Drafts are not marked as accepted, allowing multiple users to join a program after disabling Email Forwarding | Business Logic Errors | d4rk_g1rl | Low | 2018-04-18 |
| Harvesting all private invites using leave program fast-tracked invitation and security@ email forwarding feature | Business Logic Errors | japz | Medium | 2018-04-18 |
| Unicorn worker pool exhaustion by continuously updating payout preferences | Denial of Service | blackni9ht | Medium | 2018-03-31 |
| Extra program metrics disclosed via /PROGRAM_NAME json response | Information Disclosure | yaworsk | Medium | 2018-03-28 |
| h1-202 leaderboard photo discloses local wifi password | Insufficiently Protected Credentials | 0x0g | Medium | 2018-03-25 |
| Leakage of badges on disabled user | Information Disclosure | e333jsjs7se | Low | 2018-03-15 |
| HTTP Parameter Pollution using semicolons in iframe element at hackerone.com/careers allows loading external Greenhouse forms | None supplied | kapytein | None | 2018-03-13 |
| Can read features from any user | Information Disclosure | firs0v | Medium | 2018-03-12 |
| Program profile_metrics.json contains time to triage for deptofdefense even though it's turned off | Information Disclosure | kunal94 | None | 2018-03-09 |
| Open Redirection in index.php page | Open Redirect | prashantkumar96 | None | 2018-03-07 |
| Information Disclosure which violates program privacy | Privacy Violation | eqbang | Low | 2018-02-20 |
| The request tells the number of private programs, the new system of authorization /invite/token | Information Disclosure | haxta4ok00 | Medium | 2018-02-14 |
| ImageMagick GIF coder vulnerability leading to memory disclosure | Information Disclosure | kunal94 | Low | 2018-02-07 |
| Reputation gain split by company can be used to track the existence of otherwise undisclosed reports | Information Disclosure | aidantwoods | Low | 2018-02-02 |
| Updating payout preference to CurrencyCloud doesn't notify user via email | Violation of Secure Design Principles | dr_dragon | None | 2018-01-31 |
| Domain spoofing in redirect page using RTLO | Open Redirect | ashish_r_padelkar | Low | 2018-01-30 |
| Markdown parsing issue enables insertion of malicious tags and event handlers | Cross-site Scripting (XSS) - Stored | dr_dragon | High | 2018-01-29 |
| While adding a payment method - Notification email not sent to newly added email ID as well as there is no verification for new email id (Paypal) | Violation of Secure Design Principles | us111 | Low | 2018-01-23 |
| Common response suggestion is sent to Google Analytics when user accepts duplicate comment Genius suggestion | Violation of Secure Design Principles | bigbug | Low | 2018-01-22 |
| Submitted reports state logs leakage | Information Disclosure | 666reda | Medium | 2018-01-19 |
| Invitation token leaks to https://bat.bing.com | Information Disclosure | zuriel | Low | 2018-01-11 |
| Partial disclosure of undisclosed programs through `<meta>` tags | Information Disclosure | bigbug | No rating | 2018-01-11 |
| Missing Password Confirmation at a Critical Function (Payout Method) | Violation of Secure Design Principles | hk755a | Medium | 2018-01-10 |
| Open redirect deceive in hackerone.com via another open redirect link. | Open Redirect | abidbaseer | Low | 2017-12-13 |
| Content Security Policy not applied to error pages at multiple HackerOne endpoints | Violation of Secure Design Principles | brad07 | Low | 2017-12-12 |
| Able To Check The Exact Bounty Balance of any Bug Bounty Program | Information Disclosure | cjlegacion | Medium | 2017-12-06 |
| Invalid Host detection at https://hackerone.com/redirect | Violation of Secure Design Principles | shailesh4594 | Low | 2017-12-03 |
| GraphQL sessions aren't immediately invalidated when user password is changed | Violation of Secure Design Principles | bigbug | No rating | 2017-11-30 |
| Query parameter reordering causes redirect page to render unsafe URL | Cross-site Scripting (XSS) - Reflected | kenziy | Medium | 2017-11-30 |
| Validation message in Bounty award endpoint can be used to determine program balances | Information Disclosure | cyriac | Medium | 2017-11-29 |
| IDOR on Program Visibility (Revealed / Concealed) against other team members | Insecure Direct Object Reference (IDOR) | japz | Medium | 2017-11-23 |
| Introspection query leaks sensitive graphql system information. | Violation of Secure Design Principles | zuriel | No rating | 2017-11-22 |
