Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
10
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
[www.drive2.ru] Insufficient Security Configurability - The user can using the same password as your current ID.
DRIVE.NET, Inc. Improper Authentication - Generic (CWE-287)
Low
2020-10-23
[www.drive2.ru] Insufficient Security Configurability - Notification email is not sent when email is changed.
DRIVE.NET, Inc. Improper Authentication - Generic (CWE-287)
Low
2020-10-23
[www.drive2.ru] Insufficient Security Configurability - Email notification is not being sent while changing passwords
DRIVE.NET, Inc. Improper Authentication - Generic (CWE-287)
Low
2020-10-22
SAML Response Reuse on hackerone.com/users/saml/auth
HackerOne Improper Authentication - Generic (CWE-287)
Low
2020-07-24
[www.stripo.email] There is no rate limit for /it/contact-us/ endpoints
Stripo Inc Improper Authentication - Generic (CWE-287)
Low
2020-07-03
Talk - Leak of password-protected room name via already existent resource addition
Nextcloud Improper Authentication - Generic (CWE-287)CVE-2019-15620
Low
2020-03-01
Staging Rabbitmq instance is exposed to the internet with default credentials
Unikrn Improper Authentication - Generic (CWE-287)
Low
2019-12-09
Last pipeline status for MR leaked
GitLab Improper Authentication - Generic (CWE-287)
Low
2019-10-01
Bypass of biometrics security functionality is possible in Android application (com.shopify.mobile)
Shopify Improper Authentication - Generic (CWE-287)
Low
2019-08-14
Bypassing lock protection
Nextcloud Improper Authentication - Generic (CWE-287)CVE-2019-5455
Low
2019-07-26
Cross Domain leakage of sensitive information - Leading to Account Takeover at Instagram Brand
Automattic Improper Authentication - Generic (CWE-287)
Low
2019-06-22
Deleting other people's comments on ModeratorMessages
Valve Improper Authentication - Generic (CWE-287)
Low
2019-01-23
SMS URL verification link does not expire on phone number change and lacks rate limiting
Uber Improper Authentication - Generic (CWE-287)
Low
2018-12-19
SMS/Call spamming due to truncated phone number
Uber Improper Authentication - Generic (CWE-287)
Low
2018-11-13
twofactor_auth bypassable if provider fails to load
Nextcloud Improper Authentication - Generic (CWE-287)CVE-2018-16465
Low
2018-09-27
Administrator can create user without entering high security mode
Phabricator Improper Authentication - Generic (CWE-287)
Low
2018-05-22
CORS (Cross-Origin Resource Sharing)
Semrush Improper Authentication - Generic (CWE-287)
Low
2018-03-20
Cross-origin resource sharing misconfig
Semrush Improper Authentication - Generic (CWE-287)
Low
2018-03-13
Oauth flow on the comments widget login can lead to the access code leakage
Ed Improper Authentication - Generic (CWE-287)
Low
2017-11-24
Can link to websites from profile
WakaTime Improper Authentication - Generic (CWE-287)
Low
2017-10-07
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895