High-Value Targets (Prioritized Programs)¶
This list highlights programs with the highest recent bounty payouts, prioritized for focused research. Rankings are based on aggregated HackerOne hacktivity for the 6-month window 2025-03 to 2025-08.
Last updated: 2025-09-01
Top Programs (last 6 months)¶
| Rank | Program | Total Payout | Reports | Program Page |
|---|---|---|---|---|
| 1 | Uber | $20,340.00 | 24 | https://hackerone.com/uber |
| 2 | Eternal | $9,300.00 | 12 | https://hackerone.com/eternal |
| 3 | OKG | $7,500.00 | 6 | https://hackerone.com/okg |
| 4 | TikTok | $6,000.00 | 12 | https://hackerone.com/tiktok |
| 5 | Sheer | $900.00 | 6 | https://hackerone.com/sheer_bbp |
| 6 | GitLab | $600.00 | 12 | https://hackerone.com/gitlab |
| 7 | PayPal | $600.00 | 6 | https://hackerone.com/paypal |
| 8 | Ferrero | $0.00 | 30 | https://hackerone.com/ferrero |
| 9 | MediaTek | $0.00 | 24 | https://hackerone.com/mediatek |
| 10 | Zooplus | $0.00 | 18 | https://hackerone.com/zooplus |
Strategic High-Value Additions¶
Newly Interesting Public HackerOne Targets (2026-03-31 scan)¶
These showed up again in the public HackerOne program page as especially worth a closer look:

- 1Password — creative/manual research is explicitly favored; scanners are unlikely to help.
- Akamai — CDN/origin/proxy trust boundaries; soft-launch / invite-only posture.
- Airbnb — huge real-world workflow surface; strong fit for authZ, recovery, and trust-boundary chains.
- Airlock Secure Access Hub — WAF + IAM stack protecting 30k+ apps; edge and identity bugs can be high impact.
- Amazon Vulnerability Research Program — broad surface with mature triage expectations.
- Anduril Industries — reproducible reports and structured disclosure language suggest higher signal.
- Atlassian — large enterprise SaaS surface with frequent workflow/auth complexity.
Operator-quality cue from public advisories (2026-06-30)¶
- A June 30 public-advisory refresh adds an edge, data-platform, and collaboration target cue: Undertow's HTTP/2 MadeYouReset DoS, Dgraph GraphQL/DQL password-query injection, Apache CXF LDAP/XML/JMS trust-boundary issues, Concrete CMS backend CSRF/IDOR/XSS, and additional Mattermost repository/WebSocket/plugin/image-processing flaws all reinforce programs that scope API gateways, graph databases, SOAP/enterprise integration stacks, CMS admin workflows, and chatops/plugin surfaces. Score HTTP/2 reset/resource ceilings, GraphQL-to-query parameterization, LDAP/XML/JMS configuration hardening, backend CSRF + object authorization, WebSocket frame limits, plugin body-size enforcement, and media parser allocation ceilings. Sources: https://github.com/advisories/GHSA-95h4-w6j8-2rp8, https://github.com/advisories/GHSA-q2m9-6jp9-c6mc, https://github.com/advisories/GHSA-pg32-686q-qh6x, https://github.com/advisories/GHSA-vmm5-fjgx-2jhp, https://github.com/advisories/GHSA-2hvc-5c6v-f533, https://github.com/advisories/GHSA-xjg6-5v39-v7fc, https://github.com/advisories/GHSA-jqvq-gv67-3567, https://github.com/advisories/GHSA-q9fm-mpg8-8jqm, https://github.com/advisories/GHSA-r5vf-grcx-5vqp, https://github.com/advisories/GHSA-w9m8-p4cc-4qj9, https://github.com/advisories/GHSA-jmvr-r5hm-fxfr, https://github.com/advisories/GHSA-37j2-3vv8-cf24
Operator-quality cue from public advisories (2026-06-29)¶
- A June 29 updated-advisory pass adds identity, edge, and integration target cues: slack-go empty signing secrets, Turbo login callback CSRF/session fixation, SCIM filter stack exhaustion, old Netty request smuggling metadata refresh, JS-YAML merge-key DoS, and Froxlor incomplete-fix drift all reinforce programs that scope Slack/webhook verification, OAuth/login callbacks, SCIM/identity provisioning parsers, Java edge stacks, YAML/config ingestion, and hosting-control-panel patch validation. Score explicit non-empty shared-secret preconditions, state/nonce/session rotation on callbacks, parser depth ceilings, request-smuggling-safe canary guidance, config parser resource limits, and re-testable fix claims. Sources: https://github.com/advisories/GHSA-gxhx-2686-5h9g, https://github.com/advisories/GHSA-hcf7-66rw-9f5r, https://github.com/advisories/GHSA-r5fr-9gmv-jggh, https://github.com/advisories/GHSA-p979-4mfw-53vg, https://github.com/advisories/GHSA-h67p-54hq-rp68, https://github.com/advisories/GHSA-j6fm-9rfm-j5hx
- A late operator pass over public advisories adds MCP, identity, static-path, and panel-file target cues: unauthenticated or LAN-exposed MCP transports, OAuth scopes checked only at session setup, SAML assertions accepted without real signature verification, string-prefix static/template containment, HTTP/2 request-boundary disagreement, and game/server panels applying file operations outside tenant containers. Prioritize AI-agent, desktop-bridge, SSO, framework, dev-server, API-gateway, and hosting-panel programs that explicitly scope bind-address defaults, per-tool authorization, SAML negative controls, normalized filesystem containment, HTTP/2 desync canaries, and tenant-root host-boundary checks. Sources: https://github.com/advisories/GHSA-rp72-5v5q-2446, https://github.com/advisories/GHSA-73cv-556c-w3g6, https://github.com/advisories/GHSA-2r68-g678-7qr3, https://github.com/advisories/GHSA-4hf8-5mjm-rfgq, https://github.com/advisories/GHSA-jv46-xfwm-36j7, https://github.com/advisories/GHSA-wpvj-hjcr-h3p2, https://github.com/advisories/GHSA-3p34-w4f6-5xh2, https://github.com/advisories/GHSA-pw9p-jvrm-f7rm, https://github.com/advisories/GHSA-rhq6-9rgh-v45c
- CMS, renderer, HTTP-client, registry, and package-manager advisories add another quality cue: favor programs where control-panel helper routes, HTML-to-PDF options, outbound HTTP clients, webhook signature validators, registry/blob redirects, and package-manager cache/credential behavior are in scope. Durable seams include role matrices for hidden helper endpoints, renderer URL/file/binary-path inputs, redirect credential stripping, URL canonicalization before SSRF allowlists, registry credential scoping, and repository-controlled package-manager config that may leak fake environment markers before scripts run. Sources: https://github.com/advisories/GHSA-2497-6pwj-pwg7, https://github.com/advisories/GHSA-x8g9-h984-pc36, https://github.com/advisories/GHSA-h73q-4w9q-82h4, https://github.com/advisories/GHSA-pj7v-xfvx-wmjq, https://github.com/advisories/GHSA-jq42-7mfv-hm57, https://github.com/advisories/GHSA-p688-r7jv-fm6f, https://github.com/advisories/GHSA-8jgf-23q5-x7xx, https://github.com/advisories/GHSA-qvqc-4c52-x6qp, https://github.com/advisories/GHSA-3qhv-2rgh-x77r
- The June 29 public advisory batch adds a CMS/plugin and business-app target cue: Business Directory, MainWP, WP User Frontend, Wallet System for WooCommerce, WooCommerce Designer Pro, Link Whisper Free, ARForms, Jobify, Landing Page Builder, BEAR, and Colissimo Officiel issues cluster around unauthenticated/subscriber XSS, broken access control, IDOR, and e-commerce object ownership. Prioritize CMS/site-builder/marketplace programs that explicitly scope plugin roles, managed customer sites, nonce/capability checks, stored-content escaping, wallet/order/shipping authorization, and patch-SLA visibility. Sources: https://github.com/advisories/GHSA-j7vw-hgqm-mjq6, https://github.com/advisories/GHSA-mfg7-q8ff-25x2, https://github.com/advisories/GHSA-jqjh-8jhc-v62j, https://github.com/advisories/GHSA-5m7g-c794-p955, https://github.com/advisories/GHSA-h2vf-g593-6wfx, https://github.com/advisories/GHSA-q34r-767v-46h6, https://github.com/advisories/GHSA-33cv-ffrg-w682, https://github.com/advisories/GHSA-2gv4-h2pg-hjh9, https://github.com/advisories/GHSA-m2vm-g496-48qp, https://github.com/advisories/GHSA-77c2-57x5-fjmg, https://github.com/advisories/GHSA-w5v2-p57c-3889, https://github.com/advisories/GHSA-rxh5-g3fx-mmx7
- Page Builder CK arbitrary file upload, Paid Videochat Turnkey Site file deletion, phpUploader information disclosure, FrontAccounting SQL injection, and `acl` symlink traversal add adjacent scoring seams for admin-media, finance/ERP, backup/sync, CI, and file-management targets. Favor programs with documented upload-root confinement, delete authorization, direct-file serving controls, report/export query hardening, symlink/hardlink refusal, canonical path handling, and least-privilege file operations. Sources: https://github.com/advisories/GHSA-gxrr-wfg5-xqqf, https://github.com/advisories/GHSA-752c-x542-h98f, https://github.com/advisories/GHSA-wghr-7f2j-9x3f, https://github.com/advisories/GHSA-w5j4-x499-pfwp, https://github.com/advisories/GHSA-8ccm-j5hq-9jhr, https://github.com/advisories/GHSA-53ch-pxc8-6g72
- A late June 29 advisory refresh adds enterprise edge and collaboration target cues: Tomcat HTTP/0.9 method/security-constraint disagreement, Mattermost API input handling that can crash plugin processing, and OpenAM OAuth/server-side-script issues around PKCE enforcement, `private_key_jwt` JWKS cache boundaries, and realm-admin script sandbox escape. Prioritize programs that scope Java servlet edge behavior, chatops/plugin APIs, SSO/OAuth providers, dynamic client registration, realm isolation, and admin scripting guardrails. Sources: https://github.com/advisories/GHSA-qq5r-98hh-rxc9, https://github.com/advisories/GHSA-rmvv-8v8w-rf7x, https://github.com/advisories/GHSA-4v2w-2wqp-mc85, https://github.com/advisories/GHSA-f2cx-463q-7m2c, https://github.com/advisories/GHSA-69j4-qvqr-hpw3
- The same late refresh adds TYPO3 extension signals for CMS/search/crawler programs: extension-provided SQL builders, crawler metadata deserialization, file-indexer path normalization, OOXML external-entity handling, and arbitrary table/field indexing can turn backend configuration privileges into database, filesystem, SSRF, or code-execution impact. Score programs higher when CMS extension ecosystems, backend-editor roles, indexer/crawler jobs, document parsing, and patch-version transparency are explicitly in scope. Sources: https://github.com/advisories/GHSA-3h52-6v6j-6wwv, https://github.com/advisories/GHSA-jr8m-x4p7-p3v5, https://github.com/advisories/GHSA-c72x-mc2p-wv7x, https://github.com/advisories/GHSA-fq39-62gx-8hqx, https://github.com/advisories/GHSA-67j3-jmm3-32xc
Operator-quality cue from public advisories (2026-06-28)¶
- The June 28 public advisory batch adds a sharper runner/agent/control-plane target cue: Gitea `act_runner` Docker option handling, Flowise Custom MCP stdio environment filtering, DocsGPT/MLflow/SkyPilot AI-data control-plane issues, and GLPI/MyBB/WordPress file-manager authorization problems all reinforce that high-value programs should explicitly scope self-hosted CI runners, MCP/tool environment construction, cloud/model execution boundaries, support portals, limited-admin role assignment, and authenticated file actions. Prioritize programs with safe non-invasive proof guidance for container privilege boundaries, secret/env allowlists, tenant/role field ceilings, and per-session authorization. Sources: https://github.com/advisories/GHSA-8qf9-pc52-j7cm, https://github.com/advisories/GHSA-rqqr-m697-6jq3, https://github.com/advisories/GHSA-v4h4-747p-qjgx, https://github.com/advisories/GHSA-wfp4-8wh2-c48v, https://github.com/advisories/GHSA-mh3f-459p-p84f, https://github.com/advisories/GHSA-8cgc-j54m-4q3w, https://github.com/advisories/GHSA-cvxv-xfvj-jmc4, https://github.com/advisories/GHSA-hhrc-vf2p-x5h3
- RustDesk, nghttpx, Nmap, and libssh2 advisories from the same batch add a network/control-plane quality signal: favor remote-support, proxy/API-gateway, scanner, SSH/SFTP, and network-management programs that document session-level capability enforcement, protocol-upgrade behavior, parser resource ceilings, packet-boundary validation, and dependency patch cadence. Sources: https://github.com/advisories/GHSA-vp3r-hwqm-x826, https://github.com/advisories/GHSA-xrr7-82jr-v58x, https://github.com/advisories/GHSA-wxvj-hc4r-fq45, https://github.com/advisories/GHSA-mf77-5hj2-98w9, https://github.com/advisories/GHSA-c5f3-hwj2-xp5p
- pyLoad and Publify advisories from the same public feed add a self-hosted automation/CMS cue: prioritize programs that explicitly scope download managers, background task/package creation APIs, admin-session permission changes, CSRF coverage for API routes, localhost/private-network request restrictions, and redirect/XSS handling in content-management flows. Safe proof should focus on negative authorization and session-invalidating behavior rather than destructive downloads or package execution. Sources: https://github.com/advisories/GHSA-fj52-5g4h-gmq8, https://github.com/advisories/GHSA-pgpj-v85q-h5fm, https://github.com/advisories/GHSA-x698-5hjm-w2m5, https://github.com/advisories/GHSA-8fm5-gg2f-f66q
Operator-quality cue from public advisories (2026-06-27)¶
- The late June pnpm advisory cluster sharpens a high-value CI/developer-platform cue: repository-controlled package-manager state can cross into privileged execution, filesystem writes, lockfile alias escapes, patch deletion, global tool removal, or secret-bearing registry requests before ordinary scripts run. Prioritize programs that explicitly scope repo ingestion, JavaScript package installation, monorepo CI, build cache/provenance, and low-privilege runners; score lockfile trust, configDependencies, alias/path canonicalization, lifecycle approvals, patch confinement, and secret-safe registry resolution. Sources: https://github.com/advisories/GHSA-w466-c33r-3gjp, https://github.com/advisories/GHSA-gj8w-mvpf-x27x, https://github.com/advisories/GHSA-5wx6-mg75-v57r, https://github.com/advisories/GHSA-qrv3-253h-g69c, https://github.com/advisories/GHSA-fr4h-3cph-29xv, https://github.com/advisories/GHSA-v23m-ccfg-pq9h, https://github.com/advisories/GHSA-72r4-9c5j-mj57, https://github.com/advisories/GHSA-4gxm-v5v7-fqc4, https://github.com/advisories/GHSA-3qhv-2rgh-x77r
- Subsonic/gonic playlist advisories, Nezha dashboard issues, and Statamic CMS advisories add durable target-selection cues for media libraries, observability panels, and CMS/admin products: prioritize object ownership on playlist/file IDs, write-root confinement, DDNS/notification secret redaction, OAuth redirect canonicalization, WebSocket resource ceilings, preview permission parity, CSV export hardening, and DNS-rebinding/private-network defenses in server-side image/fetch pipelines. Sources: https://github.com/advisories/GHSA-hmgp-w9jm-vp95, https://github.com/advisories/GHSA-2fp4-5v5c-4448, https://github.com/advisories/GHSA-4gxv-p5g5-j7w7, https://github.com/advisories/GHSA-ww5p-j6cj-6mqq, https://github.com/advisories/GHSA-9rc6-8cjv-rcvx, https://github.com/advisories/GHSA-jg62-j5h6-8mpq, https://github.com/advisories/GHSA-7mqq-4v55-88gh, https://github.com/advisories/GHSA-h77m-qrj7-jxcw, https://github.com/advisories/GHSA-v5c4-wcpj-x73m
Operator-quality cue from public advisories (2026-06-26)¶
- Late-day Incus advisories (GHSA-f6m5-xw2g-xc4x, GHSA-v6mj-8pf4-hhw4, GHSA-ccjc-4qc3-jxqc, GHSA-vxp5-584q-c479) plus Apptainer path-limit matching (GHSA-cr2j-534f-mf3g) sharpen the container/runner control-plane cue: prioritize programs that explicitly scope untrusted image import, backup restore, S3-compatible upload paths, template expansion, archive extraction, compression-command selection, path confinement, host-file exposure, and per-job workspace isolation. The same advisory batch adds adjacent agent/supply-chain cues from pydantic-ai IPv6 SSRF blocklist bypass (GHSA-cg7w-rg45-pc59), Sigstore DSSE payload-type binding (GHSA-jfc7-64v2-mr8c), and Remark42 content-type spoofed image upload XSS (GHSA-4c8j-mgm4-qqvp): score AI/agent, signing, comment/CMS, and media-upload programs higher when URL canonicalization, private-network blocking, DSSE type/audience binding, upload MIME validation, and render-origin isolation are in scope. Sources: https://github.com/advisories/GHSA-f6m5-xw2g-xc4x, https://github.com/advisories/GHSA-v6mj-8pf4-hhw4, https://github.com/advisories/GHSA-ccjc-4qc3-jxqc, https://github.com/advisories/GHSA-vxp5-584q-c479, https://github.com/advisories/GHSA-cr2j-534f-mf3g, https://github.com/advisories/GHSA-cg7w-rg45-pc59, https://github.com/advisories/GHSA-jfc7-64v2-mr8c, https://github.com/advisories/GHSA-4c8j-mgm4-qqvp
- Keycloak account-link proof scoping (GHSA-m6qj-3mpp-57v8), WebAuthn policy bypass (GHSA-g8vr-x4qh-25qg), and layered token-revocation/introspection drift (GHSA-83c4-ffjp-mxp9) sharpen the identity-platform cue: prioritize programs that explicitly scope account linking, IdP brokering, passwordless/MFA enrollment, OIDC introspection, token revocation, and session invalidation. The late June `golang.org/x/crypto/ssh` advisory cluster also raises priority for git hosting, CI/CD, deployment, bastion, device-management, and SSH/SFTP-backed SaaS when host-key revocation, security-key presence, callback permission enforcement, and connection resource ceilings are in scope. Sources: https://github.com/advisories/GHSA-m6qj-3mpp-57v8, https://github.com/advisories/GHSA-g8vr-x4qh-25qg, https://github.com/advisories/GHSA-83c4-ffjp-mxp9, https://github.com/advisories/GHSA-x527-x647-q7gg, https://github.com/advisories/GHSA-5cgq-3rg8-m6cv, https://github.com/advisories/GHSA-89gr-r52h-f8rx, https://github.com/advisories/GHSA-rm3j-f69w-wqmq, https://github.com/advisories/GHSA-vgwf-h737-ff37
- Fluentd log-ingestion advisories (GHSA-44hj-4m45-frj3, GHSA-72f5-rr8c-r6gr, GHSA-pr7j-96cj-549h, GHSA-j9cw-hwqf-85w7, GHSA-xv9w-7v6q-hpjh) and MindsDB upload traversal to package-install execution (GHSA-4894-xqv6-vrfq) add priority for observability, SIEM, AI/data-platform, connector/plugin, and notebook programs where untrusted tenants, workloads, CI jobs, or low-privilege users can influence log tags/records, collector destinations, monitor APIs, upload filenames, temporary file roots, or runtime install workflows. Sources: https://github.com/advisories/GHSA-44hj-4m45-frj3, https://github.com/advisories/GHSA-72f5-rr8c-r6gr, https://github.com/advisories/GHSA-pr7j-96cj-549h, https://github.com/advisories/GHSA-j9cw-hwqf-85w7, https://github.com/advisories/GHSA-xv9w-7v6q-hpjh, https://github.com/advisories/GHSA-4894-xqv6-vrfq
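The private-network and URL-canonicalization seams named above (the pydantic-ai IPv6 blocklist bypass, DNS-rebinding defenses for server-side fetchers, and canonicalization before SSRF allowlists) reduce to one check that many fetchers get wrong: judge the canonical address, judge every resolved address, and pin the one you vetted. The following is an added example written for this page, not code from pydantic-ai or any project listed here; `CONSTRUCTED_DNS` is a stubbed resolver so the example runs offline, and the hostnames in it are made up.

```python
import ipaddress
from urllib.parse import urlsplit

# Added example for this page; not code from pydantic-ai, Spring AI, or any other
# project named above. Resolution is stubbed with a constructed table so the
# example runs offline: a real deployment resolves the name itself, checks EVERY
# returned address, and then connects to the vetted address (pinning it) so a
# second lookup by the HTTP client cannot be rebound to a private host.
CONSTRUCTED_DNS = {
    "api.example.com": ["8.8.8.8"],
    "rebind.example.com": ["8.8.4.4", "127.0.0.1"],      # public + loopback mix
    "metadata.internal": ["169.254.169.254"],            # cloud metadata endpoint
}
ALLOWED_SCHEMES = {"http", "https"}


def is_public_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    # IPv4-mapped IPv6 (::ffff:127.0.0.1) is judged as its IPv4 form; otherwise a
    # blocklist written for dotted-quad loopback/RFC1918 misses the IPv6 spelling.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast and not ip.is_reserved


def vet_outbound_url(url: str, resolve=lambda host: CONSTRUCTED_DNS.get(host, [])):
    """Canonicalize first, then block. Returns (allowed, reason, pinned_ip)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme", None
    host = parts.hostname                      # lowercased; [] stripped from IPv6 literals
    if not host or parts.username is not None or parts.password is not None:
        return False, "missing-host-or-userinfo", None
    host = host.rstrip(".")
    if "%" in host:                            # IPv6 zone IDs (fe80::1%eth0): refuse, don't guess
        return False, "zone-id", None
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        # A hostname, or an odd literal such as decimal 2130706433 or octal
        # 0177.0.0.1: hand it to the resolver and judge whatever comes back.
        literal = None
    if literal is not None:
        if not is_public_address(host):
            return False, "private-literal", None
        return True, "public-literal", str(literal)
    addrs = resolve(host)
    if not addrs:
        return False, "unresolved", None
    if not all(is_public_address(a) for a in addrs):
        return False, "private-resolution", None
    return True, "public-resolution", addrs[0]
```

The returned `pinned_ip` is the address the HTTP client must actually connect to (with the hostname kept in the `Host` header and TLS SNI); letting the client resolve the name again reopens the rebinding window the resolver check closed.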
Operator-quality cue from public advisories (2026-06-25)¶
- OpenTofu provider-cache symlink writes (GHSA-wcmj-x466-56mm), Filament unauthenticated temporary uploads on auth pages (GHSA-44wp-g8f4-f4v5), OpenTelemetry eBPF profiler local DoS (GHSA-f2r5-5m7w-p5cx), and additional Snipe-IT self/bulk permission advisories (GHSA-52fw-7fw2-fmv5, GHSA-6f75-x745-xcpr) add durable target-selection cues for IaC/deployment platforms, admin panels, node agents, and ITAM/user-management SaaS. Prioritize programs that explicitly scope provider/plugin installation, unauthenticated upload handling, local workload-to-agent isolation, self-edit field ceilings, bulk account mutations, and administrator lockout prevention. Sources: https://github.com/advisories/GHSA-wcmj-x466-56mm, https://github.com/advisories/GHSA-44wp-g8f4-f4v5, https://github.com/advisories/GHSA-f2r5-5m7w-p5cx, https://github.com/advisories/GHSA-52fw-7fw2-fmv5, https://github.com/advisories/GHSA-6f75-x745-xcpr
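Several cues in this and the earlier sections (string-prefix static/template containment, symlink/hardlink refusal and canonical path handling, untrusted archive extraction, provider-cache symlink writes) are one property: a path is judged after resolution and component-wise, never by string prefix. The following added example is written for this page and is not code from OpenTofu, Incus, Apptainer, Gogs, or any other project named here; `naive_contains`, `resolve_inside`, `extract_contained`, and the archive that `build_constructed_tar` produces are constructed for illustration.

```python
import io
import os
import tarfile
import tempfile
from pathlib import Path

# Added example for this page; not code from OpenTofu, Incus, Apptainer, Gogs or any
# other project named above. Helper names and the archive contents are made up.


def naive_contains(root: str, candidate: str) -> bool:
    """The string-prefix bug: root '/srv/static' accepts '/srv/static_private/x'
    because nothing requires a separator after the root."""
    return os.path.abspath(candidate).startswith(os.path.abspath(root))


def is_inside(root_real: Path, target: Path) -> bool:
    """Component-wise containment of two fully resolved paths."""
    try:
        target.relative_to(root_real)
        return True
    except ValueError:
        return False


def resolve_inside(root: Path, untrusted: str) -> Path:
    """Join untrusted relative input under root and judge the RESOLVED path: '..' is
    collapsed and every symlink is followed, so a link planted under root that
    points at /etc is refused."""
    if os.path.isabs(untrusted):
        raise PermissionError("absolute paths are not accepted")
    root_real = root.resolve(strict=True)
    target = (root_real / untrusted).resolve(strict=False)
    if not is_inside(root_real, target):
        raise PermissionError(f"{untrusted!r} escapes {root_real}")
    return target


def extract_contained(tar: tarfile.TarFile, root: Path) -> list:
    """Extract members one at a time, judging each against what is already on disk.
    Refuses absolute names, '..' segments, links that resolve outside root, and
    device/fifo entries. (Python 3.12+ ships tarfile's filter='data' for the same
    policy; it is disabled here so the explicit checks are what runs.)"""
    root_real = root.resolve(strict=True)
    kwargs = {"filter": "fully_trusted"} if hasattr(tarfile, "data_filter") else {}
    kept = []
    for m in tar.getmembers():
        if os.path.isabs(m.name) or ".." in m.name.split("/"):
            continue
        dest = (root_real / m.name).resolve(strict=False)   # follows links extracted earlier
        if not is_inside(root_real, dest):
            continue
        if m.issym() and not is_inside(root_real, (dest.parent / m.linkname).resolve(strict=False)):
            continue
        if m.islnk() and not is_inside(root_real, (root_real / m.linkname).resolve(strict=False)):
            continue
        if not (m.isfile() or m.isdir() or m.issym() or m.islnk()):
            continue
        tar.extract(m, path=root_real, set_attrs=False, **kwargs)
        kept.append(m.name)
    return kept


def build_constructed_tar() -> bytes:
    """One benign file plus four hostile members, in an order that matters."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name):
            info = tarfile.TarInfo(name)
            info.size = 6
            tar.addfile(info, io.BytesIO(b"hello\n"))
        add_file("ok.txt")
        add_file("../escape.txt")                  # classic traversal
        add_file("/tmp/absolute.txt")              # absolute member name
        link = tarfile.TarInfo("link")             # symlink pointing out of root ...
        link.type, link.linkname = tarfile.SYMTYPE, "/etc"
        tar.addfile(link)
        add_file("link/passwd")                    # ... followed by a write THROUGH it
    return buf.getvalue()


def demo() -> dict:
    """Run every check in a throwaway directory and report what each one decided."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        static, secret = base / "static", base / "static_private" / "secret.txt"
        static.mkdir()
        secret.parent.mkdir()
        secret.write_text("s3cret")
        (static / "evil").symlink_to("/etc")       # planted by an earlier upload
        results["prefix_bug_accepts_sibling"] = naive_contains(str(static), str(secret))
        for label, rel in (("dotdot", "../static_private/secret.txt"),
                           ("symlink", "evil/passwd"), ("benign", "css/app.css")):
            try:
                resolve_inside(static, rel)
                results[label] = "allowed"
            except PermissionError:
                results[label] = "refused"
        unpack = base / "unpack"
        unpack.mkdir()
        with tarfile.open(fileobj=io.BytesIO(build_constructed_tar()), mode="r") as tar:
            results["extracted"] = extract_contained(tar, unpack)
        results["link_is_symlink"] = (unpack / "link").is_symlink()
    return results
```

The ordering inside `extract_contained` is the point of the archive: because `link` is refused, the later `link/passwd` entry is resolved to a plain directory under the root rather than through a symlink to `/etc`. A checker that validates all member names up front and only then extracts them would have accepted both.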
Operator-quality cue from public advisories (2026-06-24)¶
- OpenAM Community Edition (GHSA-p462-xxwx-pqf4, GHSA-6c99-87fr-6q7r), OliveTin (GHSA-7fq5-7wr8-rjwj, GHSA-prj9-97mp-mwh2, GHSA-f637-w7p2-m7fx), and the late Snipe-IT advisory batch add a sharper target-selection cue for legacy IAM/federation endpoints, self-service command/runbook panels, and multi-tenant asset-management SaaS. Prioritize programs that explicitly scope legacy SOAP/federation receivers, WebAuthn/storage-attribute trust, per-request command-template isolation, reserved argument namespaces, authenticated introspection APIs, API/web authorization parity, tenant-scoped mass assignment, and signed-object URL authorization before issuance. Sources: https://github.com/advisories/GHSA-p462-xxwx-pqf4, https://github.com/advisories/GHSA-6c99-87fr-6q7r, https://github.com/advisories/GHSA-7fq5-7wr8-rjwj, https://github.com/advisories/GHSA-prj9-97mp-mwh2, https://github.com/advisories/GHSA-f637-w7p2-m7fx, https://github.com/advisories/GHSA-pwpj-p52h-q484, https://github.com/advisories/GHSA-33g4-646g-qwmm, https://github.com/advisories/GHSA-hf68-g98v-wp9g, https://github.com/advisories/GHSA-x667-r589-43m7, https://github.com/advisories/GHSA-6mmj-jhqj-6c6q
- Claude Desktop Cowork VM image integrity (GHSA-g2fx-c284-xq7h), Python `tarfile` streaming EOF handling (GHSA-wqxf-pjxh-hh4h), Fortra FIM stored-XSS/live-import permission issues (GHSA-r6vh-m36j-r62m, GHSA-3x8g-cjc2-45qp), GeoVision GV-I/O Box network control-plane advisories, and libslirp TCP urgent-data handling (GHSA-4243-hp56-4m7f) add target-selection cues for local agent sandboxes, artifact/CI ingestion, security-admin consoles, embedded/physical-security control planes, and virtualization/runner products. Prioritize programs that explicitly scope signed runtime images, archive parser resource limits, live role import authZ, shell-free network configuration, default management-service auth, and guest-to-host network-emulation boundaries. Sources: https://github.com/advisories/GHSA-g2fx-c284-xq7h, https://github.com/advisories/GHSA-wqxf-pjxh-hh4h, https://github.com/advisories/GHSA-r6vh-m36j-r62m, https://github.com/advisories/GHSA-3x8g-cjc2-45qp, https://github.com/advisories/GHSA-fx96-c5xr-q273, https://github.com/advisories/GHSA-x4j6-xvjv-qp6p, https://github.com/advisories/GHSA-4243-hp56-4m7f
- Additional late June Snipe-IT/phpMyFAQ/Flask-Security advisories (GHSA-6x4j-8954-5hxm, GHSA-p68w-rgmg-3c2v, GHSA-mr8g-2mj4-pcq2, GHSA-8c6h-7g6x-m5x4, GHSA-w2j7-f3c6-g8cw) sharpen the admin-control-plane cue: prioritize ITAM/helpdesk/wiki/admin-console programs that explicitly scope MFA reset authorization, CSV/import role ceilings, TOTP/rate-limit policy, API write-permission parity, and canonical redirect handling. Sources: https://github.com/advisories/GHSA-6x4j-8954-5hxm, https://github.com/advisories/GHSA-p68w-rgmg-3c2v, https://github.com/advisories/GHSA-mr8g-2mj4-pcq2, https://github.com/advisories/GHSA-8c6h-7g6x-m5x4, https://github.com/advisories/GHSA-w2j7-f3c6-g8cw
Operator-quality cue from public advisories (2026-06-23)¶
- Gogs advisories (GHSA-wv27-2vqp-j7g5, GHSA-pwx3-qcgw-vh7h, GHSA-p9f5-h3rx-j5qw, GHSA-jq8v-rmf6-65jw) add a git-forge target cue: raise priority for programs that explicitly scope repository import/mirror paths, organization administration, attachment downloads, and notebook/Markdown rendering. Durable seams include local repository import allowlists, state-changing GET/CSRF enforcement, parent-object authorization on files, and render-origin separation. Sources: https://github.com/advisories/GHSA-wv27-2vqp-j7g5, https://github.com/advisories/GHSA-pwx3-qcgw-vh7h, https://github.com/advisories/GHSA-p9f5-h3rx-j5qw, https://github.com/advisories/GHSA-jq8v-rmf6-65jw
- Budibase advisories (GHSA-gfq7-5x4g-3xhf, GHSA-4q6h-8p4v-67vq, GHSA-w7mq-r738-x278, GHSA-35c4-rvc8-frhm, GHSA-rgvg-3wpc-h44p) add a low-code/automation target cue: raise priority when builder permissions, datasource credentials, OAuth/fetcher URLs, uploaded zip/icon processing, webhook trigger bodies, object-store signed URLs, and workspace boundaries are in scope. Sources: https://github.com/advisories/GHSA-gfq7-5x4g-3xhf, https://github.com/advisories/GHSA-4q6h-8p4v-67vq, https://github.com/advisories/GHSA-w7mq-r738-x278, https://github.com/advisories/GHSA-35c4-rvc8-frhm, https://github.com/advisories/GHSA-rgvg-3wpc-h44p
- `@actual-app/sync-server` GHSA-cq9c-6w48-qmfg, `scim-patch` GHSA-9m6g-wc8r-q59c, and `skillctl` GHSA-74p7-6h78-gw8p add identity/provisioning and installer cues: favor programs that document session revocation after IdP disablement, SCIM PATCH parser hardening, and safe handling of repository-defined installer metadata, refspecs, output destinations, symlinks/hardlinks, and commit provenance. Sources: https://github.com/advisories/GHSA-cq9c-6w48-qmfg, https://github.com/advisories/GHSA-9m6g-wc8r-q59c, https://github.com/advisories/GHSA-74p7-6h78-gw8p
Operator-quality cue from public advisories (2026-06-21)¶
- Anki GHSA-869j-r97x-hx2g, SurrealDB advisories (GHSA-hv6h-hc26-q48p, GHSA-cc8f-fcx3-gpjr, GHSA-h5rg-8p7f-47g2, GHSA-h4h3-3rfj-x6fq, GHSA-jv2j-mqmw-xvv5), LangSmith SDK GHSA-f4xh-w4cj-qxq8, `pydantic-settings` GHSA-4xgf-cpjx-pc3j, Lokka GHSA-g2gw-q38m-vjfc, and `githubtoplanguages` GHSA-c3xh-98xp-6qhf add a June 21 target-selection cue: raise priority for programs that explicitly scope local HTTP control planes, graph/data authorization, analyzer/plugin config, tracing/debug middleware, secret-loader path handling, cloud API fetchers, and CI/chatops automation. These advisories point toward authZ traversal, file-read/path-canonicalization, SSRF/egress, and command-boundary classes that are durable across developer tools, databases, AI/LLM observability, and cloud-admin products. Sources: https://github.com/advisories/GHSA-869j-r97x-hx2g, https://github.com/advisories/GHSA-hv6h-hc26-q48p, https://github.com/advisories/GHSA-cc8f-fcx3-gpjr, https://github.com/advisories/GHSA-h5rg-8p7f-47g2, https://github.com/advisories/GHSA-h4h3-3rfj-x6fq, https://github.com/advisories/GHSA-jv2j-mqmw-xvv5, https://github.com/advisories/GHSA-f4xh-w4cj-qxq8, https://github.com/advisories/GHSA-4xgf-cpjx-pc3j, https://github.com/advisories/GHSA-g2gw-q38m-vjfc, https://github.com/advisories/GHSA-c3xh-98xp-6qhf
- Craft CMS GHSA-fvwq-45qv-xvhv and CakePHP Authentication GHSA-hhpq-7wg4-36jm add a return-navigation cue: raise priority for web programs whose scope includes CMS/admin consoles, SSO/login flows, session-expiry pages, or marketplace dashboards with user-controlled `returnUrl`, `next`, `continue`, or redirect parameters. The durable seams are executable URL schemes, protocol-relative off-origin targets, encoded slash/backslash parser differentials, and validation-before-canonicalization in post-login helpers. Sources: https://github.com/advisories/GHSA-fvwq-45qv-xvhv, https://github.com/advisories/GHSA-hhpq-7wg4-36jm
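The return-navigation seams above (executable schemes, protocol-relative targets, encoded slash and backslash differentials, validation before canonicalization) can be checked with a validator that canonicalizes the way a browser will and only then decides. This is an added example written for this page, not Craft CMS or CakePHP code; the `https://app.example.com` origin, the 2048-byte limit, and the hostile inputs in the usage are assumptions.

```python
from urllib.parse import unquote, urlsplit

# Added example for this page; not Craft CMS or CakePHP code. Assumed deployment origin:
SITE_ORIGIN = "https://app.example.com"


def classify_return_url(raw: str, site_origin: str = SITE_ORIGIN):
    """Decide whether a user-supplied returnUrl/next/continue value may be redirected to.

    Order matters: decode and normalize the way a browser will, THEN validate.
    Returns (allowed, reason).
    """
    if not raw or len(raw) > 2048:
        return False, "empty-or-oversized"
    c = unquote(raw)                                   # %2F%2F -> //, %5C -> backslash
    # Browsers strip tab/CR/LF anywhere in a URL before parsing the scheme, so
    # "java\tscript:" is executable. Refuse control characters instead of guessing.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in c):
        return False, "control-character"
    c = c.strip(" ").replace("\\", "/")                # browsers treat \ as / in scheme/authority
    if c.startswith("//"):
        return False, "protocol-relative"
    parts = urlsplit(c)                                # scheme comes back lowercased
    if parts.scheme or parts.netloc:
        if parts.scheme not in ("http", "https"):
            return False, "executable-or-unknown-scheme"
        if f"{parts.scheme}://{parts.netloc.lower()}" != site_origin:
            return False, "off-origin"                 # also catches user@host, host.evil, http downgrade
        return True, "same-origin-absolute"
    if not parts.path.startswith("/"):
        return False, "not-rooted"                     # "foo", "?x", "" are ambiguous
    return True, "same-origin-path"


def safe_return_url(raw: str, fallback: str = "/") -> str:
    """Post-login helper: the original value only if its canonical form passed, else fallback."""
    allowed, _reason = classify_return_url(raw)
    return raw if allowed else fallback
```

Comparing the whole `scheme://netloc` string against the configured origin, rather than checking `hostname` alone, is what closes the `user@host`, `host.evil`, and scheme-downgrade variants in one test; a port in the configured origin must then be spelled exactly the same way in the submitted URL.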
Operator-quality cue from public advisories (2026-06-11)¶
- Undertow GHSA-3gv6-g396-9v4r, GHSA-8v4x-mgvp-p658, and GHSA-vqqj-9cmv-hx43 add an edge-stack target cue: Java apps behind CDNs, WAFs, load balancers, API gateways, or service meshes deserve higher priority when proxy/origin HTTP parsing is explicitly in scope. Score request-smuggling-safe evidence paths, front-end/origin topology disclosure, header-name normalization, leading-whitespace handling, non-standard header terminators, and programs that accept harmless canary proof without requiring unsafe cross-user desync. Sources: https://github.com/advisories/GHSA-3gv6-g396-9v4r, https://github.com/advisories/GHSA-8v4x-mgvp-p658, https://github.com/advisories/GHSA-vqqj-9cmv-hx43
- Keycloak GHSA-hm32-hfmw-rhvg / CVE-2026-7500 adds an identity feature-flag cue: disabled UI/modules are not a boundary unless every versioned or preview API route enforces the same gate. Raise priority for SSO/IAM/admin-console programs that document feature flags, account APIs, route inventories, and safe authenticated negative tests for disabled capabilities. Source: https://github.com/advisories/GHSA-hm32-hfmw-rhvg
- PDM GHSA-78v8-vpjp-cjqh / CVE-2026-47764 and GHSA-ghq2-5c67-fprm / CVE-2026-47763 add a Python package-manager and CI runner cue: untrusted wheels and repository-local metadata can cross into filesystem writes by the invoking user. Prioritize developer-tool, CI, release-worker, and repo-ingestion programs when package install containment, symlink handling, workspace isolation, and least-privilege build users are in scope. Sources: https://github.com/advisories/GHSA-78v8-vpjp-cjqh, https://github.com/advisories/GHSA-ghq2-5c67-fprm
- Claude Code Action GHSA-8q5r-mmjf-575q / CVE-2026-47751 adds a CI-agent MCP cue: pull-request-controlled `.mcp.json` or equivalent project-local tool configuration can become privileged runner execution if trusted automation loads it after checkout. Score programs higher when PR workflows, agent/tool configuration provenance, MCP server allowlists, approval state, and untrusted-contributor boundaries are explicitly testable. Source: https://github.com/advisories/GHSA-8q5r-mmjf-575q
- The June Nebula/FUXA/MagicMirror/Langflow/MCP advisory batch reinforces a control-plane cue: mesh managers, industrial dashboards, AI-flow builders, and local automation connectors need explicit authorization, CSRF, config-injection, fetcher-egress, and filesystem-policy boundaries. Treat these as target-selection signals for programs that put management APIs, workflow builders, MCP/AWS connectors, or browser/SQL-driven automation in safe-harbor scope. Sources: https://github.com/advisories/GHSA-598g-h2vc-h5vg, https://github.com/advisories/GHSA-273q-qgh5-wrj6, https://github.com/advisories/GHSA-7hp6-g3pq-3pc3, https://github.com/advisories/GHSA-w86f-rf9w-h3x6, https://github.com/advisories/GHSA-h9fj-c2qr-76g2, https://github.com/advisories/GHSA-8ghr-w65f-j3qr, https://github.com/advisories/GHSA-ph6f-2cvq-79hq, https://github.com/advisories/GHSA-vwmf-pq79-vjvx, https://github.com/advisories/GHSA-2cpp-j2fc-qhp7, https://github.com/advisories/GHSA-hrj8-hjv8-mgwc, https://github.com/advisories/GHSA-9pg3-25fq-p6cc
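The request-smuggling seams in the Undertow cue above (header-name normalization, leading whitespace, non-standard terminators, conflicting framing headers) are exactly what an origin should refuse before it trusts a body boundary that a front-end may have read differently. The following is an added example for this page, not Undertow code: it audits a raw request head for the framing ambiguities RFC 9112 tells a server to reject, and assumes an origin that implements only the `chunked` transfer-coding. The sample requests in the usage are constructed.

```python
import re

# Added example for this page; not Undertow code. Assumes an origin that implements
# only the "chunked" transfer-coding and wants to reject, not repair, ambiguity.
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")   # RFC 9110 tchar


def audit_request_head(raw: bytes) -> list:
    """Return the framing ambiguities in a raw HTTP/1.1 request head (empty list = clean).

    Each finding is something a front-end and an origin might interpret differently,
    which is the precondition for request smuggling; an origin should answer 400.
    """
    problems = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["no CRLF CRLF terminator"]
    if b"\n" in head.replace(b"\r\n", b""):
        problems.append("bare LF line terminator")
    lines = head.split(b"\r\n")
    request_line, header_lines = lines[0], lines[1:]
    if request_line.count(b" ") != 2 or not request_line.endswith(b" HTTP/1.1"):
        problems.append("malformed request line")
    content_lengths, transfer_encodings = [], []
    for line in header_lines:
        if line[:1] in (b" ", b"\t"):                     # obs-fold: RFC 9112 5.2 says reject
            problems.append("obsolete line folding")
            continue
        name, colon, value = line.partition(b":")
        if not colon:
            problems.append("header line without colon")
            continue
        if name != name.rstrip(b" \t"):                   # "Transfer-Encoding : chunked"
            problems.append(f"whitespace before colon: {name.strip()!r}")
        name = name.strip(b" \t").lower()
        if not TOKEN.match(name):
            problems.append(f"non-token header name: {name!r}")
        value = value.strip(b" \t")                       # only SP/HTAB are OWS; \x0b etc. stay
        if name == b"content-length":
            content_lengths.append(value)
        elif name == b"transfer-encoding":
            transfer_encodings.append(value)
    if content_lengths and transfer_encodings:
        problems.append("both Content-Length and Transfer-Encoding")
    if len(set(content_lengths)) > 1:
        problems.append("conflicting Content-Length values")
    if any(not v.isdigit() for v in content_lengths):
        problems.append("non-numeric Content-Length")
    if transfer_encodings:
        codings = [c.strip(b" \t").lower() for v in transfer_encodings for c in v.split(b",")]
        if codings != [b"chunked"]:
            problems.append(f"transfer-coding this origin does not implement: {codings!r}")
    return problems
```

Run against captured request heads, a non-empty list is the "reject, do not repair" decision; it is also a safe way to phrase canary evidence in a report, since showing that an origin accepts one of these shapes needs no cross-user desync to demonstrate.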
Operator-quality cue from public advisories (2026-05-31)¶
- elFinder GHSA-8q4h-8crm-5cvc / CVE-2026-41247 adds a media-processing target cue: ImageMagick CLI-backed transformations can turn user-controlled image options into command execution. Raise priority for programs where DAM/CMS file managers, upload transformation pipelines, thumbnails, or back-office media operations are in scope, especially when they expose strict option validation, shell-free process execution, sandboxing, and file-worker privilege boundaries. Sources: https://github.com/advisories/GHSA-8q4h-8crm-5cvc, https://github.com/studio-42/elFinder/security/advisories/GHSA-8q4h-8crm-5cvc
- Claude Code GHSA-qgqw-h4xq-7w8w adds a coding-agent approval-boundary cue: a `find` command-injection condition could bypass user approval. For local assistants, IDE agents, CI runners, and automation products, raise priority when tool invocation is represented as structured, revalidated action objects rather than shell strings, with argv-only execution, workspace constraints, and clear telemetry for unexpected flags/metacharacters. Sources: https://github.com/advisories/GHSA-qgqw-h4xq-7w8w, https://github.com/anthropics/claude-code/security/advisories/GHSA-qgqw-h4xq-7w8w
- Fission GHSA-3g33-6vg6-27m8 / CVE-2026-46614 and GHSA-85g2-pmrx-r49q / CVE-2026-46617 add serverless/runner scoring cues: public-vs-internal invocation routes, function-name enumeration, trigger policy enforcement, per-container service-account isolation, automount defaults, declared-secret allowlists, and namespace RBAC minimization are high-value boundaries when serverless, workflow, or agent-execution platforms are in scope. Sources: https://github.com/advisories/GHSA-3g33-6vg6-27m8, https://github.com/advisories/GHSA-85g2-pmrx-r49q
- MCP Registry GHSA-95c3-6vvw-4mrq / CVE-2026-44428 adds a registry/publisher OIDC cue: GitHub Actions tokens must be bound to the specific registry/control-plane audience, not just a shared product audience. Score CI publisher flows, package/plugin registries, namespace ownership checks, token replay defenses, and publish-audit logs accordingly. Sources: https://github.com/advisories/GHSA-95c3-6vvw-4mrq, https://github.com/modelcontextprotocol/registry/security/advisories/GHSA-95c3-6vvw-4mrq
- A catch-up pass over public MCP connector advisories adds a connector/server quality cue: URL-source binding, OpenAPI/reference fetcher egress controls, local output sandboxing, untrusted fetched-content handling, and authenticated loopback-only MCP HTTP transports are now recurring high-value boundaries for agent-integration programs. Sources: https://github.com/advisories/GHSA-7r34-79r5-rcc9, https://github.com/advisories/GHSA-3xm7-qw7j-qc8v, https://github.com/advisories/GHSA-v6ph-xcq9-qxxj, https://github.com/advisories/GHSA-hv85-774v-26fg, https://github.com/advisories/GHSA-fj4g-2p96-q6m3
- Spring AI MCP Security
GHSA-qjp4-4jvr-xqg3/CVE-2026-45609and Pydantic-AI MCP Run PythonGHSA-6fgp-m6q4-j3q5/CVE-2026-25904add a narrower MCP framework cue: OAuth metadata discovery, redirect/metadata URL canonicalization, localhost/private-network blocking, sandbox network defaults, and per-tool outbound policy are high-value boundaries when MCP servers, OAuth flows, or agent-tool runtimes are in scope. Sources: https://github.com/advisories/GHSA-qjp4-4jvr-xqg3, https://github.com/advisories/GHSA-6fgp-m6q4-j3q5 - Sentry Python SDK
GHSA-g92j-qhmh-64v2/CVE-2024-40647adds an observability/automation secret-boundary cue: instrumentation can change subprocess environment behavior. For Python CI, agents, and developer tooling, raise priority when subprocess wrappers, SDK monkeypatching, environment allowlists, and proofs that child tools do not inherit secrets are in scope. Sources: https://github.com/advisories/GHSA-g92j-qhmh-64v2, https://github.com/getsentry/sentry-python/security/advisories/GHSA-g92j-qhmh-64v2 - CVE-2026-29023 / GHSA-qrvr-jqxg-65rv adds a concrete Shannon control-plane scoring signal: a hard-coded router API key meant a reachable router component could authenticate with public static key material and proxy requests using the victim's configured upstream provider credentials. For AI security-testing programs, raise priority when their scope includes router/control-plane exposure, per-instance key generation and rotation, upstream LLM/API credential scoping, default localhost binds, proxy logging, and safe deployment documentation. Do not publish or reuse any static key material. Sources: https://github.com/advisories/GHSA-qrvr-jqxg-65rv, https://nvd.nist.gov/vuln/detail/CVE-2026-29023, https://www.vulncheck.com/advisories/keygraph-shannon-hard-coded-router-api-key
- The mitigating Shannon commit
023cc95also names adjacent high-EV seams: Docker service port binding, MCP subprocess environment inheritance, Playwright MCP dependency pinning, host IPC removal, prompt-template include traversal guards, and untrusted-repository prompt-injection warnings. Source: https://github.com/KeygraphHQ/shannon/commit/023cc953db742602964b7826105278d15c28a420 - A public Shannon issue and current Dockerfile add another runner-sandbox cue: global
git safe.directory '*'trust overrides can weaken repository ownership checks when arbitrary third-party repos are cloned for analysis. For AI/code-runner programs, raise priority when scope includes repository ingestion, per-job filesystem isolation, safe-directory allowlists, and hardening of Git/workspace trust boundaries. Sources: https://github.com/KeygraphHQ/shannon/issues/316, https://github.com/KeygraphHQ/shannon/blob/main/Dockerfile - Shannon issue #339 adds a reliability/scoping cue for AI-pentesting products: model/provider safety filters can block the exploit phase on authorized attack-payload prompts even when earlier recon phases succeed. Raise priority when programs document provider support, payload-safe validation modes, fallback routing, and logs that distinguish model-policy blocking from target-side evidence. Source: https://github.com/KeygraphHQ/shannon/issues/339
- A May 31 GitHub Advisory batch for Aider 0.86.3 adds a coding-agent target cue: pre-commit hook enforcement, architect/editor execution paths, generated-code sinks, and API-documentation fetchers/metadata blocking are all bounty-relevant local workflow boundaries when AI developer tools are in scope. Sources: https://github.com/advisories/GHSA-c3wr-3c4v-6rmh, https://github.com/advisories/GHSA-7w7m-v5vp-w699, https://github.com/advisories/GHSA-f9g4-qjmq-f49r, https://github.com/advisories/GHSA-hchg-qm84-cj9p
- A May 29 GitHub Advisory batch for PraisonAI adds a broader AI-agent platform cue: default JWT signing secrets, unauthenticated sample-agent/tool execution, MCP workflow file reads, code-execution sandbox escape, and prompt URL-fetch behavior are all high-EV boundaries when agent platforms or local workflow automation are in scope. Sources: https://github.com/advisories/GHSA-3qg8-5g3r-79v5, https://github.com/advisories/GHSA-vg22-4gmj-prxw, https://github.com/advisories/GHSA-9cr9-25q5-8prj, https://github.com/advisories/GHSA-4mr5-g6f9-cfrh, https://github.com/advisories/GHSA-5cxw-77wg-jrf3
- Git LFS `GHSA-6pvw-g552-53c5`/CVE-2025-26625 adds a repository-materialization cue for developer-tool and AI-code-agent targets: untrusted repo imports, LFS checkout/pull behavior, symlink/hard-link collision handling, protected-path writes, bare-repository handling, and per-job workspace isolation are all bounty-relevant when local workflow tooling is in scope. Source: https://github.com/advisories/GHSA-6pvw-g552-53c5
- LMDeploy `GHSA-6w67-hwm5-92mq`/CVE-2026-33626 adds a multimodal-inference SSRF cue: image/document URL fetchers, cloud metadata blocking, loopback/private-CIDR normalization, default API auth, inference-network segmentation, model-server IAM scoping, and fast patch SLAs are high-value boundaries when AI inference or agent platforms are in scope. CSA's May 2026 note says exploitation followed public disclosure within roughly 12 hours, so treat model-serving patch cadence as part of program quality. Sources: https://github.com/advisories/GHSA-6w67-hwm5-92mq, https://nvd.nist.gov/vuln/detail/CVE-2026-33626, https://labs.cloudsecurityalliance.org/research/csa-research-note-lmdeploy-cve-2026-33626-ai-inference-explo/
- LMDeploy `GHSA-9xq9-36w5-q796`/CVE-2026-46517 and `GHSA-m549-qq94-fvhg`/CVE-2026-46432 add a model-loading trust cue: a hard-coded `trust_remote_code=True` means model initialization can cross from artifact parsing into code execution. For inference/model-serving programs, raise priority when scope covers model-source allowlists, explicit remote-code opt-in, signed artifacts, sandboxed loaders, least-privilege runner users, and model provenance audit logs. Sources: https://github.com/advisories/GHSA-9xq9-36w5-q796, https://github.com/advisories/GHSA-m549-qq94-fvhg
- FastGPT CVE-2026-44286 and CVE-2026-44284 add an AI-agent workflow SSRF cue: URL fetchers in workflow nodes, MCP tool server URLs, stored configuration validation, preview/save/execution parity, metadata and loopback blocking, and workflow-runner egress controls are high-value boundaries when agent platforms or MCP-adjacent systems are in scope. Sources: https://nvd.nist.gov/vuln/detail/CVE-2026-44286, https://nvd.nist.gov/vuln/detail/CVE-2026-44284, https://github.com/labring/FastGPT/security/advisories/GHSA-xpx6-xcpf-76qg, https://github.com/labring/FastGPT/security/advisories/GHSA-cxxj-99f7-f5wq
- The broader May 29 PraisonAI Platform advisory batch adds a multi-tenant agent-platform cue: owner promotion, member removal, cross-workspace object/label/dependency access, activity-log exposure, arbitrary file write, and default unauthenticated API deployment all point to role-transition and workspace-ownership boundaries worth prioritizing when safe negative testing is explicitly allowed. Sources: https://github.com/advisories/GHSA-c2m8-4gcg-v22g, https://github.com/advisories/GHSA-w388-2392-px73, https://github.com/advisories/GHSA-5jx9-w35f-vp65, https://github.com/advisories/GHSA-4x6r-9v57-3gqw, https://github.com/advisories/GHSA-h37g-4h4p-9x97, https://github.com/advisories/GHSA-6h6v-6m7w-7vxx, https://github.com/advisories/GHSA-h8q5-cp56-rr65, https://github.com/advisories/GHSA-27p4-pjqv-whgj, https://github.com/advisories/GHSA-gv23-xrm3-8c62, https://github.com/advisories/GHSA-hvhp-v2gc-268q, https://github.com/advisories/GHSA-8444-4fhq-fxpq
- Additional PraisonAI advisories from the same May 29 batch add target cues for agent-call servers and helper tooling: unauthenticated call-server operations when a token is unset, spider-tool SSRF canonicalization gaps around alternate loopback host encodings, and dynamic module execution in generated-agent workflows. Raise priority when programs place call-server auth defaults, loopback/metadata URL normalization, dynamic import/plugin governance, and generated-agent pipeline isolation in scope. Sources: https://github.com/advisories/GHSA-86qc-r5v2-v6x6, https://github.com/advisories/GHSA-5c6w-wwfq-7qqm, https://github.com/advisories/GHSA-78r8-wwqv-r299
- The stigmem-node advisory set adds a federated AI-memory cue: peer-registration approval, mTLS/non-loopback defaults, plugin-signature override controls, and storage namespace handling are worth prioritizing when a program exposes agent memory, federation, plugin loading, or MCP-adjacent infrastructure to authorized testing. Sources: https://github.com/advisories/GHSA-9vp8-3hmv-8fgh, https://github.com/advisories/GHSA-jmfc-hfjq-pxcp, https://github.com/advisories/GHSA-w7pm-9g55-mxfm, https://github.com/advisories/GHSA-9pc9-4crj-mhpj
- A June 1 catch-up scan of April public advisories adds another AI-agent control-plane cue: event streams, agent instruction previews, approval allow-lists, and agent/API-key management routes need explicit authentication, tenant ownership checks, and default-deny deployment posture. Sources: https://github.com/advisories/GHSA-f292-66h9-fpmf, https://github.com/advisories/GHSA-pm96-6xpr-978x, https://github.com/advisories/GHSA-4wr3-f4p3-5wjh, https://github.com/advisories/GHSA-3xx2-mqjm-hg9x
Operator-quality cue from public releases (2026-05-29)¶
- Agentic-pentesting targets just gained a sharper scoring signal from KeygraphHQ/Shannon v1.4.0: authenticated preflight sessions can be shared across agents, `/etc/hosts` entries are forwarded into worker containers, and `fast-uri` was bumped for CVE-2026-6321. For AI security-testing programs, raise priority when their scope includes session custody between preflight and exploitation agents, runner cookie/token isolation, worker-container DNS/hosts behavior, URL parser boundaries, metadata/local-network blocking, and dependency patch cadence. Sources: https://github.com/KeygraphHQ/shannon/releases/tag/v1.4.0, https://github.com/KeygraphHQ/shannon/commit/7813baf16a9ca6ff76a8fcbd42cafdd84c0726dd, https://github.com/KeygraphHQ/shannon/commit/35f59f30f6a36676627ee44d7c23487e6d570b1b, https://github.com/KeygraphHQ/shannon/commit/8f5d639f0d95ce29be918c81fb3f35d73e25d671
Operator-quality cue from public releases (2026-05-27)¶
- Continuous agentic-pentesting products deserve an explicit watchlist bucket when their scope includes source-code ingestion, exploit execution, auth preflights, network egress checks, or local/container runner setup. KeygraphHQ/Shannon describes itself as an autonomous white-box AI pentester for web apps and APIs; its v1.3.0 release added auth-validation/email-login preflight support, blocked cloud metadata ranges in target URL checks, and hardened global npm installs with `--ignore-scripts`. Those are useful public signals for scoring AI security-testing targets: prioritize programs that document runner sandboxing, credential handling, target allow/block rules, and dependency-install boundaries. Sources: https://github.com/KeygraphHQ/shannon, https://github.com/KeygraphHQ/shannon/releases/tag/v1.3.0
Operator-quality cue from public advisories/research (2026-05-20)¶
- AI coding-agent and workspace-edit products deserve a sharper EV bucket after Hacktron's VS Code Copilot `applyPatch` tool TOCTOU writeup: prioritize programs where issue/PR-to-agent automation, exact-effect approval, protected-path writes, Codespaces/dev-token exposure, or repository-control-file policies are in scope. Source: https://www.hacktron.ai/blog/rce-in-vscode-copilot
- Identity federation disable/revoke paths are high-value when in scope. The May 20 Keycloak SAML broker advisory reinforces that "disabled IdP" must be enforced at every assertion/session-minting entrypoint, not just in admin UI discovery. Source: https://github.com/advisories/GHSA-x4p7-7chp-64hq
- Developer control planes and automation glue are still underpriced target surface: Rclone RC, MLflow model serving, setup-php workflows, Diffusers `trust_remote_code`, and project-local LLM filters all show how tooling defaults can cross command, tenant, or trust boundaries.
- JWT algorithm confusion and tenant-null authorization collapse remain practical identity seams. Prefer programs that explicitly include SSO, VPN/CAS, tenant/workspace administration, or support tooling in scope and allow safe negative testing.
Program-quality cue from community chatter (2026-04-04)¶
- Triage trust is still the strongest quality signal. Fresh Reddit chatter about boycotts, repeated N/A closures, and reward leakage reinforces that process quality can outweigh raw payout tables.
- AI governance / browser-control products deserve their own EV bucket. If a program’s value depends on observing prompts, shadow-AI use, or policy enforcement across browser-side and alternate data paths, score it higher than a generic SaaS with the same payout range.
- Supply-chain and release-provenance boundaries remain high-value. Public chatter around Cisco/Trivy and Adobe support compromise is another reminder that build pipelines, third-party support paths, and dependency trust are real attack surfaces when in scope.
- Metrics-minded teams care about evidence that maps to actual risk reduction. Programs that define acceptable proof, remediation metrics, and re-validation criteria tend to be easier to work with and to profit from.
- April 2’s heuristics still stand: prioritize programs that explain duplicate or “informative” closures, preserve context, and do not silently patch while refusing mediation.
- Community distrust itself is a selection signal: when hunters start talking about boycotts, duplicate gaming, or reward leakage, treat that as a durable warning that the program’s process quality may be degrading even if the technical surface is still interesting.
- Fairness for hard-to-demo classes is a selection signal in its own right: programs that clearly accept blind SSRF/OAST, authZ edge cases, cache poisoning, or desync-style evidence tend to have better ROI than programs that demand unsafe max-exploit proof.
- Browser-side AI governance and shadow-AI monitoring are now a distinct premium target class: products that can inspect prompts, extension traffic, or in-browser copilots are exposing a trust boundary, not just a DLP use case.
- Vulnerability-management process hygiene is a selection clue: if a team can't connect scan volume to risk reduction, expect weaker prioritization and slower remediation, which usually means more triage friction for researchers.
- Hidden build/bootstrap paths are still gold: CodeConnections-style connector tokens and CodeBuild pre-user-code requests are exactly the kind of seams that turn ordinary platform work into high-value trust-boundary research.
- Outsourced support and account-recovery paths should be scored as first-class attack surfaces whenever the program can influence identity, tickets, or escalation state.
Program-quality cue from community chatter (2026-04-02)¶
- April 2 Reddit chatter reinforced that triage transparency and contradiction handling matter more than raw payout numbers. Favor programs that explain duplicate or “informative” closures, preserve context, and don’t silently patch while refusing mediation.
- Community distrust itself is a selection signal: when hunters start talking about boycotts, duplicate gaming, or reward leakage, treat that as a durable warning that the program’s process quality may be degrading even if the technical surface is still interesting.
- AI/agent tooling programs should be weighted higher when they expose behavior-validation surfaces like sub-agents, retrieval, browser extensions, or tool-calling, because the high-EV bugs now live in state drift and wrong-tool execution as much as in prompt text.
- Governance and browser-side mediation products are now a separate EV bucket: if a target’s value depends on observing or constraining user prompts, shadow-AI usage, or policy-bypass paths outside inline controls, score it higher than an ordinary SaaS with similar payout tables.
- Build/release and dependency-provenance boundaries keep showing up in public incidents; if a program owns its own delivery pipeline or agent framework updates, treat patch cadence and version guidance as part of program quality.
- Fairness for hard-to-demo classes is a selection signal in its own right: programs that clearly accept blind SSRF/OAST, authZ edge cases, cache poisoning, or desync-style evidence tend to have better ROI than programs that demand unsafe max-exploit proof.
Program-quality cue from community chatter (2026-03-31)¶
- AskNetsec’s latest agent-validation discussion is another reminder that AI/tooling programs should be scored higher when they expose browser extensions, retrieval, sub-agents, or tool-calling flows. The EV is in behavior drift and policy bypass across alternate paths, not just prompt text visibility.
| Program | Priority | Reason | Program Page |
|---|---|---|---|
| Coinbase | 🚨 CRITICAL | Major crypto exchange, $50K+ critical bounties, 519 subdomains discovered | https://hackerone.com/coinbase |
| 1Password | 🔥 HIGH | Public page explicitly asks for creative researchers; scanners are unlikely to help, which usually means higher manual-EV surface | https://hackerone.com/1password |
| Akamai | 🔥 HIGH | Public soft-launch / invite-only posture focused on CDN/origin/proxy-layer trust boundaries | https://hackerone.com/akamai |
| Airlock Secure Access Hub | 🔥 HIGH | WAF + IAM platform protecting 30k+ apps; complex auth and edge paths tend to pay off | https://hackerone.com/airlock |
| Airbnb | 🔥 HIGH | Massive real-world workflow surface plus rich public disclosure history; strong candidate for authZ, recovery, and trust-boundary chains | https://hackerone.com/airbnb |
| Amazon VRP | 🔥 HIGH | Broad product surface with explicit reporting program and mature security posture; worth prioritizing for deep, chain-based testing | https://hackerone.com/amazonvrp |
| Anduril Industries | 🔥 HIGH | Explicit reproducibility expectations and a mature disclosure policy suggest structured triage and higher-value operational/defense surfaces | https://hackerone.com/anduril_industries |
| Atlassian | 🔥 HIGH | Large enterprise software surface with frequent releases and plenty of auth/workflow complexity | https://hackerone.com/atlassian |
| Basecamp | 🔥 HIGH | Publicly values researcher insight and pays for quality; workflow-heavy SaaS tends to reward careful manual work | https://hackerone.com/basecamp |
Historical Notes (recent activity)¶
- Uber: Consistent “BountyAwarded” activity during 2025-03..2025-08 with multiple awards per month.
- Eternal: Frequent awards in late August; steady reporter engagement.
- OKG: Notable award spikes mid-to-late August 2025.
- TikTok: Regular bounty activity; multiple awards in August 2025.
- Sheer: Lower absolute payouts but steady cadence of awards.
- GitLab: Smaller individual awards; consistent monthly activity.
- PayPal: Intermittent awards, including early September.
- Ferrero/MediaTek/Zooplus: High volume of resolved activity; limited public award amount exposure.
Program Quality Signals (Community/Operational Heuristics)¶
When two programs pay similar amounts, “program quality” often dominates expected value. Signals that repeatedly show up in community discussions:
- Clear impact standards (esp. for Blind SSRF / OAST findings):
  - Programs that document what evidence they accept (e.g., DNS/HTTP callbacks, timing-based internal reachability, status-code differentials, header leaks) reduce report churn.
  - Watch for programs that require data exfiltration only for SSRF; this can be a time sink unless you can safely demonstrate higher impact.
  - Bonus signal: they explicitly recognize internal network mapping / WAF-bypass-by-proxy / protocol pivot proofs as meaningful impact when exfiltration is unsafe or impractical.
- Fair, consistent triage:
  - Low "Informative / N/A" rates for valid vuln classes and predictable severity mapping.
  - Willingness to engage on nuance (business logic, chains, internal reachability) rather than rubber-stamping.
- Fast feedback loop:
  - Reasonable response SLAs, low ghosting, and credible mediation outcomes.
- Duplicate pressure vs. depth:
  - Programs with heavy "spray-and-pray" tooling overlap can have high duplicate rates; higher EV often comes from programs where manual, product-understanding bugs (logic, authZ, SSRF, cache poisoning/desync edge cases) are rewarded.
  - Community meta-signal: if hunters consistently report success with a "lighter" stack (proxy + notes + targeted automation), it often correlates with programs where understanding workflows beats running scanners.
- Scope quality:
  - Modern asset inventory (well-defined subdomain patterns, APIs, mobile, integrations) and explicit third-party boundaries.
- Disclosure and learning culture:
  - Public write-ups / hacktivity that show interesting classes being rewarded (authZ, SSRF, desync, supply-chain) are a strong indicator the program pays for real risk.
- Remediation posture (especially VDPs):
  - Some high-signal targets (e.g., government VDPs) can have very long remediation timelines. Great for reputation/impact, but low expected value if you're optimizing for payout/velocity.
- "Contribution surface" / CI-CD exposure:
  - Community write-ups about exploits starting from PR comments, CI pipelines, webhooks, integrations, or supply-chain touchpoints are a signal to prioritize programs where those surfaces are in scope (often higher severity, lower duplicate pressure).
Next Steps¶
- Review each program page and policy for current scope and exclusions
- Start or update program documentation directories using the templates
- Track changes to scope over time (dated entries)