Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
10
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
user with no draft order permission can still perform action on draft order's in stocky app (idor)
Shopify Improper Authentication - Generic (CWE-287)
Unknown
2020-07-14
[www.stripo.email] There is no rate limit for /it/contact-us/ endpoints
Stripo Inc Improper Authentication - Generic (CWE-287)
Low
2020-07-03
Bypassing Digits origin validation which leads to account takeover
X / xAI Improper Authentication - Generic (CWE-287)
Unknown
2020-06-24
SAML authentication bypass
Rocket.Chat Improper Authentication - Generic (CWE-287)
High
2020-06-18
[H1-2006 2020] Multiple vulnerabilities lead to CEO account takeover and paid bounties
h1-ctf Improper Authentication - Generic (CWE-287)
Critical
2020-06-18
AWS S3 bucket writeable for authenticated AWS users
Nutanix Improper Authentication - Generic (CWE-287)
None
2020-05-26
████ - Complete account takeover
U.S. Dept Of Defense Improper Authentication - Generic (CWE-287)
Critical
2020-05-11
█████ - Pre-generation of VIEWSTATE allows CAC bypass
U.S. Dept Of Defense Improper Authentication - Generic (CWE-287)
Critical
2020-05-11
India - OTP bypass on Phone number verification for account creation
Starbucks Improper Authentication - Generic (CWE-287)
Medium
2020-04-21
Outdated Coturn is vulnerable to known vulnerabilities (High)
8x8 Improper Authentication - Generic (CWE-287)CVE-2018-4059CVE-2018-4056CVE-2018-4058CVE-2020-6062CVE-2020-6061
High
2020-04-13
Account Take over of millions of MTN users account due to lack of Rate limiting when sending OTP code
MTN Group Improper Authentication - Generic (CWE-287)
High
2020-04-13
Unauthenticated request allows changing hostname
Ubiquiti Inc. Improper Authentication - Generic (CWE-287)CVE-2020-8148
Medium
2020-04-10
Account Takeover with old password and login QR
BCM Messenger Improper Authentication - Generic (CWE-287)
None
2020-03-12
Talk - Leak of password-protected room name via already existent resource addition
Nextcloud Improper Authentication - Generic (CWE-287)CVE-2019-15620
Low
2020-03-01
Bypass configured 2FA provider with another provider that can be set up at login
Nextcloud Improper Authentication - Generic (CWE-287)CVE-2019-15617
Medium
2020-03-01
No Rate Limit On Forgot Password Page Of affiliates.nordvpn.com
Nord Security Improper Authentication - Generic (CWE-287)
Medium
2020-02-24
Bypassing Verify Humans Page
Stellar.org Improper Authentication - Generic (CWE-287)
None
2020-02-23
Email address is not validated, No Rate Limit and RCE On Forgot Password Page Of affiliates.nordvpn.com
Nord Security Improper Authentication - Generic (CWE-287)
Medium
2020-02-21
Broken Authentication and session management OWASP A2
WakaTime Improper Authentication - Generic (CWE-287)
Unknown
2020-02-19
No Rate Limit On Forgot Password Page Of NordVPN
Nord Security Improper Authentication - Generic (CWE-287)
Medium
2020-02-08
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895