Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
11
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
View-only guests could see deleted Collectives pages in the trashbin
Nextcloud Improper Access Control - Generic (CWE-284)
Low
2026-05-08
Bypassing Inbox Privacy Settings and Enabling Spam on Pixiv.net
pixiv Improper Access Control - Generic (CWE-284)
Low
2026-04-27
Improper Access Control in `fizzy.do` import flow allows cross-tenant ActionText reference resolution and data disclosure
Basecamp Improper Access Control - Generic (CWE-284)
Low
2026-04-14
User Can Delete Other Users' Personal Access Tokens at /delete-token/{token_id}/ on Mozilla Pontoon
Mozilla Improper Access Control - Generic (CWE-284)
Low
2026-04-10
CVE-2024-36137 Patch Bypass - FileHandle.chmod/chown
Node.js Improper Access Control - Generic (CWE-284)CVE-2026-21716
Low
2026-03-30
Lack of Validation in Reward Redemption Allows Unlimited Burp Suite License Abuse
HackerOne Improper Access Control - Generic (CWE-284)
Low
2026-03-18
Previous commentor on post can still comment even after comment permission is changed to disabled
LinkedIn Improper Access Control - Generic (CWE-284)
Low
2026-02-03
Spam & Clearance checks disabled with existing referenced Message-ID
Basecamp Improper Access Control - Generic (CWE-284)
Low
2026-01-21
Can download files on Android app without permission
Nextcloud Improper Access Control - Generic (CWE-284)
Low
2026-01-16
fs.futimes() Bypasses Read-Only Permission Model
Node.js Improper Access Control - Generic (CWE-284)CVE-2025-55132
Low
2026-01-15
Access to the business emails of Rockstar Support agents through the support platform
Rockstar Games Improper Access Control - Generic (CWE-284)
Low
2025-10-02
Unauthorized Blogs Creation
Lichess Improper Access Control - Generic (CWE-284)
Low
2025-09-02
Invalid
WakaTime Improper Access Control - Generic (CWE-284)
Low
2025-08-19
Facebook Username Takeover via Broken Link in Footer
Omise Improper Access Control - Generic (CWE-284)
Low
2025-05-30
Enable 2FA without verifying the email
XVIDEOS Improper Access Control - Generic (CWE-284)
Low
2025-05-09
Broken Access Control Exposes Email Verification Status and Privacy Settings via API Endpoint
WakaTime Improper Access Control - Generic (CWE-284)
Low
2025-04-29
Privilege Escalation - A Non Owner User Who Does not Have access to the user management can invite other users to the restaurant page
Yelp Improper Access Control - Generic (CWE-284)
Low
2025-01-29
Privilege Escalation - A Low Privilege User who does not have access to the user management module can remove the owner of the business account
Yelp Improper Access Control - Generic (CWE-284)
Low
2025-01-28
Blind SSRF Vulnerability in Appstore Release Upload Form
Nextcloud Improper Access Control - Generic (CWE-284)
Low
2025-01-14
Access to limited confidential information of private program as a Ex-reporter, Report Participant(external user) & Ex-staff member
HackerOne Improper Access Control - Generic (CWE-284)
Low
2024-12-24
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895