| Legal Robot |
- |
design issue exists on login page |
| Legal Robot |
- |
Coding error ! |
| TTS Bug Bounty |
- |
{REDACTED}.data.gov subdomain takeover. |
| Legal Robot |
- |
Insufficient Security Configurability-Weak Registration Implementation-Allows Disposable Email Addresses |
| Legal Robot |
- |
I cant login to my account |
| TTS Bug Bounty |
- |
Email Spoofing - SPF record set to Neutral |
| TTS Bug Bounty |
- |
Email Spoofing - SPF record set to Neutral |
| Legal Robot |
- |
Improper error message |
| Legal Robot |
- |
Email Length Verification |
| TTS Bug Bounty |
- |
federalist.18f.gov vulnerable to Sweet32 attack |
| TTS Bug Bounty |
- |
Subdomain take-over of {REDACTED}.18f.gov |
| Legal Robot |
- |
Name can't be numbers or email |
| Gratipay |
- |
Reflected XSS - gratipay.com |
| HackerOne ★ |
- |
IDOR on HackerOne Feedback Review |
| Gratipay |
- |
Gratipay rails secret token (secret_key_base) publicly exposed in GitHub |
| Legal Robot |
- |
Password Restriction On Change |
| Legal Robot |
- |
UX: JS error on Password Safety link |
| Gratipay |
- |
xss |
| Unikrn |
$200 |
HTML injection in email in unikrn.com |
| Legal Robot |
- |
Information disclosure |
| Rockstar Games |
$500 |
dom based xss in http://www.rockstargames.com/GTAOnline/ (Fix bypass) |
| Legal Robot |
- |
Special characters are not filtered out on profile fields |
| Legal Robot |
- |
Change password session fixed |
| Legal Robot |
- |
Weak Cryptography for Passwords |
| Legal Robot |
$20 |
No length limit in invite_code can cause server degradation |
| Legal Robot |
$20 |
CSP script-src includes "unsafe-inline" |
| Legal Robot |
$20 |
Improper validation of parameters while creating issues |
| Legal Robot |
$100 |
Update any profile |
| Legal Robot |
- |
Invalid Email Verification |
| Legal Robot |
$20 |
first name and last name restrictions bypass |
| Legal Robot |
$20 |
TabNabbing issue (due to taget=_blank) |
| Legal Robot |
- |
Tampering the mail id on chatbox |
| Legal Robot |
$20 |
Incorrect error message |
| Legal Robot |
$20 |
Incorrect email content when disabling 2FA |
| Legal Robot |
$20 |
Lengthy manual entry of 2FA secret |
| Trello |
$128 |
A CRLF injection into the redirect URL of https://trello.com/1/authorize can be used to cause a denial of service when later redirected to |
| Udemy |
- |
No password length restriction |
| ownCloud |
- |
owncloud.com open redirect |
| Quora |
$500 |
[Quora Android] Possible to steal arbitrary files from mobile device |
| WordPress |
- |
Clickjacking - https://mercantile.wordpress.org/ |
| Snapchat |
$5,000 |
RCE/LFI on test Jenkins instance due to improper authentication flow |
| Gratipay |
- |
Sub domain take over in gratipay.com |
| Ruby |
- |
Open aws s3 bucket s3://rubyci |
| Udemy |
- |
CSRF Token |
| Legal Robot |
$40 |
Code injection |
| Khan Academy |
- |
Weak Bithdate Validation Implemented on Sign Up |
| WakaTime |
- |
Impersonation of Wakatime user using Invitation functionality. |
| ownCloud |
- |
This is not the security issue. |
| Legal Robot |
$20 |
User enumeration from failed login error message |
| Udemy |
- |
Violation of secure design principle |
| Udemy |
- |
Weak Password |
| Legal Robot |
- |
Mixed Content over HTTPS |
| Brave Software |
$200 |
URL Spoof / Brave Shield Bypass |
| Khan Academy |
- |
Password Functionality not working correctly |
| Legal Robot |
$20 |
Change password logic inversion |
| Legal Robot |
$20 |
Profile fields validation bypass |
| arxius |
- |
No Email Verification and No email sent on Forget Pasword |
| Phabricator |
- |
Credential gets exposed |
| Legal Robot |
- |
LUCKY13 (CVE-2013-0169) effects legalrobot.com |
| WakaTime |
- |
Failure to check password history |
| Legal Robot |
- |
Create Api Key is not working |
| Legal Robot |
$20 |
Profile shows incorrect account creation date |
| Legal Robot |
- |
Password Reset page Session Fixation |
| Legal Robot |
- |
Lack of input validation in e-mail & user name, job title, company name field |
| Legal Robot |
- |
SSL : breach compression attack (CVE-2013-3587) effects legalrobot.com |
| Coinbase |
- |
Device confirmation Flaw |
| Rockstar Games |
$500 |
dom based xss in https://www.rockstargames.com/GTAOnline/ |
| Bitvise |
$100 |
The POODLE attack (SSLv3 supported) |
| Unikrn |
$50 |
Escaping images directory in S3 bucket when saving new avatar, using Path Traversal in filename |
| Boozt Fashion AB |
$60 |
Password reset token issue |
| Legal Robot |
$20 |
[Cross-domain Referer leakage] Password reset token leakage via referer |
| Automattic |
$225 |
XSS Vulnerability in WooCommerce Product Vendors plugin |
| Rockstar Games |
$600 |
CSRF Vulnerability allows attackers to steal SocialClub private token. |
| Dropbox |
- |
Missing URL sanitization in comments can be leveraged for phishing |
| Phabricator |
- |
Hyper Link Injection In email and Space Characters Allowed at Password Field. |
| Tor |
- |
[Android org.torproject.android] Possible to force list of bridges |
| Legal Robot |
$20 |
Token leakage by referrer header & analytics |
| Zomato |
$500 |
Restaurant payment information leakage |
| Unikrn |
$40 |
Flash CSRF: Update Ad Frequency %: [cp-ng.pinion.gg] |
| Frans Visits Vegas |
- |
Frans Visits Vegas Announcement |
| Zomato |
$100 |
Length extension attack leading to HTML injection |
| Legal Robot |
$20 |
No notification on change password feature |
| Legal Robot |
$20 |
Meta characters are not filtered into full name on profile page |
| Legal Robot |
$20 |
Pages don't render in old browsers like IE11 |
| Legal Robot |
$60 |
Missing Issuer parameter on TOTP 2FA |
| Moneybird |
$50 |
Stored XSS at Moneybird |
| Legal Robot |
- |
Subdomain misconfiguration [mail.legalrobot.com] |
| Legal Robot |
$20 |
[New Feature] Password history check |
| TTS Bug Bounty |
$150 |
The Federalsit session cookie (federalist.sid) is not properly invalidated - backdoor access to the account is possible |
| ExpressionEngine |
- |
Potential code injection in fun delete_directory |
| Legal Robot |
$20 |
User enumeration |
| Cuvva |
- |
CSRF on cuvva.insure allows to attacker to send multiple SMS to download the app without visiting the cuvva |
| ExpressionEngine |
- |
Image lib - unescaped file path |
| Legal Robot |
$20 |
Password complexity ignores empty spaces |
| Legal Robot |
$60 |
Users with 2FA can have multiple sessions |
| Legal Robot |
$20 |
Account profile shows encryption recovery box for all users |
| Legal Robot |
$60 |
Enhancement: email confirmation for 2FA recovery |
| Legal Robot |
$20 |
Intercom chat session information persists after logout |
| Legal Robot |
$60 |
2FA Error Handling on Google Authenticator |
| Legal Robot |
- |
2FA user enumeration via login |
| Legal Robot |
$90 |
2FA user enumeration via password reset |
| Legal Robot |
$40 |
Password complexity not evenly enforced |
| Legal Robot |
$90 |
Missing link to 2FA recovery code |
| Legal Robot |
$90 |
Missing link to TOTP manual enroll option |
| Legal Robot |
$60 |
Non-functional 2FA recovery codes |
| TTS Bug Bounty |
$150 |
Race condition on the Federalist API endpoints can lead to the Denial of Service attack |
| Zomato |
$50 |
Posting to Twitter CSRF on php/post_twitter_authenticate.php |
| Trello |
- |
Unpatched (https://hackerone.com/reports/221928)- Unviladate File Upload to XSS on trello-attachment Bucket |
| Grabtaxi Holdings Pte Ltd |
$1,000 |
Git repository found |
| Twitter |
$10,080 |
XXE on sms-be-vip.twitter.com in SXMP Processor |
| Coinbase |
$100 |
Information disclosure same issue #176002 |
| Grabtaxi Holdings Pte Ltd |
$200 |
[parcel.grab.com] DOM XSS at /assets/bower_components/lodash/perf/ |
| concrete5 |
- |
Stored XSS vulnerability in RSS Feeds Description field |
| Gratipay |
- |
SQL TEST |
| HackerOne ★ |
$1,500 |
Reading redacted data via hackbot's answers |
| concrete5 |
- |
Stored XSS in Name field in User Groups/Group Details form |
| concrete5 |
- |
Stored XSS in Private Messages 'Reply' allows to execute malicious JavaScript against any user while replying to the message which contains payload |
| Grabtaxi Holdings Pte Ltd |
$200 |
Dom based xss affecting all pages from https://www.grab.com/. |
| WakaTime |
- |
Session Duplication due to Broken Access Control |
| Zomato |
$250 |
Bypass OTP verification when placing Order |
| Moneybird |
- |
Moneybird customers invoices leak in cacheable urls |
| VK.com |
$100 |
Узнать название частной группы и ее аватарку по видеоролику. |
| ICQ |
- |
Apache Server-Status Detected |
| Zomato |
$500 |
[█████████] Hardcoded credentials in Android App |
| Twitter |
$420 |
Open Redirect |
| WakaTime |
- |
by pass rate limit exceed |
| Pornhub |
- |
Private videos can be added to our playlists |
| Snapchat |
$250 |
[spectacles.com] Bypassing quantity limit in orders |
| Coinbase |
$100 |
Captcha Bypass in Coinbase SignUp Form |
| Rockstar Games |
$500 |
Reflected XSS via Double Encoding |
| WakaTime |
- |
[Privilege Escalation] Authenticated users can manipulate others fullname without their knowledge [Team Vector] |
| Zomato |
$300 |
SQL Injection, exploitable in boolean mode |
| WakaTime |
- |
Running 2 accounts with a single email |
| Mixmax |
- |
Public calendar link can be invisible |
| WakaTime |
- |
Password Policy Issue |
| TTS Bug Bounty |
$350 |
[IDOR] The authenticated user can restart website build or view build logs on any another Federalist account |
| TTS Bug Bounty |
$300 |
The user, who was deleted from Github Organization, still can access all functions of federalist, in case he didn't do logout |
| Gratipay |
- |
self cross site scripting |
| WakaTime |
- |
Blocking users to sign up on the site |
| WakaTime |
- |
No rate limit on creating private leaderboards. |
| Weblate |
- |
[debian.weblate.org]-Missing SPF Record |
| WakaTime |
- |
Sensitive Cookie Without 'HttpOnly' Flag |
| Zomato |
$1,000 |
Login to any account with the emailaddress |
| WakaTime |
- |
JSON CSRF on POST Heartbeats API |
| WakaTime |
- |
Bypassing Access control, changing owner's name in a private leaderboard |
| WakaTime |
- |
Lack of Password Confirmation When Changing Email |
| WakaTime |
- |
Missing Account Deletion Notification |
| WakaTime |
- |
Two email addresses can access the same account |
| WakaTime |
- |
Missing filteration of meta characters in all full name field on wakatime.com |
| Mapbox |
- |
null pointer dereference and segfault in tile-count-merge |
| TTS Bug Bounty |
$300 |
Double Stored Cross-Site scripting in the admin panel |
| WakaTime |
- |
No rate limiting for confirmation email, can spam anyone with confirmation emails |
| WakaTime |
- |
Session not expired on logout |
| WakaTime |
- |
No notificatoin sent on email after account deletion. |
| WakaTime |
- |
Clickjacking on authorized page https://wakatime.com/share/embed |
| WakaTime |
- |
No redirect uri for Twitter Oath resulting in token leak |
| WakaTime |
- |
Login page password - guessing attack |
| shopify-scripts ★ |
$800 |
Use after free in mruby-mpdecimal |
| WakaTime |
- |
Session Not Expired On Logout |
| Paragon Initiative Enterprises |
- |
[Critical] billion dollars issue |
| WakaTime |
- |
No rate limit when creating new goals [https://wakatime.com/goals] |
| WakaTime |
- |
Logout CSRF |
| WakaTime |
- |
https://wakatime.com/ website CSP "script-src" includes "unsafe-inline" |
| WakaTime |
- |
Unsafe Inline and Eval CSP Usage |
| Mail.Ru |
- |
Open Redirect on [My.com] |
| WakaTime |
- |
UI Redressing on Embedded Charts |
| WakaTime |
- |
Add arbitrary content to Password Reset Email |
| WakaTime |
- |
Forgot password link doesn't expire after used, only after some hours |
| WakaTime |
- |
IDOR create accounts and verify them with original account email |
| WakaTime |
- |
Password token validation in https://wakatime.com/ |
| WakaTime |
- |
Password reset links should expire after being used, instead of at specific time |
| WakaTime |
- |
[Privilege Escalation] Authenticated users can manipulate others fullname without their knowledge |
| WakaTime |
- |
Email Spoofing Via /api/v1/users/reset_password |
| WakaTime |
- |
Mailgun misconfiguration |
| Apache httpd (IBB) |
$1,500 |
Apache HTTP Request Parsing Whitespace Defects CVE-2016-8743 |
| WakaTime |
- |
[https://wakatime.com/reset_password/] Leaking password reset token via referrer |
| WakaTime |
- |
Missing SPF Flags |
| Weblate |
- |
Password token validation in Weblate Bypass #2 |
| arxius |
- |
Missing Rate Limit for Password Reset Verification - Vulnerable to brute force |
| Gratipay |
- |
SSl Weak Ciphers |
| Shopify |
$500 |
IDOR [partners.shopify.com] - User with ONLY Manage apps permission is able to get shops info and staff names from inside the shop |
| Weblate |
- |
Password token validation in Weblate Bypass |
| Weblate |
- |
Error Message When Changing Username |
| Weblate |
- |
Improper validation of unicode characters #3 |
| Weblate |
- |
No Rate Limitation on Regenerate Api Key |
| Weblate |
- |
Previous password could set as new password |
| Weblate |
- |
Improper validation of unicode characters still not fixed #2 |
| Weblate |
- |
The username of an account can be .. |
| Weblate |
- |
Reset password more than once with a reset link |
| arxius |
- |
Disclose of phpmyadmin |
| arxius |
- |
another local file disclosure via ffmpeg |
| Mixmax |
- |
SSRF via webhook |
| RubyGems |
$1,000 |
Installing a crafted gem package may create or overwrite files CVE-2017-0901 |
| Mixmax |
- |
Improper parsing of input could lead to future XSS vulnerabilities in Sequences |
| arxius |
- |
Open redirects protection bypass |
| Airbnb |
- |
Call back number not verified |
| RubyGems |
- |
No limit of summary length allows Denail of Service CVE-2017-0900 |
| Weblate |
- |
No filteration of null characters in name field |
| Rockstar Games |
$1,000 |
XSS in http://www.rockstargames.com/theballadofgaytony/js/jquery.base.js |
| arxius |
- |
Local File Disclosure via ffmpeg |
| Gratipay |
- |
Possible User Session Hijack using Invalid HTTPS certificate on inside.gratipay.com domain |
| Quora |
- |
Possibility of DOS Through logging System |
| VK.com |
$100 |
Нет маркера на добавление песни в плейлист пользователя |
| shopify-scripts ★ |
$800 |
Null pointer dereference with send/method_missing |
| Maximum |
$50 |
Open redirect on https://werkenbijdefensie.nl/ |
| Pornhub |
$500 |
Stored XSS in the any user profile using website link |
| Weblate |
- |
Improper validation of unicode characters |
| Gratipay |
- |
Possible user session hijack by invalid HTTPS certificate on inside.gratipay.com domain |
| Weblate |
- |
Persistence of Third Party Association. |
| Apache httpd (IBB) |
$1,500 |
ap_find_token() Buffer Overread CVE-2017-7668 |
| Weblate |
- |
Full Name Overwrite on Third party login |
| Weblate |
- |
Improper validation of unicode characters still not fixed |
| Starbucks |
$2,000 |
Possible subdomain takeover at openapi.starbucks.com |
| Gratipay |
- |
CSP Policy Bypass and javascript execution Still Not Fixed |
| Rockstar Games |
$500 |
flash injection in http://www.rockstargames.com/IV/imgPlayer/imageEmbed.swf |
| Python (IBB) |
$500 |
Unsafe arithmetic in PyString_DecodeEscape |
| Pornhub |
$750 |
pornhub.com/user/welcome/basicinfo nickname field is vulnerable on xss |
| Gratipay |
- |
CSP Policy Bypass and javascript execution |
| Shopify |
$500 |
Stored XSS in *.myshopify.com |
| Zomato |
- |
xss found in zomato |
| Gratipay |
- |
Email Spoofing |
| Yelp |
- |
Firefly's verify_access_token() function does a byte-by-byte comparison of HMAC values. |
| Stellar.org |
- |
heap-buffer-overflow (READ of size 1) in cpptoml::parser::consume_whitespace() |
| Mixmax |
- |
Design issue with webhook (several) notifications on mixmax.com |
| Maximum |
$350 |
Open Redirect & Information Disclosure [mijn.werkenbijdefensie.nl] |
| Stellar.org |
- |
HTTP - Basic Authentication on https://www.stellar.org/wp-login.php |
| Stellar.org |
- |
Session Cookie without HttpOnly and secure flag set |
| Bumble |
- |
CSRF bug |
| Algolia |
- |
Text injection on status.algolia.com |
| Mixmax |
- |
Stored XSS in Templates>Enahance>Social Badges |
| Algolia |
- |
SAUCE Access_key and User_name leaked in Travis CI build logs |
| Parrot Sec |
- |
XSS on http://irc.parrotsec.org |
| Parrot Sec |
- |
http://lists.parrotsec.org vulnerable to MITM |
| Weblate |
- |
Open redirect while disconnecting Email |
| Mail.Ru |
$100 |
BruteForce Any [My.com] Account Credentials. |
| Mixmax |
- |
Stored XSS templates -> 'call for action' feature |
| Nextcloud |
- |
ci.nextcloud.com: CVE-2015-5477 BIND9 TKEY Vulnerability + Exploit (Denial of Service) |
| Shopify |
- |
SQL Exception thrown during product import |
