Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

Bug Bounty Intelligence

Source: HackerOne public disclosures · updated every 6h

Browse publicly disclosed bug bounty reports from HackerOne. Filter by severity, weakness type, or program. Cross-referenced with CVE IDs where available.

Disclosed Reports
12,222
CVE-linked
1,855
Programs
342
New This Week
5
Severity: All CriticalHighMediumLow
Type: All Information Disclosure 1173 Cross-site Scripting (XSS) … 747 Violation of Secure Design … 719 Improper Access Control - Generic 656 Improper Authentication - Generic 652 Cross-site Scripting (XSS) … 513 Uncontrolled Resource Consumption 483 Cross-site Scripting (XSS) … 461 Cross-Site Request Forgery (CSRF) 421 Privilege Escalation 375
Bypassing push rules via MRs created by Email
GitLab Improper Access Control - Generic (CWE-284)
Medium
2019-10-01
Periscope-all Firebase database takeover
X / xAI Improper Access Control - Generic (CWE-284)
Critical
2019-09-25
Access Projects And create projects in gitlab pre production server
GitLab Improper Access Control - Generic (CWE-284)
Low
2019-08-28
Subdomain takeover on healthyhackathon.khanacademy.org and hackweek.khanacademy.org
Khan Academy Improper Access Control - Generic (CWE-284)
High
2019-08-25
xmlrpc.php file enabled - data.gov
GSA Bounty Improper Access Control - Generic (CWE-284)
Medium
2019-08-19
Previously created sessions continue being valid after MFA activation
Superhuman (formerly Grammarly) Improper Access Control - Generic (CWE-284)
Medium
2019-08-19
Can register any mobile number in MFA without current code.
Superhuman (formerly Grammarly) Improper Access Control - Generic (CWE-284)
Low
2019-08-15
Github wikis are editable by anyone https://github.com/paragonie/password_lock/wiki
Paragon Initiative Enterprises Improper Access Control - Generic (CWE-284)
Medium
2019-07-29
In Dockerized Environments, Failing to Read config.php Grants Any Anonymous User Full Admin Access
Nextcloud Improper Access Control - Generic (CWE-284)
High
2019-07-27
Add users to groups who have restricted group invites
WordPress Improper Access Control - Generic (CWE-284)
High
2019-07-27
Able to bypass "Device credentials" Lock
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2019-5451
Low
2019-07-26
Combination of content provider allows private data disclosure
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2019-5452
Low
2019-07-26
Milestones leaked via search API
GitLab Improper Access Control - Generic (CWE-284)
Low
2019-07-19
any staff members have the ability to comment in [discounts] he/she can disable comment section it to other staff even the admin of the store
Shopify Improper Access Control - Generic (CWE-284)
Low
2019-07-15
Possibility to overwrite any file in the vpe.cdn.vimeo.tv leads to the Stored XSS for the all customers on the embed.vhx.tv
Vimeo Improper Access Control - Generic (CWE-284)
High
2019-07-10
Custom Field Attributes may be created and updated for customers with Custom Field Trial enabled
HackerOne Improper Access Control - Generic (CWE-284)
Medium
2019-07-05
Attacker is able to access commit title and team member comments which are supposed to be private
GitLab Improper Access Control - Generic (CWE-284)
High
2019-07-03
Expired reshare links allow access to all files in share
Nextcloud Improper Access Control - Generic (CWE-284)CVE-2020-8121
Critical
2019-06-27
Verify any unused email address
X / xAI Improper Access Control - Generic (CWE-284)
Unknown
2019-06-24
Broken access control on apps
Rocket.Chat Improper Access Control - Generic (CWE-284)
Critical
2019-06-22
Top Weakness Types
Most Active Programs
ProgramReportsMax $
U.S. Dept Of Defense896
Internet Bug Bounty817
HackerOne609
Nextcloud583
Shopify464
curl440
Node.js third-party modules307
GitLab258
X / xAI250 $2,500
Uber239