HACKERONE · COORDINATED DISCLOSURE
Bug Bounty Reports

Real bug bounty submissions — vulnerability research, exploitation methodology, and proof-of-concept writeups from coordinated disclosure programs. Every report reflects actual hands-on testing under authorized program scope.

VIEW REPORTS ↓
SUBMISSIONS
Programstested
01
MEDIUM SEVERITY AWAITING TRIAGE CORS MISCONFIGURATION REST API RECON AT SCALE
Automattic (WordPress.com) — CORS Misconfiguration
Identified a Cross-Origin Resource Sharing misconfiguration on public-api.wordpress.com — the server reflects any attacker-controlled Origin header with Access-Control-Allow-Credentials: true across the entire /wpcom/v2/ API path, allowing a malicious site to make authenticated requests on behalf of any logged-in user. Full writeup covers subdomain enumeration at scale (16K+), Subzy/Corsy triage, authenticated PoC requests, IDOR testing, and source-level review of Jetpack/WooCommerce security commits. Report #3786821 — submitted to HackerOne, awaiting triage.
1
Reports Submitted
16K+
Subdomains Enumerated
3
Vuln Classes Tested
5+
Tools Used