Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,250
CVE-linked
1,864
Programs
343
New This Week
6
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 658 Improper Authentication - Generic 653 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Initial mirror user can be assigned by other user even if the mirror was removed
GitLab Improper Access Control - Generic (CWE-284)
Medium
2020-08-26
CRITICAL-CLICKJACKING at Yelp Reservations Resulting in exposure of victim Private Data (Email info) + Victim Credit Card MissUse.
Yelp Improper Access Control - Generic (CWE-284)
Medium
2020-08-21
Password reset link not expired at Stocky App
Shopify Improper Access Control - Generic (CWE-284)
Unknown
2020-08-18
Unauthorized Access and updation of EMAIL settings of other user at https://app.dropcontact.io/app/sponsorship/ by changing the " email " parameter.
Dropcontact Improper Access Control - Generic (CWE-284)
High
2020-08-11
Unauthenticated users can access all food.grammarly.io user's data
Superhuman (formerly Grammarly) Improper Access Control - Generic (CWE-284)
Low
2020-08-10
Private list members disclosure via GraphQL
X / xAI Improper Access Control - Generic (CWE-284)
Low
2020-08-04
Insufficient access control on all BCRM instances leading to the ability to create admin accounts using the API
LY Corporation Improper Access Control - Generic (CWE-284)
High
2020-08-03
Cross-Site WebSocket Hijacking Lead to Steal XSRF-TOKEN
Stripo Inc Improper Access Control - Generic (CWE-284)
High
2020-07-27
app.lemlist.com : Admin Panel Access
lemlist Improper Access Control - Generic (CWE-284)
None
2020-07-23
Edit Policy restriction does not prevent comments.
Phabricator Improper Access Control - Generic (CWE-284)
Medium
2020-07-17
SharePoint Web Services Exposed to Anonymous Access Users
U.S. Dept Of Defense Improper Access Control - Generic (CWE-284)
Medium
2020-07-14
multiple email usage -my.stripo.email-
Stripo Inc Improper Access Control - Generic (CWE-284)
Medium
2020-07-03
[█████████] Administrative access to Oracle WebLogic Server using default credentials
U.S. Dept Of Defense Improper Access Control - Generic (CWE-284)
Critical
2020-06-25
[H1-2006 2020] Multiple vulnerabilities allow to leak sensitive information
h1-ctf Improper Access Control - Generic (CWE-284)
Unknown
2020-06-22
[H1-2006] CTF Writeup
h1-ctf Improper Access Control - Generic (CWE-284)
Critical
2020-06-19
[H1-2006 2020] The Story of Making Bounty Hunters Happy
h1-ctf Improper Access Control - Generic (CWE-284)
Unknown
2020-06-19
Unauthorised Account Detail Modification
Khan Academy Improper Access Control - Generic (CWE-284)
High
2020-06-19
[H1-2006 2020] In-depth resolution of the h1-2006 CTF
h1-ctf Improper Access Control - Generic (CWE-284)
Critical
2020-06-18
[H1-2006 2020] Writeup
h1-ctf Improper Access Control - Generic (CWE-284)
Unknown
2020-06-18
[H1-2006 2020] Bounty Pay CTF challenge
h1-ctf Improper Access Control - Generic (CWE-284)
Critical
2020-06-18
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817 $2,257
HackerOne609
Nextcloud584
Shopify464
curl459
Node.js third-party modules307
GitLab258
X / xAI250 $7,000
Uber239