Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports

12,219

CVE-linked

1,854

Programs

342

New This Week

Severity: All Critical High Medium Low

Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375

Administration Authentication Bypass on https://█████

U.S. Dept Of Defense Improper Authentication - Generic (CWE-287)

Critical

2021-04-20

Authentication bypass and RCE on the https://████ due to exposed Cisco TelePresence SX80 with default credentials

U.S. Dept Of Defense Improper Authentication - Generic (CWE-287)

Critical

2021-01-12

Absence of Token expiry leads to Unauthorized login Access

Affirm Improper Authentication - Generic (CWE-287)

Critical

2020-12-01

https://██████ vulnerable to CVE-2020-3187 - Unauthenticated arbitrary file deletion in Cisco ASA/FTD

U.S. Dept Of Defense Improper Authentication - Generic (CWE-287)CVE-2020-3187

Critical

2020-11-23

[H1-2006 2020] Multiple vulnerabilities lead to CEO account takeover and paid bounties

h1-ctf Improper Authentication - Generic (CWE-287)

Critical

2020-06-18

████ - Complete account takeover

U.S. Dept Of Defense Improper Authentication - Generic (CWE-287)

Critical

2020-05-11

█████ - Pre-generation of VIEWSTATE allows CAC bypass

U.S. Dept Of Defense Improper Authentication - Generic (CWE-287)

Critical

2020-05-11

[h1-415 2020] My writeup on how to retrieve the special secret document

h1-ctf Improper Authentication - Generic (CWE-287)

Critical

2020-02-03

H1514 [*.(my)shopify.com] - Viewing Password Protected Content

Shopify Improper Authentication - Generic (CWE-287)

Critical

2019-05-22

Redirect on authorization allows account compromise

GSA Bounty Improper Authentication - Generic (CWE-287)

Critical

2018-11-06

Unauthenticated access to Zendesk tickets through athena-flex-production.shopifycloud.com Okta bypass

Shopify Improper Authentication - Generic (CWE-287)

Critical

2018-09-19

Unauthorized access to jiratest.starbucks.com

Starbucks Improper Authentication - Generic (CWE-287)

Critical

2018-05-30

Access to GitLab's Slack by abusing issue creation from e-mail

GitLab Improper Authentication - Generic (CWE-287)

Critical

2017-09-21

Ability to log in as any user without authentication if █████████ is empty

Ubiquiti Inc. Improper Authentication - Generic (CWE-287)

Critical

2017-08-08

Authentication bypass on auth.uber.com via subdomain takeover of saostatic.uber.com

Uber Improper Authentication - Generic (CWE-287)

Critical

2017-07-13

Subdomain Takeover on http://blog.owox.com/

OWOX, Inc. Improper Authentication - Generic (CWE-287)

Critical

2017-05-22

Subdomain Takeover on OWOX.RU

OWOX, Inc. Improper Authentication - Generic (CWE-287)

Critical

2017-05-22

Broken Authentication & Session Management (Login Bypass) at support.owox.com

OWOX, Inc. Improper Authentication - Generic (CWE-287)

Critical

2017-05-22

password reset token leaking allowed for ATO of an Uber account

Uber Improper Authentication - Generic (CWE-287)

Critical

2017-05-17

Broken Authentication & Session Management - Failure to Invalidate Session on all other browsers at Password change

Paragon Initiative Enterprises Improper Authentication - Generic (CWE-287)

Critical

2017-05-07

Top Weakness Types

Most Active Programs

Program	Reports	Max $
U.S. Dept Of Defense	896	—
Internet Bug Bounty	817	—
HackerOne	609	—
Nextcloud	582	—
Shopify	464	—
curl	439	—
Node.js third-party modules	307	—
GitLab	258	—
X / xAI	250	$2,500
Uber	239	$9,895

Goal Reached Thanks to every supporter — we hit 100%!

Bug Bounty Intelligence