Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
10
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
No Valid SPF Records
Dropcontact Improper Authentication - Generic (CWE-287)
Medium
2020-08-24
Missing rate limit in signup Form
Courier Improper Authentication - Generic (CWE-287)
Medium
2020-07-28
Account takeover w/o interaction for a user that doesn't have 2fa enabled via 2fa linking and improper auth at /api/2fa/verify
Helium Improper Authentication - Generic (CWE-287)
Medium
2020-07-26
No Rate Limiting On Phone Number Login Leads to Login Bypass
Smule Improper Authentication - Generic (CWE-287)
Medium
2020-07-24
No Rate Limit On Reset Password
Staging.every.org Improper Authentication - Generic (CWE-287)
Medium
2020-07-17
India - OTP bypass on Phone number verification for account creation
Starbucks Improper Authentication - Generic (CWE-287)
Medium
2020-04-21
Unauthenticated request allows changing hostname
Ubiquiti Inc. Improper Authentication - Generic (CWE-287)CVE-2020-8148
Medium
2020-04-10
Bypass configured 2FA provider with another provider that can be set up at login
Nextcloud Improper Authentication - Generic (CWE-287)CVE-2019-15617
Medium
2020-03-01
No Rate Limit On Forgot Password Page Of affiliates.nordvpn.com
Nord Security Improper Authentication - Generic (CWE-287)
Medium
2020-02-24
Email address is not validated, No Rate Limit and RCE On Forgot Password Page Of affiliates.nordvpn.com
Nord Security Improper Authentication - Generic (CWE-287)
Medium
2020-02-21
No Rate Limit On Forgot Password Page Of NordVPN
Nord Security Improper Authentication - Generic (CWE-287)
Medium
2020-02-08
Bypass to report #280389 [Thinking The issue is not fixed Yet]
Infogram Improper Authentication - Generic (CWE-287)
Medium
2020-02-07
Access to ██████████████ due to weak credentials
8x8 Improper Authentication - Generic (CWE-287)
Medium
2020-01-08
Password Reset Link not expiring after changing the email Leads To Account Takeover
Imgur Improper Authentication - Generic (CWE-287)
Medium
2019-12-03
Attackers can control which security questions they are presented (████████)
U.S. Dept Of Defense Improper Authentication - Generic (CWE-287)
Medium
2019-12-02
Session is not expire after logout
OWOX, Inc. Improper Authentication - Generic (CWE-287)
Medium
2019-11-08
“email” MFA mode allows bypassing MFA from victim’s device when the device trust is not expired
Superhuman (formerly Grammarly) Improper Authentication - Generic (CWE-287)
Medium
2019-08-12
No Valid SPF Records.
Chainlink Improper Authentication - Generic (CWE-287)
Medium
2019-07-18
Обходим 2FA и/или получаем access_token, если мы когда-либо были на аккаунте жертвы
VK.com Improper Authentication - Generic (CWE-287)
Medium
2019-07-04
Open AWS S3 bucket leaks all Images uploaded to Zomato chat
Eternal Improper Authentication - Generic (CWE-287)
Medium
2019-05-01
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895