Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
11
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Improper Authentication - any user can login as other user with otp/logout & otp/login
Snapchat Improper Authentication - Generic (CWE-287)
Critical
2021-09-03
Password reset link not expiring after changing password in settings
Basecamp Improper Authentication - Generic (CWE-287)
Low
2021-08-10
pam_ussh does not properly validate the SSH certificate authority
Uber Improper Authentication - Generic (CWE-287)
Medium
2021-07-21
your-store.myshopify.com preview link is leak on third party website lead to preview all action from store owner Without store Password.
Shopify Improper Authentication - Generic (CWE-287)
Medium
2021-07-12
PIN bypass
MyEtherWallet Improper Authentication - Generic (CWE-287)
Critical
2021-06-29
Firebase Database Takeover in Zego Sense Android app
Zego Improper Authentication - Generic (CWE-287)
High
2021-06-23
Federated shares are not password protected
Nextcloud Improper Authentication - Generic (CWE-287)
Medium
2021-06-16
Attacker can obtain write access to any federated share/public link
Nextcloud Improper Authentication - Generic (CWE-287)CVE-2021-32654
High
2021-06-10
No Valid SPF Records/don't have DMARC record
Sifchain Improper Authentication - Generic (CWE-287)
None
2021-05-14
Email spoofing
Sifchain Improper Authentication - Generic (CWE-287)
None
2021-05-13
Disavowing an account doesn't disable it
Liberapay Improper Authentication - Generic (CWE-287)
Low
2021-05-07
Member still able close another user poll on communities topic
VK.com Improper Authentication - Generic (CWE-287)
Unknown
2021-04-27
Administration Authentication Bypass on https://█████
U.S. Dept Of Defense Improper Authentication - Generic (CWE-287)
Critical
2021-04-20
Ability to DOS any organization's SSO and open up the door to account takeovers
Superhuman (formerly Grammarly) Improper Authentication - Generic (CWE-287)
High
2021-04-15
HackerOne Jira integration plugin Leaked JWT to unauthorized jira users
HackerOne Improper Authentication - Generic (CWE-287)
Medium
2021-04-01
User can upload files even after closing his account
Basecamp Improper Authentication - Generic (CWE-287)
Unknown
2021-03-29
Misconfigured AWS S3 bucket leaks senstive data such of admin, Prdouction,beta, localhost and many more directories....
U.S. Dept Of Defense Improper Authentication - Generic (CWE-287)
Medium
2021-03-24
Subdomain Takeover Via unclaimed Heroku Instance tim-exclusive.shopify.com
Shopify Improper Authentication - Generic (CWE-287)
Unknown
2021-02-24
CVE 2020 14179 on jira instance
U.S. Dept Of Defense Improper Authentication - Generic (CWE-287)
Medium
2021-02-18
email verification bypass
Algolia Improper Authentication - Generic (CWE-287)
Medium
2021-02-18
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895