HackerOne: New Hacktivity features: Bounty rewards leakage where programs don't decide to disclose the bounty in a limited disclosure report
The report describes a vulnerability where users could access hidden bounty information on the HackerOne Hacktivity page. Specifically, by using a filter to search for reports with a specific total awarded amount, the actual bounty amount was revealed, even if the program chose to limit the...
HackerOne: Manipulate hacker profile and private program hacktivity to expose your name as a researcher who is actively submitting reports with resolved status
Hi Team, Summary: First of all, the issue that I have found has multiple steps, so please make sure to follow the steps accordingly. I was able to put my hacker name on a private program's hacktivity profile showing that I have a report that was resolved; this will also reflect on my hacker profile...
HackerOne: Hacktivity of a private program visible to a banned user if he gets invited to a program by hackbot
Summary: The hacktivity of a private program is visible to a banned user if he gets invited to a program by hackbot. Description: Back in 2016 I was banned by █████'s private program ███ due to some conflict between me and their security team. I think they manually put me in the banned users list, but...
Concrete CMS: Stored XSS on Add Event in Calendar
Greetings. In crayons we trust. Hello @Concrete5 Team. While checking the Hacktivity in your HackerOne Program I saw many reports regarding XSS, thus I will omit the vulnerability description in the report I'm going to file now. After downloading Concrete5 8.3.1, released on 12/20/17, while searching for some...
HackerOne: New hacktivity view discloses report IDs of non-public reports
URL: https://hackerone.com/hacktivity.json. This URL reveals information about reporters. Report id ./...