| Reverse Tabnabbing Vulnerability in Outgoing Links | None supplied | what94 | Medium | 2017-11-21 |
| Pending member invitations are not revoked on program name change | Information Disclosure | ashish_r_padelkar | None | 2017-11-18 |
| Issue with password change in Disabled Account | Violation of Secure Design Principles | clarckowen_ | Low | 2017-11-17 |
| Private Program all members disclosed | Information Disclosure | khalifah | No rating | 2017-11-16 |
| Additional bypass allows SSRF for internal netblocks | Server-Side Request Forgery (SSRF) | edoverflow | No rating | 2017-11-16 |
| Program profile metrics endpoint contains mean time to triage, even when turned off | Information Disclosure | flashdisk | Medium | 2017-11-14 |
| Blind SSRF in "Integrations" by abusing a bug in Ruby's native resolver. | Server-Side Request Forgery (SSRF) | edoverflow | No rating | 2017-11-09 |
| Private partial disclosure of h1 infrastructure | Information Disclosure | exadmin | None | 2017-11-03 |
| View Any Program's Team Members through GET https://hackerone.com/invitations/ | Information Disclosure | nickcas | Medium | 2017-11-01 |
| Search query text, including from potentially undisclosed reports, sent to Google Analytics on Inbox query page | Information Disclosure | holvonix-advay | None | 2017-11-01 |
| Adding or removing a new non-preferred payout method does not trigger an e-mail or account notification | Business Logic Errors | mohammed__fayez | Medium | 2017-11-01 |
| Report Private Links Leaks to Google Analytics via Query String Param | Information Disclosure | axolotl | Medium | 2017-10-26 |
| Homograph fix Bypass | Violation of Secure Design Principles | hk755a | Medium | 2017-10-16 |
| resolved bugs in a program are public despite the program settings | Information Disclosure | flashdisk | Low | 2017-10-14 |
| Lack of input sanitization in Marketo form leads to execution of HTML in lead emails | Server-Side Request Forgery (SSRF) | encrypt | No rating | 2017-10-03 |
| IDOR on HackerOne Feedback Review | Insecure Direct Object Reference (IDOR) | japz | Low | 2017-09-02 |
| HackerOne reports escalation to JIRA is CSRF vulnerable | Cross-Site Request Forgery (CSRF) | whhackersbr | Medium | 2017-08-30 |
| Stealing contact form data on www.hackerone.com using Marketo Forms XSS with postMessage frame-jumping and jQuery-JSONP | Violation of Secure Design Principles | fransrosen | No rating | 2017-08-29 |
| Missing Certificate Authority Authorization rule | Cryptographic Issues - Generic | ericlaw | No rating | 2017-08-17 |
| Reading redacted data via hackbot's answers | Information Disclosure | inhibitor181 | Medium | 2017-07-27 |
| Invitation tokens leak to Google Analytics | Information Disclosure | h33t | Low | 2017-07-16 |
| Insecure SHA1withRSA in b5s.hackerone-ext-content.com and a4l.hackerone-ext-content.com | Use of a Broken or Risky Cryptographic Algorithm | evanricafort | No rating | 2017-06-22 |
| Subdomain takeover #3 at info.hacker.one | Privilege Escalation | ak1t4 | Low | 2017-06-21 |
| Subdomain takeover #4 at info.hacker.one | Privilege Escalation | ak1t4 | Low | 2017-06-21 |
| A HackerOne employee's GitHub personal access token exposed in Travis CI build logs | Information Exposure Through an Error Message | sainaen | Medium | 2017-05-23 |
| www.hackerone.com website CSP "script-src" includes "unsafe-inline" | Violation of Secure Design Principles | rootkid | None | 2017-05-23 |
| Report invitation links not restricted to any existing user | Information Disclosure | japz | Low | 2017-05-23 |
| Changing Victim's JIRA Integration Settings Through Multiple Bugs | Business Logic Errors | whhackersbr | Medium | 2017-05-23 |
| Information leakage via CSV when content is valid JavaScript | Cross-Site Request Forgery (CSRF) | mikkocarreon | Low | 2017-05-23 |
| Race condition leads to duplicate payouts | Improper Access Control - Generic | jigarthakkar39 | Low | 2017-05-23 |
| WannaCrypt “Killswitch” | None supplied | malwaretech | No rating | 2017-05-13 |
| CRLF injection in info.hacker.one | CRLF Injection | thalaivarsubu | No rating | 2017-05-03 |
| Subdomain takeover #2 at info.hacker.one | Privilege Escalation | ak1t4 | Low | 2017-04-28 |
| Able to create basic user account via Google login on HackerOne Drupal CMS | Improper Authentication - Generic | ishahriyar | No rating | 2017-04-25 |
