Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
10
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Password reset link remains valid after email change
Nextcloud Improper Authentication - Generic (CWE-287)
Unknown
2016-12-13
BruteForce in to Admin Account
Nextcloud Improper Authentication - Generic (CWE-287)
High
2016-12-04
Rate-limit bypass
Slack Improper Authentication - Generic (CWE-287)
Unknown
2016-11-28
AWS Signature Disclosure in www.digitalsellz.com allows access to S3
DigitalSellz Improper Authentication - Generic (CWE-287)
High
2016-11-27
Unauthorized team members can leak information and see all API calls through /1/admin/* endpoints, even after they have been removed.
Algolia Improper Authentication - Generic (CWE-287)
Unknown
2016-11-27
SMB User Authentication Bypass and Persistence
ownCloud Improper Authentication - Generic (CWE-287)CVE-2016-9463
Unknown
2016-11-26
Bypassing "You've requested your data the maximum number of times today." + "Please Verify an email address with snapchat to continue"
Snapchat Improper Authentication - Generic (CWE-287)
Unknown
2016-11-25
User with no permissions can access full wdcalendar feed
drchrono Improper Authentication - Generic (CWE-287)
Unknown
2016-11-25
User with no permissions can create, edit, delete favorite prescriptions /erx/
drchrono Improper Authentication - Generic (CWE-287)
Unknown
2016-11-25
Unauthenticated Docker registry
Imgur Improper Authentication - Generic (CWE-287)
Unknown
2016-11-22
Subdomain Takeover on http://kiosk.owox.com/
OWOX, Inc. Improper Authentication - Generic (CWE-287)
Critical
2016-11-17
Unsecured Grafana instance
Pushwoosh Improper Authentication - Generic (CWE-287)
Critical
2016-11-15
No rate-limit in SERVER_SECURITY_CHECK
Bumble Improper Authentication - Generic (CWE-287)
Low
2016-11-10
[oneclickdrsfdc-test.informatica.com] Tomcat Example Scripts Exposed Unauthenticated
Informatica Improper Authentication - Generic (CWE-287)
Low
2016-11-02
Bybass The Closing of the account and logged again to your account
Yelp Improper Authentication - Generic (CWE-287)
Unknown
2016-10-21
Users can falsely declare their own Uber account info on the monthly billing application
Uber Improper Authentication - Generic (CWE-287)
Unknown
2016-10-20
Authentication bypass leads to sensitive data exposure (token+secret)
Slack Improper Authentication - Generic (CWE-287)
Unknown
2016-10-19
password less login token expiration issue
Shopify Improper Authentication - Generic (CWE-287)
Unknown
2016-10-19
Missing access control exposing detailed information on all users
WP API Improper Authentication - Generic (CWE-287)
Unknown
2016-10-17
Subdomain Takeover of Brave.com
Brave Software Improper Authentication - Generic (CWE-287)
None
2016-10-14
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895