Case Studies — Discovery-First
Each case study takes one real HackerOne report and walks it the hard way first. You get the static evidence and a set of questions, then feel the reasoning wall — the point where per-setting tools run out — before any tool appears. Only after the pivot point does the reasoning engine show how it closes the gap and emits the prevention artifact.
Read the challenge setup, the five questions, and the debrief for the original S3 exercise these cases extend. The condensed, collapsible version of all 30 cases lives in HackerOne Case Challenges.
Public exposure
- Uber #361438 — confidential-tagged bucket publicly readable
- Slack #404822 — iOS test builds in a public bucket
- Shopify #1021906 — production API bucket publicly accessible
- Omise #1474017 — CDN origin readable via both ACL and policy
- Zomato #507097 — chat images in a public bucket
- Shopify #57505 — public listing not intended
- Greenhouse #819278 — marketing assets bucket public
- Shopify #94502 — partial remediation, read+write persist
- Mapbox #202725 — per-object ACLs on a "private" bucket
- Mozilla #2383486 —
.gitdirectory in a public bucket - DoD #2083771 — IMDSv1 credential exfiltration
Bucket and resource takeover
- Bime #121461 — dangling DNS to a deleted bucket
- DoD #918946 — government subdomain takeover
- Khan Academy #1777077 — S3 website hosting takeover
- Tendermint #1397826 — package distribution takeover
- Brave #1791558 — APT repository takeover
- Shopify #1295497 — EC2 IP takeover via dangling A record
Write scope and tenant isolation
- Unikrn #254200 — prefix-wide upload breaks tenant isolation
- Shopify #93691 — signed upload allows any key under prefix
- BCM #764243 — unrestricted upload API on a private bucket
- Shopify #98819 — anonymous writes plus cross-account reads
- Shopify #94087 — path traversal breaks tenant isolation
Identity and credentials
- Kubernetes #1580493 — IAM authenticator identity mapping bypass
- Kubernetes #1238482 — ALB controller tag confusion
Audit and transport
- AWS #3021451 — ElastiCache CloudTrail bypass
- AWS #3022516 — Forecast CloudTrail bypass
- HackerOne #43280 — HTTPS not enforced on S3
Supply chain and acquisition
- Brave #1835133 — dangling RPM bucket reference
- HackerOne #1598347 — widget bucket to script injection
- IBM #2498255 — post-acquisition bucket takeover