Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
9
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
SharePoint Web Services Exposed to Anonymous Access Users
U.S. Dept Of Defense Improper Access Control - Generic (CWE-284)
Medium
2020-07-14
multiple email usage -my.stripo.email-
Stripo Inc Improper Access Control - Generic (CWE-284)
Medium
2020-07-03
User with removed manage shops permissions is still able to make changes to a shop
Shopify Improper Access Control - Generic (CWE-284)
Medium
2020-06-12
Improper Access Control in Buddypress core allows reply,delete any user's activity
WordPress Improper Access Control - Generic (CWE-284)
Medium
2020-05-22
SharePoint exposed web services in a subdomain
MTN Group Improper Access Control - Generic (CWE-284)
Medium
2020-05-16
No ACL on S3 Bucket in [https://www.██████████/]
U.S. Dept Of Defense Improper Access Control - Generic (CWE-284)
Medium
2020-05-14
Sourcemaps and Unminified Source Code Exposed on Pages
Imgur Improper Access Control - Generic (CWE-284)
Medium
2020-05-07
API - Amazon S3 bucket misconfiguration
BCM Messenger Improper Access Control - Generic (CWE-284)
Medium
2020-04-14
Unrestricted access to any "connected pack" on docs
Superhuman (formerly Grammarly) Improper Access Control - Generic (CWE-284)
Medium
2020-04-14
User can delete data in shared folders he's not autorized to access
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2020-8153
Medium
2020-04-10
Subdomain takeover on mta1a1.spmail.uber.com
Uber Improper Access Control - Generic (CWE-284)
Medium
2020-04-06
Information Disclosure FrontPage Configuration Information /_vti_inf.html in https://www.mtn.co.za/
MTN Group Improper Access Control - Generic (CWE-284)
Medium
2020-04-03
Unauthenticated users can obtain information about Checklist objects with unclaimed ChecklistCheck objects
HackerOne Improper Access Control - Generic (CWE-284)
Medium
2020-03-20
xmlrpc.php is enabled - Nextcloud
Nextcloud Improper Access Control - Generic (CWE-284)
Medium
2020-03-01
Race condition (TOCTOU) in NordVPN can result in local privilege escalation
Nord Security Improper Access Control - Generic (CWE-284)
Medium
2020-02-21
Cross Origin Resource Sharing Misconfiguration | Lead to sensitive information
Nord Security Improper Access Control - Generic (CWE-284)
Medium
2020-02-21
CORS Misconfiguration on nordvpn.com leading to Private Information Disclosure,Account takeover
Nord Security Improper Access Control - Generic (CWE-284)
Medium
2020-02-21
Potential leak of server side software at repogohi.nordvpn.com
Nord Security Improper Access Control - Generic (CWE-284)
Medium
2020-02-16
Share recipient can modify a share's expiration date
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2020-8122
Medium
2020-01-31
Update App Store: Django account high jacking vulnerability
Nextcloud Improper Access Control - Generic (CWE-284)
Medium
2020-01-31
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895