| HackerOne is still prone to Internet Explorer UXSS | Cross-Site Request Forgery (CSRF) | zombiehelp54 | No rating | 2017-04-19 |
| javascript: and mailto: links are allowed in JIRA integration settings | Violation of Secure Design Principles | jamesclyde | Low | 2017-04-10 |
| Example HackerOne security@ forward domain is not registered | Violation of Secure Design Principles | intidc | No rating | 2017-04-10 |
| Transitioning a Private Program to Public Does Not Clear Previously Private Updates to Hackers | Information Disclosure | 0xffe4 | Medium | 2017-04-05 |
| IE 11 Self-XSS on Jira Integration Preview Base Link | Cross-site Scripting (XSS) - Generic | ziot | Low | 2017-03-29 |
| Subdomain takeover at info.hacker.one | Privilege Escalation | ak1t4 | Low | 2017-03-27 |
| Limited Open redirection using SSO-SAML | Open Redirect | shailesh4594 | Low | 2017-03-26 |
| Google Analytics could be used as CSP bypass for data exfiltration on hackerone.com | Violation of Secure Design Principles | aaron_costello | Low | 2017-03-26 |
| Websites opened from reports can change url of report page | Open Redirect | devil13 | Medium | 2017-02-25 |
| Report redaction doesn't apply to report title update activities | Violation of Secure Design Principles | 1lastbr3ath | Low | 2017-02-25 |
| Disclose any user's private email through API | Information Disclosure | zombiehelp54 | Medium | 2017-02-24 |
| Information Disclosure in /skills call | Information Disclosure | deepankerchawla | Medium | 2017-01-05 |
| Bypass rate limiting on /users/password (possibly site-wide rate limit bypass?) | Violation of Secure Design Principles | zseano | None | 2016-12-08 |
| Internal attachments can be exported via "Export as .zip" feature | Information Disclosure | japz | High | 2016-11-30 |
| Partial disclosure of report activity through new "Export as .zip" feature | Information Disclosure | faisalahmed | High | 2016-11-29 |
| Researcher gets email updates on a private program after he/she quits that program. | Information Disclosure | sasi2103 | Low | 2016-11-21 |
| Information disclosure via policy update notifications after removal from program | Information Disclosure | staytuned | Low | 2016-10-29 |
| (HackerOne SSO-SAML) Login CSRF, Open Redirect, and Self-XSS Possible Exploitation | Cross-site Scripting (XSS) - Generic | whhackersbr | Low | 2016-10-27 |
| Possible CSRF during external programs | Cross-Site Request Forgery (CSRF) | malcolmx | Low | 2016-10-18 |
| Obtain the username & the uid of the one doing the S3 sync on Hackerone | Information Disclosure | rbcafe | No rating | 2016-10-03 |
| Hacker.One Subdomain Takeover | Violation of Secure Design Principles | geekboy | Low | 2016-09-20 |
| Ability to enumerate private programs using SAML | Information Disclosure | ayoubfathi | No rating | 2016-09-15 |
| Users' content on AWS is cacheable | Information Disclosure | abdullah | No rating | 2016-09-06 |
| Know undisclosed Bounty Amount when Bounty Statistics are enabled. | Information Disclosure | vijay_kumar | No rating | 2016-09-02 |
| Disclosure of external users invited to a specific report | Information Disclosure | kirils | No rating | 2016-09-01 |
| Non-secure requests are not automatically upgraded to HTTPS | None supplied | koenrh | No rating | 2016-08-19 |
| Requesting Mediation possible on reports that are too old for mediation | Privilege Escalation | troubleshooter | No rating | 2016-08-18 |
| Information leakage of private program | Information Disclosure | faisalahmed | No rating | 2016-08-18 |
| Ability to monitor reports' submission in real time | Privilege Escalation | saeedhashem | No rating | 2016-08-17 |
| Reward Money Leakage | Information Disclosure | xsserboiii | No rating | 2016-08-09 |
| Race Conditions in Popular reports feature. | Memory Corruption - Generic | shmoo | No rating | 2016-08-03 |
| Report title and issue information prepopulated | None supplied | yaworsk | No rating | 2016-07-16 |
| Possible CSRF during joining report as participant | Cross-Site Request Forgery (CSRF) | ehsahil | No rating | 2016-07-12 |
| Able to remove the admin access of my program | Violation of Secure Design Principles | pardeepbattu02 | No rating | 2016-07-06 |
| Unauthorized Team members viewing | Improper Authentication - Generic | temmyscript | No rating | 2016-07-02 |
| Manipulate report timeline activity by using null byte. | Violation of Secure Design Principles | siddiki | No rating | 2016-07-01 |
