| Leaked H1's Employees Email addresses,meeting info on private bug bounty program ████████ |
Information Disclosure |
superman85 |
Medium |
2021-11-08 |
| HackerOne Staging uses Production data for testing |
Privacy Violation |
tk0 |
Low |
2021-11-05 |
| User's who are banned from program can still be invited to the new reports as collaborators |
Business Logic Errors |
muon4 |
Low |
2021-09-22 |
| Used email confirmation link reveals the email address which is tied to it |
Information Disclosure |
muon4 |
None |
2021-09-22 |
| Hacker can bypass minimum bounty amount restrictions in "invitation preferences" setting via UpdateInvitationPreferencesMutation GraphQL operation |
Client-Side Enforcement of Server-Side Security |
frozensolid |
Low |
2021-09-20 |
| Disclosure handle private program with external link |
None supplied |
haxta4ok00 |
Medium |
2021-08-24 |
| Attachment object in GraphQL continues to grant access to files, even if they are removed from rendering |
Information Disclosure |
haxta4ok00 |
Medium |
2021-08-24 |
| Hackers can find out the ID of private programs |
Information Disclosure |
haxta4ok00 |
Low |
2021-08-24 |
| The possibility of disrupting the normal operation of frontend using markdown |
Denial of Service |
haxta4ok00 |
Low |
2021-08-24 |
| Hackers can reveal the names of private programs that have an external link and Enterprise Product Edition |
Information Disclosure |
haxta4ok00 |
Low |
2021-08-24 |
| Tab nabbing in Hackerone inbox. |
Open Redirect |
adhamsadaqah |
Low |
2021-08-09 |
| PII data Leakage through hackerone reports |
Information Disclosure |
iamr0000t |
Low |
2021-08-09 |
| Partial report contents leakage - via HTTP/2 concurrent stream handling |
Information Disclosure |
tomvg |
Medium |
2021-08-05 |
| Private program disclosure through notifications |
Improper Access Control - Generic |
sunil_yedla |
Low |
2021-08-05 |
| Mishandling of hackerone clear background checks resulting in disclosure of other hacker's information |
Off-by-one Error |
frozensolid |
Medium |
2021-08-05 |
| Internal Gitlab Ticket Disclosure via External Slack Channels |
Information Disclosure |
none_of_the_above |
High |
2021-08-04 |
| Information disclosure - Feedback is accessible on Public profile even after 'disallowed' at https://hackerone.com/settings/feedback |
Information Disclosure |
brdoors3 |
Low |
2021-08-03 |
| Slack integration setup lacks CSRF protection |
Cross-Site Request Forgery (CSRF) |
whhackersbr |
High |
2021-07-07 |
| New link opening method makes hackerone vulnerable to tabnabbing |
Open Redirect |
recon_ninja |
Low |
2021-07-07 |
| Report Bulk endpoint "agree-on-going-public" action may reveal Report disclosure state for invite-only programs |
Information Disclosure |
clubbable |
Low |
2021-06-30 |
| Report Duplicate Detector can match deleted and draft reports, may disclose title and vulnerability information |
Information Disclosure |
jobert |
Low |
2021-06-24 |
| Stored XSS in IE11 on hackerone.com via custom fields |
Cross-site Scripting (XSS) - Stored |
tester2020 |
Medium |
2021-06-24 |
| Second-order SOQL injection through email and campaign name parameter in Salesforce lead submission |
None supplied |
jobert |
Low |
2021-06-18 |
| HackerOne making payments in USDC (Coinbase stable coin) |
None supplied |
arl_rose |
None |
2021-06-17 |
| Hackerone is not properly deleting user id |
Business Logic Errors |
hack3r_anies |
Medium |
2021-06-11 |
| Private program disclosure of `██████████` through notifications |
Improper Access Control - Generic |
h13- |
Low |
2021-06-09 |
| Lack warning label when receiving a letter |
Phishing |
haxta4ok00 |
Low |
2021-05-13 |
| Changing the 2FA secret key and backup codes without knowing the 2FA OTP |
Modification of Assumed-Immutable Data (MAID) |
whhackersbr |
Medium |
2021-05-06 |
| HackerOne Jira integration plugin Leaked JWT to unauthorized jira users |
Improper Authentication - Generic |
updatelap |
Medium |
2021-04-01 |
| HackerOne Jira integration plugin Leaked JWT to unauthorized jira users |
Improper Authentication - Generic |
updatelap |
Medium |
2021-04-01 |
| Stored XSS on https://events.hackerone.com |
Cross-site Scripting (XSS) - Stored |
nagli |
None |
2021-03-26 |
| Open Redirect on http://events.hackerone.com/redirect?url=https://naglinagli.github.io |
Open Redirect |
nagli |
None |
2021-03-26 |
| Indexing of urls on the "External link warning" pages discloses many vulnerable endpoints from the past and unlisted videos/photos |
Violation of Secure Design Principles |
nagli |
Medium |
2021-03-25 |
| Security@ email forwarding and Embedded Submission drafts can be used to obtain copy of deleted attachments from other HackerOne users |
Insecure Direct Object Reference (IDOR) |
jobert |
High |
2020-11-17 |
| Getting New Invitations without Leaving Programs |
Business Logic Errors |
ali |
Low |
2020-10-15 |
| Email address of any user can be queried on Report Invitation GraphQL type when username is known |
Improper Authorization |
msdian7 |
High |
2020-02-20 |
| Account takeover via leaked session cookie |
Improper Authentication - Generic |
haxta4ok00 |
High |
2019-12-03 |
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles