Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
11
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Program filter: shopify
Self xss in product reviews
Shopify Cross-site Scripting (XSS) - Generic (CWE-79)
Medium
2020-11-19
Staff Member can Get POS Access Without User Interaction
Shopify
Medium
2020-11-19
Privilege Escalation in Point Of Sale Application from POS Manage Staff Role to potentially Store Owner
Shopify
Medium
2020-11-19
authenticity token not verfied leads to change business name
Shopify Cross-Site Request Forgery (CSRF) (CWE-352)
Medium
2020-10-23
Undocumented `fileCopy` GraphQL API
Shopify Improper Access Control - Generic (CWE-284)
Medium
2020-10-22
A staff member with no permissions can edit Store Customer Email
Shopify Insecure Direct Object Reference (IDOR) (CWE-639)
Medium
2020-10-22
User sensitive information disclosure
Shopify Privacy Violation (CWE-359)
Medium
2020-10-22
Ability to see password protected content by bypassing the password page of shopify preview URL for new development stores (as of August 17, 2020)
Shopify Information Disclosure (CWE-200)
Medium
2020-08-25
Path Traversal in App Proxy
Shopify Path Traversal (CWE-22)
Medium
2020-08-24
STAFF "No-Permissions" on the Store can retrieve the details Order via exchangeReceiptSend
Shopify Information Disclosure (CWE-200)
Medium
2020-08-24
Subdomain takeover in help.tictail.com pointing to Zendesk (a Shopify acquisition)
Shopify Privilege Escalation (CAPEC-233)
Medium
2020-08-24
increased privileges on staff account
Shopify
Medium
2020-08-24
Get analytics token using only apps permission
Shopify Information Disclosure (CWE-200)
Medium
2020-08-18
OrderListInitial leaks order details
Shopify Information Disclosure (CWE-200)
Medium
2020-08-18
access permission is not revoked even if the email has been deleted or changed on the partner account -partners.shopify-
Shopify
Medium
2020-08-18
GraphQL AdminGenerateSessionPayload is leaked to staff with no permission
Shopify
Medium
2020-07-16
IDOR on stocky application-Low Stock-Varient-Settings-Columns
Shopify Insecure Direct Object Reference (IDOR) (CWE-639)
Medium
2020-07-14
Stored XSS on demo app link
Shopify Cross-site Scripting (XSS) - Stored (CWE-79)
Medium
2020-06-12
User with removed manage shops permissions is still able to make changes to a shop
Shopify Improper Access Control - Generic (CWE-284)
Medium
2020-06-12
CSRF on connecting Paypal as Payment Provider
Shopify Cross-Site Request Forgery (CSRF) (CWE-352)
Medium
2020-04-10
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895