Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
10
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Program filter: shopify
[h1-2102] Break permissions waterfall
Shopify
Low
2022-02-12
Bypass For #997350 your-store.myshopify.com preview link is leak on third party website Via Online Store
Shopify Improper Authentication - Generic (CWE-287)
Low
2022-02-10
Orders full read for a staff with only `Customers` permissions.
Shopify Improper Access Control - Generic (CWE-284)
Low
2022-02-10
staffOrderNotificationSubscriptionDelete Could Be Used By Staff Member With Settings Permission
Shopify Improper Authorization (CWE-285)
Low
2022-02-09
staffOrderNotificationSubscriptionCreate Is Not Blocked Entirely From Staff Member With Settings Permission
Shopify Improper Authorization (CWE-285)
Low
2022-02-09
Xss At Shopify Email App
Shopify Cross-site Scripting (XSS) - Generic (CWE-79)
Low
2021-12-24
[h1-2102] Wholesale - CSRF to Generate Invitation Token for a Customer and Move Customer to Invited Status
Shopify Cross-Site Request Forgery (CSRF) (CWE-352)
Low
2021-12-06
[h1-2102] [Yaworski's Broskis] Suspected overcharge and chargebacks in PoS
Shopify Business Logic Errors (CWE-840)
Low
2021-12-03
Ability to add address without being an admin or staff in the store via wholesale store
Shopify
Low
2021-12-03
Bypassing HTML filter in "Packing Slip Template" Lead to SSRF to Internal Kubernetes Endpoints
Shopify Server Side Request Forgery (CAPEC-664)
Low
2021-12-02
Insufficient session expiration in the **com.shopify.ping** android app
Shopify Insufficient Session Expiration (CWE-613)
Low
2021-11-26
Shopify.com Web Cache Deception vulnerability leads to personal information and CSRF tokens leakage
Shopify Violation of Secure Design Principles (CWE-657)
Low
2021-10-21
Store Deletion or Sell without authentication
Shopify Improper Authentication - Generic (CWE-287)
Low
2021-10-21
Low Privileged user can add or remove cash to/from sales register
Shopify Privilege Escalation (CAPEC-233)
Low
2021-06-16
The POS app doesn't revoke the Xauth token
Shopify Insufficient Session Expiration (CWE-613)
Low
2021-04-08
Staff with no permissions could possibly list and accept billing promotions
Shopify Improper Access Control - Generic (CWE-284)
Low
2021-04-08
xss on polaris.shopify.com/demo using postMessage
Shopify Cross-site Scripting (XSS) - DOM (CWE-79)
Low
2021-02-11
The authentication code when activating 2FA can be used again to log in
Shopify Improper Access Control - Generic (CWE-284)
Low
2021-02-11
Inject page in admin panel via Shopify.API.pushState [New Payload]
Shopify Cross-site Scripting (XSS) - DOM (CWE-79)
Low
2020-12-27
Inject page in admin panel via Shopify.API.pushState with protocol invalid
Shopify Cross-site Scripting (XSS) - DOM (CWE-79)
Low
2020-12-27
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895