| Automattic |
$800 |
SSRF and local file disclosure in https://wordpress.com/media/videos/ via FFmpeg HLS processing |
| Snapchat |
$500 |
CRLF Injection at vpn.bitstrips.com |
| HackerOne ★ |
- |
Invitation tokens leak to Google Analytics |
| Mixmax |
- |
no string size restriction on team name |
| Mixmax |
- |
[app.mixmax.com] Stored XSS on Adding new enhancement. |
| Coinbase |
- |
X-Frame-Options |
| ExpressionEngine |
- |
Open redirects protection bypass |
| Cuvva |
- |
Session cookie without secure flag on https://underwriter.partner.cuvva.com |
| Mixmax |
- |
Email Leakage in staging environment |
| Mixmax |
- |
Blind SSRF due to img tag injection in career form |
| Starbucks |
- |
Unable to register in starbucks app |
| Mixmax |
- |
Missing restriction on string size of contact field |
| MapsMarker.com e.U. |
$20 |
Cross-site Scripting (XSS) in /updates-pro/archive/ |
| Mixmax |
- |
[compose.mixmax.com] Stored XSS on compose.mixmax.com in contact names. |
| ToyTalk |
$200 |
Host Header Injection and Cache Poisoning |
| Mixmax |
- |
Privilege escalation-User who does not have access is able to add notes to the contact |
| Cuvva |
- |
Sensitive Support Mail Disclosure |
| Mixmax |
- |
CRLF Injection on https://vpn.mixmax.com |
| Mixmax |
- |
Clickjacking on Mixmax.com |
| Mixmax |
- |
Security Vulnerability - SMTP protection not used |
| Perl (IBB) |
$500 |
heap-buffer-overflow (READ of size 61) in Perl_re_intuit_start() |
| Mixmax |
- |
Subdomain takeover (sales.mixmax.com) |
| Mixmax |
- |
Possible Subdomain Takeover |
| Mixmax |
- |
Attacker can trick other into logging in as themselves |
| Mixmax |
- |
mailbomb through invite feature on chrome addon |
| Weblate |
- |
API Does Not Apply Access Controls to Translations |
| Cuvva |
- |
Missing rate-limits at endpoints |
| Starbucks |
- |
Full Api Access and Run All Functions via Starbucks App |
| Weblate |
- |
Uploaded XLF files result in External Entity Execution |
| Cuvva |
- |
IDOR spam anyone's cellphone number through Cuvva app link |
| Rockstar Games |
$250 |
Control characters incorrectly handled on Crew Status Update |
| Keybase |
$500 |
Universal Cross-Site Scripting in Keybase Chrome extension |
| Cuvva |
- |
Missing Rate limiting on https://underwriter.partner.cuvva.com/login |
| U.S. Dept Of Defense |
- |
Remote Code Execution (RCE) vulnerability in a DoD website |
| Ubiquiti Networks |
- |
CRLF Injection on openvpn.svc.ubnt.com CVE-2017-5868 |
| Weblate |
- |
Improper Cookie expiration | Cookies Expiration Set to Future |
| Cuvva |
- |
Subdomain take over oh-no.cuvva.co and ohno.cuvva.co |
| Shopify |
$5,000 |
XSS on $shop$.myshopify.com/admin/ and partners.shopify.com via whitelist bypass in SVG icon for sales channel applications |
| Perl (IBB) |
$500 |
heap-buffer-overflow (READ of size 11) in Perl 5.25.x |
| U.S. Dept Of Defense |
- |
Remote Code Execution (RCE) in a DoD website |
| Cuvva |
- |
Verification code for Underwriter dashboard can be brute-forced |
| ThisData |
- |
Insecure Cache-Control Leading to API key Retrieval |
| Coinbase |
- |
Open redirect on sign in |
| Cuvva |
- |
Your two domain login email address are disclosed in |
| OLX |
- |
OLX is vulnerable to clickjaking |
| Cuvva |
- |
Clickjacking vulnerability in support-dashboard.corp.cuvva.co |
| U.S. Dept Of Defense |
- |
Remote Code Execution (RCE) vulnerability in multiple DoD websites |
| Gratipay |
- |
Gratipay Website CSP "script-scr" includes "unsafe-inline" |
| Cuvva |
- |
CRLF Injection [vpn.corp.cuvva.com] CVE-2017-5868 |
| Snapchat |
$15,000 |
Open prod Jenkins instance |
| Rockstar Games |
$1,000 |
Stored XSS in profile activity feed messages |
| Cuvva |
- |
https://admin.corp.cuvva.co/ is vulnerable to Clickjacking attacks due to missing X-Frame-Options |
| Rockstar Games |
$1,000 |
Stored XSS in snapmatic comments |
| Cuvva |
- |
Missing rate limit on https://underwriter.partner.cuvva.com/login |
| Cuvva |
- |
cuvva.com website CSP "script-src" includes "unsafe-inline" |
| Gratipay |
- |
CSP "script-src" includes "unsafe-inline" in https://gratipay.com |
| Cuvva |
- |
RC4 cipher suit in use in vpn.corp.cuvva.co |
| Weblate |
- |
CSP "script-src" includes "unsafe-inline" in weblate.org and demo.weblate.org |
| Shopify |
$3,000 |
XSS on any Shopify shop via abuse of the HTML5 structured clone algorithm in postMessage listener on "/:id/digital_wallets/dialog" |
| Uber ★ |
- |
Session not expired When logout [partners.uber.com] |
| U.S. Dept Of Defense |
- |
Arbitary file download vulnerability on a DoD website |
| Weblate |
- |
CSRF bypass ( Delate Source Translation From dictionaries ) in demo.weblate.org |
| Zomato |
- |
CSRF To Like/Unlike Photos |
| Cuvva |
- |
cuvva.com vulnerable to sweet32 |
| U.S. Dept Of Defense |
- |
Arbitary file download vulnerability on a DoD website |
| VK.com |
$100 |
CSRF на сброс ключа трансляции. |
| Cuvva |
- |
Reflected XSS on Branch domain |
| Cuvva |
- |
No rate limiting at POST /2/2017-05-22/send_identifier_token |
| Weblate |
- |
Weblate |Security Misconfiguration| Method Enumeration Possible on domain |
| Weblate |
- |
Weblate- Banner Grabbing-Ngnix Server version |
| WordPress |
- |
Vulnerable to clickjacking |
| Legal Robot |
$20 |
Domain takeover (legalrobot.co.za) |
| Coinbase |
- |
CSRF bug on password change |
| WordPress |
$275 |
DOM Based XSS In mercantile.wordpress.org |
| Coinbase |
- |
Csrf bug on signup session |
| Trello |
- |
api flaw |
| concrete5 |
- |
Stored XSS in Headline TextControl element in Express forms [ concrete5 8.1.0 ] |
| WordPress |
- |
[mercantile.wordpress.org] Reflected XSS via AngularJS Template Injection |
| WordPress |
$275 |
Stored self-XSS in mercantile.wordpress.org checkout |
| Mail.Ru |
$150 |
XSS в портальной навигации |
| Weblate |
- |
Option method enabled |
| Zomato |
- |
Reflected XSS in Zomato Mobile - category parameter |
| Paragon Initiative Enterprises |
- |
Full directory path listing |
| Weblate |
- |
Takeover of an account via reset password options after removing the account |
| concrete5 |
- |
Stored XSS in Pages SEO dialog Name field (concrete5 8.1.0) |
| Weblate |
- |
Password token validation in https://demo.weblate.org/ |
| Trello |
- |
XML entity expansion using svg file |
| Weblate |
- |
Password Restriction |
| Weblate |
- |
No notificatoin sent on email after account deletion. |
| Weblate |
- |
Adding Email lacks Password validation |
| Weblate |
- |
Rate Limit Issue on hosted.weblate.org |
| Weblate |
- |
Missing restriction on string size |
| Weblate |
- |
Self-XSS can be achieved in the editor link using filter bypass |
| Zomato |
- |
Amazon S3 bucket misconfiguration (share) |
| Weblate |
- |
Information Disclosure on demo.weblate.org |
| Nextcloud |
- |
Email Spoofing Vulnerability from nextcloud. |
| Weblate |
- |
Captcha bypass at registration |
| Weblate |
- |
Old password can be new password |
| Weblate |
- |
Captcha Bypass at Email Reset can lead to Spamming users. |
| Weblate |
- |
Login CSRF : Login Authentication Flaw |
| Weblate |
- |
No Rate Limiting at /contact |
| Weblate |
- |
Improper validation of unicode characters |
| Weblate |
- |
Design Flaw in session management of password reset |
| Weblate |
- |
Csrf in watch-unwatch projects |
| U.S. Dept Of Defense |
- |
Limited code execution vulnerability on a DoD website |
| PortSwigger Web Security |
- |
Misconfiguration: Missing Custom Error Page (CWE-12 & CWE-756) |
| HackerOne ★ |
$10,000 |
WannaCrypt “Killswitch” |
| Quora |
- |
self xss in |
| Mail.Ru |
$500 |
Xss в https://e.mail.ru/ |
| Pornhub |
$250 |
Partial disclosure of Private Videos through data-mediabook attribute information leak |
| Discourse |
$256 |
Any authenticated user can download full list of users, including email |
| Discourse |
$64 |
SSRF in upload IMG through URL |
| Teradici |
- |
Weak Password Policy on techsupport.teradici.com |
| Paragon Initiative Enterprises |
$50 |
Directory Disclose,Email Disclose Zendmail vulnerability |
| Maximum |
$50 |
Cross-site Scripting (XSS) on [maximum.nl] |
| Trello |
$256 |
Cross-Site Scripting on Trello's iPhone App |
| Instacart |
$150 |
Reverse Tab-nabbing at www.instacart.com/store/partner_recipe?recipe_url= |
| Instacart |
$100 |
XSS at in instacart.com/store/partner_recipe |
| shopify-scripts ★ |
$100 |
Heap Overflow in fiber_switch triggered from Fiber.transfer |
| Dashlane |
$100 |
[https://www.dashlane.com] Test Panel Disclosure |
| Teradici |
- |
Weak password requirement on techsupport.teradici.com |
| U.S. Dept Of Defense |
- |
Cross-site scripting (XSS) vulnerability on a DoD website |
| U.S. Dept Of Defense |
- |
SQL Injection vulnerability in a DoD website |
| Maximum |
$300 |
IDOR in editing courses |
| Shopify |
- |
API Webhooks Fire And Are Unlisted After Permissions Removed |
| Mail.Ru |
$500 |
Xss в https://e.mail.ru/ |
| Harvest |
$300 |
[platform.harvestapp.com] Reflected XSS in Error Message via URL parameters |
| Nextcloud |
- |
Nextcloud Server Remote Command Execution |
| Ubiquiti Networks |
$100 |
HTML Injection on airlink.ubnt.com |
| VK.com |
$1,000 |
local file disclosure via FFmpeg hls processing |
| Paragon Initiative Enterprises |
- |
Broken Authentication & Session Management - Failure to Invalidate Session on all other browsers at Password change |
| concrete5 |
- |
Password Reset link hijacking via Host Header Poisoning |
| Gratipay |
- |
Unauthorized access to the slack channel via inside.gratipay.com/appendices/chat |
| Mail.Ru |
- |
IDOR in tender.mail.ru leading to Information Disclosure |
| Mixmax |
- |
CSRF |
| Paragon Initiative Enterprises |
- |
no session logout after changing the password in https://bridge.cspr.ng/ |
| Paragon Initiative Enterprises |
- |
Full Path Disclousure on https://airship.paragonie.com |
| Paragon Initiative Enterprises |
- |
There is an vulnerability in https://bridge.cspr.ng where an attacker can users directory |
| Shopify |
$2,000 |
Reflected XSS in <any>.myshopify.com through theme preview |
| U.S. Dept Of Defense |
- |
Information disclosure vulnerability on a DoD website |
| HackerOne ★ |
$500 |
HackerOne reports escalation to JIRA is CSRF vulnerable |
| Shopify |
- |
Open Redirect in shopify app URL |
| RubyGems |
$500 |
Escape sequence injection in "summary" field CVE-2017-0899 |
| Paragon Initiative Enterprises |
- |
Improper validation of Email |
| U.S. Dept Of Defense |
- |
Remote code execution (RCE) in multiple DoD websites |
| Paragon Initiative Enterprises |
- |
directory information disclose |
| U.S. Dept Of Defense |
- |
SQL Injection vulnerability in a DoD website |
| Paragon Initiative Enterprises |
$50 |
Cross-site-Scripting |
| shopify-scripts ★ |
$200 |
OP_SCALL in LHS of a OP_ASGN resulting in arbitrary memory write |
| HackerOne ★ |
$1,000 |
Changing Victim's JIRA Integration Settings Through Multiple Bugs |
| YouPorn |
- |
I am because bug |
| Nextcloud |
- |
I am because bug |
| Paragon Initiative Enterprises |
- |
I am because bug |
| Nextcloud |
- |
Wordpress Vulnerable to Potential Unauthorized Password Reset |
| U.S. Dept Of Defense |
- |
Cross-site scripting (XSS) vulnerability on a DoD website |
| Weblate |
- |
Missing filteration of meta characters in full name field on registration page https://demo.weblate.org/accounts/register |
| Dashlane |
$350 |
Throttling Bypass - ws1.dashlane.com |
| HackerOne ★ |
- |
www.hackerone.com website CSP "script-src" includes "unsafe-inline" |
| Dashlane |
$300 |
Extract Billing admin email address using random team id |
| Weblate |
- |
Facebook share URL should be HTTPS |
| HackerOne ★ |
- |
Insecure SHA1withRSA in b5s.hackerone-ext-content.com and a4l.hackerone-ext-content.com |
| Weblate |
- |
7BO: Binary Option Robot URL should be HTTPS |
| Weblate |
- |
Account Takeover using Third party Auth CSRF |
| Weblate |
- |
ClickJacking on Debug |
| Weblate |
- |
Incorrect HTTPS Certificate |
| Mapbox |
$300 |
Node modules path disclosure due to lack of error handling |
| Weblate |
- |
full path disclosure at hosted.weblate.org/admin/accounts/profile/ |
| Uber ★ |
$2,000 |
phone number exposure for riders/drivers given email/uuid |
| Weblate |
- |
CSRF to Connect third party Account |
| Nextcloud |
- |
Missing Rate Limiting protection leading to mass triggering of e-mails |
| Dropbox |
- |
SSL Key Certificate expires |
| Weblate |
- |
Weak password policy |
| Weblate |
- |
Rate Limit Bypass on login Page |
| Weblate |
- |
session id missing secure flag - Hosted Website |
| Weblate |
- |
Invalidate session after password reset - hosted website |
| Weblate |
- |
Bypassing captcha in registration on Hosted site |
| Weblate |
- |
Open redirect while disconnecting authenticated account |
| Weblate |
- |
CSV Injection with the CVS export feature - Glossary |
| Weblate |
- |
Email verification over an unencrypted channel |
| WordPress |
- |
Lack of Password Confirmation when Changing Password and Email |
| GitLab |
- |
Missing/Breach of Internal Security Boundary - Access to Job Queue Results in Remote Code Execution |
| Weblate |
- |
Email spoofing at weblate.org |
| Nextcloud |
- |
Cross Site Scripting |
| Shopify |
- |
ShopifyAPI is vulnerable to timing attacks. |
| ownCloud |
- |
password reset email spamming |
| Weblate |
- |
Running 2 accounts with a single email |
| Weblate |
- |
Specify maximal length in translation |
| Weblate |
- |
HttpOnly Flag not set |
| Weblate |
- |
CSV export filter bypass leads to formula injection. |
| Weblate |
- |
Specify maximal length in new comment |
| Weblate |
- |
No Password Length Restriction leads to Denial of Service |
| Weblate |
- |
Setting a password with a single character |
| Weblate |
- |
Access to completion page without performing any action |
| Nextcloud |
- |
information disclose |
| Weblate |
- |
weblate.org: X-XSS-Protection not enabled |
| Weblate |
- |
Open redirect in Signing in via Social Sites |
| Weblate |
- |
No Rate Limitting at Change Password |
| Weblate |
- |
Self XSS at translation page through Editor Link at demo.weblate.org |
| Weblate |
- |
demo.weblate.org is vulnerable to SWEET32 Vulnerability |
| Weblate |
- |
[hosted.weblate.org]Account Takeover |
| Weblate |
- |
Content Spoofing |
| Weblate |
- |
Null Password - Setting a new password doesn't check for empty spaces |
| Weblate |
- |
Notify user about password change |
| VK.com |
$100 |
Посмотреть видеоролики, которые пользователь когда-либо скидывал в ЛС. |
| Weblate |
- |
Abuse of Api that causes spamming users and possible DOS due to missing rate limit |
| Weblate |
- |
Missing DMARC on weblate.org |
| Weblate |
- |
Abuse of Api that causes spamming users and possible DOS due to missing rate limit on contact form |
| Weblate |
- |
User Enumeration when adding email to account |
| Weblate |
- |
Spamming any user from Reset Password Function |
| Weblate |
- |
Existing sessions valid after removing third party auth |
| Weblate |
- |
Weak e-mail change functionality could lead to account takeover |
| Weblate |
- |
Content Spoofing in error message |
| Weblate |
- |
Missing restriction on string size of Full Name at https://demo.weblate.org/accounts/register/ |
| Weblate |
- |
Open SMTP port can let anyone send email from mail.chihar.com |
| Weblate |
- |
Improper access control when an added email address is deleted from authentication |
| Weblate |
- |
Content Spoofing |
| Weblate |
- |
Login using disconnected google account i.e login using old email id |
| Weblate |
- |
hosted.weblate.org: X-XSS-Protection not enabled |
| Weblate |
- |
Clickjacking docs.weblate.org |
| Weblate |
- |
Directory Listing |
| Weblate |
- |
You can simply just use passwords that simply are as 123456 |
| Weblate |
- |
CSRF - Changing the full name / adding a secondary email identity of an account via a GET request |
| Weblate |
- |
Improper Password Reset Policy on https://hosted.weblate.org/ |
| Weblate |
- |
Insecure Account Removal |
| Weblate |
- |
Web server is vulnerable to Beast Attack |
| Weblate |
- |
CSRF : Lock and Unlock Translation |
| Weblate |
- |
CSV Injection with the CSV export feature |
| Weblate |
- |
Already Registered Email Disclosure |
| Weblate |
- |
Activation tokens are not expiring |
| Weblate |
- |
No BruteForce Protection |
| Weblate |
- |
CSRF : Reset API |
| Weblate |
- |
[demo.weblate.org] Stored Self-XSS via Editor Link in Profile |
| Weblate |
- |
Logout CSRF |
| Weblate |
- |
No expiration of session ID after Password change |
| Weblate |
- |
Open Redirect via "next" parameter in third-party authentication |
| Weblate |
- |
Registration captcha bypass |
| Uber ★ |
$8,500 |
SAML Authentication Bypass on uchat.uberinternal.com |
| Phabricator |
$300 |
IRC-Bot exposes information |