| Web Authentication Endpoint Credentials Brute-Force Vulnerability | Improper Authentication - Generic | arneswinnen | No rating | 2016-06-24 |
| Old titles are not hidden in reports with limited disclosure | Information Disclosure | jthetechguy | No rating | 2016-06-22 |
| Hackerone Email Addresses Enumeration | Information Disclosure | eronx | No rating | 2016-06-18 |
| RCE in profile picture upload | Code Injection | c666a323be94d57 | No rating | 2016-06-08 |
| Denial of service in report view. | Denial of Service | apok | No rating | 2016-05-28 |
| Content Spoofing via reports | Violation of Secure Design Principles | testoid | No rating | 2016-05-25 |
| URL Crashing browser. {Tested on firefox, Chrome and Safari} | Denial of Service | avicoder_ | No rating | 2016-05-25 |
| Redirection Page throwing error instead of redirecting to site | Violation of Secure Design Principles | mafia | No rating | 2016-05-25 |
| DOS Report FILE html inside `<code>` in markdown | Denial of Service | pisarenko | No rating | 2016-05-21 |
| HackerOne Important Emails Notification are sent in clear-text | Improper Authentication - Generic | ala_arfaoui | No rating | 2016-05-19 |
| LinkedIN URL should be HTTPS | None supplied | teo | No rating | 2016-05-18 |
| Inadequate access controls in "Vote" functionality??? | Privilege Escalation | apok | No rating | 2016-05-12 |
| Spamming any user from Reset Password Function | Violation of Secure Design Principles | coolboss | No rating | 2016-05-03 |
| SECURITY: Referencing previous Reports attachment_IDs on new Reports via Draft_Sync DELETES Attachments | Violation of Secure Design Principles | nismo | No rating | 2016-04-30 |
| New hacktivity view discloses report IDs of non-public reports | None supplied | ayoubfathi | No rating | 2016-04-26 |
| Race Conditions Exist When Accepting Invitations | Violation of Secure Design Principles | yaworsk | No rating | 2016-04-26 |
| Reflected File Download | Violation of Secure Design Principles | 0xdeadpool | No rating | 2016-04-25 |
| Mediation link can be accepted by other users | Improper Authentication - Generic | kirkj | No rating | 2016-04-25 |
| CSV Injection via the CSV export feature | Command Injection - Generic | stewie | No rating | 2016-04-25 |
| Signals get affected once reports closed as self | Violation of Secure Design Principles | kpr | No rating | 2016-04-25 |
| Reflected Filename Download | Code Injection | dsopas | No rating | 2016-04-25 |
| Add text to the title of the page "Thanks" | Violation of Secure Design Principles | ragnar | No rating | 2016-04-25 |
| All Active user sessions should be deleted when user changes his password! | Violation of Secure Design Principles | faisalahmed | No rating | 2016-04-25 |
| Distinguish EP+Private vs Private programs in HackerOne | Information Disclosure | nismo | No rating | 2016-04-25 |
| Increase number of bugs by sending duplicate of your own valid report | Violation of Secure Design Principles | ashish_r_padelkar | No rating | 2016-04-25 |
| Accepting Invalid characters on email address | Violation of Secure Design Principles | siddiki | No rating | 2016-04-25 |
| Internal bounty and swag details disclosed as part of JSON response | Information Disclosure | techguynoob | No rating | 2016-04-25 |
| Possible XSS | Cross-site Scripting (XSS) - Generic | paulos_ | No rating | 2016-04-22 |
| Abusing HOF rankings in limited circumstances | Violation of Secure Design Principles | ashish_r_padelkar | No rating | 2016-04-22 |
| Websites opened from reports can change url of report page | Cross-Site Request Forgery (CSRF) | cablej | No rating | 2016-04-21 |
| Multiple issues with Markdown and URL parsing | Violation of Secure Design Principles | pisarenko | No rating | 2016-04-21 |
| Deleted name still present via mouseover functionality for user accounts | Information Disclosure | meals | No rating | 2016-04-21 |
| User with Read-Only permissions can manually publicly disclose the report | Violation of Secure Design Principles | techguynoob | No rating | 2016-04-21 |
| Reputation Manipulation (Theoretical) | Violation of Secure Design Principles | paulos_ | No rating | 2016-04-20 |
| New hacktivity view discloses report IDs of non-public reports | Violation of Secure Design Principles | paresh_parmar | No rating | 2016-04-05 |
| AWS S3 bucket writeable for authenticated aws users | Improper Authentication - Generic | yaworsk | No rating | 2016-04-05 |
