Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
10
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Login as root without password on EdgeSwitchX
Ubiquiti Inc. Improper Authentication - Generic (CWE-287)CVE-2019-5426
Medium
2019-03-31
No rate limiting on https://biz.uber.com/confirm allowed an attacker to join arbitrary business.uber.com accounts
Uber Improper Authentication - Generic (CWE-287)
Medium
2018-11-13
Stealing Users OAUTH Tokens via redirect_uri
BOHEMIA INTERACTIVE a.s. Improper Authentication - Generic (CWE-287)
Medium
2018-09-14
Improper authentication on registration
Semrush Improper Authentication - Generic (CWE-287)
Medium
2018-08-24
Able to reset other user's password in https://card.starbucks.com.sg/
Starbucks Improper Authentication - Generic (CWE-287)
Medium
2018-07-23
resetreportedcount & updatetags doesn't verify appid param
Valve Improper Authentication - Generic (CWE-287)
Medium
2018-07-02
No authentication on email address for password reset functionality/ https://platform.thecoalition.com/forgot-password
Coalition, Inc. Improper Authentication - Generic (CWE-287)
Medium
2018-05-03
Bypass CAPTCHA protection
Rockstar Games Improper Authentication - Generic (CWE-287)
Medium
2018-04-23
Configuration and/or source code files on uchat-staging.uberinternal.com can be viewed without OneLogin SSO Authentication
Uber Improper Authentication - Generic (CWE-287)CVE-2005-2169CVE-2005-0202
Medium
2017-12-26
It's possible to view configuration and/or source code on uchat.awscorp.uberinternal.com without
Uber Improper Authentication - Generic (CWE-287)CVE-2005-2169CVE-2005-0202
Medium
2017-12-26
No Rate limit on Password Reset Function
Infogram Improper Authentication - Generic (CWE-287)
Medium
2017-12-12
Cross Site WebSocket Hijacking
Legal Robot Improper Authentication - Generic (CWE-287)
Medium
2017-10-16
Subdomain Takeover via Unclaimed WordPress site
Snapchat Improper Authentication - Generic (CWE-287)
Medium
2017-10-06
protect against tabnabbing in statement
Gratipay Improper Authentication - Generic (CWE-287)
Medium
2017-10-01
Race Conditions in OAuth 2 API implementations
Internet Bug Bounty Improper Authentication - Generic (CWE-287)
Medium
2017-09-19
Two-factor authentication bypass on Grab Android App
Grab Improper Authentication - Generic (CWE-287)
Medium
2017-09-12
The user, who was deleted from Github Organization, still can access all functions of federalist, in case he didn't do logout
GSA Bounty Improper Authentication - Generic (CWE-287)
Medium
2017-09-05
S3 ACL misconfiguration
Legal Robot Improper Authentication - Generic (CWE-287)
Medium
2017-08-29
Password reset access control
Legal Robot Improper Authentication - Generic (CWE-287)
Medium
2017-08-16
Clickjacking or URL Masking
Brave Software Improper Authentication - Generic (CWE-287)
Medium
2017-08-10
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895