Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,262
CVE-linked
1,866
Programs
343
New This Week
0
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 658 Improper Authentication - Generic 654 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Rate limit function bypass can leads to occur huge critical problem into website.
Courier Improper Access Control - Generic (CWE-284)
Medium
2021-01-08
████.
Omise Improper Access Control - Generic (CWE-284)
Medium
2021-01-02
CORS misconfiguration in TikTok ads portal
TikTok Improper Access Control - Generic (CWE-284)
Low
2020-12-30
Create an account on auth-sandbox.elastic.co with email @elastic.co or any other @domain.com
Elastic Improper Access Control - Generic (CWE-284)
High
2020-12-28
Internal API endpoint is accesible for everyone
WHO COVID-19 Mobile App Improper Access Control - Generic (CWE-284)
Medium
2020-12-28
User Able to Reopen a Ticket by Modify the Request
TikTok Improper Access Control - Generic (CWE-284)
Low
2020-12-18
Unrestricted File Upload Leads to RCE on mobile.starbucks.com.sg
Starbucks Improper Access Control - Generic (CWE-284)
Critical
2020-12-09
Low Privileged Staff Member Can Export Billing Charges
Shopify Improper Access Control - Generic (CWE-284)
Medium
2020-11-26
SharePoint Web Services Exposed to Anonymous Access
U.S. Dept Of Defense Improper Access Control - Generic (CWE-284)
Medium
2020-11-24
{███} It is posible download all information and files via S3 Bucket Misconfiguration
U.S. Dept Of Defense Improper Access Control - Generic (CWE-284)
Medium
2020-11-23
CORS misconfiguration which leads to the disclosure
U.S. Dept Of Defense Improper Access Control - Generic (CWE-284)
Medium
2020-11-23
Apparent ██████████ website is publicly exposed, suggests default account details on page and has expired SSL/TLS cert
U.S. Dept Of Defense Improper Access Control - Generic (CWE-284)
Low
2020-11-23
No Email Checking at Invitation Confirmation Link leads to Account Takeover without User Interaction at CrowdSignal
Automattic Improper Access Control - Generic (CWE-284)
Critical
2020-11-18
Can buy Atavist Magazine subscription for free
Automattic Improper Access Control - Generic (CWE-284)
High
2020-11-18
Captcha checker "pd-captcha_form_SURVEYID" cookie is accepting any value
Automattic Improper Access Control - Generic (CWE-284)
Medium
2020-11-18
Improper access control to messages of Social app
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2020-8278
Medium
2020-11-17
Improper Access Control in LINE Timeline API that returns a list of hidden friends
LY Corporation Improper Access Control - Generic (CWE-284)
Medium
2020-11-17
Forbidden access to https://apps-staging.pingone.com but "/packages.json" visible and full path disclosure
Ping Identity Improper Access Control - Generic (CWE-284)
Low
2020-11-16
Ticket Trick at https://account.acronis.com
Acronis Improper Access Control - Generic (CWE-284)
High
2020-11-10
Guest users can change the confidentiality attribute on those issues that have been assigned to them
GitLab Improper Access Control - Generic (CWE-284)
Low
2020-11-09
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817 $2,257
HackerOne609
Nextcloud584
Shopify465
curl464
Node.js third-party modules307
GitLab258
X / xAI250 $7,000
Uber239