Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
10
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Disavowed an email without any authentication
Liberapay Improper Access Control - Generic (CWE-284)
Medium
2023-07-31
Process-based permissions can be bypassed with the "inspector" module.
Node.js Improper Access Control - Generic (CWE-284)CVE-2023-30587
High
2023-07-20
fs.openAsBlob() bypasses permission system
Node.js Improper Access Control - Generic (CWE-284)CVE-2023-30583
Medium
2023-07-20
fs module's file watching is not restricted by --allow-fs-read
Node.js Improper Access Control - Generic (CWE-284)CVE-2023-30582
Medium
2023-07-20
[Hubs] - Broken access control in placing objects in hubs room
Mozilla Improper Access Control - Generic (CWE-284)
Medium
2023-07-20
Banned user still able to invited to reports as a collabrator and reset the password
HackerOne Improper Access Control - Generic (CWE-284)
Medium
2023-07-06
Rider can forcefully get passenger's order accepted resulting in multiple impacts including PII reveal and more mentioned in the report.
inDrive Improper Access Control - Generic (CWE-284)
High
2023-06-28
Docker Registry without authentication leads to docker images download
U.S. Dept Of Defense Improper Access Control - Generic (CWE-284)
Medium
2023-06-23
' Full Account Takeover ' at █████
Mars Improper Access Control - Generic (CWE-284)
Critical
2023-06-23
End-to-end encrypted file-drops can be made inaccessible
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2023-35173
High
2023-06-22
Error in Booking an appointment reveals the full path of the website
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2023-33183
Low
2023-06-18
Subdomain takeover http://accessday.opn.ooo/
Omise Improper Access Control - Generic (CWE-284)
Medium
2023-06-11
Leaks of username and password leads to CVE-2018-18862 exploitation
U.S. Dept Of Defense Improper Access Control - Generic (CWE-284)CVE-2018-18862
High
2023-06-02
Any one can view collaborater email address via path /reports/<id>/participants
HackerOne Improper Access Control - Generic (CWE-284)
Low
2023-06-01
Huge amount of Subdomains Takeovers at Reddit.com
Reddit Improper Access Control - Generic (CWE-284)
Medium
2023-05-18
Users can set up workflows using restricted and invisible system tags
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2023-30539
Medium
2023-05-17
LDAP Server NULL Bind Connection Information Disclosure
U.S. Dept Of Defense Improper Access Control - Generic (CWE-284)
High
2023-05-15
Delete any LinkedIn comment on learning API of other users
LinkedIn Improper Access Control - Generic (CWE-284)
Medium
2023-05-12
LDAP anonymous access enabled at certrep.pki.state.gov:389
U.S. Department of State Improper Access Control - Generic (CWE-284)
Medium
2023-05-11
Reset password link sent over unsecured http protocol
Mattermost Improper Access Control - Generic (CWE-284)
High
2023-05-10
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895