| External links should use rel="noopener" or use the redirect service | Open Redirect | lukasreschke | No rating | 2016-04-05 |
| Putting link inside link in markdown | Denial of Service | pikachu | No rating | 2016-04-02 |
| External programs revealing info | Improper Authentication - Generic | 1337coder | No rating | 2016-04-01 |
| User with Read-Only permissions can edit the SwagAwarded Activities on Bug Reports | Privilege Escalation | techguynoob | No rating | 2016-04-01 |
| User with Read-Only permissions can edit the Internal comment Activities on Bug Reports after the team access permissions are revoked | Privilege Escalation | techguynoob | No rating | 2016-04-01 |
| Disclosure of private programs that have an "external" page on HackerOne | Information Disclosure | saeedhashem | No rating | 2016-04-01 |
| Email Address Leak | Information Disclosure | mikkz | No rating | 2016-03-31 |
| Sending emails (via HackerOne) impersonating other users | Violation of Secure Design Principles | anshuman_bh | No rating | 2016-03-18 |
| Private program activity timeline information disclosure | Improper Authentication - Generic | charfe | No rating | |
2016-03-16 |
| Edit Auto Response Messages |
Violation of Secure Design Principles |
rohk |
No rating |
2016-03-15 |
| Denial of Service any Report |
Denial of Service |
cyberunit |
No rating |
2016-03-10 |
| Private Program Disclosure in /:handle/settings/allow_report_submission.json endpoint |
Information Disclosure |
charfee |
No rating |
2016-02-25 |
| Interstitial redirect bypass / open redirect in https://hackerone.com/zendesk_session |
Open Redirect |
zombiehelp54 |
No rating |
2016-02-24 |
| Unintended HTML inclusion as a result of https://hackerone.com/reports/110578 |
None supplied |
yaworsk |
No rating |
2016-02-24 |
| Null byte injection |
None supplied |
zombiehelp54 |
No rating |
2016-02-23 |
| Requesting unknown file type returns Ruby object w/ address |
Information Disclosure |
run |
No rating |
2016-02-19 |
| User with Read-Only permissions can request/approve public disclosure |
Violation of Secure Design Principles |
aboukir |
No rating |
2016-02-19 |
| CSV Injection via the CSV export feature |
Command Injection - Generic |
zombiehelp54 |
No rating |
2016-02-16 |
| Private Program Disclosure in /:handle/reports/draft.json endpoint |
Improper Authentication - Generic |
charfe |
No rating |
2016-02-16 |
| attack in not an authorized user |
Denial of Service |
pisarenko |
No rating |
2016-02-16 |
| Team Member(s) associated with a Group have Read-only permission (Post internal comments) can post comment to all the participants |
Privilege Escalation |
dz_samir |
No rating |
2016-01-27 |
| HTML injection can lead to data theft |
Violation of Secure Design Principles |
intidc |
No rating |
2016-01-26 |
| Know whether private program for company exist or not |
Information Disclosure |
ashish_r_padelkar |
No rating |
2016-01-15 |
| Improve signals in reputation |
Violation of Secure Design Principles |
ashish_r_padelkar |
No rating |
2016-01-07 |
| CSRF possible when SOP Bypass/UXSS is available |
Cross-Site Request Forgery (CSRF) |
avlidienbrunn |
No rating |
2015-12-30 |
| Team Member███ associated with a Custom Group Created with 'Program Managment' only permissions can Comments on Bug Reports |
Improper Authentication - Generic |
h13- |
No rating |
2015-12-29 |
| Parameter pollution in social sharing buttons |
Violation of Secure Design Principles |
goro |
No rating |
2015-12-19 |
| HackerOne Private Programs users disclosure and de-anonymous-ize |
Information Disclosure |
symbiansymoh |
No rating |
2015-12-08 |
| profile cover can also load external URL's |
Violation of Secure Design Principles |
smiegles |
No rating |
2015-12-02 |
| HTTP header injection in info.hackerone.com allows setting cookies for hackerone.com |
None supplied |
harisec |
No rating |
2015-12-02 |
| Limited CSRF bypass. |
Cross-Site Request Forgery (CSRF) |
defmax |
No rating |
2015-12-02 |
| Pre-generation of 2FA secret/backup codes seems like an unnecessary risk |
None supplied |
danlec |
No rating |
2015-12-02 |
| Hackerone impersonation |
None supplied |
abhisheksingh |
No rating |
2015-12-02 |
| Cross-domain AJAX request |
Open Redirect |
ragnar |
No rating |
2015-11-14 |
| Send AJAX request to external domain |
Cross-site Scripting (XSS) - Generic |
