Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
11
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Program filter: uber
pam_ussh does not properly validate the SSH certificate authority
Uber Improper Authentication - Generic (CWE-287)
Medium
2021-07-21
Chained Bugs to Leak Victim's Uber's FB Oauth Token
Uber Improper Authentication - Generic (CWE-287)
High
2019-01-25
Open Redirect on central.uber.com allows for account takeover
Uber Improper Authentication - Generic (CWE-287)
High
2019-01-25
SMS URL verification link does not expire on phone number change and lacks rate limiting
Uber Improper Authentication - Generic (CWE-287)
Low
2018-12-19
Physical Access to Mobile App Allows Local Attribute Updates without Authentication
Uber Improper Authentication - Generic (CWE-287)
None
2018-12-19
SMS/Call spamming due to truncated phone number
Uber Improper Authentication - Generic (CWE-287)
Low
2018-11-13
No rate limiting on https://biz.uber.com/confirm allowed an attacker to join arbitrary business.uber.com accounts
Uber Improper Authentication - Generic (CWE-287)
Medium
2018-11-13
Configuration and/or source code files on uchat-staging.uberinternal.com can be viewed without OneLogin SSO Authentication
Uber Improper Authentication - Generic (CWE-287)CVE-2005-2169CVE-2005-0202
Medium
2017-12-26
It's possible to view configuration and/or source code on uchat.awscorp.uberinternal.com without
Uber Improper Authentication - Generic (CWE-287)CVE-2005-2169CVE-2005-0202
Medium
2017-12-26
SAML Authentication Bypass on uchat.uberinternal.com
Uber Improper Authentication - Generic (CWE-287)
High
2017-09-05
Authentication bypass on auth.uber.com via subdomain takeover of saostatic.uber.com
Uber Improper Authentication - Generic (CWE-287)
Critical
2017-07-13
password reset token leaking allowed for ATO of an Uber account
Uber Improper Authentication - Generic (CWE-287)
Critical
2017-05-17
pam-ussh may be tricked into using another logged in user's ssh-agent
Uber Improper Authentication - Generic (CWE-287)
Medium
2017-03-20
Users can falsely declare their own Uber account info on the monthly billing application
Uber Improper Authentication - Generic (CWE-287)
Unknown
2016-10-20
Reading Emails in Uber Subdomains
Uber Improper Authentication - Generic (CWE-287)
Unknown
2016-09-14
Get organization info base on uuid
Uber Improper Authentication - Generic (CWE-287)
Unknown
2016-09-02
Wordpress Vulnerabilities in transparencyreport.uber.com and eng.uber.com domains
Uber Improper Authentication - Generic (CWE-287)
Unknown
2016-08-24
[IODR] Get business trip via organization id
Uber Improper Authentication - Generic (CWE-287)
Unknown
2016-08-15
[CRITICAL] -- Complete Account Takeover
Uber Improper Authentication - Generic (CWE-287)
Unknown
2016-08-15
Missing authentication on Notification setting .
Uber Improper Authentication - Generic (CWE-287)
Unknown
2016-07-26
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895