Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
10
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Subdomain takeover : URGENT
KIWI.KI GmbH Improper Authentication - Generic (CWE-287)
Unknown
2016-02-25
S3 Buckets open to the world thanks to 'Authenticated Users' ACL
Shopify Improper Authentication - Generic (CWE-287)
Unknown
2016-02-23
No Valid SPF Records.
Gratipay Improper Authentication - Generic (CWE-287)
Medium
2016-02-18
Private Program Disclosure in /:handle/reports/draft.json endpoint
HackerOne Improper Authentication - Generic (CWE-287)
Unknown
2016-02-16
OAuth authorization page vulnerable to clickjacking
Coinbase Improper Authentication - Generic (CWE-287)
Unknown
2016-02-07
test1.owncloud.com: Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability
ownCloud Improper Authentication - Generic (CWE-287)
Unknown
2016-02-01
IDOR- Activate Mopub on different organizations- steal api token- Fabric.io
X / xAI Improper Authentication - Generic (CWE-287)
Unknown
2016-01-25
Subdomain Expired
X / xAI Improper Authentication - Generic (CWE-287)
Unknown
2016-01-15
"Remember me" token generated when "Remember me" box unchecked
Shopify Improper Authentication - Generic (CWE-287)
Unknown
2016-01-13
apps.owncloud.com: Referer protection Bypassed
ownCloud Improper Authentication - Generic (CWE-287)
Unknown
2016-01-02
Team Member███ associated with a Custom Group Created with 'Program Managment' only permissions can Comments on Bug Reports
HackerOne Improper Authentication - Generic (CWE-287)
Unknown
2015-12-29
Cookie bug
Deriv.com Improper Authentication - Generic (CWE-287)
Unknown
2015-12-16
An administrator without any permission is able to get order notifications using his APNS Token.
Shopify Improper Authentication - Generic (CWE-287)
Unknown
2015-12-14
Transactions visible on Unconfirmed devices
Coinbase Improper Authentication - Generic (CWE-287)
Unknown
2015-12-11
Non-owner user can remove online store channel and re-add it.
Shopify Improper Authentication - Generic (CWE-287)
Unknown
2015-12-03
Email Verification Link can be Used as Password Reset Link!
Deriv.com Improper Authentication - Generic (CWE-287)
Unknown
2015-12-03
OAUTH pemission set as true= lead to authorize malicious application
Coinbase Improper Authentication - Generic (CWE-287)
Unknown
2015-12-01
GA code not verified on the server side allows sending Verification Documents on behalf of another user
Enter Improper Authentication - Generic (CWE-287)
Unknown
2015-11-27
An administrator without the 'Settings' permission is able to see payment gateways
Shopify Improper Authentication - Generic (CWE-287)
Unknown
2015-11-18
deleted staff member can add his amazon marketplace web services account to the store.
Shopify Improper Authentication - Generic (CWE-287)
Unknown
2015-11-18
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895