Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
10
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Missing authentication on Notification setting .
Uber Improper Authentication - Generic (CWE-287)
Unknown
2016-07-26
Uber for Business Allows Administrators to Change Uber Driver Ratings Due to Failure to Authenticate `fast-rating` Endpoint
Uber Improper Authentication - Generic (CWE-287)
Unknown
2016-07-26
Defect-Security | Driver-Broken Authentication | Able to update the Subscription Setting anonymously
Uber Improper Authentication - Generic (CWE-287)
Unknown
2016-07-26
User credentials are not strong on vault.uber.com
Uber Improper Authentication - Generic (CWE-287)
Unknown
2016-07-26
Can add employee in business.uber.com without add payment method
Uber Improper Authentication - Generic (CWE-287)
Unknown
2016-07-26
An adversary can overwhelm the resources by automating Forgot password/Sign Up requests
Coinbase Improper Authentication - Generic (CWE-287)
Unknown
2016-07-24
Read-only share recipient can restore old versions of file
Nextcloud Improper Authentication - Generic (CWE-287)CVE-2016-9462
Unknown
2016-07-19
Uploading files to a folder where invited user don't have any EDIT privilege
Nextcloud Improper Authentication - Generic (CWE-287)CVE-2016-9461
Unknown
2016-07-19
Stealing livechat token and using it to chat as the user - user information disclosure
Shopify Improper Authentication - Generic (CWE-287)
Unknown
2016-07-19
newsletter.nextcloud.com: Bypass firewall protection
Nextcloud Improper Authentication - Generic (CWE-287)
Unknown
2016-07-18
The application uses basic authentication.
Nextcloud Improper Authentication - Generic (CWE-287)
Unknown
2016-07-18
Authentication Bypass on Icinga monitoring server
Shopify Improper Authentication - Generic (CWE-287)
Unknown
2016-07-17
User enumeration in wp-admin
Ian Dunn Improper Authentication - Generic (CWE-287)
Unknown
2016-07-16
Change any Uber user's password through /rt/users/passwordless-signup - Account Takeover (critical)
Uber Improper Authentication - Generic (CWE-287)
Unknown
2016-07-14
Administrator access to a Django Administration Panel on *.sc-corp.net via bruteforced credentials
Snapchat Improper Authentication - Generic (CWE-287)
Unknown
2016-07-14
strengthen Diffie-Hellman (DH) key exchange parameters in grtp.co
Gratipay Improper Authentication - Generic (CWE-287)
Low
2016-07-14
[Critical] - Steal OAuth Tokens
X / xAI Improper Authentication - Generic (CWE-287)
Unknown
2016-07-11
Authentication Issue for easter egg on bonjour.uber.com
Uber Improper Authentication - Generic (CWE-287)
Unknown
2016-07-07
Airship doesn't reject weak passwords
Paragon Initiative Enterprises Improper Authentication - Generic (CWE-287)
Unknown
2016-07-02
Unauthorized Team members viewing
HackerOne Improper Authentication - Generic (CWE-287)
Unknown
2016-07-02
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895