| Nextcloud |
- |
Stored XSS in Gallery application (NC-SA-2017-010) CVE-2017-0893 |
| Nextcloud |
- |
Content (Text) Injection at https://nextcloud.com |
| Nextcloud |
- |
Clickjacking In https://demo.nextcloud.com |
| Mapbox |
$500 |
Open Aws Amazon S3 Buckets |
| Nextcloud |
- |
Possible SSRF in email server settings(SMTP mode) |
| Nextcloud |
- |
The email API to test email-server settings is unlimited and can be used as a email bomb |
| Pornhub |
- |
XSS on pornhubselect.com |
| Pornhub |
$350 |
Mixed Reflected-Stored XSS on pornhub.com (without user interaction) in the playlist playing section |
| shopify-scripts ★ |
$800 |
heap-use-after-free in mrb_vm_exec - vm.c:1247 |
| ICQ |
$1,000 |
Дубликат: https://hackerone.com/reports/219171 (доступ к аккаунту, через сброс пароля) |
| WordPress |
$150 |
Stored but [SELF] XSS in mercantile.wordpress.org |
| shopify-scripts ★ |
$100 |
heap use after free in fiber_switch |
| Homebrew |
- |
Stack Trace on jenkins.brew.sh |
| Homebrew |
- |
[bot.brew.sh] Full Path Disclosure |
| OWOX, Inc. |
- |
Broken Authentication & Session Management (Login Bypass) at support.owox.com |
| Nextcloud |
- |
The email API to reset password is unlimited and can be used as a email bomb |
| Homebrew |
- |
Sensitive information disclosure via response headers on jenkins.brew.sh |
| Nextcloud |
- |
Content Spoofing/Text Injection in https://demo.nextcloud.com |
| WordPress |
$387.50 |
Reflected XSS at https://da.wordpress.org/themes/?s= via "s=" parameter |
| The Internet |
$500 |
Mercurial can be tricked into granting authorized users access to the Python debugger CVE-2017-9462 |
| Homebrew |
- |
Server version disclosure on [jenkins.brew.sh] |
| Phabricator |
- |
The special code in editor has no Authority control and can lead to Information Disclosure |
| Phabricator |
- |
The mailbox verification API interface is unlimited and can be used as a mailbox bomb |
| Trello |
$128 |
Malicious file can be hidden as Card Attachment or Card Cover image |
| Homebrew |
- |
Host header Injection |
| WordPress |
$275 |
XSS in the search bar of mercantile.wordpress.org |
| YouPorn |
$250 |
DOM-based XSS on youporn.com (main page) |
| Homebrew |
- |
[https://jenkins.brew.sh] Jenkins in Debug Mode with Stack Traces Enabled |
| OpenSSL (IBB) |
$500 |
Excessive allocation of memory in dtls1_preprocess_fragment() (CVE-2016-6308) CVE-2016-6308 |
| OpenSSL (IBB) |
$500 |
Excessive allocation of memory in tls_get_message_header() (CVE-2016-6307) CVE-2016-6307 |
| OpenSSL (IBB) |
$500 |
Certificate message OOB reads (CVE-2016-6306) CVE-2016-6306 |
| OpenSSL (IBB) |
$500 |
OOB read in TS_OBJ_print_bio() (CVE-2016-2180) CVE-2016-2180 |
| OpenSSL (IBB) |
$500 |
OOB write in BN_bn2dec() (CVE-2016-2182) CVE-2016-2182 |
| OpenSSL (IBB) |
$500 |
Malformed SHA512 ticket DoS (CVE-2016-6302) CVE-2016-6302 |
| OpenSSL (IBB) |
$500 |
OOB write in MDC2_Update() (CVE-2016-6303) CVE-2016-6303 |
| ok.ru |
$300 |
Blind SQL Injection |
| WordPress |
- |
Administrator(s) Information disclosure via JSON on wordpress.org |
| shopify-scripts ★ |
$800 |
Null pointer dereferences in kh_copy_mt |
| Brave Software |
- |
homograph-attack (unicode vuln) |
| concrete5 |
- |
Stored XSS in RSS Feeds Title (Concrete5 v8.1.0) |
| GlobaLeaks |
- |
Information Disclosure |
| Twitter |
$560 |
HTTP 401 response injection on "amp.twimg.com/amplify-web-player/prod/source.html" through "image_src" parameter |
| concrete5 |
- |
Stored XSS in Express Objects - Concrete5 v8.1.0 |
| Nextcloud |
- |
GIT Detected |
| Starbucks |
- |
Java Deserialization RCE via JBoss on card.starbucks.in |
| LibSass |
- |
heap-use-after-free in Sass::SharedPtr::incRefCount() |
| LibSass |
- |
null pointer dereference in Sass::Eval::operator()(Sass::Map*) |
| shopify-scripts ★ |
$800 |
heap-buffer-overflow (read outside of buffer) in mrb_vm_exec() |
| Nextcloud |
- |
CSRF token validation is missing |
| Nextcloud |
- |
https://portal.nextcloud.com/.htaccess file is readable |
| Phabricator |
- |
Autoclose can close any task regardless of policies/spaces |
| Open-Xchange |
$200 |
Critical : View/Edit access to private appointments of calendar folder by read only user (Vertical privilege escalation) |
| Open-Xchange |
$200 |
Unauthorized access to attachments details of Private Calendar appointments (Access control issue) |
| Mavenlink |
$50 |
Tabnabbing via Window.Opener @Mavenlink |
| Ubiquiti Networks |
$100 |
Expired SSL certificate |
| Algolia |
$200 |
[GitHub Extension] Unsanitised HTML leading to XSS on GitHub.com |
| HackerOne ★ |
$750 |
Race condition leads to duplicate payouts |
| Skyliner |
- |
Password reset Token not expiring |
| Ubiquiti Networks |
- |
200 http code in 403 forbidden directories on main Ubnt.com domain |
| HackerOne ★ |
$500 |
Subdomain takeover #4 at info.hacker.one |
| shopify-scripts ★ |
$100 |
mirb only: stack-buffer-overflow (OOB write) in main() |
| Maximum |
$25 |
XSS |
| U.S. Dept Of Defense |
- |
Reflected XSS on a DoD website |
| VK.com |
$100 |
api.vk.com отдаёт в ответ HTML авторизированную страницу vk.com |
| Dovecot |
$600 |
Dovecot authentication is vulnerable to timing attacks. |
| Gratipay |
- |
Transferring incorrect data to the http://gip.rocks/v1 endpoint with correct Content-Type leads to local paths disclosure through the error message |
| Mail.Ru |
- |
Open Redirection at https://it.mail.ru/ |
| Gratipay |
- |
POODLE SSLv3.0 |
| Mail.Ru |
- |
Open Redirect |
| shopify-scripts ★ |
$100 |
Invalid Pointer reference in L_RESCUE |
| Harvest |
$400 |
Client can redirect payment, causing payment discrepancy between Harvest and PayPal |
| Uber ★ |
$5,000 |
Authentication bypass on auth.uber.com via subdomain takeover of saostatic.uber.com |
| Harvest |
- |
Login bypass on travel.██████████ aka "Harvest Spring Summit 2017" |
| Twitter |
$280 |
[██████████.gnip.com] .htpasswd disclosure |
| Open-Xchange |
$200 |
Resend invitation to members by Read only user(Privilege Escalation) |
| VK.com |
$2,000 |
Возможность взлома любого пользователя, не использующего двухфакторной аутентификации, через получения кода восстановления на чужой номер. |
| Ubiquiti Networks |
$150 |
XSS |
| Ubiquiti Networks |
$500 |
[dev-unifi-go.ubnt.com] Insecure CORS, Stealing Cookies |
| Nextcloud |
- |
Share tokens for public calendars disclosed (NC-SA-2017-011) CVE-2017-0894 |
| GitLab |
- |
Stored XSS on Files overview by abusing git submodule URL |
| shopify-scripts ★ |
$100 |
SIGABRT in sym_validate_len - symbol.c:44 |
| Adobe |
- |
Parameter tampering can result in product price manipulation |
| Nextcloud |
- |
Design Issues on ( ███ ) Lead to show ( IPS of Users ) |
| HackerOne ★ |
- |
Example HackerOne security@ forward domain is not registered |
| Coinbase |
$100 |
[buy.coinbase.com]Content Injection |
| shopify-scripts ★ |
$800 |
Invalid pointer dereference in OP_ENTER |
| shopify-scripts ★ |
$800 |
SIGSEGV in array_copy - array.c:71 |
| Twitter |
$560 |
[Gnip Blogs] Reflected XSS via "plupload.flash.swf" component vulnerable to SOME |
| Ruby |
- |
RCE (Remote Code Execution) Vulnerability on Ruby |
| Phabricator |
- |
An unsafe design practice in the Passphrase may result in Secret being accidentally changed. |
| Kaspersky Lab |
$400 |
In App purchase Hack |
| Automattic |
$500 |
An Automattic employee's GitHub personal access token exposed in Travis CI build logs |
| shopify-scripts ★ |
$800 |
Null pointer dereference in OP_ENTER |
| Starbucks |
$500 |
Stored XSS in comments on https://www.starbucks.co.uk/blog/* |
| Nextcloud |
- |
Directory Listing In Subdomain Of nextcloud.com |
| U.S. Dept Of Defense |
- |
Reflected XSS vulnerability on a DoD website |
| RubyGems |
$1,000 |
Request Hijacking Vulnerability in RubyGems 2.6.11 and earlier CVE-2017-0902 |
| Shopify |
$1,000 |
XSS in $shop$.myshopify.com/admin/ via twine template injection in "Shopify.API.Modal.input" method when using a malicious app |
| U.S. Dept Of Defense |
- |
Information disclosure vulnerability on a DoD website |
| Shopify |
$800 |
XSS in $shop$.myshopify.com/admin/ via "Button Objects" in malicious app |
| shopify-scripts ★ |
$800 |
kh_put_iv SEGFAULT - mruby 1.2.0 |
| Maximum |
$300 |
Possible to view and takeover other user's education and courses @ mijn.werkenbijdefensie.nl |
| Maximum |
$150 |
Possible to unsubscribe from activities using CSRF @ mijn.werkenbijdefensie.nl |
| Udemy |
- |
sweet32 |
| Starbucks |
- |
[connect.teavana.com] Open Redirect and abuse of connect.teavana.com |
| ownCloud |
- |
doc.owncloud.com: CVE-2015-5477 BIND9 TKEY Vulnerability + Exploit (Denial of Service) |
| HackerOne ★ |
$1,000 |
Subdomain takeover #3 at info.hacker.one |
| U.S. Dept Of Defense |
- |
Reflected XSS in a DoD Website |
| shopify-scripts ★ |
$100 |
SIGSEGV in mrb_vm_exec |
| shopify-scripts ★ |
$800 |
SIGSEGV in mrb_str_inum |
| HackerOne ★ |
- |
CRLF injection in info.hacker.one |
| Mail.Ru |
$750 |
Stored XSS in e.mail.ru (payload affect multiple users) |
| Dropbox |
- |
CSV Injection with the CVS export feature |
| shopify-scripts ★ |
$800 |
Heap Buffer Overflow in mrb_hash_keys |
| OpenSSL (IBB) |
$2,500 |
OCSP Status Request extension unbounded memory growth (CVE-2016-6304) |
| Nextcloud |
$450 |
Reflected XSS in error pages (NC-SA-2017-008) CVE-2017-0891 |
| Pornhub |
$250 |
Reflected XSS in login redirection module |
| Phabricator |
$750 |
Phabricator is vulnerable to padding oracle attacks and chosen-ciphertext attacks. |
| shopify-scripts ★ |
$800 |
SIGABRT - in free |
| shopify-scripts ★ |
$800 |
heap use-after-free in mrb_vm_exec() |
| U.S. Dept Of Defense |
- |
SQL Injection vulnerability in a DoD website |
| shopify-scripts ★ |
$800 |
Crash in ary_concat() |
| Pornhub |
- |
Reflected XSS on ht.pornhub.com - /export/GetPreview |
| GitLab |
- |
Unfiltered `class` attribute in markdown code |
| Shopify |
$500 |
Full access at an internal service of Shopify |
| Pornhub |
$500 |
Blind Stored XSS against Pornhub employees using Amateur Model Program |
| Uber ★ |
- |
deleting payment profile during active trip puts account into arrears but active trip is temporarily “free” |
| shopify-scripts ★ |
$800 |
Null pointer dereferences in mrb_get_args |
| Legal Robot |
- |
Big XSS vulnerability! |
| Urban Dictionary |
- |
Session replay vulnerability in www.urbandictionary.com |
| GitLab |
- |
CSV injection in gitlab.com via issues export feature. |
| Udemy |
- |
CSRF Token Design Flaw |
| GitLab |
- |
[Repository Import] Open Redirect via "continue[to]" parameter |
| shopify-scripts ★ |
$800 |
SIGABRT in mrb_debug_info_append_file |
| shopify-scripts ★ |
$800 |
Null pointer dereference in mrb_class |
| shopify-scripts ★ |
$300 |
Garbage collector crash |
| HackerOne ★ |
$2,000 |
A HackerOne employee's GitHub personal access token exposed in Travis CI build logs |
| shopify-scripts ★ |
$800 |
SIGSEGV in mrb_class |
| ownCloud |
$150 |
HTML Injection in Owncloud |
| GitLab |
- |
[Subgroups] Unprivileged User Can Disclose Private Group Names |
| Twitter |
$2,520 |
CSRF on Periscope Web OAuth authorization endpoint |
| Nextcloud |
- |
Server version/OS type disclosure via HTTP Response Header |
| VK.com |
$200 |
Подмена SSL-сертификата для любой группы в секции Управление группой->Работа с API неавторизированным пользователем. |
| Ubiquiti Networks |
$6,000 |
Ability to log in as any user without authentication if █████████ is empty |
| Brave Software |
$100 |
[iOS] URL can be replaceState by blob URL in iOS Brave |
| shopify-scripts ★ |
$800 |
SIGSEGV in mrb_vm_exec |
| HackerOne ★ |
$500 |
Report invitation links not restricted to any existing user |
| Rockstar Games |
$350 |
Profile bio at rockstar is accepting control characters |
| shopify-scripts ★ |
$800 |
Null pointer dereference in ary_concat |
| Mail.Ru |
- |
Reflected XSS on frag.mail.ru |
| CloudFlare |
- |
Cloudflare based XSS for IE11 |
| Shopify |
$500 |
Stored passive XSS at scheduled posts (kitcrm.com) |
| shopify-scripts ★ |
$100 |
SIGABRT - mirb - Double Free |
| Rockstar Games |
$350 |
Login form on non-HTTPS page |
| Airbnb |
- |
Nginx Version Disclosure |
| Mail.Ru |
- |
Stored XSS |
| Gratipay |
- |
Content-Length restriction bypass to heap overflow in gip.rocks. |
| Blockchain |
- |
HTTP Header Injection/HTTP_Response_Splitting |
| Trello |
$768 |
Rate limiting of incorrect Two Factor Authentication codes not enforced |
| Nextcloud |
- |
Content spoofing due to the improper behavior of the 403 page |
| shopify-scripts ★ |
$800 |
Null pointer dereferences in ary_concat |
| Yelp |
$100 |
Clickjacking Vulnerability found on Yelp |
| Shopify |
$1,500 |
Stored XSS in [shop].myshopify.com/admin/orders/[id] |
| GitLab |
- |
Open redirect |
| Discourse |
$512 |
Admin Command Injection via username in user_archive ExportCsvFile |
| BrickFTP |
$600 |
File access controls incorrectly enforced for files shared via QuickLink - Unshared files can be accessed |
| shopify-scripts ★ |
$800 |
SIGABRT - mirb and mruby |
| Shopify |
- |
Setting Arbitrary Cookie at kitcrm.com |
| Phabricator |
$600 |
Differential "Show Raw File" feature exposes generated files to unauthorised users |
| Legal Robot |
$60 |
Token leakage by referrer |
| Nextcloud |
- |
Update php-saml library to 2.10.5 |
| shopify-scripts ★ |
$800 |
SIGSEGV - mrb_obj_value |
| U.S. Dept Of Defense |
- |
Remote Command Execution on a DoD website |
| Legal Robot |
- |
Password Policy Bypass |
| Discourse |
$512 |
Arbitrary Local-File Read from Admin - Restore From Backup due to Symlinks |
| Trello |
- |
Phone verification code fails to expire and can be used multiple times also in different accounts to verify same cellphone number on Trello.com |
| Trello |
- |
Email authentication token fails to expire and can be used multiple times for same Email address on Trello.com |
| Nextcloud |
- |
Content Spoofing/Text Injection in nextcloud.com |
| Nextcloud |
- |
SSRF at apps.nextcloud.com/developer/apps/releases/new |
| shopify-scripts ★ |
$800 |
Use-after-free leading to an invalid pointer dereference |
| shopify-scripts ★ |
$100 |
SIGSEGV in str_buf_cat |
| U.S. Dept Of Defense |
- |
Blind SQLi vulnerability in a DoD Website |
| Nextcloud |
$250 |
DOM XSS vulnerability in search dialogue (NC-SA-2017-007) CVE-2017-0890 |
| Starbucks |
- |
Reflected XSS in openapi.starbucks.com /searchasyoutype/v1/search?x-api-key= |
| Legal Robot |
$40 |
Password reset form ignores email field |
| GitLab |
- |
Gitlab.com is vulnerable to reverse tabnabbing via AsciiDoc links. (#3) |
| U.S. Dept Of Defense |
- |
Remote Code Execution (RCE) in a DoD website |
| Nextcloud |
- |
Invalid request may lead content spoofing for phishing |
| U.S. Dept Of Defense |
- |
Remote code execution vulnerability on a DoD website |
| shopify-scripts ★ |
$800 |
SIGABRT in only mirb |
| Nextcloud |
- |
Content spoofing due to the improper behavior of the 403 page |
| HackerOne ★ |
$750 |
IE 11 Self-XSS on Jira Integration Preview Base Link |
| Imgur |
$5,000 |
RCE by command line argument injection to `gm convert` in `/edit/process?a=crop` |
| GitLab |
- |
Gitlab.com is vulnerable to reverse tabnabbing. (#2) |
| Trello |
- |
Exporting JSON of other Boards |
| shopify-scripts ★ |
$800 |
SIGSEGV - kh_get_n2s - in /src/symbol.c:37 |
| Ubiquiti Networks |
- |
XSS via SVG file |
| shopify-scripts ★ |
$100 |
sprintf gem - format string combined attack |
| shopify-scripts ★ |
$800 |
Null pointer dereference in mrb_class |
| shopify-scripts ★ |
$800 |
SIGSEGV - mrb_yield_with_class |
| Algolia |
$100 |
An “algobot”-s GitHub access token was leaked |
| U.S. Dept Of Defense |
- |
Remote Code Execution (RCE) in a DoD website |
| Starbucks |
- |
Unable to register in starbucks IN app |
| Moneybird |
$50 |
Stored Cross Site Scripting in Customer Name |
| Shopify |
$500 |
Stealing users' facebook access tokens - kitcrm.com |
| Rockstar Games |
$150 |
Source Code Disclosure (CGI) |
| U.S. Dept Of Defense |
- |
Remote Code Execution (RCE) in a DoD website |
| Nextcloud |
- |
https://xmpp.nextcloud.com///;@www.google.com allows open redirect |
| Nextcloud |
- |
Version 4.7.2 of wordpress is vulnerable |
| Gratipay |
$1 |
Inadequate/dangerous jQuery behavior |
| VK.com |
$200 |
Написать от имени любого пользователя на его стене, если он перейдет по ссылке. https://vk.com/al_video.php |
| GitLab |
- |
Gitlab.com is vulnerable to reverse tabnabbing. |
| shopify-scripts ★ |
$800 |
Null pointer dereference in 'get_file' |
| Rockstar Games |
$350 |
Control Character Injection In Messages |
| LocalTapiola |
$100 |
XSS on 3rd party service Localtapiola is using |
| Rockstar Games |
$300 |
use of unsafe host header leads to open redirect |
| shopify-scripts ★ |
$800 |
