Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,262
CVE-linked
1,866
Programs
343
New This Week
0
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 658 Improper Authentication - Generic 654 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
User with removed manage shops permissions is still able to make changes to a shop
Shopify Improper Access Control - Generic (CWE-284)
Medium
2020-06-12
Bypass Email activation on http://axa.dxi.eu
8x8 Improper Access Control - Generic (CWE-284)
High
2020-06-09
Docker Registry HTTP API v2 exposed in HTTP without authentication leads to docker images dumping and poisoning
Semmle Improper Access Control - Generic (CWE-284)
Critical
2020-06-06
Allows any user to share their "Root" level folder by sharing "."
Nextcloud Improper Access Control - Generic (CWE-284)
None
2020-06-03
Organization Takeover
Helium Improper Access Control - Generic (CWE-284)
High
2020-05-27
[Critical] Insufficient Access Control On Registration Page of Webapps Website Allows Privilege Escalation to Administrator
U.S. Dept Of Defense Improper Access Control - Generic (CWE-284)
Critical
2020-05-27
Improper Access Control in Buddypress core allows reply,delete any user's activity
WordPress Improper Access Control - Generic (CWE-284)
Medium
2020-05-22
SharePoint exposed web services in a subdomain
MTN Group Improper Access Control - Generic (CWE-284)
Medium
2020-05-16
Unauthorised access to pagespeed global admin at https://webtools.paloalto.com/
Palo Alto Software Improper Access Control - Generic (CWE-284)
Unknown
2020-05-14
No ACL on S3 Bucket in [https://www.██████████/]
U.S. Dept Of Defense Improper Access Control - Generic (CWE-284)
Medium
2020-05-14
CORS Misconfiguration Leads to Exposing User Data
U.S. Dept Of Defense Improper Access Control - Generic (CWE-284)
High
2020-05-14
[██████████] Unauthorized access to admin panel
U.S. Dept Of Defense Improper Access Control - Generic (CWE-284)
High
2020-05-14
Unrestricted File Upload
U.S. Dept Of Defense Improper Access Control - Generic (CWE-284)
Critical
2020-05-11
Sourcemaps and Unminified Source Code Exposed on Pages
Imgur Improper Access Control - Generic (CWE-284)
Medium
2020-05-07
Open S3 Bucket Accessible by any Aws User
Greenhouse.io Improper Access Control - Generic (CWE-284)
Low
2020-05-01
IDOR in the https://market.semrush.com/
Semrush Improper Access Control - Generic (CWE-284)
Critical
2020-04-30
Read-only team members can read all properties of webhooks
HackerOne Improper Access Control - Generic (CWE-284)
Low
2020-04-29
API - Amazon S3 bucket misconfiguration
BCM Messenger Improper Access Control - Generic (CWE-284)
Medium
2020-04-14
Unrestricted access to any "connected pack" on docs
Superhuman (formerly Grammarly) Improper Access Control - Generic (CWE-284)
Medium
2020-04-14
User can delete data in shared folders he's not autorized to access
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2020-8153
Medium
2020-04-10
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817 $2,257
HackerOne609
Nextcloud584
Shopify465
curl464
Node.js third-party modules307
GitLab258
X / xAI250 $7,000
Uber239