Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,262
CVE-linked
1,866
Programs
343
New This Week
0
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 658 Improper Authentication - Generic 654 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Examples directory is PUBLIC on https://████████mil, leading to multiple vulns
U.S. Dept Of Defense Improper Access Control - Generic (CWE-284)
Critical
2019-10-10
Found Origin IP's Lead To Access To [ Grafana Instance , PgHero Instance [ Can SQL Injection ]
Omise Improper Access Control - Generic (CWE-284)
Medium
2019-10-09
Bypassing push rules via MRs created by Email
GitLab Improper Access Control - Generic (CWE-284)
Medium
2019-10-01
Periscope-all Firebase database takeover
X / xAI Improper Access Control - Generic (CWE-284)
Critical
2019-09-25
Access Projects And create projects in gitlab pre production server
GitLab Improper Access Control - Generic (CWE-284)
Low
2019-08-28
Subdomain takeover on healthyhackathon.khanacademy.org and hackweek.khanacademy.org
Khan Academy Improper Access Control - Generic (CWE-284)
High
2019-08-25
xmlrpc.php file enabled - data.gov
GSA Bounty Improper Access Control - Generic (CWE-284)
Medium
2019-08-19
Previously created sessions continue being valid after MFA activation
Superhuman (formerly Grammarly) Improper Access Control - Generic (CWE-284)
Medium
2019-08-19
Can register any mobile number in MFA without current code.
Superhuman (formerly Grammarly) Improper Access Control - Generic (CWE-284)
Low
2019-08-15
Github wikis are editable by anyone https://github.com/paragonie/password_lock/wiki
Paragon Initiative Enterprises Improper Access Control - Generic (CWE-284)
Medium
2019-07-29
In Dockerized Environments, Failing to Read config.php Grants Any Anonymous User Full Admin Access
Nextcloud Improper Access Control - Generic (CWE-284)
High
2019-07-27
Add users to groups who have restricted group invites
WordPress Improper Access Control - Generic (CWE-284)
High
2019-07-27
Able to bypass "Device credentials" Lock
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2019-5451
Low
2019-07-26
Combination of content provider allows private data disclosure
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2019-5452
Low
2019-07-26
Milestones leaked via search API
GitLab Improper Access Control - Generic (CWE-284)
Low
2019-07-19
any staff members have the ability to comment in [discounts] he/she can disable comment section it to other staff even the admin of the store
Shopify Improper Access Control - Generic (CWE-284)
Low
2019-07-15
Possibility to overwrite any file in the vpe.cdn.vimeo.tv leads to the Stored XSS for the all customers on the embed.vhx.tv
Vimeo Improper Access Control - Generic (CWE-284)
High
2019-07-10
Custom Field Attributes may be created and updated for customers with Custom Field Trial enabled
HackerOne Improper Access Control - Generic (CWE-284)
Medium
2019-07-05
Attacker is able to access commit title and team member comments which are supposed to be private
GitLab Improper Access Control - Generic (CWE-284)
High
2019-07-03
Expired reshare links allow access to all files in share
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2020-8121
Critical
2019-06-27
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817 $2,257
HackerOne609
Nextcloud584
Shopify465
curl464
Node.js third-party modules307
GitLab258
X / xAI250 $7,000
Uber239