Null pointer dereferences from mrb_vm_exec |
| Slack |
$850 |
Bypass to postMessage origin validation via FTP |
| Rockstar Games |
$150 |
Full path Disclosure in Rockstargames.com/img/global/ |
| U.S. Dept Of Defense |
- |
Information disclosure vulnerability on a DoD website |
| shopify-scripts ★ |
$800 |
mrb_vm_exec - null ptr dereference |
| Mail.Ru |
- |
Open Redirect |
| Rockstar Games |
$150 |
SSLv3 POODLE Vulnerability |
| shopify-scripts ★ |
$800 |
Invalid Pointer Reference from OP_RESCUE |
| HackerOne ★ |
$500 |
Transitioning a Private Program to Public Does Not Clear Previously Private Updates to Hackers |
| Ubiquiti Networks |
- |
Subdomain takeover on https://cloudfront.ubnt.com/ due to non-used CloudFront DNS entry |
| shopify-scripts ★ |
$800 |
SIGSEGV - mark_context_stack |
| HackerOne ★ |
$100 |
javascript: and mailto: links are allowed in JIRA integration settings |
| Gratipay |
- |
URL Given leading to end users ending up in malicious sites |
| shopify-scripts ★ |
$800 |
Heap buffer overflow in mruby value_move |
| Starbucks |
$250 |
DOM XSS on teavana.com via "pr_zip_location" parameter |
| Greenhouse.io |
- |
Content Spoofing on link.greenhouse.io |
| shopify-scripts ★ |
$800 |
Heap buffer overflow with long array assignment |
| LocalTapiola |
$264 |
HTML Injection in email from http://www.lahitapiola.fi/henkilo/sivut/tonttutesti |
| Ruby |
$500 |
public report - Reproducible - Writable RubyCi Amazon s3 bucket[207053] |
| Ruby |
$500 |
Open S3 Bucket WriteAble To Any Aws User |
| HackerOne ★ |
$1,000 |
Subdomain takeover #2 at info.hacker.one |
| Twitter |
$7,560 |
[URGENT] Opportunity to publish tweets on any twitters account |
| Brave Software |
- |
Address bar spoofing in Brave browser via. window close warnings |
| BrickFTP |
$100 |
CSRF @ configuration |
| Udemy |
$50 |
Subdomain Takeover at Landing.udemy.com |
| VK.com |
$100 |
Обход: "Аудиозапись недоступна для прослушивания в Вашем регионе." |
| Ubiquiti Networks |
$100 |
Reflected cross-site scripting (XSS) vulnerability in scores.ubnt.com allows attackers to inject arbitrary web script via p parameter. |
| ownCloud |
- |
Outdated Jenkins server hosted at OwnCloud.org |
| U.S. Dept Of Defense |
- |
Cross-site scripting (XSS) vulnerability on a DoD website |
| shopify-scripts ★ |
$800 |
Null pointer dereference in mark_context_stack |
| U.S. Dept Of Defense |
- |
Remote file inclusion vulnerability on a DoD website |
| Lyst |
$100 |
Site configured improperly at subdomain of lyst.co.uk |
| HackerOne ★ |
- |
Able to create basic user account via Google login on HackerOne Drupal CMS |
| shopify-scripts ★ |
$100 |
Memory corrouption in mrb_gc_mark |
| LocalTapiola |
$200 |
Brute force unsubscription on /webApp/unsub_sb (viestinta.lahitapiola.fi) |
| LocalTapiola |
$50 |
/icons/README is still available on viestinta.lahitapiola.fi |
| Perl (IBB) |
$1,000 |
read outside of buffer (heap buffer overflow) in S_regmatch - regexec.c:6057 |
| Pornhub |
$50 |
http://ht.pornhub.com/ stored XSS in widget stylesheet |
| U.S. Dept Of Defense |
- |
Reflected XSS vulnerability in a DoD website |
| shopify-scripts ★ |
$800 |
Heap use-after-free in mrb_vm_exec |
| Ubiquiti Networks |
$1,000 |
sqli |
| Shopify |
$500 |
Subdomain takeover on s3.shopify.com |
| Khan Academy |
- |
No Security check at changing password and at adding mobile number which leads to account takeover and spam |
| Khan Academy |
- |
SSL/TLS Vulnerability at khanacademy.org |
| Dovecot |
- |
SSL Certification Expired And TLS Vulnerability |
| Lyst |
$100 |
Mixed Active content issue on https://www.lyst.com |
| shopify-scripts ★ |
$100 |
Controlled address leak due to type confusion - ASLR bypass |
| HackerOne ★ |
$750 |
Information leakage via CSV when content is valid JavaScript |
| U.S. Dept Of Defense |
- |
Potentially sensitive information disclosure on a DoD website |
| Slack |
$3,000 |
Stealing xoxs-tokens using weak postMessage / call-popup redirect to current team domain |
| U.S. Dept Of Defense |
- |
Insecure Direct Object Reference (IDOR) vulnerability in a DoD website |
| Ruby |
$500 |
Writable RubyCi Amazon s3 bucket |
| HackerOne ★ |
$1,500 |
Stealing contact form data on www.hackerone.com using Marketo Forms XSS with postMessage frame-jumping and jQuery-JSONP |
| ownCloud |
- |
HTML injection in Desktop Client |
| Uber ★ |
$2,500 |
SQL injection in 3rd party software Anomali |
| Robinhood |
$100 |
Open Redirect located at https://www.robinhood.com/oauth2/authorize/? |
| YouPorn |
$100 |
XSS via login cookie |
| OLX |
- |
Subdomain Takeover (http://docs.olx.ph/ , http://calendar.olx.ph/, http://sites.olx.ph/) |
| PortSwigger Web Security |
- |
Email Spoofing |
| Starbucks |
$750 |
Persistent CSRF in /GiftCert-AddToBasket prevents purchases on eCommerce sites |
| shopify-scripts ★ |
$800 |
Heap Buffer Overflow while processing OP_SEND |
| Imgur |
$2,500 |
Remote Code Execution on Git.imgur-dev.com |
| OLX |
- |
Reflected XSS in olx.pt |
| shopify-scripts ★ |
$800 |
mruby heap use-after-free |
| OWOX, Inc. |
- |
Subdomain takeover in many subdomains |
| Boozt Fashion AB |
- |
Application code is not obfuscated -- OWASP M9 (2016) |
| LocalTapiola |
$50 |
show control page if you insert ' at http://viestinta.lahitapiola.fi/ |
| shopify-scripts ★ |
$100 |
Interger overflow in str_substr leading to read/write out of bound memory |
| shopify-scripts ★ |
$800 |
Use After Free in mrb_vm_exec |
| OLX |
- |
Combined attacks leading to stealing user's account |
| shopify-scripts ★ |
$800 |
Heap Buffer overflow in mrb_ary_unshift |
| GitLab |
- |
[Textile] XSS in project README files |
| GitLab |
- |
[reStructuredText] XSS in project README files |
| shopify-scripts ★ |
$100 |
SIGABRT - method_missing - mark_context_stack |
| Nextcloud |
- |
Missing SPF Flags on nextcloud.com |
| Zopim |
$50 |
express config leaking stacktrace |
| Informatica |
- |
[wave.informatica.com]- Subdomain missconfiguration |
| Uber ★ |
$1,500 |
pam-ussh may be tricked into using another logged in user's ssh-agent |
| shopify-scripts ★ |
$800 |
A crash when an exception is caught in a caller and the receiver returned from `ensure` |
| shopify-scripts ★ |
$100 |
segafult in mruby's sprintf - mrb_str_format |
| WordPress |
$350 |
Infrastructure - Photon - SSRF |
| shopify-scripts ★ |
$800 |
Heap buffer oveflow with many arguments |
| Rockstar Games |
$1,400 |
<- Critical IDOR vulnerability in socialclub allow to insert and delete comments as another user and it discloses sensitive information -> |
| LocalTapiola |
$315 |
High server resource usage on captcha (viestinta.lahitapiola.fi) |
| Brave Software |
- |
Clickjacking or URL Masking |
| Ubiquiti Networks |
- |
Weak credentials for nutty.ubnt.com |
| YouPorn |
- |
[Android API] SQL injection ( errortoken.json ) |
| shopify-scripts ★ |
$1,000 |
Segmentation fault while printing backtrace |
| YouPorn |
$250 |
Reflected XSS in Meta Tag |
| YouPorn |
$2,500 |
Time Based SQL-inject in post-parametr login[username] [domain - youporn.com] |
| Informatica |
- |
Stored XSS via Discussion Title and Send as Email attribute in [marketplace.informatica.com] |
| Greenhouse.io |
$100 |
Open Redirect in <customer>.greenhouse.io |
| Ubiquiti Networks |
$150 |
AirFibre products vulnerable to HTTP Header injection |
| Phabricator |
- |
Restricted file access when it exists in old versions of task or wiki document |
| Phabricator |
- |
Enumerating emails through "Forgot Password" form |
| U.S. Dept Of Defense |
- |
Remote code execution vulnerability on a DoD website |
| shopify-scripts ★ |
$800 |
forgot to add the patch |
| Nextcloud |
$183 |
Calendar and addressbook names disclosed (NC-SA-2017-012) CVE-2017-0895 |
| WordPress |
$350 |
Wordpress 4.7.2 - Two XSS in Media Upload when file too large. |
| shopify-scripts ★ |
$100 |
SIGSEGV - mrb_vm_exec - line:1312 |
| Gratipay |
- |
HTTP trace method is enabled on aspen.io |
| Ubiquiti Networks |
- |
Content Spoofing or Text Injection in (403 forbidden page injection) and Nginx version disclosure via response header |
| Gratipay |
- |
Content length restriction bypass can lead to DOS by reading large files on gip.rocks |
| Gratipay |
- |
HTTP trace method is enabled on gip.rocks |
| U.S. Dept Of Defense |
- |
Bypass file access control vulnerability on a DoD website |
| Algolia |
$100 |
Reflected XSS |
| Brave Software |
- |
Brave payments remembers history even after clearing all browser data. |
| U.S. Dept Of Defense |
- |
Cross-site scripting (XSS) on a DoD website |
| YouPorn |
$150 |
Find whether a video has been favourited or not, for any user [via YouPorn Mobile API] |
| Informatica |
- |
[marketplace.informatica.com]- Stored XSS on Image title and Edit Property |
| Pornhub |
$1,500 |
Wordpress Content injection |
| Pornhub |
- |
Debug.log file Exposed to Public \Full Path Disclosure\ |
| Zomato |
- |
Unauthorised Access to Anyone's User Account |
| OLX |
- |
yaman.olx.ph/wordpress is using a very vulnerable version of WordPress and contains directory listing |
| Twitter |
$7,560 |
Vine all registered user Private/sensitive information disclosure .[ Ip address/phone no/email and many other informations ] |
| U.S. Dept Of Defense |
- |
Cross-site request forgery (CSRF) vulnerability in a DoD website |
| WebSummit |
- |
found a vulnerability in your website |
| ExpressionEngine |
- |
Type Juggling -> PHP Object Injection -> SQL Injection Chain |
| HackerOne ★ |
$1,000 |
Subdomain takeover at info.hacker.one |
| VK.com |
$400 |
Missing Server Side Rate Limiting can Lead to VK Account Take over |
| Mapbox |
$750 |
Public access to objects in AWS S3 bucket |
| arxius |
- |
XSS in content type header when uploading file. |
| U.S. Dept Of Defense |
- |
Remote command execution (RCE) vulnerability on a DoD website |
| U.S. Dept Of Defense |
- |
SQL injection vulnerability on a DoD website |
| shopify-scripts ★ |
$800 |
Denial of service (segfault) due to null pointer dereference in mrb_vm_exec |
| shopify-scripts ★ |
$800 |
Denial of service (segfault) due to null pointer dereference in mrb_obj_instance_eval |
| Pornhub |
$250 |
XSS Vulnerability at https://www.pornhubpremium.com/premium_signup? URL endpoint |
| Pornhub |
$250 |
[xss] pornhubpremium.com, /redeem?code= URL endpoint |
| Phabricator |
$300 |
User with only Viewing Privilege can send message to Room |
| U.S. Dept Of Defense |
- |
Stored XSS vulnerability on a DoD website |
| shopify-scripts ★ |
$100 |
Null pointer dereference in mrb_random_initialize |
| Coinbase |
- |
Requestor Email Disclosure via Email Notification |
| Instacart |
$100 |
Login with Google Not Authenticated on iOS App |
| Ubiquiti Networks |
$600 |
Wordpress directories/files visible to internet |
| Mail.Ru |
- |
Disclosure of information on static.dl.mail.ru |
| YouPorn |
$1,000 |
Account hijack via deleted PH account |
| shopify-scripts ★ |
$800 |
SIGSEGV - vm.c - line:1214 |
| shopify-scripts ★ |
$100 |
Segmentfault at mrb_vm_exec |
| shopify-scripts ★ |
$2,000 |
Recursion causing uninitialized memory reads leading to a segfault |
| Coinbase |
- |
Information disclosue in Android Application |
| Automattic |
$250 |
cloudup Subdomain Takeover That resolves to Desk.com ( CNAME cloudup.desk.com ) |
| LocalTapiola |
$400 |
Single user DOS on selectedLanguage -cookie (yrityspalvelu.lahitapiola.fi) |
| Ubiquiti Networks |
$150 |
Can upload files without authentication on AirFibre 3.2 |
| Zomato |
- |
test.zba.se is vulnerable to SSL POODLE |
| U.S. Dept Of Defense |
- |
SQL Injection vulnerability in a DoD website |
| Nextcloud |
- |
Wordpress 4.7.1 |
| OpenSSL (IBB) |
$1,000 |
CVE-2017-3730: Bad (EC)DHE parameters cause a client crash |
| LocalTapiola |
$100 |
Enumeration in unsubscribe -function of /omatalousuk (viestinta.lahitapiola.fi) |
| Twitter |
$5,040 |
Attacker can get vine repost user all informations even Ip address and location . |
| Informatica |
- |
[ipm.informatica.com]- Broken Authentication |
| LocalTapiola |
$150 |
Reflected XSS on iltakoulu_varkaus (viestinta.lahitapiola.fi) |
| PHP (IBB) |
$500 |
Out of bounds memory read in unserialize() CVE-2016-10161 |
| Algolia |
$100 |
[github.algolia.com] DOM Based XSS github-btn.html |
| shopify-scripts ★ |
$100 |
heap-use-after-free /home/operac/testafl/mruby/mrubylast/mruby/src/gc.c |
| LocalTapiola |
$1,350 |
SQL Injection /webApp/cancel_iltakoulu regId parameter (viestinta.lahitapiola.fi) |
| Nextcloud |
- |
Email Spoofing |
| Ubiquiti Networks |
$100 |
[nutty.ubnt.com] DOM Based XSS nuttyapp github-btn.html |
| Boozt Fashion AB |
- |
Email spoofing at booztlet.com |
| GitLab |
- |
[RDoc] XSS in project README files |
| LocalTapiola |
$50 |
CSRF bypass + XSS on verkkopalvelu.tapiola.fi |
| U.S. Dept Of Defense |
- |
SQL injection vulnerability on a DoD website |
| Dovecot |
- |
Information About Your System(Sensitive Directories) |
| Alvosec |
$3 |
Alvocrypt uses a cryptographically insecure PRNG. |
| Slack |
$1,000 |
Access of Android protected components via embedded intent |
| Pushwoosh |
- |
Clickjacking |
| shopify-scripts ★ |
$100 |
Incorrect code generation with redo inside NODE_RESCUE. |
| Zomato |
- |
MailPoet Newsletters <= 2.7.2 - Authenticated Reflected Cross-Site Scripting (XSS) |
| Zomato |
- |
XSS in flashmediaelement.swf (business-blog.zomato.com) |
| LocalTapiola |
$1,350 |
SQL Injection on /webApp/lapsuudenturva (viestinta.lahitapiola.fi) |
| LocalTapiola |
$350 |
Sql injection on /webApp/sijoituswebinaari (viestinta.lahitapiola.fi) |
| LocalTapiola |
$350 |
SQL Injection on /webApp/viivanalle (viestinta.lahitapiola.fi) |
| U.S. Dept Of Defense |
- |
Information disclosure vulnerability on a DoD website |
| Boozt Fashion AB |
- |
Bypass email validity in newsletter field |
| Informatica |
- |
[marketplace.informatica.com] Search XSS |
| Harvest |
$250 |
Persistent XSS on ForecastApp |
| HackerOne ★ |
$500 |
Google Analytics could be used as CSP bypass for data exfiltration on hackerone.com |
| shopify-scripts ★ |
$800 |
Aborted - proc.c - line:143 |
| Nextcloud |
- |
Missing Rate Limit for Current Password field in nextcloud.com |
| U.S. Dept Of Defense |
- |
Privilege Escalation on a DoD Website |
| Nextcloud |
- |
Nextcloud.com is vulnerable to SWEET32 attack |
| Legal Robot |
- |
SWEET32 TLS attack |
| Nextcloud |
- |
Group admin can remove user from all his groups via API |
| Brave Software |
- |
No user confirmation when an auto-updated extension gets more permissions |
| VK.com |
- |
HTML Injection possible due to bad filter |
| Nextcloud |
- |
Drone Nextcloud |
| New Relic |
- |
SSRF in alerts.newrelic.com exposes entire internal network |
| Nextcloud |
- |
HTTP-Basic Authentication on logs.nextcloud.com |
| Twitter |
$560 |
Clickjacking Periscope.tv on Chrome |
| Starbucks |
- |
Lack of Controls Allowing for Card and PIN Enumeration Leading to Fraud |
| Starbucks |
- |
csrf blogs.starbucks.com |
| shopify-scripts ★ |
$100 |
SIGABRT - mrb_realloc_simple - gc.c - line:201 |
| Starbucks |
- |
Time-based Blind SQLi on news.starbucks.com |
| U.S. Dept Of Defense |
- |
Reflected XSS vulnerability on a DoD website |
| QIWI |
$150 |
[XSS/pay.qiwi.com] Pay SubDomain Hard-Use XSS |
| QIWI |
$250 |
[XSS/3dsecure.qiwi.com] 3DSecure XSS |
| New Relic |
- |
Restricted User can view multiple account details including customer_root_account_id, payment method, date of first payment, etc. |
| Nextcloud |
- |
Disclosure of administrators via JSON on nextcloud.com Wordpress |
| Ubiquiti Networks |
$2,000 |
[EdgeSwitch] Web GUI command injection as root with Privilege-1 and Privilege-15 users |
| shopify-scripts ★ |
$100 |
Crash in print_backtrace |
| Discourse |
$256 |
Stored XSS in posts because of absence of oembed variables values escaping |
| U.S. Dept Of Defense |
- |
Misconfigured user account settings on DoD website |
| Discourse |
$256 |
Stored XSS in topics because of whitelisted_generic engine vulnerability |
| Nextcloud |
- |
WordPress <= 4.6.1 Stored XSS Via Theme File |
| Nextcloud |
- |
User Information Disclosure via REST API |
| ownCloud |
- |
User Information Disclosure via REST API |
| U.S. Dept Of Defense |
- |
SQL Injection vulnerability in a DoD website |
| shopify-scripts ★ |
$800 |
Null pointer dereference in mrb_str_modify |
| shopify-scripts ★ |
$800 |
Still heap overflow in mrb_ary_splice |
| shopify-scripts ★ |
$100 |
SIGSEGV - mrb_obj_extend - line:413 |
| shopify-scripts ★ |
$800 |
SIGSEGV - mrb_vm_exec - line:1681 |
| Starbucks |
- |
Starbucks.com is reachable via ip address thus possible to link any doamin to Starbucks. |
| Discourse |
$256 |
XSS in topics because of bandcamp preview engine vulnerability |
| VK.com |
$300 |
SSRF через Share-ботов |
| Rockstar Games |
