Broken Object Level Authorization in the Wild: An Empirical Taxonomy from 100+ Bug Bounty Disclosures

Broken Object Level Authorization (BOLA) is consistently ranked the most critical API security vulnerability, yet the existing literature remains almost entirely conceptual. This paper presents one of the first large-scale empirical analyses of BOLA in publicly disclosed bug bounty reports. We constructed a reproducible sampling frame of 200 HackerOne disclosures tagged IDOR or Improper Access Control (2021-2026) and applied a three-criterion inclusion filter, yielding 107 fully classified reports. Classification used an LLM-assisted schema-completion procedure under constrained, human-adjudicated criteria against a six-family BOLA taxonomy. Of 107 classified reports, 84 (78.5%) were confirmed in-scope BOLA. Action-Level Object BOLA, defined by unauthorized state-changing actions on another user's objects, accounts for 41.7% of confirmed cases and emerges alongside Direct Object Reference BOLA as one of the two dominant families observed in the dataset. This shows a pattern historically underrepresented in practitioner guidance. Approximately 21.5% of classified reports are out-of-scope under strict criteria, indicating that tag-counting on platforms like HackerOne significantly overstates the BOLA-specific signal. We report distributions across family, action type, authorization direction, industry sector, identifier format, and exploit mechanism. Key secondary findings include an 11.9% rate of vertical (user-to-admin) privilege failures and systematic exploitation of GraphQL Global IDs across major platforms. Findings have direct implications for API security testing protocols, developer education, and OWASP guidance.