Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
10
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
1 Click to 'Close Account and Refund' via POSTMESSAGE
TikTok Improper Access Control - Generic (CWE-284)
Medium
2024-01-03
Unauthorized access to Argo dashboard on █████
U.S. Dept Of Defense Improper Access Control - Generic (CWE-284)
Medium
2023-12-21
Organization members can delete reports in teams they have no access to
HackerOne Improper Access Control - Generic (CWE-284)
Medium
2023-11-22
Improper Access Control allows OTP bypass
Lark Technologies Improper Access Control - Generic (CWE-284)
Medium
2023-10-25
Information Disclosure FrontPage Configuration Information
U.S. Dept Of Defense Improper Access Control - Generic (CWE-284)
Medium
2023-10-20
After the upload of an private file, using transformations, the file becomes public without the possibility of changing it.
Mozilla Improper Access Control - Generic (CWE-284)
Medium
2023-10-20
Deny Admin from Editing LinkedIn Company Page using Gen Form Visibility via POST /voyager/api/voyagerOrganizationDashCompanies/{id}
LinkedIn Improper Access Control - Generic (CWE-284)
Medium
2023-10-19
Circuit Breaker Authorization Issue
Cosmos Improper Access Control - Generic (CWE-284)
Medium
2023-09-18
IDOR: Authorization Bypass in LockReport Mutation for public reports
HackerOne Improper Access Control - Generic (CWE-284)
Medium
2023-09-13
Permissions not respected when copying entire group folders
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2023-39952
Medium
2023-09-09
Staff and Triage can modify the initial post of a report, including of already disclosed reports
HackerOne Improper Access Control - Generic (CWE-284)
Medium
2023-08-28
Any (non-admin) user from an instance can destroy any (user and/or global) external filesystem
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2023-39962
Medium
2023-08-10
Disavowed an email without any authentication
Liberapay Improper Access Control - Generic (CWE-284)
Medium
2023-07-31
fs.openAsBlob() bypasses permission system
Node.js Improper Access Control - Generic (CWE-284)CVE-2023-30583
Medium
2023-07-20
fs module's file watching is not restricted by --allow-fs-read
Node.js Improper Access Control - Generic (CWE-284)CVE-2023-30582
Medium
2023-07-20
[Hubs] - Broken access control in placing objects in hubs room
Mozilla Improper Access Control - Generic (CWE-284)
Medium
2023-07-20
Banned user still able to invited to reports as a collabrator and reset the password
HackerOne Improper Access Control - Generic (CWE-284)
Medium
2023-07-06
Docker Registry without authentication leads to docker images download
U.S. Dept Of Defense Improper Access Control - Generic (CWE-284)
Medium
2023-06-23
Subdomain takeover http://accessday.opn.ooo/
Omise Improper Access Control - Generic (CWE-284)
Medium
2023-06-11
Huge amount of Subdomains Takeovers at Reddit.com
Reddit Improper Access Control - Generic (CWE-284)
Medium
2023-05-18
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895