$650 |
[IMP] - Blind XSS in the admin panel for reviewing comments |
| FormAssembly |
- |
formassembly.com is vulnerable to padding-oracle attacks. |
| OLX |
- |
Server Version Of https://www.olx.ph/ |
| Rockstar Games |
$500 |
Ability to post comments to a crew even after getting kicked out |
| YouPorn |
$1,000 |
IDOR - Access to private video thumbnails even if video requires password authentication |
| U.S. Dept Of Defense |
- |
Information disclosure vulnerability on a DoD website |
| FormAssembly |
- |
XSS on username when register to proffesional account |
| ownCloud |
- |
bug reporting template encourages users to paste config file with passwords |
| VK.com |
$100 |
Возможность смотреть видео рекомендации любого пользователя вконтакте |
| Nextcloud |
- |
bug reporting template encourages users to paste config file with passwords |
| Starbucks |
$375 |
Open redirect / Reflected XSS payload in root that affects all your sites (store.starbucks.* / shop.starbucks.* / teavana.com) |
| CodeIgniter |
- |
Vulnerable Javascript library |
| shopify-scripts ★ |
$800 |
Heap Buffer overflow in mrb_funcall_with_block |
| Mail.Ru |
- |
CSRF Send a message at street-combats.mail.ru |
| HackerOne ★ |
$2,000 |
Disclose any user's private email through API |
| Slack |
$200 |
dom xss in https://www.slackatwork.com |
| shopify-scripts ★ |
$800 |
Segmentation fault on program counter |
| U.S. Dept Of Defense |
- |
Information disclosure vulnerability on a DoD website |
| Shopify |
$500 |
apps.shopify.com - CSRF token leakage through Google Analytics |
| U.S. Dept Of Defense |
- |
Local file inclusion vulnerability on a DoD website |
| shopify-scripts ★ |
- |
Clearing , Shifting and Pop Value from Frozen Array |
| shopify-scripts ★ |
$800 |
SIGSEGV - mrb_vm_exec - vm.c in line:1272 |
| shopify-scripts ★ |
$800 |
SIGSEGV in mrb_vm_exec |
| HackerOne ★ |
- |
Report redaction doesn't apply to report title update activities |
| U.S. Dept Of Defense |
- |
Blind SQLi in a DoD Website |
| Snapchat |
$250 |
RTLO char allowed in chat |
| Instacart |
$100 |
XSS in instacart.com/store/partner_recipe |
| PHP (IBB) |
$500 |
Use of uninitialized memory in unserialize() CVE-2017-5340 |
| Mail.Ru |
- |
Излишние права при авторизации через интерфейс mail.ru |
| shopify-scripts ★ |
$100 |
Segmentation fault - mrb_gc_mark |
| U.S. Dept Of Defense |
- |
Information disclosure vulnerability on a DoD website |
| U.S. Dept Of Defense |
- |
Information disclosure vulnerability on a DoD website |
| U.S. Dept Of Defense |
- |
Information disclosure vulnerability on a DoD website |
| U.S. Dept Of Defense |
- |
Exposed Access Control Data Backup Files on DoD Website |
| U.S. Dept Of Defense |
- |
HTML Injection/Load Images vulnerability on a DoD website |
| Slack |
$100 |
Subdomain takeover on podcasts.slack-core.com |
| GlobaLeaks |
- |
No valid SPF records on demo.globaleaks.org |
| Starbucks |
$250 |
SAP Server - default credentials enabled |
| Shopify |
$1,000 |
CSRF in all API endpoints when authenticated using HTTP Authentication |
| GitLab |
- |
Users with guest access can post notes to private merge requests, issues, and snippets |
| GitLab |
- |
User with guest access can access private merge requests |
| GitLab |
- |
Every user can delete public deploy keys |
| GitLab |
- |
Users can download old project exports due to unclaimed namespace |
| U.S. Dept Of Defense |
- |
SQL injection vulnerability in a DoD website |
| Open-Xchange |
$250 |
Set Cookie Via SVG |
| Envoy |
- |
Primary Cloning of Envoy web application resulting confidential information disclosure |
| shopify-scripts ★ |
$800 |
Heap overflow due to off-by-one when expanding stack |
| shopify-scripts ★ |
$200 |
Heap use-after-free during range creation |
| shopify-scripts ★ |
- |
Deleting Key-value pair from Frozen HASH or Clearing a Frozen HASH |
| Shopify |
$500 |
Authentication Bypass on monitoring server |
| LocalTapiola |
$100 |
OpenSSL Padding Oracle Attack (CVE-2016-2107) on viestinta.lahitapiola.fi |
| GlobaLeaks |
- |
GlobaLeaks is vulnerable to timing attacks. |
| Nextcloud |
- |
Review remote code execution in SwiftMailer |
| Starbucks |
- |
Exposed Unencrypted Telnet Endpoint |
| Yelp |
$100 |
Able to download arbitrary PHP files at yelpblog.com |
| Skyport Systems |
$25 |
Nginx version disclosure via forbidden page |
| Starbucks |
- |
Brute Force Attack against PIN on Card History Page Could Lead to Card Information Discovery / Fraud |
| U.S. Dept Of Defense |
- |
Password reset vulnerability on a DoD website |
| U.S. Dept Of Defense |
- |
Reflected XSS on a DoD website |
| LocalTapiola |
$400 |
Reflected XSS and Open Redirect (verkkopalvelu.lahitapiola.fi) |
| Apache httpd (IBB) |
- |
DoS vulnerability in mod_auth_digest CVE-2016-2161 |
| U.S. Dept Of Defense |
- |
SQL injection vulnerability on a DoD website |
| U.S. Dept Of Defense |
- |
Misconfigured password reset vulnerability on a DoD website |
| Trello |
- |
The contact page is vulnerable to self-XSS via upload file name |
| shopify-scripts ★ |
$800 |
SIGABRT - mrb_default_allocf |
| VK.com |
- |
Способ узнать имя человека удаленной страницы 2 |
| Dovecot |
- |
Directory listing |
| shopify-scripts ★ |
$800 |
SIGSEGV - kh_resize_iv - Null Deref |
| shopify-scripts ★ |
$200 |
Double free of filename after codegen error |
| Gratipay |
- |
Session Fixation At Logout /Session Misconfiguration |
| shopify-scripts ★ |
$800 |
attempting double-free using the mruby compiler `mrbc` |
| U.S. Dept Of Defense |
- |
Reflected XSS on a DoD website |
| Starbucks |
- |
Create New User Whilst Logged On |
| Zendesk |
$2,000 |
a stored xss in web widget chat |
| U.S. Dept Of Defense |
- |
SQL injection vulnerability on a DoD website |
| VK.com |
- |
Способ узнать имя человека удаленной страницы |
| shopify-scripts ★ |
$800 |
Use After Free in str_replace |
| shopify-scripts ★ |
$800 |
Null pointer dereference in mrb_str_prepend |
| shopify-scripts ★ |
$800 |
mrb_str_modify try to write to memory not marked for writing |
| shopify-scripts ★ |
$800 |
SIGSEGV - mrb_check_intern_str() - NullPointer |
| WebSummit |
$20 |
Subdomain Takeover at http://gameday.websummit.net |
| CloudFlare |
- |
[http2.cloudflare.com] Open Redirect |
| Gratipay |
- |
User Enumeration |
| U.S. Dept Of Defense |
- |
Server-side include injection vulnerability in a DoD website |
| OWOX, Inc. |
- |
Stored XSS at https://finance.owox.com/customer/accountList |
| shopify-scripts ★ |
$1,000 |
Memory disclosure in timegm |
| Mapbox |
$1,000 |
Mapbox Android SDK uses Broadcast Receiver instead of Local Broadcast Manager |
| Nextcloud |
- |
Reflected XSS in U2F plugin by shipping the example endpoints |
| U.S. Dept Of Defense |
- |
XSS vulnerability on a DoD website |
| Starbucks |
- |
[newscdn.starbucks.com] CRLF Injection, XSS |
| shopify-scripts ★ |
$800 |
SIGSEGV Null Pointer mrb_str_concat() |
| shopify-scripts ★ |
$100 |
heap-buffer-overflow on mruby |
| YouPorn |
$1,000 |
Account takeover via Pornhub Oauth |
| LocalTapiola |
$150 |
Creating arbitrary cookies values /cs/CookieServer (www.lahitapiola.fi) |
| Discourse |
$128 |
Users can bookmark other user's messages |
| shopify-scripts ★ |
$800 |
kh_get_n2s() stack overrun |
| U.S. Dept Of Defense |
- |
Server side information disclosure |
| U.S. Dept Of Defense |
- |
Remote code execution vulnerability on a DoD website |
| shopify-scripts ★ |
$800 |
SIGABRT, SIGSEGV mspace_free() and mrb_default_allocf() |
| shopify-scripts ★ |
$800 |
SIGSEGV on mrb_vm_exec() Null Deref |
| Harvest |
$300 |
Unauthorised read Access to Expense Receipt of any user in the company(Vertical Privilege escalation) |
| Mail.Ru |
- |
[ml.money.mail.ru] Open Redirect |
| Mail.Ru |
- |
[cooking.lady.mail.ru] Open Redirect |
| shopify-scripts ★ |
$800 |
Heap Overflow in mrb_arb_splice |
| shopify-scripts ★ |
$100 |
mrb_vformat() heap overflow could lead to code execution |
| OLX |
- |
olx.ph is vulnerable to POODLE attack |
| shopify-scripts ★ |
$100 |
Integer Overflow in mrb_ary_set |
| Discourse |
$256 |
XSS vulnerability on Audio and Video parsers |
| Shopify |
$1,000 |
Stored XSS in blog comments through Shopify API |
| Coinbase |
- |
Information disclosure in coinbase android app |
| Shopify |
$500 |
XSS on postal codes |
| Badoo |
$280 |
CSRF Attack on (m.badoo.com)deleting account and erasing imported contacts |
| Ruby |
$500 |
Buffer underflow in sprintf |
| U.S. Dept Of Defense |
- |
SQL Injection vulnerability in a DoD website |
| U.S. Dept Of Defense |
- |
SQL Injection vulnerability in a DoD website |
| U.S. Dept Of Defense |
- |
Default credentials on a DoD website |
| shopify-scripts ★ |
$800 |
SIGSEGV mrb_obj_freeze() Manipulating Register RAX and RSI |
| Nextcloud |
$300 |
Limitation of app specific password scope can be bypassed (NC-SA-2017-009) CVE-2017-0892 |
| shopify-scripts ★ |
$800 |
SIGSEGV on mruby mrb_get_args() |
| Discourse |
$256 |
XSS Vulnerability on Image link parser |
| U.S. Dept Of Defense |
- |
HTML injection vulnerability on a DoD website |
| Discourse |
$256 |
DOM Based XSS in Discourse Search |
| Twitter |
- |
Remote Unrestricted file Creation/Deletion and Possible RCE. |
| U.S. Dept Of Defense |
- |
Cross-site request forgery (CSRF) vulnerability on a DoD website |
| U.S. Dept Of Defense |
- |
Server side information disclosure on a DoD website |
| shopify-scripts ★ |
$1,000 |
Incorrect code generation when result of NODE_NEGATE is not used |
| Pornhub |
$1,000 |
XSS vulnerability using GIF tags |
| Legal Robot |
$20 |
Password complexity requirements not enforced |
| U.S. Dept Of Defense |
- |
Cross-site request forgery vulnerability on a DoD website |
| LocalTapiola |
$1,350 |
SQL Injection on /webApp/sijoitustalousuk email-parameter + potential lack of CSRF Token (viestinta.lahitapiola.fi) |
| U.S. Dept Of Defense |
- |
DOM Based XSS on a DoD website |
| U.S. Dept Of Defense |
- |
DOM Based XSS on an Army website |
| LocalTapiola |
$450 |
Reflected XSS and Open Redirect in several parameters (viestinta.lahitapiola.fi) |
| U.S. Dept Of Defense |
- |
Reflected cross-site scripting (XSS) vulnerability on a DoD website |
| Twitter |
$1,680 |
CRLF and XSS stored on ton.twitter.com |
| OLX |
- |
Reflected XSS in [olx.qa] |
| shopify-scripts ★ |
$100 |
Invalid memory access in `mrb_str_format` |
| Twitter |
$140 |
Sub Domain Takeover at mk.prd.vine.co |
| U.S. Dept Of Defense |
- |
File upload vulnerability on a DoD website |
| PortSwigger Web Security |
- |
HTTP OPTION Method is Enabled on portswigger.net |
| Uber ★ |
$2,500 |
Authorization issue in Google G Suite allows DoS through HTTP redirect |
| Starbucks |
- |
http://digital.starbucks.com/ Creation of Google G Suite Account on Behalf of starbucks. |
| LocalTapiola |
$1,350 |
SQL Injection in lapsuudenturva (viestinta.lahitapiola.fi) |
| LocalTapiola |
$50 |
Reflected XSS on sankarikoulutus (viestinta.lahitapiola.fi) |
| Gratipay |
- |
Content type incorrectly stated |
| Shopify |
$500 |
XSS on manually entering Postal codes |
| PHP (IBB) |
$500 |
Invalid parameter in memcpy function trough openssl_pbkdf2 |
| Nextcloud |
- |
Stored XSS on new Calling plugin (spreed) |
| PHP (IBB) |
$500 |
imagefilltoborder stackoverflow on truecolor images |
| Starbucks |
$250 |
Reflected XSS on teavana.com (Locale-Change) |
| LocalTapiola |
$1,350 |
SQL Injection in sijoitustalous_peruutus (viestinta.lahitapiola.fi) |
| U.S. Dept Of Defense |
- |
Reflected XSS on a DoD website |
| Gratipay |
- |
Gratipay uses the random module's cryptographically insecure PRNG. |
| GoCD |
- |
Reflected XSS vector |
| Informatica |
- |
[marketplace.informatica.com] Profile stored XSS |
| U.S. Dept Of Defense |
- |
Reflected XSS on a DoD website |
| QIWI |
$100 |
[qiwi.com] .bash_history |
| Gratipay |
- |
Cookie HttpOnly Flag Not Set |
| LocalTapiola |
$400 |
Open Redirect bypass and cookie leakage on www.lahitapiola.com |
| shopify-scripts ★ |
$1,000 |
Segfault when passing invalid values to `values_at` |
| Informatica |
- |
[careers.informatica.com] XSS on "isJTN" |
| Informatica |
- |
[network.informatica.com] The login form XSS via the referer value |
| Gratipay |
- |
Certificate signed using SHA-1 |
| U.S. Dept Of Defense |
- |
Time Based SQL Injection vulnerability on a DoD website |
| Informatica |
- |
[kb.informatica.com] DOM based XSS in the bindBreadCrumb function |
| Quora |
$150 |
[Android] XSS via start ContentActivity |
| Quora |
$300 |
[controlsyou.quora.com] 429 Too Many Requests Error-Page XSS |
| HackerOne ★ |
$500 |
Websites opened from reports can change url of report page |
| shopify-scripts ★ |
- |
Segmentation fault due to invalid memory access in codegen when using break with the 127th argument a constant |
| U.S. Dept Of Defense |
- |
Server Side Request Forgery (SSRF) vulnerability in a DoD website |
| shopify-scripts ★ |
$10,000 |
Certain inputs cause tight C-level recursion leading to process stack overflow |
| Twitter |
- |
GNIP subdomain take over |
| U.S. Dept Of Defense |
- |
Information disclosure vulnerability on a DoD website |
| U.S. Dept Of Defense |
- |
Information disclosure on a DoD website |
| Shopify |
$500 |
Unauthenticated Stored XSS on <any>.myshopify.com via checkout page |
| Urban Dictionary |
- |
Text injection on Auth problem at urbandictionary.com |
| U.S. Dept Of Defense |
- |
SQL injection vulnerability on a DoD website |
| U.S. Dept Of Defense |
- |
Reflected XSS on a DoD website |
| Pornhub |
$5,000 |
Unsecured DB instance |
| U.S. Dept Of Defense |
- |
QuickTime Promotion on a DoD website |
| U.S. Dept Of Defense |
- |
SQL injection vulnerability on a DoD website |
| Legal Robot |
- |
S3 ACL misconfiguration |
| Starbucks |
$500 |
Persistent XSS in www.starbucks.com |
| U.S. Dept Of Defense |
- |
Time Based SQL Injection vulnerability on a DoD website |
| U.S. Dept Of Defense |
- |
XXE on DoD web server |
| HackerOne ★ |
$10,000 |
Information Disclosure in /skills call |
| Robinhood |
- |
httponly flag not set + csrftoken in url |
| U.S. Dept Of Defense |
- |
Reflected XSS in a Navy website |
| Pornhub |
$750 |
Unsecured Kibana/Elasticsearch instance |
| shopify-scripts ★ |
$10,000 |
Buffer overflow in mrb_time_asctime |
| shopify-scripts ★ |
$8,000 |
Segmentation fault due to bad memory access in kh_get_mt |
| U.S. Dept Of Defense |
- |
Remote code execution on an Army website |
| OLX |
- |
Multiple vulnerabilities in http://blog.dubizzle.com/uae |
| Shopify |
- |
Redirect in adding advance cash on delivery app |
| Nextcloud |
- |
BruteForce in to Admin Account |
| Nextcloud |
- |
Login Hints on Admin Panel |
| Starbucks |
$150 |
Dom Based Xss DIV.innerHTML parameters store.starbucks* |
| U.S. Dept Of Defense |
- |
Personal information disclosure on a DoD website |
| Nextcloud |
- |
Wordpress Version Disclosure Bug On Nextcloud |
| U.S. Dept Of Defense |
- |
Violation of secure design principles on a DoD website |
| Brave Software |
- |
Command Execution because of extension handling |
| LocalTapiola |
- |
/icons/README available on viestinta.lahitapiola.fi |
| U.S. Dept Of Defense |
- |
Open redirect vulnerability in a DoD website |
| U.S. Dept Of Defense |
- |
XSS vulnerability on an Army website |
| U.S. Dept Of Defense |
- |
Reflected XSS vulnerability on a DoD website |
| U.S. Dept Of Defense |
- |
Persistent XSS vulnerability on a DoD website |
| Twitter |
$280 |
Vine - overwrite account associated with email via android application |
| U.S. Dept Of Defense |
- |
Authentication bypass vulnerability on a DoD website |
| Mail.Ru |
- |
[element.mail.ru] /.svn/entries |
| shopify-scripts ★ |
- |
Null pointer dereference due to bug in codegen with negation of floats |
| shopify-scripts ★ |
$10,000 |
Null pointer derefence due to bug in codegen with negation without using value |
| Nextcloud |
- |
Files Drop: WebDAV endpoint is leaking existence of resources |
| Trello |
- |
SVG Uploads / Attachments can be viewed by anyone that knows the URL |
| Slack |
$500 |
Store XSS |
| ownCloud |
- |
Stored xss |
| shopify-scripts ★ |
$10,000 |
Invalid handling of zero-length heredoc identifiers leads to infinite loop in the sandbox |
| U.S. Dept Of Defense |
- |
Arbitrary Script Injection (Mail) in a DoD Website |
| Dovecot |
- |
Web Browser XSS Protection Not Enabled |
| PortSwigger Web Security |
- |
JSBeautifier BApp: Race condition leads to memory disclosure |
| Pushwoosh |
- |
Publicy accessible IDRAC instance at api-m.inapp.pushwoosh.com |
| U.S. Dept Of Defense |
- |
Open Redirect in a DoD website |
| PortSwigger Web Security |
- |
Order-phishing via Payment ID URL |
| Starbucks |
$2,000 |
Subdomain takeover on happymondays.starbucks.com due to non-used AWS S3 DNS record |
