Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
10
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
The password of a mail share is not set if the password is given when the share is created (Nextcloud < 18)
Nextcloud Improper Access Control - Generic (CWE-284)
Low
2021-03-04
The authentication code when activating 2FA can be used again to log in
Shopify Improper Access Control - Generic (CWE-284)
Low
2021-02-11
CORS misconfiguration in TikTok ads portal
TikTok Improper Access Control - Generic (CWE-284)
Low
2020-12-30
User Able to Reopen a Ticket by Modify the Request
TikTok Improper Access Control - Generic (CWE-284)
Low
2020-12-18
Apparent ██████████ website is publicly exposed, suggests default account details on page and has expired SSL/TLS cert
U.S. Dept Of Defense Improper Access Control - Generic (CWE-284)
Low
2020-11-23
Forbidden access to https://apps-staging.pingone.com but "/packages.json" visible and full path disclosure
Ping Identity Improper Access Control - Generic (CWE-284)
Low
2020-11-16
Guest users can change the confidentiality attribute on those issues that have been assigned to them
GitLab Improper Access Control - Generic (CWE-284)
Low
2020-11-09
Bypass "Industry Documents" Validation
TikTok Improper Access Control - Generic (CWE-284)
Low
2020-10-29
staff can able to extend shopify trial period without admin permission
Shopify Improper Access Control - Generic (CWE-284)
Low
2020-09-15
Ability to publish a paid theme without purchasing it.
Shopify Improper Access Control - Generic (CWE-284)
Low
2020-08-27
Ability to publish a paid theme without purchasing it.
Shopify Improper Access Control - Generic (CWE-284)
Low
2020-08-27
Graphql: Sorting the reports by jira_status field resulted to different value
HackerOne Improper Access Control - Generic (CWE-284)
Low
2020-08-27
Unauthenticated users can access all food.grammarly.io user's data
Superhuman (formerly Grammarly) Improper Access Control - Generic (CWE-284)
Low
2020-08-10
Private list members disclosure via GraphQL
X / xAI Improper Access Control - Generic (CWE-284)
Low
2020-08-04
Open S3 Bucket Accessible by any Aws User
Greenhouse.io Improper Access Control - Generic (CWE-284)
Low
2020-05-01
Read-only team members can read all properties of webhooks
HackerOne Improper Access Control - Generic (CWE-284)
Low
2020-04-29
Disabled account can still use GraphQL endpoint
HackerOne Improper Access Control - Generic (CWE-284)
Low
2020-03-12
Improper protection of FileContentProvider
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2018-3765
Low
2020-03-01
Circle email-members have still access to a shared folder/file after they are removed from the circle
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2019-15610
Low
2020-03-01
Password Reset Link Works Multiple Times
Nord Security Improper Access Control - Generic (CWE-284)
Low
2020-02-24
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895