Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,219
CVE-linked
1,854
Programs
342
New This Week
10
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Program filter: starbucks
China – Limited Partner PII Regarding Work Scheduling via Unauthenticated API Endpoint
Starbucks Information Disclosure (CWE-200)
Critical
2020-04-01
Singapore - IDOR in campaign.starbucks.com.sg
Starbucks Insecure Direct Object Reference (IDOR) (CWE-639)
Medium
2020-03-17
China - president-starbucks.com.cn DNS configuration reported as takeover
Starbucks Privilege Escalation (CAPEC-233)
High
2020-03-17
Minimal information disclosure of internal asset names and links which were not publicly accessible.
Starbucks Information Disclosure (CWE-200)
Low
2020-03-17
athome.starbucks.com - URL parameter tampering of review forms permitted possible content injection
Starbucks Improper Input Validation (CWE-20)
Medium
2020-03-17
DOM XSS on app.starbucks.com via ReturnUrl
Starbucks Cross-site Scripting (XSS) - DOM (CWE-79)
Medium
2020-03-17
Korea - LFI via path traversal at https://msr.istarbucks.co.kr:6443/appif/
Starbucks Path Traversal (CWE-22)
Critical
2020-03-10
Hong Kong - Open Redirect on card.starbucks.com.hk
Starbucks Open Redirect (CWE-601)
Low
2020-03-10
sdrc.starbucks.com - Information Disclosure via unsecured attachment directory
Starbucks Information Disclosure (CWE-200)
Critical
2020-02-26
Thailand - Insecure Direct Object Reference permits an unauthorized user to transfer funds from a victim using only the victims Starbucks card
Starbucks Insecure Direct Object Reference (IDOR) (CWE-639)
High
2020-02-11
Account take over of 'light' starbuckscardb2b users
Starbucks Improper Authentication - Generic (CWE-287)
High
2020-01-29
WAF bypass via double encoded non standard ASCII chars permitted a reflected XSS on response page not found pages - (629745 bypass)
Starbucks Cross-site Scripting (XSS) - Reflected (CWE-79)
Low
2020-01-29
China - ecjobsdc.starbucks.com.cn html/shtml file upload vulnerability
Starbucks Privilege Escalation (CAPEC-233)
High
2020-01-29
Norway - store.starbucks.no - CSRF on email change
Starbucks Cross-Site Request Forgery (CSRF) (CWE-352)
High
2020-01-23
JumpCloud API Key leaked via Open Github Repository.
Starbucks Use of Hard-coded Credentials (CWE-798)
Critical
2019-12-30
Store Development Resource Center was vulnerable to a Remote Code Execution - Unauthenticated Remote Command Injection (CVE-2019-0604)
Starbucks OS Command Injection (CWE-78)CVE-2019-0604
Critical
2019-12-12
Reflected XSS on card.starbucks.com.sg/unsubRevert.php via the 'ct' Parameter
Starbucks Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2019-12-12
Reflected XSS on card.starbucks.com.sg/unsub.php via the 'ct' Parameter
Starbucks Cross-site Scripting (XSS) - Reflected (CWE-79)
Medium
2019-12-12
Bulgaria - Subdomain takeover of mail.starbucks.bg
Starbucks Privilege Escalation (CAPEC-233)
High
2019-12-12
India - An Insecure Direct Object Reference (IDOR) allowed unauthorized access to view card index number and monetary balance
Starbucks Insecure Direct Object Reference (IDOR) (CWE-639)
Medium
2019-12-12
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud582
Shopify464
curl439
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239 $9,895