| shopify-scripts ★ |
$10,000 |
Crash: Overwriting NoMethodError with a builtin class crashes/corrupts memory |
| Pornhub |
$150 |
Stored XSS on the http://ht.pornhub.com/widgets/ |
| OWOX, Inc. |
- |
Access to Grafana Dashboard |
| Starbucks |
$100 |
Stored XSS in Adress Book (starbucks.com/account/profile) |
| U.S. Dept Of Defense |
- |
Information disclosure vulnerability on a DoD website |
| Shopify |
$500 |
Stored XSS at 'Buy Button' page |
| U.S. Dept Of Defense |
- |
Cross-Site Scripting (XSS) on a DoD website |
| OWOX, Inc. |
- |
Subdomain Takeover on OWOX.RU |
| Phabricator |
$300 |
Fetching binaries (for software installation) over HTTP without verification (RCE as ROOT by MITM) |
| U.S. Dept Of Defense |
- |
Arbitary file download vulnerability on a DoD website |
| U.S. Dept Of Defense |
- |
Information disclosure on a DoD website |
| U.S. Dept Of Defense |
- |
DNS Misconfiguration |
| U.S. Dept Of Defense |
- |
Cross-site scripting (XSS) vulnerability on a DoD website |
| U.S. Dept Of Defense |
- |
Information disclosure vulnerability in a DoD website |
| U.S. Dept Of Defense |
- |
Information disclosure vulnerability on a DoD website |
| Pornhub |
$1,500 |
IDOR - disclosure of private videos - /api_android_v3/getUserVideos |
| HackerOne ★ |
$12,500 |
Internal attachments can be exported via "Export as .zip" feature |
| GitLab |
- |
State filter in IssuableFinder allows attacker to delete all issues and merge requests CVE-2016-9469 |
| U.S. Dept Of Defense |
- |
Information leakage on a Department of Defense website |
| U.S. Dept Of Defense |
- |
SQL Injection vulnerability on a DoD website |
| shopify-scripts ★ |
$1,000 |
Crash: A call to Symbol.new leads to a crash when inspecting the resulting object |
| Ian Dunn |
$25 |
constant cache_page_secret in regolith |
| Ian Dunn |
$50 |
unchecked unserialize usages in audit-trail-extension/audit-trail-extension.php |
| Ian Dunn |
$25 |
unchecked unserialize usage in WordPress-Functionality-Plugin-Skeleton/functionality-plugin-skeleton.php |
| shopify-scripts ★ |
$1,000 |
Invalid memory write caused by incorrect upper bound in array_copy |
| Twitter |
$560 |
Twitter for android is exposing user's location to any installed android app |
| Gratipay |
- |
Secure Pages Include Mixed Content |
| Gratipay |
$1 |
Incomplete or No Cache-control and Pragma HTTP Header Set |
| Shopify |
$500 |
XSS in my.shopify.com in widget |
| shopify-scripts ★ |
$8,000 |
Crash: mrb_any_to_s can't handle NilClass, Symbol and Fixnum |
| shopify-scripts ★ |
$10,000 |
Crash: Initialize Decimal with itself triggers an assertion |
| shopify-scripts ★ |
- |
Null pointer dereference in mrb_str_concat |
| shopify-scripts ★ |
$1,000 |
Null pointer dereference regression in parse.y |
| shopify-scripts ★ |
$18,000 |
Type confusion in wrap_decimal leading to memory corruption |
| shopify-scripts ★ |
$20,000 |
Type confusion in mrb_exc_set leading to memory corruption |
| U.S. Dept Of Defense |
- |
Insecure direct object reference vulnerability on a DoD website |
| U.S. Dept Of Defense |
- |
Stored cross site scripting (XSS) vulnerability on a DoD website |
| OWOX, Inc. |
- |
Subdomain Takeover on http://blog.owox.com/ |
| OWOX, Inc. |
- |
invalid URL parsing with and '@' |
| shopify-scripts ★ |
$8,000 |
Crash: calling Proc::initialize_copy with a Proc instance where initialize never ran leads to a crash |
| U.S. Dept Of Defense |
- |
XSS on a DoD website |
| U.S. Dept Of Defense |
- |
Reflected XSS on a DoD website |
| shopify-scripts ★ |
$1,000 |
Read after free in mrb_vm_exec with OP_ARYCAT reading R(B) |
| shopify-scripts ★ |
$8,000 |
Denial of service due to invalid memory access in mrb_ary_concat |
| Slack |
$1,000 |
Eavesdropping on private Slack calls |
| shopify-scripts ★ |
$8,000 |
mruby-time: Crash host with uninitialized Time obj |
| U.S. Dept Of Defense |
- |
Unrestricted File Upload |
| U.S. Dept Of Defense |
- |
Cross-site scripting vulnerability on a DoD website |
| U.S. Dept Of Defense |
- |
Information disclosure vulnerability on a DoD website |
| U.S. Dept Of Defense |
- |
Cross-site scripting (XSS) vulnerability on a DoD website |
| LocalTapiola |
$50 |
Disclosure of IBM Websphere page |
| U.S. Dept Of Defense |
- |
Reflected XSS on a Department of Defense website |
| U.S. Dept Of Defense |
- |
RCE on a Department of Defense website |
| U.S. Dept Of Defense |
- |
Reflected XSS on a DoD website |
| U.S. Dept Of Defense |
- |
Reflected XSS on an Army website |
| U.S. Dept Of Defense |
- |
Reflected XSS vulnerability on a DoD website |
| U.S. Dept Of Defense |
- |
Information disclosure on a DoD website |
| Pushwoosh |
- |
Read Application Name , Subscribers Count |
| U.S. Dept Of Defense |
- |
Reflected cross-site scripting vulnerability on a DoD website |
| U.S. Dept Of Defense |
- |
Local File Inclusion vulnerability on an Army system allows downloading local files |
| U.S. Dept Of Defense |
- |
Stored cross-site scripting (XSS) on a DoD website |
| U.S. Dept Of Defense |
- |
Unrestricted File Download / Path Traversal |
| U.S. Dept Of Defense |
- |
Reflected XSS on a Navy website |
| U.S. Dept Of Defense |
- |
Reflected XSS on a DoD website |
| U.S. Dept Of Defense |
- |
Reflected XSS on a Department of Defense website |
| U.S. Dept Of Defense |
- |
Reflective XSS vulnerability on a DoD website |
| U.S. Dept Of Defense |
- |
Reflected XSS on a DoD website |
| U.S. Dept Of Defense |
- |
Reflected XSS vulnerability on a DoD website |
| LocalTapiola |
$450 |
XSS and open redirect in verkkopalvelu.lahitapiola.fi |
| shopify-scripts ★ |
- |
Invalid memory access while freeing memory, caused by invalid type passed to mrb_ary_unshift |
| shopify-scripts ★ |
- |
Null pointer dereference in ary_concat |
| Pornhub |
$520 |
Race Condition Vulnerability On Pornhubpremium.com |
| WordPress |
$350 |
[Buddypress] Arbitrary File Deletion through bp_avatar_set |
| LocalTapiola |
$100 |
SMTP configuration vulnerability viestinta.lahitapiola.fi |
| shopify-scripts ★ |
$8,000 |
Segmentation fault when a Ruby method is invoked by a C method via Object#send |
| shopify-scripts ★ |
$8,000 |
Null target_class DoS |
| shopify-scripts ★ |
$10,000 |
Segfault and/or potential unwanted (byte)code execution with "break" and "||=" inside a loop |
| VK.com |
$500 |
Возможность провести DoS атаку от имени vk.com сервера |
| OWOX, Inc. |
- |
Direct IP Access |
| Pushwoosh |
- |
Nginx version disclosure via response header |
| shopify-scripts ★ |
$8,000 |
SIGSEGV on mruby's mark_tbl() (Invalid memory access) |
| shopify-scripts ★ |
$8,000 |
SIGSEGV on mruby mrb_str_modify() (Invalid memory access) |
| OWOX, Inc. |
- |
ClickJacking |
| Boozt Fashion AB |
$200 |
Email link poisoning / Host header attack |
| Pushwoosh |
- |
Administrator Access To Management Console |
| OWOX, Inc. |
- |
Subdomain Takeover on http://kiosk.owox.com/ |
| Brave Software |
- |
links the user may download can be a malicious files |
| Pushwoosh |
- |
Bypass the resend limit in Send Invites |
| GitLab |
- |
CSRF Token Bypass in Account Deletion |
| shopify-scripts ★ |
$10,000 |
Broken handling of maximum number of method call arguments leads to segfault |
| Badoo |
$140 |
Email Spoofing |
| HackerOne ★ |
$10,000 |
Partial disclosure of report activity through new "Export as .zip" feature |
| shopify-scripts ★ |
$10,000 |
Null pointer dereference due to TOCTTOU bug in mrb_time_initialize |
| Pushwoosh |
- |
Password Forgot/Password Reset Request Bug |
| LocalTapiola |
$60 |
Option method enabled (viestinta.lahitapiola.fi) |
| Pushwoosh |
- |
Unsecured Grafana instance |
| Python (IBB) |
$500 |
Type confusion in FutureIter_throw() which may potentially lead to an arbitrary code execution |
| PortSwigger Web Security |
$350 |
XSS in IE11 on portswigger.net via Flash |
| Pornhub |
$200 |
Reflected cross-site scripting (XSS) vulnerability in pornhub.com allows attackers to inject arbitrary web script or HTML. |
| Udemy |
$300 |
Completed Compromise & Source Code Disclosure via Exposed Jenkins Dashboard at https://jenkins101.udemy.com |
| Pushwoosh |
- |
Spam Some one using (user.saveInvite) system |
| Pushwoosh |
- |
Nginx server version disclosure |
| Pushwoosh |
- |
Reflected Xss on |
| shopify-scripts ★ |
$8,000 |
SIGSEV on mrb_ary_splice |
| Pushwoosh |
- |
htaccess file is accesible |
| Pushwoosh |
- |
Spoof Email with Hyperlink Injection via Invites functionality |
| Imgur |
$250 |
Stored xss in ALBUM DESCRIPTION |
| Mail.Ru |
- |
[qpt.mail.ru] CRLF Injection / Open Redirect |
| shopify-scripts ★ |
$10,000 |
Range constructor type confusion DoS |
| shopify-scripts ★ |
$20,000 |
TOCTTOU bug in mrb_str_setbyte leading the memory corruption |
| shopify-scripts ★ |
$18,000 |
Struct type confusion RCE |
| shopify-scripts ★ |
$10,000 |
SIGSEGV when invalid argument on remove_method |
| shopify-scripts ★ |
$20,000 |
DoS: type confusion in mrb_no_method_error |
| Udemy |
$200 |
Jenkins |
| LocalTapiola |
$150 |
Multiple Reflected XSS /webApp/lahti (viestinta.lahitapiola.fi) |
| shopify-scripts ★ |
$10,000 |
Segfault in mruby, mruby_engine and the parent MRI Ruby due to null pointer dereference |
| LocalTapiola |
$350 |
SQL Injection /webApp/sijoitustalous_peruutus locId parameter (viestinta.lahitapiola.fi) |
| VK.com |
$1,500 |
Stored XSS в личных сообщениях |
| Informatica |
- |
[marketplace.informatica.com] Persistent XSS through document title |
| LocalTapiola |
$264 |
HTML Injection in email /webApp/lahti (viestinta.lahitapiola.fi) |
| LocalTapiola |
$350 |
SQL Injection /webApp/oma_conf ctx parameter (viestinta.lahitapiola.fi) |
| LocalTapiola |
$60 |
Poodle attack SSLv3 Support (viestinta.lahitapiola.fi) |
| Twitter |
$1,120 |
[IDOR][translate.twitter.com] Opportunity to change any comment at the forum |
| shopify-scripts ★ |
$8,000 |
Undefined method_missing null pointer dereference |
| shopify-scripts ★ |
$10,000 |
Range#initialize_copy null pointer dereference |
| shopify-scripts ★ |
$10,000 |
NULL pointer dereference when parsing ternary operators |
| Ubiquiti Networks |
$500 |
Subdomain Takeover (moderator.ubnt.com) |
| LocalTapiola |
$100 |
Error Page Content Spoofing or Text Injection (viestinta.lahitapiola.fi) |
| shopify-scripts ★ |
$20,000 |
Use after free vulnerability in mruby Array#to_h causing DOS possible RCE |
| shopify-scripts ★ |
$2,000 |
Memory disclosure in mruby String#lines method |
| Paragon Initiative Enterprises |
- |
Not using Binary::safe* functions for substr/strlen function |
| shopify-scripts ★ |
$8,000 |
Denial of Service in mruby due to null pointer dereference |
| Paragon Initiative Enterprises |
- |
Missing rel=noopener noreferrer in target=_blank links (Phishing attack) |
| Paragon Initiative Enterprises |
- |
Using plain git protocol (vulnerable to MITM) |
| Paragon Initiative Enterprises |
- |
Missing GIT tag/commit verification in Docker |
| Paragon Initiative Enterprises |
- |
Incorrect detection of onion URLs |
| Coinbase |
$100 |
Window.opener bug at www.coinbase.com |
| Brave Software |
- |
Remote Stack Overflow Vulnerability (DoS) |
| shopify-scripts ★ |
$10,000 |
Exception cause SIGABRT |
| Legal Robot |
$40 |
Password reset access control |
| shopify-scripts ★ |
$8,000 |
ruby DoS https://www.mruby.science |
| Legal Robot |
$40 |
Missing restriction on string size in profile fields |
| Yelp |
$300 |
X.509 certificate validation fails on international vanity domains |
| VK.com |
$300 |
SSRF (open) - via GET request |
| Boozt Fashion AB |
- |
Cookie Misconfiguration |
| Paragon Initiative Enterprises |
- |
Subdomain Takeover |
| Zomato |
- |
takeover a lot of accounts |
| Trello |
$2,048 |
Stealing power up private tokens (trello, twitter, github...) |
| Zopim |
$100 |
Android SDK - CREATE_REQUEST broascast is unprotected |
| Open-Xchange |
$500 |
Reflected Cross-Site Scripting due to vulnerable Flash component (Flashmediaelement.swf) |
| Paragon Initiative Enterprises |
- |
BAD Code ! |
| Open-Xchange |
$100 |
Selecting encryption for email with drive attachment overrides the drive email password |
| Paragon Initiative Enterprises |
- |
DMARC Not found for paragonie.com URGENT |
| General Motors |
- |
Flash XSS on Buick_RotatingMasthead_JellyBeanSlider.swf |
| LocalTapiola |
$100 |
Suspicious browser fingerprinting(?) scripts on http://www.lahitapiola.fi/ redirector |
| LocalTapiola |
$1,560 |
SQL Injection on /webApp/omatalousuk (viestinta.lahitapiola.fi) |
| Blockchain |
- |
username enumeration |
| Blockchain |
$100 |
Information disclosure at https://blockchain.atlassian.net |
| Open-Xchange |
$666 |
Tab nabbing via window.opener |
| Open-Xchange |
$300 |
Stored XSS in Template Documents |
| Blockchain |
$400 |
Reflected XSS on blockchain.info |
| VK.com |
$1,000 |
Новый 2FA Bypass |
| LocalTapiola |
$400 |
Open Redirect (verkkopalvelu.lahitapiola.fi) |
| Brave Software |
- |
Denial of service(POP UP Recursion) on Brave browser |
| Blockchain |
$50 |
server version dislosure |
| Ubiquiti Networks |
$500 |
Stored XSS in community.ubnt.com |
| Brave Software |
- |
Information disclosure of website |
| Imgur |
$5,000 |
Unauthenticated Docker registry |
| Nextcloud |
$50 |
Content Spoofing in "files" app CVE-2017-0888 |
| Paragon Initiative Enterprises |
- |
[Airship CMS] Local File Inclusion - RST Parser |
| Legal Robot |
- |
The websocket traffic is not secure enough |
| Yelp |
$500 |
CSRF on signup endpoint (auto-api.yelp.com) |
| Badoo |
$280 |
Leave inaccessible messaging system with a message (https://us1.badoo.com) |
| Informatica |
- |
[afocusp.informatica.com] Sql injection afocusp.informatica.com:37777 |
| Revive Adserver |
- |
Reflected XSS on Zones > Invocation Code |
| Badoo |
$260 |
Arbitrary modification value "session" (Cookie) in badoo.com |
| New Relic |
- |
Potential sub-domain hijacking |
| Instacart |
$100 |
Access private list metadata |
| Uber ★ |
$1,000 |
ability to retrieve a user's phone-number/email for a given inviteCode |
| RubyGems |
- |
Possible Subdomain Takeover at http://production.s3.rubygems.org/ pointing to Fastly |
| OLX |
- |
CSRF in delete advertisement on olx.com.eg |
| InVision |
$300 |
CORS Man-in-the-Middle account compromise |
| HackerOne ★ |
- |
Limited Open redirection using SSO-SAML |
| Shopify |
$1,500 |
Misconfiguration in Two Factor Authorisation |
| Informatica |
- |
[parc.informatica.com] Reflected Cross Site Scripting and Open Redirect |
| Mail.Ru |
- |
[pokerist.mail.ru] XSS Request-URI |
| Mail.Ru |
- |
[allods.mail.ru] Cross-Site Request Forgery (Add-Item) |
| Twitter |
$280 |
SSRF in https://cards-dev.twitter.com/validator |
| GitLab |
- |
Read files on application server, leads to RCE CVE-2016-9086 |
| Informatica |
- |
[ipm.informatica.com] Sql injection Oracle |
| QIWI |
$300 |
Раскрытие баланса на //kopilka.qiwi.com |
| Harvest |
$250 |
Stored XSS in Restoring Archived Tasks |
| Nextcloud |
- |
xss on demo.nextcloud.com due to outdated version |
| Starbucks |
$375 |
CSRF exploit | Adding/Editing comment of wishlist items (teavana.com - Wishlist-Comments) |
| Starbucks |
$150 |
CSRF vulnerability in saving payment card on store.starbucks.com (COBilling -AddCreditCard) |
| Badoo |
$140 |
Unvalidated redirect on team.badoo.com |
| OLX |
- |
Reflective XSS at dubai.dubizzle.com |
| LocalTapiola |
$588 |
Lahitapiola´s customer names send to 3rd party |
| Starbucks |
$375 |
Reflected XSS by exploiting CSRF vulnerability on teavana.com wishlist comment module. (wishlist-comments) |
| New Relic |
- |
Open Redirect |
| HackerOne ★ |
- |
Information disclosure via policy update notifications after removal from program |
| Starbucks |
$250 |
CSRF: add item to victim's cart automatically (starbucks.com - updatecart) |
| Nextcloud |
- |
Content spoofing due to the improper behavior of the 403 page in Private Server |
| OLX |
- |
Reflective XSS at m.olx.ph |
| LocalTapiola |
$750 |
Email Server Compromised at secure.lahitapiola.fi |
| Brave Software |
- |
invalid homepage URL causes 'uncaught typeerror' or blank state |
| Mindoktor |
$2,000 |
XSS at endpoint clinic.mindoktor.se in flash cookie |
| Mindoktor |
$300 |
Storing sensitive information on cookie post-registration |
| Coinbase |
$200 |
Authentication Issue |
| Brave Software |
$50 |
[ios] Address bar spoofing in Brave for iOS |
| Harvest |
$100 |
Editing a project (LIMITED) |
| Twitter |
$2,520 |
Cross-site scripting (reflected) |
| Ian Dunn |
- |
No CAPTCHA ia exist in pages |
| itBit Exchange |
$1,000 |
Round error issue -> produce money for free |
| Brave Software |
- |
DOS in browser using window.print() function |
| Brave Software |
$100 |
Denial of service attack(window object) on brave browser |
| Brave Software |
- |
[iOS] URI Obfuscation in iOS application |