r0x33d |
No rating |
2015-11-14 |
| Content spoofing on invitations page |
None supplied |
rohan_x3 |
No rating |
2015-10-21 |
| Minimum bounty of a private program is visible for users that were removed from the program |
Information Disclosure |
coolboss |
No rating |
2015-10-21 |
| Minor Bug: Public un-compiled CSS with original sass, versioning, source map, comments, etc. |
Information Disclosure |
ericr |
No rating |
2015-09-25 |
| CSV Injection with the CVS export feature |
Command Injection - Generic |
appsec3 |
No rating |
2015-09-22 |
| Weak HSTS age in support hackerone site |
Violation of Secure Design Principles |
codequick |
No rating |
2015-09-18 |
| Private Program and bounty details disclosed as part of JSON search response |
Improper Authentication - Generic |
techguynoob |
No rating |
2015-08-31 |
| Gain reputation by creating a duplicate of an existing report |
Violation of Secure Design Principles |
huzaifa_jawaid |
No rating |
2015-08-14 |
| Number of invited researchers disclosed as part of JSON search response |
Information Disclosure |
jessescitech |
No rating |
2015-08-05 |
| Logical Issue (Boosting Reputation points) |
None supplied |
coolboss |
No rating |
2015-07-21 |
| Accessing title of the report of which you are marked as duplicate |
Improper Authentication - Generic |
mafia |
No rating |
2015-07-17 |
| Invitation is not properly cancelled while inviting to bug reports. |
Improper Authentication - Generic |
batman |
No rating |
2015-07-10 |
| In markdown, parsing things like @danlec and #46072 after links is unsafe |
None supplied |
danlec |
No rating |
2015-07-04 |
| Markdown code block sequence makes report unreadable |
None supplied |
danlec |
No rating |
2015-06-29 |
| Email Notification should be get while changing Paypal Email |
Improper Authentication - Generic |
mvcdabra |
No rating |
2015-06-20 |
| Open redirect in "Language change". |
Open Redirect |
seifelsallamy |
No rating |
2015-06-19 |
| mailto: link injection on https://hackerone.com/directory |
Violation of Secure Design Principles |
ashesh |
No rating |
2015-06-10 |
| Potential denial of service in hackerone.com/<program>/reward_settings |
Denial of Service |
ashesh |
No rating |
2015-06-10 |
| Flawed account creation process allows registration of usernames corresponding to existing file names |
None supplied |
robots-txt |
No rating |
2015-06-08 |
| Report title autocompletion |
Information Disclosure |
janpaul123 |
No rating |
2015-06-08 |
| SPF whitelist of mandrill leads to email forgery |
Improper Authentication - Generic |
mikebrooks |
No rating |
2015-06-08 |
| Reopen Disable Accounts/ Hidden Access After Disable |
Improper Authentication - Generic |
antrax |
No rating |
2015-06-08 |
| Privilege escalation..., or not?! |
Violation of Secure Design Principles |
tomvg |
No rating |
2015-06-08 |
| Logic error with notifications: user that has left team continues to receive notifications and can not 'clean' this area on account |
Violation of Secure Design Principles |
brdoors2 |
No rating |
2015-06-04 |
| External URL page bypass |
None supplied |
danielchatfield |
No rating |
2015-05-28 |
| Logical issues with account settings |
Violation of Secure Design Principles |
introvertmac |
No rating |
2015-05-28 |
| Email spoofing |
Violation of Secure Design Principles |
introvertmac |
No rating |
2015-05-28 |
| Autocomplete enabled in Paypal preferences |
Violation of Secure Design Principles |
xtross1 |
No rating |
2015-05-28 |
| RTL override symbol not stripped from file names |
Violation of Secure Design Principles |
mathias |
No rating |
2015-05-28 |
| Issue with remember_user_token |
Violation of Secure Design Principles |
dawidczagan |
No rating |
2015-05-28 |
| PNG compression DoS |
Denial of Service |
dutchgraa |
No rating |
2015-05-28 |
| Issue with password change |
Violation of Secure Design Principles |
dawidczagan |
No rating |
2015-05-28 |
| javascript: and mailto: links are allowed on users' profiles |
Cross-site Scripting (XSS) - Generic |
tectonic |
No rating |
2015-05-13 |
| Content Spoofing - External Link Warning Page |
Violation of Secure Design Principles |
vagg-a-bond |
No rating |
2015-05-11 |
| Fake URL + Additional vectors for homograph attack |
Violation of Secure Design Principles |
r0x33d |
No rating |
2015-05-09 |
| Making any Report Failed to load |
Denial of Service |
atom |
No rating |
2015-05-09 |
| Homograph Attack |
