HackerOne

37 total issues disclosed
$64,001 total paid publicly
Most disclosed vulnerability type (11 disclosures): Information Disclosure



Disclosed Reports

| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed On |
|---|---|---|---|---|
| Leaked H1's Employees Email addresses,meeting info on private bug bounty program ████████ | Information Disclosure | superman85 | Medium | 2021-11-08 |
| HackerOne Staging uses Production data for testing | Privacy Violation | tk0 | Low | 2021-11-05 |
| User's who are banned from program can still be invited to the new reports as collaborators | Business Logic Errors | muon4 | Low | 2021-09-22 |
| Used email confirmation link reveals the email address which is tied to it | Information Disclosure | muon4 | None | 2021-09-22 |
| Hacker can bypass minimum bounty amount restrictions in "invitation preferences" setting via UpdateInvitationPreferencesMutation GraphQL operation | Client-Side Enforcement of Server-Side Security | frozensolid | Low | 2021-09-20 |
| Disclosure handle private program with external link | None supplied | haxta4ok00 | Medium | 2021-08-24 |
| Attachment object in GraphQL continues to grant access to files, even if they are removed from rendering | Information Disclosure | haxta4ok00 | Medium | 2021-08-24 |
| Hackers can find out the ID of private programs | Information Disclosure | haxta4ok00 | Low | 2021-08-24 |
| The possibility of disrupting the normal operation of frontend using markdown | Denial of Service | haxta4ok00 | Low | 2021-08-24 |
| Hackers can reveal the names of private programs that have an external link and Enterprise Product Edition | Information Disclosure | haxta4ok00 | Low | 2021-08-24 |
| Tab nabbing in Hackerone inbox. | Open Redirect | adhamsadaqah | Low | 2021-08-09 |
| PII data Leakage through hackerone reports | Information Disclosure | iamr0000t | Low | 2021-08-09 |
| Partial report contents leakage - via HTTP/2 concurrent stream handling | Information Disclosure | tomvg | Medium | 2021-08-05 |
| Private program disclosure through notifications | Improper Access Control - Generic | sunil_yedla | Low | 2021-08-05 |
| Mishandling of hackerone clear background checks resulting in disclosure of other hacker's information | Off-by-one Error | frozensolid | Medium | 2021-08-05 |
| Internal Gitlab Ticket Disclosure via External Slack Channels | Information Disclosure | none_of_the_above | High | 2021-08-04 |
| Information disclosure - Feedback is accessible on Public profile even after 'disallowed' at https://hackerone.com/settings/feedback | Information Disclosure | brdoors3 | Low | 2021-08-03 |
| Slack integration setup lacks CSRF protection | Cross-Site Request Forgery (CSRF) | whhackersbr | High | 2021-07-07 |
| New link opening method makes hackerone vulnerable to tabnabbing | Open Redirect | recon_ninja | Low | 2021-07-07 |
| Report Bulk endpoint "agree-on-going-public" action may reveal Report disclosure state for invite-only programs | Information Disclosure | clubbable | Low | 2021-06-30 |
| Report Duplicate Detector can match deleted and draft reports, may disclose title and vulnerability information | Information Disclosure | jobert | Low | 2021-06-24 |
| Stored XSS in IE11 on hackerone.com via custom fields | Cross-site Scripting (XSS) - Stored | tester2020 | Medium | 2021-06-24 |
| Second-order SOQL injection through email and campaign name parameter in Salesforce lead submission | None supplied | jobert | Low | 2021-06-18 |
| HackerOne making payments in USDC (Coinbase stable coin) | None supplied | arl_rose | None | 2021-06-17 |
| Hackerone is not properly deleting user id | Business Logic Errors | hack3r_anies | Medium | 2021-06-11 |
| Private program disclosure of `██████████` through notifications | Improper Access Control - Generic | h13- | Low | 2021-06-09 |
| Lack warning label when receiving a letter | Phishing | haxta4ok00 | Low | 2021-05-13 |
| Changing the 2FA secret key and backup codes without knowing the 2FA OTP | Modification of Assumed-Immutable Data (MAID) | whhackersbr | Medium | 2021-05-06 |
| HackerOne Jira integration plugin Leaked JWT to unauthorized jira users | Improper Authentication - Generic | updatelap | Medium | 2021-04-01 |
| HackerOne Jira integration plugin Leaked JWT to unauthorized jira users | Improper Authentication - Generic | updatelap | Medium | 2021-04-01 |
| Stored XSS on https://events.hackerone.com | Cross-site Scripting (XSS) - Stored | nagli | None | 2021-03-26 |
| Open Redirect on http://events.hackerone.com/redirect?url=https://naglinagli.github.io | Open Redirect | nagli | None | 2021-03-26 |
| Indexing of urls on the "External link warning" pages discloses many vulnerable endpoints from the past and unlisted videos/photos | Violation of Secure Design Principles | nagli | Medium | 2021-03-25 |
| [email protected] email forwarding and Embedded Submission drafts can be used to obtain copy of deleted attachments from other HackerOne users | Insecure Direct Object Reference (IDOR) | jobert | High | 2020-11-17 |
| Getting New Invitations without Leaving Programs | Business Logic Errors | ali | Low | 2020-10-15 |
| Email address of any user can be queried on Report Invitation GraphQL type when username is known | Improper Authorization | msdian7 | High | 2020-02-20 |
| Account takeover via leaked session cookie | Improper Authentication - Generic | haxta4ok00 | High | 2019-12-03 |