Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
14
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Program filter: shopify
xss stored in https://your store.myshopify.com/admin/
Shopify Cross-site Scripting (XSS) - Stored (CWE-79)
Low
2020-08-24
increased privileges on staff account
Shopify
Medium
2020-08-24
Ability to generate shipping labels in another store orders
Shopify Insecure Direct Object Reference (IDOR) (CWE-639)
Unknown
2020-08-19
Password reset link not expired at Stocky App
Shopify Improper Access Control - Generic (CWE-284)
Unknown
2020-08-18
Some store settings/data are accessible to "No Access" permission users on GraphQL LiveView operation
Shopify Information Disclosure (CWE-200)
Unknown
2020-08-18
Get analytics token using only apps permission
Shopify Information Disclosure (CWE-200)
Medium
2020-08-18
OrderListInitial leaks order details
Shopify Information Disclosure (CWE-200)
Medium
2020-08-18
access permission is not revoked even if the email has been deleted or changed on the partner account -partners.shopify-
Shopify
Medium
2020-08-18
Blind Stored XSS Via Staff Name
Shopify Cross-site Scripting (XSS) - Stored (CWE-79)
High
2020-08-18
Stored XSS in my staff name fired in another your internal panel
Shopify Cross-site Scripting (XSS) - Stored (CWE-79)
High
2020-07-29
GraphQL AdminGenerateSessionPayload is leaked to staff with no permission
Shopify
Medium
2020-07-16
Account takeover intercepting magic link for Arrive app
Shopify Insufficiently Protected Credentials (CWE-522)
Low
2020-07-15
Ability to link a Google account to another staff account/store owner that isn't linked yet
Shopify
Unknown
2020-07-14
user with no draft order permission can still perform action on draft order's in stocky app (idor)
Shopify Improper Authentication - Generic (CWE-287)
Unknown
2020-07-14
Subdomain Takeover of multiple *.ttcdn.co domains
Shopify Violation of Secure Design Principles (CWE-657)
Low
2020-07-14
IDOR on stocky application-Low Stock-Varient-Settings-Columns
Shopify Insecure Direct Object Reference (IDOR) (CWE-639)
Medium
2020-07-14
Open Redirect - www.shopify.com
Shopify Open Redirect (CWE-601)
Low
2020-07-14
Stored XSS on demo app link
Shopify Cross-site Scripting (XSS) - Stored (CWE-79)
Medium
2020-06-12
User with removed manage shops permissions is still able to make changes to a shop
Shopify Improper Access Control - Generic (CWE-284)
Medium
2020-06-12
Session works after logout from Shopify account and password of online store is displayed
Shopify
Low
2020-04-27
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895