Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1325 CNY

100%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,262
CVE-linked
1,866
Programs
343
New This Week
0
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 658 Improper Authentication - Generic 654 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
MemeCTF serial exploitation to local file read to Papertrail access via API-token leakage and more
h1-5411-CTF Improper Access Control - Generic (CWE-284)
High
2018-10-22
[ux.shopify.com] Subdomain takeover
Shopify Improper Access Control - Generic (CWE-284)
Medium
2018-10-19
linkinfo - openbasedir bypass on Windows PHP
Internet Bug Bounty Improper Access Control - Generic (CWE-284)
Medium
2018-10-15
CORS on (ws.infogram.com)
Infogram Improper Access Control - Generic (CWE-284)
Low
2018-10-08
Cross-origin resource sharing: arbitrary origin trusted on chatws25.stream.highwebmedia.com
Chaturbate Improper Access Control - Generic (CWE-284)
None
2018-10-04
Stats Token doesn't expire after deactivating account
Chaturbate Improper Access Control - Generic (CWE-284)
Low
2018-09-27
Private and group tokens per minute endpoint active for disabled users
Chaturbate Improper Access Control - Generic (CWE-284)
Low
2018-09-27
Access control issue -- [Allow file system access not validated when using session auth]
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2018-16466
Medium
2018-09-25
Users may still able to view chat room panel of password protected rooms
Chaturbate Improper Access Control - Generic (CWE-284)
Medium
2018-09-20
Improper Access Control on Onelogin in multi-layered architecture
Uber Improper Access Control - Generic (CWE-284)
Unknown
2018-08-08
svcardproxydevus.starbucks.com Subdomain take over
Starbucks Improper Access Control - Generic (CWE-284)
High
2018-07-23
Suspended users can bypass UGC upload ban
Valve Improper Access Control - Generic (CWE-284)
Low
2018-07-02
[engineering.udemy.com] - Subdomain Takeover (ghost.io)
Udemy Improper Access Control - Generic (CWE-284)
Low
2018-06-27
Hacktivity of a private program visible to banned user if he gets invited to a program by hackbot
HackerOne Improper Access Control - Generic (CWE-284)
Low
2018-06-27
File access control rules not enforced on image files
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2018-3762
Low
2018-06-15
Improper access check by Kit leads to controlling attributes of store & getting analytics by deleted Store member via dual messenger A/C
Shopify Improper Access Control - Generic (CWE-284)
Low
2018-06-15
Origin IP found, Cloudflare bypassed
Liberapay Improper Access Control - Generic (CWE-284)
Medium
2018-06-02
GitHub import allows user to create child group under existing namespace
GitLab Improper Access Control - Generic (CWE-284)CVE-2017-0919
High
2018-05-24
ability to install paid themes for free
Shopify Improper Access Control - Generic (CWE-284)
Medium
2018-05-16
Unintentional file creation caused at Tempfile with directory traversal
Ruby Improper Access Control - Generic (CWE-284)CVE-2018-6914
Unknown
2018-04-01
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817 $2,257
HackerOne609
Nextcloud584
Shopify465
curl464
Node.js third-party modules307
GitLab258
X / xAI250 $7,000
Uber239