Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
11
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Exposed trip_no in WebSocket Responses Leading to Excessive information Disclosure
Bykea Improper Access Control - Generic (CWE-284)
Medium
2025-06-26
1 Click Account Takeover via Auth Token Theft on marketing.hostinger.com
hostinger Improper Access Control - Generic (CWE-284)
High
2025-06-06
Facebook Username Takeover via Broken Link in Footer
Omise Improper Access Control - Generic (CWE-284)
Low
2025-05-30
unauthorized access and add user and change personal information all users
Mars Improper Access Control - Generic (CWE-284)
Critical
2025-05-27
Shopify Partners Invitation Process Allows Privilege Escalation Without Email Verification
Shopify Improper Access Control - Generic (CWE-284)
Medium
2025-05-15
change part of personal information all users
Mars Improper Access Control - Generic (CWE-284)
Critical
2025-05-12
Enable 2FA without verifying the email
XVIDEOS Improper Access Control - Generic (CWE-284)
Low
2025-05-09
Ability to access policy and updates for unauthorized program
HackerOne Improper Access Control - Generic (CWE-284)
Medium
2025-05-08
`/names.nsf` and all `/names*` files route to public API on rubygems.org
RubyGems Improper Access Control - Generic (CWE-284)
None
2025-05-03
Privilege Persistence via Cloned Agent
Dust Improper Access Control - Generic (CWE-284)
Medium
2025-04-30
Broken Access Control Exposes Email Verification Status and Privacy Settings via API Endpoint
WakaTime Improper Access Control - Generic (CWE-284)
Low
2025-04-29
Privilege Escalation in Edit and Create Secret Endpoints Leads to Unauthorized Secret Modification
Dust Improper Access Control - Generic (CWE-284)
High
2025-04-24
UI flaw allows unauthorized users to add documents to restricted folders
Dust Improper Access Control - Generic (CWE-284)
Medium
2025-04-23
Unauthorized Table Creation by Member
Dust Improper Access Control - Generic (CWE-284)
Medium
2025-04-23
Limited Privilege User Can Create Unauthorized Referrals on partners.shopify.com
Shopify Improper Access Control - Generic (CWE-284)
Medium
2025-03-20
Admin Dashboard Access Leads to Updating Merchant Info
MTN Group Improper Access Control - Generic (CWE-284)
Critical
2025-03-02
Account Takeover via Password Reset without user interactions
GitLab Improper Access Control - Generic (CWE-284)
Critical
2025-02-26
Exposed proxy allows to access internal reddit domains
Reddit Improper Access Control - Generic (CWE-284)
High
2025-02-24
Applicant security exam Attachments/Documents accessible through an IDOR/BAC on the custom Apex controller on https://█████.mil
U.S. Dept Of Defense Improper Access Control - Generic (CWE-284)
Critical
2025-02-12
Publicly Editable U.S. Air Force Google Spreadsheet Exposing Student Leave Data
U.S. Dept Of Defense Improper Access Control - Generic (CWE-284)
Medium
2025-02-12
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895