Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
10
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Found Origin IP's lead to access to gitlab
GitLab Improper Access Control - Generic (CWE-284)
Medium
2022-08-02
Open S3 Bucket Accessible by any Aws User
GoCD Improper Access Control - Generic (CWE-284)
None
2022-07-31
Possible to make restricted files public on Phabricator via Diffusion
Phabricator Improper Access Control - Generic (CWE-284)
Unknown
2022-07-29
unauth mosquitto ( client emails, ips, license keys exposure )
Acronis Improper Access Control - Generic (CWE-284)
Medium
2022-07-18
Github base action takeover which is used in `github.com/Shopify/unity-buy-sdk`
Shopify Improper Access Control - Generic (CWE-284)
Low
2022-07-12
[h1-2102] Improper Access Control at https://shopify.plus/[id]/users/api in operation UpdateOrganizationUserTfaEnforcement
Shopify Improper Access Control - Generic (CWE-284)
Medium
2022-07-11
Collaborators and Staff members without all necessary permissions are able to create, edit and install custom apps
Shopify Improper Access Control - Generic (CWE-284)
Medium
2022-07-11
Theme editor `oseid` parameter is leaked to third-party services through the `Referer` header which leads to somekind of storefront password bypass.
Shopify Improper Access Control - Generic (CWE-284)
Low
2022-07-11
Unauthorized packages modification or secrets exfiltration via GitHub actions
Linux Foundation Decentralized Trust Improper Access Control - Generic (CWE-284)
High
2022-07-08
Federated editing allows iframing possibly malicious remotes
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2022-31024
Low
2022-07-02
Unauthorized Access to Internal Server Panel without Authentication
U.S. Dept Of Defense Improper Access Control - Generic (CWE-284)
Medium
2022-06-27
Authentication token and CSRF token bypass
Enjin Improper Access Control - Generic (CWE-284)
High
2022-06-19
"External status checks" can be accepted by users below developer access if the user is either author or assignee of the target merge request
GitLab Improper Access Control - Generic (CWE-284)
Medium
2022-06-08
Store Admin Page Accessible Without Authentication at http://www.grouplogic.com/ADMIN/store/index.cfm
Acronis Improper Access Control - Generic (CWE-284)
Medium
2022-06-07
Github Account Takeover from Docs page of `kubernetes-csi.github.io`
Kubernetes Improper Access Control - Generic (CWE-284)
Low
2022-06-04
Deprecated owners.query API bypasses object view policy
Phabricator Improper Access Control - Generic (CWE-284)
Unknown
2022-05-31
Waitlist bypass for accessing SIGN.PLUS Beta
Alohi Improper Access Control - Generic (CWE-284)
Low
2022-05-30
[com.exness.android.pa Android] Universal XSS in webview. Lead to steal user cookies
EXNESS Improper Access Control - Generic (CWE-284)
Low
2022-05-24
Sensitive files/ data exists post deletion of user account
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2022-29160
Low
2022-05-20
error parse uri path in curl
curl Improper Access Control - Generic (CWE-284)
High
2022-05-13
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895