Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,220
CVE-linked
1,854
Programs
342
New This Week
8
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
No Valid SPF Records/don't have DMARC record
UPchieve Improper Access Control - Generic (CWE-284)
Critical
2021-05-18
Zero click account Takeover due to Api misconfiguration 🏂🎩
UPchieve Improper Access Control - Generic (CWE-284)
Critical
2021-05-14
Full account takeover of any user through reset password
UPchieve Improper Access Control - Generic (CWE-284)
Critical
2021-05-14
Subdomain Takeover At the Main Domain Of Your Site
Sifchain Improper Access Control - Generic (CWE-284)
Low
2021-05-07
Improper access control in place for "member only" groups via root.YUI_config.flickr.api.site_key
Flickr Improper Access Control - Generic (CWE-284)
Medium
2021-05-03
Unexpected federated shares added via public link
Nextcloud Improper Access Control - Generic (CWE-284)
Medium
2021-04-26
PI leakage By Brute Forcing and Phone number deleting without using password
X / xAI Improper Access Control - Generic (CWE-284)
Medium
2021-04-22
bypassing dashboard without account + Information disclosure trough websockets
Nextcloud Improper Access Control - Generic (CWE-284)
High
2021-04-20
Staff with no permissions could possibly list and accept billing promotions
Shopify Improper Access Control - Generic (CWE-284)
Low
2021-04-08
Improper Access Control - Generic on https://████
U.S. Dept Of Defense Improper Access Control - Generic (CWE-284)
High
2021-04-02
Access control issue on invoice documents downloading feature.
Moneybird Improper Access Control - Generic (CWE-284)
Low
2021-04-01
[Fixed] KIS for macOS is vulnerable to AV bypass due to improper client authorization on XPC service
Kaspersky Improper Access Control - Generic (CWE-284)CVE-2021-26718
Medium
2021-04-01
Account Confirmation bypass leads to acess some fucntionality
Acronis Improper Access Control - Generic (CWE-284)
Medium
2021-03-30
Revoked User can still view the Merge Request created by him via API
GitLab Improper Access Control - Generic (CWE-284)
Medium
2021-03-15
param allows any external resource to be downloadable | https://████████
U.S. Dept Of Defense Improper Access Control - Generic (CWE-284)
High
2021-03-11
Sensitive information of helpdesk is being leaked.
Lark Technologies Improper Access Control - Generic (CWE-284)
Medium
2021-03-06
Unauthorized access to █████████.com allows access to Uber Brazil tax documents and system.
Uber Improper Access Control - Generic (CWE-284)
Low
2021-03-06
The password of a mail share is not set if the password is given when the share is created (Nextcloud < 18)
Nextcloud Improper Access Control - Generic (CWE-284)
Low
2021-03-04
Acting under any different user via DB-stored credentials
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2021-22877
High
2021-03-01
DNS rebinding in --inspect (insufficient fix of CVE-2018-7160)
Node.js Improper Access Control - Generic (CWE-284)CVE-2021-22884CVE-2018-7160
High
2021-02-23
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258 $1,730
X / xAI250 $2,500
Uber239 $9,895