Open Redirect |
atom |
No rating |
2015-05-09 |
| Enumeration/Guess of Private (Invited) Programs |
Violation of Secure Design Principles |
prakharprasad |
No rating |
2015-05-09 |
| Homograph attack |
Violation of Secure Design Principles |
filedescriptor |
No rating |
2015-05-09 |
| (lack of) smtp transport layer security |
Cryptographic Issues - Generic |
leander |
No rating |
2015-05-05 |
| Homograph attack |
Violation of Secure Design Principles |
r0x33d |
No rating |
2015-05-03 |
| Marking notifications as read CSRF bug |
Cross-Site Request Forgery (CSRF) |
redkan |
No rating |
2015-04-28 |
| Denial of Service |
Denial of Service |
coolboss |
No rating |
2015-04-28 |
| Anti-MIME-Sniffing header X-Content-Type-Options header has not been set. |
Violation of Secure Design Principles |
uname |
No rating |
2015-04-28 |
| Logic Issue with Reputation: Boost Reputation Points |
Violation of Secure Design Principles |
prakharprasad |
No rating |
2015-04-28 |
| Open-redirect on hackerone.com |
Open Redirect |
r0x33d |
No rating |
2015-04-23 |
| Missing spf flags for hackerone.com |
Cryptographic Issues - Generic |
d1pakda5 |
No rating |
2015-04-23 |
| Reflected File Download attack allows attacker to 'upload' executables to hackerone.com domain |
Command Injection - Generic |
rickypaipie |
No rating |
2015-04-16 |
| Markdown parsing issue enables insertion of malicious tags and event handlers |
Cross-site Scripting (XSS) - Generic |
danlec |
High |
2015-04-07 |
| Team member invitations to sandboxed teams are not invalidated consistently |
Improper Authentication - Generic |
mazengamal |
No rating |
2015-03-28 |
| Restrict any user from logging into his account. |
Improper Authentication - Generic |
siddiki |
No rating |
2015-03-24 |
| "learn more here", reward email - domain expired. |
Open Redirect |
smiegles |
No rating |
2015-03-23 |
| Improperly validated fields allows injection of arbitrary HTML via spoofed React objects |
Cross-site Scripting (XSS) - Generic |
danlec |
High |
2015-03-18 |
| Substantially weakened authenticity verification when using 'Remember me for a week' |
Cryptographic Issues - Generic |
guido |
No rating |
2015-03-12 |
| Auto Approval of Invitation to join Team as a Team member |
Violation of Secure Design Principles |
h122- |
No rating |
2015-03-11 |
| HTTPS is not enforced for objects stored by HackerOne on Amazon S3 |
Violation of Secure Design Principles |
srkgupta |
No rating |
2015-03-08 |
| Team member invitations to sandboxed teams are not invalidated consistently (v2) |
Privilege Escalation |
siddiki |
No rating |
2015-02-28 |
| CSP Bypass: Click handler for links with data-method="post" can cause authenticity_token to be sent off domain |
Cross-Site Request Forgery (CSRF) |
danlec |
No rating |
2015-02-26 |
| Insecure Direct Object Reference vulnerability |
Violation of Secure Design Principles |
anshuman_bh |
No rating |
2015-02-20 |
| Improper way of validating a program |
Cryptographic Issues - Generic |
atom |
No rating |
2015-02-04 |
| Vulnerability with the way \ escaped characters in <http://danlec.com> style links are rendered |
Cross-site Scripting (XSS) - Generic |
danlec |
High |
2015-02-03 |
| "early preview" programs disclosure |
Information Disclosure |
d4d1a179c0f3 |
No rating |
2015-01-21 |
| Breaking Bugs as team member |
Denial of Service |
melvin |
No rating |
2014-12-09 |
| File Name Enumeration |
Information Disclosure |
nahamsec |
No rating |
2014-11-17 |
| No email verification on username change |
Information Disclosure |
shahmeer-amir |
No rating |
2014-11-17 |
| Window Opener Property Bug |
None supplied |
prakharprasad |
No rating |
2014-10-29 |
| Redirect FILTER bypass in report/comment |
Open Redirect |
coolboss |
No rating |
2014-10-19 |
| Ability to see common response titles of other teams (limited) |
Information Disclosure |
prakharprasad |
No rating |
2014-10-15 |
| homograph attack. IDNs displayed in unicode in bug reports and on external link warning page |
Violation of Secure Design Principles |
mrrm |
No rating |
2014-10-09 |
| Enumeration of users |
Violation of Secure Design Principles |
dawidczagan |
No rating |
2014-10-03 |
| Password Reset Bug |
Violation of Secure Design Principles |
christypriory |
No rating |
2014-09-26 |
| Change Any username and profile link in hackerone |
Privilege Escalation |
looping |
No rating |
2014-09-26 |
| Redirect while opening links in new tabs |
