Skip to main content

HackerOne Case Studies

30 real HackerOne bug bounty reports reconstructed as reasoning challenges. Each case: static configuration evidence, a question about what's unsafe, and what a reasoning engine finds that a scanner misses.

Getting Started

New to the case studies? Start here — download fixtures, answer five questions by hand, then see what Stave finds.

  1. Overview
  2. Setup
  3. Questions
  4. Run Stave
  5. Debrief

Public Exposure (11 cases)

Buckets open by ACL, policy, or both. Can you tell from the static config alone whether the resource is exposed?

Dangling References & Takeover (9 cases)

DNS records pointing at deleted resources. A 404 today is a takeover tomorrow. Can you prove the reference is claimable?

These cases connect directly to Stave's ghost-reference controls and the Unit 42 bucket-hijacking research.

Presigned URL & Policy Scope (4 cases)

Upload policies scoped too wide. Can you prove the write boundary is broken from the policy alone?

Compound & Cross-Service (6 cases)

Multi-resource attack chains where no single setting is the vulnerability. The risk emerges from how settings combine across resources.

These are the strongest Stave differentiator — graph-level findings that single-resource scanners cannot produce.

  • DoD #2083771 — Jenkins console + IMDSv1 = credential theft chain
  • Shopify #98819 — anonymous write (ACL) + cross-account read (policy) = data injection pipeline
  • Kubernetes #1580493 — EKS aws-auth maps AccessKeyID as identity
  • AWS #3021451 — CloudTrail configured but ElastiCache calls bypass logging
  • AWS #3022516 — CloudTrail configured but Forecast calls not delivered
  • Kubernetes #1238482 — controller reconciles SGs from unchecked annotations