Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,262
CVE-linked
1,866
Programs
343
New This Week
0
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 658 Improper Authentication - Generic 654 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
[h1-415 2020] h1ctf{y3s_1m_c0sm1c_n0w}
h1-ctf Improper Access Control - Generic (CWE-284)
Critical
2020-02-03
[h1-415 2020] I got the flag
h1-ctf Improper Access Control - Generic (CWE-284)
Critical
2020-02-03
Share recipient can modify a share's expiration date
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2020-8122
Medium
2020-01-31
Github repo's wiki publicly editable
Nextcloud Improper Access Control - Generic (CWE-284)
Unknown
2020-01-31
Update App Store: Django account high jacking vulnerability
Nextcloud Improper Access Control - Generic (CWE-284)
Medium
2020-01-31
Disclosure of Users Information On Wordpress Api [https://jitsi.org/]
8x8 Improper Access Control - Generic (CWE-284)
Low
2020-01-23
open Firebase Database: msdict-dev.firebaseio.com
MobiSystems Ltd. Improper Access Control - Generic (CWE-284)
Medium
2020-01-20
Lack or Origin check leads to Cross-Site Websocket Hijacking (CSWSH)
Superhuman (formerly Grammarly) Improper Access Control - Generic (CWE-284)
High
2020-01-04
Add store to new partner account without confirming email address.
Shopify Improper Access Control - Generic (CWE-284)
Medium
2020-01-02
Group search leaks private MRs, code, commits
GitLab Improper Access Control - Generic (CWE-284)CVE-2019-5487
High
2019-12-14
Group search with Elastic search enable leaks unrelated data
GitLab Improper Access Control - Generic (CWE-284)
High
2019-12-14
Blocked user Git access through CI/CD token
GitLab Improper Access Control - Generic (CWE-284)CVE-2019-15589
Medium
2019-12-13
Container scanning and Dependency scanning report leaked to unauthorized users
GitLab Improper Access Control - Generic (CWE-284)CVE-2019-15591CVE-2017-18269CVE-2017-16997CVE-2018-1000001CVE-2016-10228CVE-2018-18520CVE-2010-4052CVE-2018-16869CVE-2018-18311CVE-2014-3488CVE-2017-12794CVE-2018-1000201
Medium
2019-12-13
Head pipeline leaked to unauthorized users via blocking merge request feature
GitLab Improper Access Control - Generic (CWE-284)CVE-2019-15580
Low
2019-12-13
GraphQL query "namespace" leaks data
GitLab Improper Access Control - Generic (CWE-284)
Medium
2019-12-03
Able to view Backend Database dur to improper authentication
U.S. Dept Of Defense Improper Access Control - Generic (CWE-284)
Medium
2019-12-02
Thailand - a small number of SMB CCTV footage backup servers were accessible without authentication.
Starbucks Improper Access Control - Generic (CWE-284)
Medium
2019-11-19
доступ к com.vk.usersstore.UsersContentProvider, возможна утечка exchange_token на android < 21
VK.com Improper Access Control - Generic (CWE-284)
Low
2019-11-18
Permissive CORS policy trusting arbitrary extensions origin
Superhuman (formerly Grammarly) Improper Access Control - Generic (CWE-284)
Medium
2019-11-06
Bypass report #416983 - Removed Staff members who had "Apps" permission can still modify flow app connections
Shopify Improper Access Control - Generic (CWE-284)
Medium
2019-10-10
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817 $2,257
HackerOne609
Nextcloud584
Shopify465
curl464
Node.js third-party modules307
GitLab258
X / xAI250 $7,000
Uber239