Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
14
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Program filter: shopify
subdomain Takeover at blog.exchangemarketplace.com
Shopify
Low
2018-10-01
Stored XSS on buy button
Shopify Cross-site Scripting (XSS) - Stored (CWE-79)
Low
2018-09-29
Open redirection in OAuth
Shopify Open Redirect (CWE-601)
Low
2018-09-24
Unauthenticated access to Zendesk tickets through athena-flex-production.shopifycloud.com Okta bypass
Shopify Improper Authentication - Generic (CWE-287)
Critical
2018-09-19
From full-access account to Account Owner
Shopify Privilege Escalation (CAPEC-233)
Unknown
2018-09-18
Stored XSS on activity
Shopify Cross-site Scripting (XSS) - Stored (CWE-79)
High
2018-08-14
Preview bar: Incomplete message origin validation results in XSS
Shopify Cross-site Scripting (XSS) - DOM (CWE-79)
Medium
2018-07-26
Potential SSRF and disclosure of sensitive site on *shopifycloud.com
Shopify Server-Side Request Forgery (SSRF) (CWE-918)
Low
2018-07-19
[out-of-scope] toxiproxy: Lack of CSRF protection allows an attacker to gain access to internal Shopify network
Shopify Server-Side Request Forgery (SSRF) (CWE-918)
Medium
2018-07-11
Subdomain Takeover - https://competition.shopify.com/
Shopify Privilege Escalation (CAPEC-233)
Medium
2018-06-19
Improper access check by Kit leads to controlling attributes of store & getting analytics by deleted Store member via dual messenger A/C
Shopify Improper Access Control - Generic (CWE-284)
Low
2018-06-15
Publicly Accessible Datadog link
Shopify Information Disclosure (CWE-200)
None
2018-06-15
SSRF in Exchange leads to ROOT access in all instances
Shopify Server-Side Request Forgery (SSRF) (CWE-918)
Medium
2018-05-23
ability to install paid themes for free
Shopify Improper Access Control - Generic (CWE-284)
Medium
2018-05-16
Potential to abuse pricing errors in saved carts
Shopify Business Logic Errors (CWE-840)
Medium
2018-05-02
Replace other user files in Inbox messages
Shopify Insecure Direct Object Reference (IDOR) (CWE-639)
Medium
2018-05-01
Stored XSS in partners dashboard
Shopify Cross-site Scripting (XSS) - Stored (CWE-79)
Low
2018-04-18
Order notifications being sent for a deactivated staff account
Shopify Improper Authorization (CWE-285)
Low
2018-04-12
XSS *.myshopify.com/collections/vendors?q=
Shopify Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2018-04-08
XSS on "widgets.shopifyapps.com" via "stripping" attribute and "shop" parameter
Shopify Cross-site Scripting (XSS) - DOM (CWE-79)
None
2018-04-03
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895