Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
10
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Kroki Arbitrary File Read/Write
GitLab Improper Access Control - Generic (CWE-284)
High
2021-05-21
Improper Access Control on Lark Footer Feature
Lark Technologies Improper Access Control - Generic (CWE-284)
High
2021-05-18
bypassing dashboard without account + Information disclosure trough websockets
Nextcloud Improper Access Control - Generic (CWE-284)
High
2021-04-20
Improper Access Control - Generic on https://████
U.S. Dept Of Defense Improper Access Control - Generic (CWE-284)
High
2021-04-02
param allows any external resource to be downloadable | https://████████
U.S. Dept Of Defense Improper Access Control - Generic (CWE-284)
High
2021-03-11
Acting under any different user via DB-stored credentials
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2021-22877
High
2021-03-01
DNS rebinding in --inspect (insufficient fix of CVE-2018-7160)
Node.js Improper Access Control - Generic (CWE-284)CVE-2021-22884CVE-2018-7160
High
2021-02-23
Support incident can be opened for any user via /███████ and PII leak via █████████ field
U.S. Dept Of Defense Improper Access Control - Generic (CWE-284)
High
2021-02-18
Public and secret api key leaked in JavaScript source
Top Echelon Software Improper Access Control - Generic (CWE-284)
High
2021-01-19
Create an account on auth-sandbox.elastic.co with email @elastic.co or any other @domain.com
Elastic Improper Access Control - Generic (CWE-284)
High
2020-12-28
Can buy Atavist Magazine subscription for free
Automattic Improper Access Control - Generic (CWE-284)
High
2020-11-18
Ticket Trick at https://account.acronis.com
Acronis Improper Access Control - Generic (CWE-284)
High
2020-11-10
Insufficient Type Check on GraphQL leading to Maintainer delete repository
GitLab Improper Access Control - Generic (CWE-284)
High
2020-11-02
Thailand - SNMP Publicly Accessible
Starbucks Improper Access Control - Generic (CWE-284)
High
2020-10-07
Missing server side controls when editing the board’s sharing permissions per user
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2020-8182
High
2020-09-28
Unauthorized updates to extended_info properties in /store/ajaxpackagesave
Valve Improper Access Control - Generic (CWE-284)
High
2020-09-09
Add apps to packages 0, 61, 62 with /store/ajaxpackagemerge
Valve Improper Access Control - Generic (CWE-284)
High
2020-09-09
Members from parent group keep their access level on a subgroup transfer and are invisible
GitLab Improper Access Control - Generic (CWE-284)
High
2020-09-08
Unauthorized Access and updation of EMAIL settings of other user at https://app.dropcontact.io/app/sponsorship/ by changing the " email " parameter.
Dropcontact Improper Access Control - Generic (CWE-284)
High
2020-08-11
Insufficient access control on all BCRM instances leading to the ability to create admin accounts using the API
LY Corporation Improper Access Control - Generic (CWE-284)
High
2020-08-03
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895