Open Redirect |
thetime |
No rating |
2014-09-13 |
| Notification of previous signed out user leakage. |
Information Disclosure |
siddiki |
No rating |
2014-09-01 |
| Email changing |
None supplied |
djamel-ghorab |
No rating |
2014-08-28 |
| Account Hijacking (Only rare case scenario) |
Improper Authentication - Generic |
xtross1 |
No rating |
2014-08-23 |
| Category- Broken Authentication and Session Management (leads to account compromise if some conditions are met) |
Improper Authentication - Generic |
appsecure_in |
No rating |
2014-07-26 |
| No option to logout concurrent sessions |
None supplied |
ashesh |
No rating |
2014-07-18 |
| Account takeover |
Improper Authentication - Generic |
coolboss |
No rating |
2014-07-18 |
| Cache leads to Privacy leaks |
Improper Authentication - Generic |
ashesh |
No rating |
2014-07-18 |
| Session Hijacking attack (Different Scenario) |
Improper Authentication - Generic |
shahmeer-amir |
No rating |
2014-07-18 |
| Improper filtering of classes used in codeblocks in Markdown |
Cross-site Scripting (XSS) - Generic |
markijbema |
No rating |
2014-07-08 |
| Potential denial of service in hackerone.com/teams/new |
Denial of Service |
idps |
No rating |
2014-06-21 |
| Adding an user email address to the list before confirming. |
Violation of Secure Design Principles |
siddiki |
No rating |
2014-06-11 |
| Session not invalidated after password reset |
Violation of Secure Design Principles |
guido |
No rating |
2014-06-10 |
| harvesting attack on user registration |
None supplied |
niks |
No rating |
2014-05-19 |
| Flooding mailbox of user |
Violation of Secure Design Principles |
dawidczagan |
No rating |
2014-05-01 |
| Arbitrary file uploads to Amazon WS. |
Violation of Secure Design Principles |
leander |
No rating |
2014-04-27 |
| Criptographic Issue: Strisct Transport Security with not good max age..(TOO SHORT!) |
Cryptographic Issues - Generic |
simon90 |
No rating |
2014-04-22 |
| Securing sensitive pages from SearchBots |
Violation of Secure Design Principles |
siddiki |
No rating |
2014-04-20 |
| Weird Bug - Ability to see partial of other user's notification |
None supplied |
wcypierre |
No rating |
2014-04-19 |
| A password reset page does not properly validate the authenticity token at the server side. |
Cross-Site Request Forgery (CSRF) |
niks |
No rating |
2014-04-19 |
| Flawed account creation process allows registration of usernames corresponding to existing file names |
None supplied |
mortes |
No rating |
2014-04-19 |
| Session Management |
None supplied |
javidhussain21 |
No rating |
2014-04-19 |
| Session not expired on logout |
None supplied |
satishb3 |
No rating |
2014-04-19 |
| creating titleless and non-closable bugs |
None supplied |
leander |
No rating |
2014-04-17 |
| Control Characters Not Stripped From Username on Signup |
Violation of Secure Design Principles |
wkcaj |
No rating |
2014-03-11 |
| CSS leaks SCSS debug info |
Information Disclosure |
guido |
No rating |
2014-02-28 |
| Switching the user to the attacker's account |
Cross-Site Request Forgery (CSRF) |
dawidczagan |
No rating |
2014-02-20 |
| Improper session management |
Improper Authentication - Generic |
dawidczagan |
No rating |
2014-02-20 |
| Information disclosure (reset password token) and changing the user's password |
Cross-Site Request Forgery (CSRF) |
dawidczagan |
No rating |
2014-02-20 |
| Upload profile photo from URL |
Server-Side Request Forgery (SSRF) |
yeahyeah |
No rating |
2014-02-15 |
| DNS Misconfiguration |
None supplied |
szgru |
No rating |
2014-02-15 |
| Login page password-guessing attack |
None supplied |
gazly |
No rating |
2014-01-16 |
| CSRF login |
Cross-Site Request Forgery (CSRF) |
andrisatteka |
No rating |
2014-01-13 |
| Missing SPF for hackerone.com |
Violation of Secure Design Principles |
szgru |
No rating |
2014-01-09 |
| Broken Authentication and session management OWASP A2 |
Improper Authentication - Generic |
appsecure_in |
No rating |
2014-01-09 |
| DNS Cache Poisoning |
None supplied |
michael1026 |
No rating |
2014-01-09 |
| GIF flooding |
Denial of Service |
dutchgraa |
No rating |
2013-11-30 |
| Pixel flood attack |
Denial of Service |
dutchgraa |
No rating |
2013-11-30 |
| CSP not consistently applied |
Cross-site Scripting (XSS) - Generic |
janpaul123 |
No rating |
2013-11-30 |
| Real impersonation |
None supplied |
janpaul123 |
No rating |
2013-11-30 |