HackerOne: Access to limited confidential information of private program as an Ex-reporter, Report Participant (external user) & Ex-staff member
The report described a vulnerability that allowed access to limited confidential information of a private program by ex-reporters, report participants, and ex-staff members of the program. The vulnerability was due to an endpoint that exposed details about the private program, including its...
HackerOne: Some limited confidential information can still be accessed after a user exits a private program
Vulnerability description not provided...
HackerOne: Attachment in published HackerOne report exposure private program
Vulnerability description not provided...
HackerOne: Scope information is leaked when visiting policy scopes tab of any External Program
Scope information was leaked when visiting the policy scopes tab of any external program on HackerOne, allowing unauthorized users to view private program details. The vulnerability was caused by the new scope policy feature that displayed all program names and scopes using the new functionality...
HackerOne: Leaked H1's Employees Email addresses, meeting info on private bug bounty program ████████
Summary: Dear Team, I am finding bugs on this private program █████████ and, after logging in with the provided credentials, I searched some people in the list and saw HackerOne's employee accounts there. Looking at H1 personal stuff, some sensitive information is exposed, like email addresses...
HackerOne: Disclosure handle private program with external link
Summary: Hi team. It looks like we can identify private programs that have an external link. Steps To Reproduce: 1. http POST /graphql HTTP/1.1 Host: hackerone.com Connection: close Content-Length: 168 accept: / X-Auth-Token: yourtoken User-Agent: Mozilla/5.0 Windows NT 10.0; Win64; x64...
Earn up to $10K from the Opera Bug Bounty program
Security | Earn up to $10K from the Opera Bug Bounty program | April 30th, 2021. Join the Opera Bug Bounty program, find vulnerabilities in scope, tell us how you did it, and collect rewards. We pay up to $10K for confirmed high-value submissions. Opera has two bug bounty programs operated by...
HackerOne: Private program disclosure of `██████████` through notifications
Summary: Private program disclosure of ██████ through notifications. Description: It looks like there is a private program called ████████ - https://hackerone.com/████████ to which I'm not yet invited. However, I received a notification alert in my H1 account notification box indicating the priva...
HackerOne: Getting New Invitations without Leaving Programs
Hello there, I hope all is well! Description: When you leave a private program, you get a chance to get a new invitation. But using this vulnerability, I can get new invitations without leaving private programs. Steps: 1. Go to any private bug bounty program. 2. Click the Leave Program button. 3. Cli...
HackerOne: An invite-only program's submission state is accessible to users no longer part of the program
Related to this report: 645299. Steps To Reproduce: ██████ Private Program: 1. I was invited by █████: https://hackerone.com/███ 2. Submitted a report/vulnerability: https://hackerone.com/reports/519502 3. Accepted by ████ and marked as resolved. 4. Try to leave the program. 5. The █████████ Program is...
HackerOne: Private program disclosure via `vpn_suspended` GraphQL query
Summary: `vpn_suspended` of the Team object got exposed. Description: An attacker can get the `vpn_suspended` value of any program, including external programs which also have a private program, e.g. █████, and external programs which do not have a private program. What can an attacker do with this? If an external...
HackerOne: Manipulate hacker profile and private program hacktivity to expose your name as a researcher who is actively submitting reports with resolved status
Hi Team, Summary: First of all, the issue that I have found has multiple steps, so please make sure to follow the steps accordingly. I was able to put my hacker name on a private program's hacktivity profile, showing that I have a report that was resolved; this will also reflect on my hacker profile...
HackerOne: Custom Field Attributes may be created and updated for customers with Custom Field Trial enabled
The Custom Field feature is currently only available for customers on the Enterprise product edition. A trial period can be given by enabling the custom-fields-trial feature for programs that are not on that product edition yet. However, when enabling this feature, the incorrect ordering of an ACL...
HackerOne: Race Condition in Flag Submission
Summary: This report describes a Race Condition vulnerability which allows an authenticated user to submit the same Flag multiple times, increasing the user's points and therefore the chances to get an invitation to a private program. Steps To Reproduce: To reproduce this bug, you need to: 1. Login...
HackerOne: Attacker can claim credentials for private program that has a published external program
An attacker can obtain credentials for private programs that have a published external program, even when the attacker doesn't have access to the private program. Here is the regression spec to prove the security vulnerability: diff --git...
HackerOne: Proper verification is not done before sending invitations to researchers for certain private programs with rules e.g. "Participants must be US-based"
Hi, I would like to report something I just recently noticed upon receiving an automated invite from HackerOne for a private program. The program brief clearly states the following in the program rules: █████ This is where I believe the issue is. I live in ███ and according to the program rules I...
HackerOne: Disclosing a private program in an external link if program is paused
Summary: Hi team. Description: If the program is paused, we will not be able to send reports to this program, and if we try to directly access the link https://hackerone.com/externalprogrammpaused/reports/new we will be returned to the main page https://hackerone.com/externalprogrammpaused Ste...
HackerOne: Discrepancy in hacker profile report count may reveal existence of a private program by publishing a report
Hi team, @pei, @jobert, @bencode. Summary: Again, we have the publish report page https://hackerone.com/hacktivity/publish, but we have bypassed 401476 with this description: The profile page counts the number of your created reports. But it does not consider the reports that are created in the sandbox...
HackerOne: Private program policy page still accessible after user left the program
Hi Team, Summary: I have found a critical sensitive information disclosure. I'm not sure if this is a result of a new HackerOne UI update; I observed that some of the UI has been changed, such as Hacktivity etc. BUG: Now all private program policy pages together with the updates are visible to me...
HackerOne: Hacktivity of a private program visible to banned user if he gets invited to a program by hackbot
Summary: The hacktivity of a private program is visible to a banned user if he gets invited to the program by hackbot. Description: Back in 2016 I was banned by █████'s private program ███ due to some conflict between me and their security team; I think they manually put me in the banned users list, but...