| Shopify |
$500 |
race condition in adding team members |
| Revive Adserver |
- |
Weak Forgot Password implementation |
| Brave Software |
- |
JavaScript URL Issues in the latest version of Brave Browser |
| Brave Software |
- |
Javascript confirm() crashes Brave on PC |
| Brave Software |
$50 |
Denial of service attack on Brave Browser. |
| Coinbase |
$100 |
Information disclosure of user by email using buy widget |
| Brave Software |
$100 |
Access to local file system using javascript |
| Brave Software |
$200 |
[iOS/Android] Address Bar Spoofing Vulnerability |
| OLX |
- |
Reflected XSS in OLX.in |
| Brave Software |
$100 |
Address Bar Spoofing - Already resolved - Retroactive report |
| OpenSSL (IBB) |
- |
Remote client memory corruption in ssl_add_clienthello_tlsext() |
| OLX |
- |
Directory Listing of all the resource files of olx.com.eg |
| Brave Software |
- |
Status Bar Obfuscation |
| Brave Software |
$150 |
URI Obfuscation |
| Shopify |
$2,000 |
Able to Login deactivated staff account in shopify app mobile |
| Twitter |
$140 |
Full Path Disclosure at 27.prd.vine.co |
| OLX |
- |
Reflected XSS at m.olx.ph |
| Trello |
$256 |
Can run arbitrary script on em.trello.com |
| Brave Software |
$50 |
[website] Script injection in newsletter signup https://brave.com/brave_youth_program_signup.html |
| Brave Software |
- |
Subdomain Takeover of Brave.com |
| Brave Software |
- |
Brave: Admin Panel Access |
| Brave Software |
$50 |
2 Directory Listing on ledger.brave.com & vault-staging.brave.com |
| PHP (IBB) |
$500 |
memcpy negative parameter _bc_new_num_ex |
| PHP (IBB) |
$500 |
memcpy negative size parameter in php_resolve_path |
| PHP (IBB) |
$500 |
Write out-of-bounds at number_format |
| Brave Software |
$100 |
Homograph attack |
| OpenSSL (IBB) |
- |
Double-free in X509 parsing |
| Shopify |
$500 |
[ecommerce.shopify.com] Invalidated redirection |
| DigitalSellz |
- |
Public profile is vulnerable to stored XSS / Facebook Token can be stolen |
| Python (IBB) |
$1,000 |
chain.__setstate__ Type Confusion |
| Nextcloud |
- |
URI scheme bypass in mail app lead to HTML content spoof and opener control |
| Uber ★ |
$1,000 |
Subdomain takeover on rider.uber.com due to non-existent distribution on Cloudfront |
| Slack |
$700 |
Information Disclosure on stun.screenhero.com |
| WePay |
$200 |
Enumeration of registered email addresses using bruteforce search on userIds |
| GitLab |
- |
Mailgun misconfiguration leads to email snooping and postmaster@-access on email.mg.gitlab.com |
| Veris |
- |
Reflected Cross site scripting |
| Nextcloud |
- |
Dav sharing permissions issue |
| Sucuri |
$500 |
Administrator Access to grafana instance logstash2.sucuri.net with default credentials |
| Yelp |
$500 |
Requesting Show CheckIn Alert for Non Friend User |
| Harvest |
$150 |
Linking Invoice to uninvited project. |
| Trello |
$128 |
XSS on blog.trello.com |
| Twitter |
$1,260 |
View liked twits of private account via publish.twitter.com |
| Badoo |
$140 |
No rate-limit in SERVER_SECURITY_CHECK |
| BrickFTP |
$250 |
Existence of Folder path by guessing the path through response |
| Nextcloud |
$250 |
Filename enumeration && DoS |
| Twitter |
$560 |
Circumventing the Twitter account lockout process [ACCOUNT TAKEOVER] |
| Harvest |
$300 |
Cookie Injection at 'harvestapp.com' |
| HackerOne ★ |
- |
Possible CSRF during external programs |
| HackerOne ★ |
- |
Researcher gets email updates on a private program after he/she quits that program. |
| Trello |
$128 |
Full Sub Domain Takeover at help.trello.com. |
| Zopim |
$150 |
Full Sub Domain Takeover at wx.zopim.net |
| Slack |
$500 |
CSRF in github integration |
| Gratipay |
- |
CSRF csrftoken in cookies |
| PHP (IBB) |
$1,000 |
Buffer overflow in HTTP parse_hostinfo(), parse_userinfo() and parse_scheme() |
| ok.ru |
$100 |
web.xml configuration file disclosure |
| Instacart |
$150 |
Full access to any list |
| Boozt Fashion AB |
$400 |
Git available containing passwords. |
| Nextcloud |
- |
Bad content-type in response header when getting document can lead to html injection |
| Romit |
$513 |
[CRITICAL]-Taking over entire subdomain of romit.io |
| Nextcloud |
- |
Bypassing quota limit CVE-2017-0887 |
| Uber ★ |
$10,000 |
password reset token leaking allowed for ATO of an Uber account |
| Revive Adserver |
- |
Stored XSS on Admin Access Page - Email field |
| Algolia |
- |
Possilbe Sub Domain takever at prestashop.algolia.com |
| WebSummit |
- |
Full Sub Domain Takeover at s3.websummit.net |
| RubyGems |
- |
Login credentials transmitted in cleartext on index.rubygems.org |
| RubyGems |
- |
Password Reset emails missing TLS leads account takeover |
| Legal Robot |
$40 |
Bypass 8 chars password complexity with 6 chars only due to insecure password reset functionaliy |
| HackerOne ★ |
- |
Obtain the username & the uid of the one doing the S3 sync on Hackerone |
| Snapchat |
$250 |
Bypassing "You've requested your data the maximum number of times today." + "Please Verify an email address with snapchat to continue" |
| Rockstar Games |
$500 |
DOM based reflected XSS in rockstargames.com/newswire/tags through cross domain ajax request |
| Shopify |
$500 |
password less login token expiration issue |
| General Motors |
- |
Flash XSS on homepage fliptilescroller |
| General Motors |
- |
Flash XSS on global nav |
| Starbucks |
$750 |
out of date disqus shortname usage in the web app source code |
| WebSummit |
- |
WebSummit - Open Redirect |
| Shopify |
$500 |
Add signature to transactions without any permission |
| Udemy |
$50 |
Content Spoofing in udemy |
| Udemy |
- |
Udemy s3 storage can be used by an attacker personal website because of missing CSRF Token |
| WebSummit |
$40 |
Subdomain take over signup.websummit |
| itBit Exchange |
- |
Open Redirect in https://exchange.itbit.com - False Positive |
| Udemy |
- |
Critical : Malware and XSS file can be uploaded and executed on udemy |
| Ian Dunn |
- |
All Plugins - Direct file access to plugin files Vulnerability |
| Ian Dunn |
- |
Google Authenticator0.6 - PHP Version Dosclosure |
| Ian Dunn |
- |
Google Authenticator - Cross Site Scripting |
| LocalTapiola |
$50 |
Reflected XSS in LTContactFormReceiver (/cs/Satellite) |
| Automattic |
$100 |
Follow Button XSS |
| Python (IBB) |
$1,500 |
LZMADecompressor.decompress Use After Free |
| PHP (IBB) |
$500 |
Heap overflow caused by type confusion vulnerability in merge_param() |
| Trello |
- |
Unvalidated/Open Redirect allowing attackers to implement phishing attack |
| Legal Robot |
$20 |
Information Disclosure on rate limit defense mechanism |
| Ubiquiti Networks |
$500 |
Authentication bypass on sso.ubnt.com via subdomain takeover of ping.ubnt.com |
| Trello |
- |
Subdomain Take over & username enemuration |
| Snapchat |
- |
Subdomain takeover of blog.snapchat.com |
| OLX |
- |
Name, email, phone and more disclosure on user ID (API) |
| CodeIgniter |
- |
Link sanitation bypass in xss_clean() |
| InVision |
$150 |
CRITICAL Any █████ of any screen can be removed by anyone! |
| Nextcloud |
- |
Content spoofing in lookup.nextcloud.com |
| OWOX, Inc. |
- |
HTTP Response Splitting(CRLF injection) in bi.owox.com |
| HackerOne ★ |
- |
(HackerOne SSO-SAML) Login CSRF, Open Redirect, and Self-XSS Possible Exploitation |
| Legal Robot |
$20 |
Near-duplicate accounts allowed with ignored email mutations |
| ownCloud |
- |
Accessable Htaccess |
| Algolia |
$100 |
No rate limit for Referral Program |
| Zendesk |
- |
Missing function level access controls allowing attacker to abuse file access controls. Multiple vulnerabilities |
| OLX |
- |
Full path disclosure vulnerability at http://corporate.olx.ph |
| Maximum |
$75 |
Facebook and twitter page claimed of maximum.com [important] |
| LocalTapiola |
$18,000 |
Oracle Webcenter Sites administrative and hi-privilege access available directly from the internet (/cs/Satellite) |
| Boozt Fashion AB |
- |
ADB Backup is enabled within AndroidManifest |
| Informatica |
- |
[kb.informatica.com] Stored XSS |
| HackerOne ★ |
$500 |
Bypass rate limiting on /users/password (possibly site-wide rate limit bypass?) |
| RubyGems |
- |
Invalid username updating |
| DigitalSellz |
- |
Access to Amazon S3 bucket |
| New Relic |
- |
Stored Xss in rpm.newrelic.com |
| Revive Adserver |
- |
Reflected XSS in Step 2 of the Installation |
| Trello |
$128 |
SSRF in account webhook (through API) |
| Mail.Ru |
$300 |
Time-based sql-injection на https://puzzle.mail.ru |
| DigitalSellz |
- |
AWS Signature Disclosure in www.digitalsellz.com allows access to S3 |
| Slack |
$400 |
Email information leakage for certain addresses |
| Shopify |
$500 |
Open redirect in bulk edit |
| Imgur |
$100 |
Stored XSS in albums on http://m.imgur.com/ |
| Skyliner |
- |
DNSSEC misconfiguration |
| Nextcloud |
$750 |
Bypass permissions |
| OLX |
- |
Stored XSS in buy topup OLX Gold Credits |
| Zomato |
- |
CORS Misconfiguration on www.zomato.com |
| Twitter |
$2,100 |
Twitter iOS fails to validate server certificate and sends oauth token |
| Coinbase |
$100 |
Information leakage on https://docs.gdax.com |
| IRCCloud |
$50 |
Exposed, outdated nginx server (v1.4.6) potentially vulnerable to heap-based buffer overflow & RCE |
| Snapchat |
$250 |
Incoming email hijacking on sc-cdn.net |
| Uber ★ |
$500 |
Users can falsely declare their own Uber account info on the monthly billing application |
| Paragon Initiative Enterprises |
- |
Not clearing hex-decoded variable after usage in Authentication |
| Coinbase |
- |
coinbase Email leak while sending and requesting |
| Boozt Fashion AB |
- |
Http header injection |
| Instacart |
- |
User Information sent to client through websockets |
| SecNews |
- |
DOM based XSS in search functionality |
| New Relic |
- |
SSO Authentication Bypass |
| concrete5 |
- |
Content Spoofing possible in concrete5.org |
| Nextcloud |
- |
Unauthenticated Stored xss |
| Zomato |
- |
[CRITICAL] Complete source code disclosure via exposed Jenkins Dashboard |
| Shopify |
$500 |
Deleted Post and Administrative Function Access in eCommerce Forum |
| HackerOne ★ |
- |
Ability to enumerate private programs using SAML |
| New Relic |
- |
HOST HEADER INJECTION in rpm.newrelic.com |
| Boozt Fashion AB |
$80 |
Make victim buy in attacker's account without any idea - http://www.booztlet.com/ |
| Boozt Fashion AB |
- |
Broken Authentication and Session Management(Session Fixation) |
| Python |
$1,000 |
msilib.OpenDatabase Type Confusion |
| Boozt Fashion AB |
- |
Host header poisoning leads to account password reset links hijacking |
| Pornhub |
$750 |
Unsecured Grafana instance |
| Pornhub |
$750 |
Disclosure of private photos/albums - http://www.pornhub.com/album/show_image_box |
| Yelp |
$200 |
Bybass The Closing of the account and logged again to your account |
| Nextcloud |
- |
Android - Possible to intercept broadcasts about uploaded files |
| New Relic |
- |
Session Hijacking |
| Legal Robot |
- |
content spoofing |
| Eobot |
$12 |
No password length restriction |
| Boozt Fashion AB |
$120 |
XSS |
| VK.com |
$1,050 |
Второй способ обхода 2FA |
| OLX |
- |
XSS and Open Redirect on https://jobs.dubizzle.com/ |
| Shopify |
$500 |
XSS in SHOPIFY: Unsanitized Supplier Name can lead to XSS in Transfers Timeline |
| Legal Robot |
- |
Server version disclosure |
| Twitter |
$560 |
leaking Digits OAuth authorization to third party websites |
| Shopify |
$500 |
Unsanitized Location Name in POS Channel can lead to XSS in Orders Timeline |
| Boozt Fashion AB |
$80 |
Instance of Apache Vulnerable to Several Issues |
| Boozt Fashion AB |
$120 |
Potential Subdomain Takeover Possible |
| Boozt Fashion AB |
- |
Android app does not use SSL for login |
| Yelp |
$100 |
Self-XSS via location cookie city field when getting suggestions for a new location |
| WebSummit |
- |
Reflected xss on websummit.net |
| Boozt Fashion AB |
$250 |
xss in Theme http://bztfashion.booztx.com |
| Keybase |
$100 |
Denial of Service through set_preference.json |
| Ruby |
$200 |
Arbitrary heap overread in strscan on 32 bit Ruby, patch included |
| OpenSSL |
$500 |
SSLv2 doesn't block disabled ciphers (CVE-2015-3197) |
| OpenSSL |
$2,500 |
Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800) |
| Nextcloud |
- |
Privilege escalation - Normal user can somehow make admin to delete shared folders |
| Yelp |
$500 |
Verification of E-Mail address possible on https://biz.yelp.com/login and https://biz.yelp.com/forgot |
| Legal Robot |
- |
CSRF Issue |
| Envoy |
- |
Abuse of API can Lead to DoS |
| Boozt Fashion AB |
$60 |
PHP info page disclosure on http://www.day.dk/ |
| Boozt Fashion AB |
- |
No csrf protection on logout |
| Boozt Fashion AB |
- |
User Enumeration. |
| Harvest |
$500 |
Invoices can be added to any retainers - even closs-platform |
| OLX |
- |
Bypassing Phone Verification For Posting AD On OLX |
| Slack |
$500 |
Rate-limit bypass |
| Mindoktor |
$500 |
Vulnerable Mobile Phone configuration |
| Nextcloud |
$500 |
Reflected XSS in Gallery App CVE-2016-9466 |
| Legal Robot |
- |
clickjacking at http://mailboxes.legalrobot-uat.com/ |
| Harvest |
$250 |
XSS on expenses attachments |
| Shopify |
- |
Subdomain Takeover in http://genghis-cdn.shopify.io/ pointing to Fastly |
| Open-Xchange |
$300 |
OX (Guard): Stored Cross-Site Scripting via Email Attachment |
| Mapbox |
- |
target="_blank" Vulnerability Resulting in Critical Phishing Vector |
| Instacart |
$50 |
Seemingly sensitive information at /api/v2/zones |
| Python |
$1,000 |
urllib HTTP header injection CVE-2016-5699 |
| Shopify |
$500 |
Access to Splunk via shard3-db2.ec2.shopify.com endpoint |
| Shopify |
$500 |
Open redirect allows changing iframe content in *.myshopify.com/admin/themes/<id>/editor |
| LocalTapiola |
$400 |
Open redirection protection bypass (/cs/Satellite) |
| Algolia |
$100 |
Hyperlink Injection in Friend Invitation Emails |
| LocalTapiola |
$400 |
SQL Injection on `/cs/Satellite` path |
| Legal Robot |
$60 |
Validation bypass on user profile |
| Ian Dunn |
$50 |
CSV Injection in Camptix |
| Twitter |
$5,040 |
[Studio.twitter.com] See someone else pics |
| LocalTapiola |
$100 |
Oracle WebCenter Sites Support Tools available and Information disclosure (/cs/Satellite) |
| LocalTapiola |
$50 |
Reflected XSS in www.lahitapiola.fi (/cs/Satellite) using Oracle WebCenter -page |
| Harvest |
$150 |
CSRF bypass on Submit Time sheet for Approval |
| Nextcloud |
- |
Reflected Self-XSS Vulnerability in the Comment section of Files (Different-payloads) |
| Harvest |
$150 |
Project Manager can approve pending reports(Access control Issue) |
| Phabricator |
- |
link reset problem |
| Udemy |
- |
NON VALIDATION OF SESSIONS AFTER PASSWORD CHANGE |
| Unikrn |
$400 |
Urgent: Server side template injection via Smarty template allows for RCE |
| QIWI |
$150 |
[qiwi.com] Information Disclosure |
| QIWI |
$150 |
[ibank.qiwi.ru] UI Redressing via Request-URI |
| Legal Robot |
$20 |
Possible content spoofing due to missing error page |
| Mail.Ru |
- |
Reflected XSS @ games.mail.ru |
| Nextcloud |
$100 |
Reflected Self-XSS Vulnerability in the Comment section of Files Information |
| Gratipay |
- |
Username Restriction is not applied for reserved folders |
| Slack |
$2,500 |
Snooping into messages via email service |
| Gratipay |
- |
Username can be used to trick the victim on the name of www.gratipay.com |
| Legal Robot |
- |
Click Jacking |
| Legal Robot |
$20 |
unsecured legalrobot.co.uk assets |
| VK.com |
$1,000 |
Обход 2ух-шаговой авторизации / 2FA Bypass |
| Nextcloud |
- |
Slow Http attack on nextcloud(DOS) |
| Gratipay |
- |
Lack of CSRF token validation at server side |
| Gratipay |
- |
Insecure Transportation Security Protocol Supported (TLS 1.0) |
| Instacart |
- |
[Critical] Subdomain Takeover |
| Legal Robot |
- |
UI Redressing ( ClickJacking ) Issue on Information submit form |
| Legal Robot |
- |
News Feed Detected |
| Dropbox |
- |
XSS in OAuth Redirect Url |
| Legal Robot |
- |
2 vulns |
| Legal Robot |
$20 |
Legal | Application is Missing CSP(Content Security Policy) Header |
| Legal Robot |
- |
Clickjacking: X-Frame-Options header missing |
| Legal Robot |
- |
Amazon Bucket Accessible (http://legalrobot.s3.amazonaws.com/) |
| New Relic |
- |
Java RMI (Remote Code Execution) |
| Skyliner |
- |
Email Spoofing |
| Legal Robot |
- |
Email spoofing-fake mail from your mail domain server |
| Legal Robot |
$20 |
CORS (Cross-Origin Resource Sharing) |
| Legal Robot |
$20 |
Information Disclosure in AWS S3 Bucket |
| Legal Robot |
- |
Email spoofing possible via Legal Robot domain |
| Legal Robot |
$120 |
User Information leak allows user to bypass email verification. |
| Legal Robot |
$120 |
User Information sent to client through websockets |
| Nextcloud |
- |
Wordpress: Directory Traversal / Denial of Serivce |
| Nextcloud |
- |
Expired SSL certificate |
| Nextcloud |
- |
\OCA\DAV\CardDAV\ImageExportPlugin allows serving arbitrary data with user-defined or empty mimetype CVE-2016-9465 |
| Instacart |
$100 |
WordPress Authentication Denial of Service |
| Dropbox |
$1,458 |
Subtile Code Injection Vulnerability in Dropbox for Windows |
| Khan Academy |
- |
OPEN URL REDIRECT through PNG files |
| New Relic |
- |
Cookie Misconfiguration |
| Paragon Initiative Enterprises |
- |
Email Spoofing With Your Website's Email |
| HackerOne ★ |
- |
Users contents on AWS is cacheable |
| Skyliner |
- |
[skyliner.io / qa.skyliner.io] Open Redirect |
| Nextcloud |
- |
Information Disclosure of .htaccess file in Private Server/Subdomain |
| Uber ★ |
$100 |
Stealing users password (Limited Scenario) |
| Slack |
$750 |
Code Injection in Slack's Windows Desktop Client leads to Privilege Escalation |
| Instacart |
$150 |
Fetch private list metadata and any user's personal name |
| Uber ★ |
$5,000 |
Changing paymentProfileUuid when booking a trip allows free rides |
| Gratipay |
- |
x-xss protection header is not set in response header |
| OLX |
- |
XSS and HTML Injection https://sharjah.dubizzle.com/ |
| GitLab |
- |
Boards leak private label names and desciptions |
| Gratipay |
- |
Cross Site Scripting In Profile Statement |
| Shopify |
$500 |
Open Redirect possible in https://www.shopify.com/admin/ |
| Gratipay |
- |
Usernames ending in .json are not restricted |
| Certly |
- |
Non secure requests at guard.certly.io not upgrading to https |
| Nextcloud |
- |
Password Reset Link issue |
| Gratipay |
- |
Reset Link Issue |
| Trello |
- |
Security code not getting invalidate on requesting New |
| Harvest |
$500 |
Possible to steal any protected files on Android |
| Airbnb |
- |
████ discloses valid Airbnb SSO login names via Google Search Results |
| Gratipay |
- |
XSS Via Method injection |
| Ian Dunn |
- |
Potentially vulnerable version of Apache software in and default files on https://iandunn.name/ |
| Bime |
$150 |
Subdomain takeover at ws.bimedb.com due to unclaimed Amazon S3 bucket |
| Mail.Ru |
- |
[cfire.mail.ru] CSRF Bypassed - Changing anyone's 'User Info' |
| Nextcloud |
- |
Content Injection - demo.nextcloud.com |
| Instacart |
$50 |
READ .svg files by changing .svg into .png extension |
| Nextcloud |
- |
Content Injection - apps.nextcloud.com |
| Ian Dunn |
- |
bypass to csv injection |
| Harvest |
$150 |
Extracting private info of estimates. |
| Ian Dunn |
$100 |
Bypass fix in https://hackerone.com/reports/151516 report. |
| Ian Dunn |
$50 |
Bypassing CSV injection using new line charcter |
| Coinbase |
$300 |
window.opener is leaking to external domains upon redirect on Safari |
| Ian Dunn |
- |
stored SELF xss on Basic Google Maps Placemarks Settings plugin |
| Instacart |
- |
API OAuth Public Key disclosure in mobile app |
| Instacart |
$150 |
Brute force login and bypass locked account restrictions via iOS app |
| Shopify |
$500 |
[apps.shopify.com] Open Redirect |
| Mail.Ru |
- |
[realty.mail.ru] XSS, SSI Injection |
| GitLab |
- |
XSS On meta tags in profile page |
| Ian Dunn |
- |
Send emails to all users using Camptix |
| HackerOne ★ |
- |
Ability to monitor reports' submission in real time |
| Snapchat |
$400 |
[render.bitstrips.com] Stored XSS via an incorrect avatar property value |
| Instacart |
$150 |
Issues with uploading list images |
| Shopify |
$500 |
Open CouchDB on experiments.ec2.shopify.com:5984 |
| HackerOne ★ |
$500 |
Information leakage of private program |
| Shopify |
$500 |
Open redirect using checkout_url |
| HackerOne ★ |
$500 |
Requesting Mediation possible on reports that are too old for mediation |
| QIWI |
$950 |
[qiwi.com] Oauth захват аккаунта |
| LocalTapiola |
$3,000 |
Blind Stored XSS Against Lahitapiola Employees - Session and Information leakage |
| bitaccess |
- |
Missing Rate limiting for sensitive actions (like "forgot password") and reCaptcha error. |
| OLX |
- |
full path disclosure vulnerability at https://security.olx.com/* |
| Slack |
$1,000 |
Stored XSS(Cross Site Scripting) In Slack App Name |
| Harvest |
$150 |
Unauthorized read access to Invoices by PM (Access control Issues) |
| Harvest |
$150 |
Unauthorized access to all the actions of invoices by PM (Access control Issues) |
| Harvest |
$100 |
PM can delete payment of any invoice in company (Access control Issue) |
| Harvest |
$100 |
Record payment for any invoice by PM (Access control Issue) |
| Harvest |
$100 |
PM can delete the company logo image (Vertical Privilege Escalation ) |
| Starbucks |
$150 |
Improper Validation on Cancel Link Redirect |
| Khan Academy |
- |
The web app's forgot password page is vulnerable to text injection/content spoofing |
| OLX |
- |
Full Account Takeover |
| HackerOne ★ |
$1,000 |
Hacker.One Subdomain Takeover |
| Harvest |
$250 |
PM with can Set up email for invoices and estimates (Access control Issue) |
| OLX |
- |
[Critical] Delete any account |
| Binary.com |
$75 |
Cross site scripting |
| Informatica |
- |
[alpha.informatica.com] Expensive DOMXSS |
| Instacart |
$100 |
Hyperlink Injection in Friend Invitation Emails |
| Moneybird |
- |
Webhook allows sending payload using insecure HTTP protocol |
| Instacart |
- |
Reflected File Download on recipe list search |
| Ubiquiti Networks |
$150 |
[scores.ubnt.com] DOM based XSS at form.html |
| Gratipay |
- |
Host Header poisoning on gratipay.com |
| Mapbox |
$750 |
Blind XSS in mapbox.com/contact |
| Shopify |
$1,000 |
(BYPASS) Open redirect and XSS in supporthiring.shopify.com |
| Uber ★ |
- |
Attacker could setup reminder remotely using brute force |
| GitLab |
- |
Ability to access all user authentication tokens, leads to RCE |
| Certly |
- |
Business logic Failure - Browser cache management and logout vulnerability in Certly |
| Trello |
$1,024 |
File access using image tragick |
| HackerOne ★ |
$500 |
Non-secure requests are not automatically upgraded to HTTPS |
| Instacart |
$250 |
shopper login_code's can be brute forced |
| Twitter |
$560 |
reverb.twitter.com redirects to vulnerable reverb.guru |
| Shopify |
$500 |
Access to Splunk at https://apt.ec2.shopify.com:8089 |
| Trello |
- |
XSS and Open-Redirect via SVG |
| Instacart |
$100 |
Image Upload Path Disclosure |
| Instacart |
$150 |
Host Header Injection/Redirection in: https://www.instacart.com/ |
| Instacart |
$50 |
Server side request forgery on image upload for lists |
| Instacart |
$75 |
Missing rel=noreferrer tag allows link in list to change url of currently open tab |
| Instacart |
$200 |
Race Condition in Redeeming Coupons |
| Instacart |
$100 |
Cross-Site Request Forgery (CSRF) |
| Veris |
- |
Internal server error 500 at log.veris.in |
| Instacart |
$150 |
Stored XSS |
| Instacart |
$50 |
CSRF To change Email Notification Settings |
| OLX |
- |
these are my old reports and still i have not receive any good replys, these all are Cross Site Scripting(XSS) issues: POC1: https://www.youtube.com/w |
| Shopify |
$500 |
(FULL PATH DISCLOSURE) Unknown MySQL server host 'shardm-reader.chi2.shopify.io' |
| OLX |
- |
XSS on Meta Tag at https://m.olx.ph |
| HackerOne ★ |
$500 |
Disclosure of external users invited to a specific report |
| Gratipay |
- |
Cookie:HttpOnly Flag not set |
| Gratipay |
- |
nginx version disclosure on downloads.gratipay.com |
| Gratipay |
- |
Host Header Injection/Redirection Attack |
| New Relic |
- |
All Active user sessions should be destroyed when user change his password! |
| Nextcloud |
- |
XSS on IOS app via HTML rendering |
| SecNews |
$300 |
Querying private posts and changing post meta |
| New Relic |
- |
CSRF vulnerability that allows an attacker to purge plugin metric data |
| New Relic |
- |
Login CSRF vulnerability |
| Veris |
- |
bug |
| Gratipay |
$1 |
Avoid "resend verification email" confusion |
| Ubiquiti Networks |
$500 |
IDOR Causing Deletion of any account |
| Uber ★ |
$10,000 |
Reading Emails in Uber Subdomains |
| Algolia |
$400 |
Unauthorized team members can leak information and see all API calls through /1/admin/* endpoints, even after they have been removed. |
| Nextcloud |
- |
Directory listening enabled in: 88.198.160.130 |
| Nextcloud |
- |
demo.nextcloud.com: Content spoofing due to default Apache Error Page |
| Algolia |
$100 |
Stored XSS from Display Settings triggered on Save and viewing realtime search demo |
| Algolia |
$100 |
Stored xss |
| Algolia |
$100 |
Stored XSS triggered by json key during UI generation |
| Open-Xchange |
$1,000 |
OX (Guard): Stored Cross-Site Scripting via Incoming Email |
| Phabricator |
- |
Error page Text Injection. |
| Zomato |
- |
Visibility Robots.txt file |
| Uber ★ |
- |
XSS At "pages.et.uber.com" |
| Trello |
- |
Verification Code Reused For activating 2FA |
| Slack |
$500 |
CSRF - Add optional two factor mobile number |
| Coinbase |
- |
Create Multiple Account Using Similar X-CSRF token |
| Shopify |
$500 |
Staff member can delete Private Apps |
| Nextcloud |
- |
Arbitrary File Upload in Logo & Log in image Theming setting. |
| Uber ★ |
- |
Content injection on 404 error page at faspex.uber.com |
| ownCloud |
$100 |
Arbitrary Code Injection in ownCloud’s Windows Client |
| Uber ★ |
- |
User Enumeration and Information Disclosure |
| Algolia |
- |
[github.algolia.com] XSS |
| arxius |
- |
No SPF/DKIM/DMARC Record for lfil.es |
| Shopify |
$500 |
(BYPASS) Open Redirect after login at http://ecommerce.shopify.com |
| Nextcloud |
- |
demo.nextcloud.com: Content spoofing due to default Apache Error Page |
| OLX |
- |
Unauthorised access to olx.in user accounts. |
| Twitter |
$1,120 |
Stealing User emails by clickjacking cards.twitter.com/xxx/xxx |
| Gratipay |
$1 |
Content Spoofing/Text Injection |
| New Relic |
- |
Leaking license key in source code |
| Nextcloud |
$50 |
More content spoofing through dir param in the files app |
| Uber ★ |
$3,000 |
Missing authorization checks leading to the exposure of ubernihao.com administrator accounts |
| Nextcloud |
- |
Bookmarks: Delete all existing bookmarks of a user |
| Snapchat |
$3,000 |
Subdomain takeover on http://fastly.sc-cdn.net/ |
| Shopify |
$500 |
Delete/modify your own comment after limited access(IDOR) |
| Harvest |
$150 |
Opportunity to set arbitrary cookies |
| Moneybird |
$50 |
[Stored Cross-Site-Scripting] When search about Incoming ( Manual Jurnal ) |
| Shopify |
$1,000 |
Unauthorized access to Zookeeper on http://locutus-zk3.ec2.shopify.com:2181 |
| ownCloud |
- |
[forum.owncloud.org] IE, Edge XSS via Request-URI |
| ownCloud |
- |
[api.owncloud.org] CRLF Injection |
| New Relic |
- |
Cache purge requests are not authenticated |
| ownCloud |
- |
[doc.owncloud.org] CRLF Injection |
| Uber ★ |
$500 |
Blind OOB XXE At "http://ubermovement.com/" |
| Nextcloud |
$100 |
IDOR - Disable sharing CVE-2016-9464 |
| Nextcloud |
- |
xss for admin of https://newsletter.nextcloud.com |
| Twitter |
$1,120 |
csp bypass + xss |
| Shopify |
- |
Redirect url after login is not validated |
| New Relic |
- |
[alerts.newrelic.com] Scanning local network via notification channel |
| Ian Dunn |
- |
[Not just a server configuration issue] Full Path Disclosure |
| Rockstar Games |
$500 |
Reflected XSS via #tags= while using a callback in newswire http://www.rockstargames.com/newswire |
| Ian Dunn |
- |
CSRF in changing settings of Basic Google Maps Placemarks |
| Nextcloud |
- |
[Nextcloud 9.0.53] Content Spoofing in 'trustDomain' parameter |
| Mail.Ru |
- |
[opensource.mail.ru] system accounts enumeration |
| Uber ★ |
- |
Can add employee in business.uber.com without add payment method |
| Uber ★ |
- |
Text Only Content Spoofing on ubermovement.com Community Page |
| Starbucks |
- |
Java Deserialization RCE via JBoss JMXInvokerServlet/EJBInvokerServlet on card.starbucks.in |
| Ian Dunn |
$50 |
Multiple XSS in Camptix Event Ticketing Plugin |
| New Relic |
- |
Session Management Flaw |
| Harvest |
$500 |
Project Disclosure of all Harvest Instances |
| Nextcloud |
- |
Content spoofing in cloud.nextcloud.com |
| Gratipay |
- |
[gratipay.com] Cross Site Tracing |
| Harvest |
$1,000 |
Leak of all project names and all user names , even across applications |
| Harvest |
$350 |
Users enumeration is possible through cycling through recurring[client_id] argument value. |
| Harvest |
$350 |
Stored XSS on invoice, executing on any subdomain |
| Harvest |
$250 |
CSRF token fixation in Sign in with Google |
| Harvest |
$1,000 |
S3 bucket takeover due to proxy.harvestfiles.com |
| Harvest |
$100 |
Cross-Site Request Forgery (CSRF) |
| Nextcloud |
- |
Information disclosure |
| Gratipay |
- |
Username .. (double dot) should be restricted or handled carefully |
| Dashlane |
$100 |
Missing Access Control(IDOR) To Know LinkedAccounts |
| New Relic |
- |
XSS in a newrelic.com site |
| PHP |
$500 |
NULL Pointer Dereference in exif_process_user_comment |
| PHP |
$1,000 |
Out of bound read in exif_process_IFD_in_MAKERNOTE |
| Coursera |
- |
Broken authentication and session management flaw |
| OLX |
- |
Stored XSS on contact name |
| Uber ★ |
$5,000 |
Stored XSS on developer.uber.com via admin account compromise |
| concrete5 |
- |
CSRF Full Account Takeover |
| Rockstar Games |
$750 |
CSRF in 'set.php' via age causes stored XSS on 'get.php' - http://www.rockstargames.com/php/videoplayer_cache/get.php' |
| Algolia |
$100 |
No Rate Limit In Inviting Similar Contact Multiple Times |
| Nextcloud |
- |
The application uses basic authentication. |
| Gratipay |
- |
User Supplied links on profile page is not validated and redirected via gratipay. |
| Gratipay |
- |
The contribution save option seem to be vulnerable to CSRF |
| GoCD |
- |
X-Content-Type-Options header missing at Auth Login |
| GoCD |
- |
Directory Listening |
| OLX |
- |
XSS on Home page olx.com.ar via auto save search text |
| Ian Dunn |
- |
User enumeration in wp-admin |
| Ian Dunn |
$375 |
CSV Injection at Camptix Event Ticketing |
| ownCloud |
$50 |
ownCloud 2.2.2.6192 DLL Hijacking Vulnerability |
| Uber ★ |
$2,000 |
[IODR] Get business trip via organization id |
| Uber ★ |
$3,000 |
Get organization info base on uuid |
| Slack |
$500 |
Creating Post on a restricted channel |
| OLX |
- |
xss yaman.olx.ph |
| OLX |
- |
REFLECTED CROSS SITE SCRIPTING IN OLX |
| Gratipay |
- |
don't leak Server version for assets.gratipay.com |
| Gratipay |
- |
don't allow directory browsing on grtp.co |
| OLX |
- |
Reflected XSS at yaman.olx.ph |
| Paragon Initiative Enterprises |
- |
Content-type sniffing leads to stored XSS in CMS Airship on Internet Explorer |
| Gratipay |
- |
This is a test report |
| OLX |
- |
Manipulating joinolx.com Job Vacancy alert subscription emails (HTML Injection / Script Injection) |
| OLX |
- |
XSS yaman.olx.ph |
| Automattic |
$300 |
[bbPress] Stored XSS in any forum post. |
| Dropbox |
$729 |
SSRF allows access to internal services like Ganglia |
| Shopify |
$1,500 |
Stealing livechat token and using it to chat as the user - user information disclosure |
| QIWI |
$200 |
Xss on billing |
| OLX |
- |
cross-site scripting in get request |
| Gratipay |
- |
prevent null bytes in email field |
| OLX |
- |
Reflected Cross Site scripting Attack (XSS) |
| OLX |
- |
XSS @ *.letgo.com |
| OLX |
- |
Arbitrary File Reading |
| OLX |
- |
Reflected XSS in www.olx.ph |
| OLX |
- |
stored XSS in olx.pl - ogloszenie TITLE element - moderator acc can be hacked |
| OLX |
- |
SQLi in Payment Request |
| OLX |
- |
Updating and Deleting any Ads on OLX Philippines |
| OLX |
- |
CSRF in account configuration leads to complete account compromise |
| OLX |
- |
XSS @ yaman.olx.ph |
| OLX |
- |
XSS @ *.olx.com.ar |
| Uber ★ |
$1,000 |
newsroom.uber.com is vulnerable to 'SOME' XSS attack via plupload.flash.swf |
| Shopify |
$500 |
https://windsor.shopify.com/ takeover |
| Twitter |
$420 |
Html Injection and Possible XSS in sms-be-vip.twitter.com |
| Uber ★ |
$4,000 |
SQL Injection on sctrack.email.uber.com.cn |
| IRCCloud |
$500 |
Cross Site Scripting(XSS) on IRCCloud Badges Page (using Parameter Pollution) |
| Ian Dunn |
- |
Brute force on wp-login |
| Ian Dunn |
- |
SSL certificate public key less than 2048 bit |
| Paragon Initiative Enterprises |
- |
Full Path Disclosure by removing CSRF token |
| Bime |
$1,000 |
Attacker can access graphic representation of every query |
| Bime |
$1,000 |
Urgent: attacker can access every data source on Bime |
| Nextcloud |
$50 |
Content (Text) Injection at NextCloud Server 9.0.52 - via http://custom_nextcloud_url/remote.php/dav/files/ CVE-2016-9468 |
| Gratipay |
- |
don't leak Server version for assets.gratipay.com |
| Uber ★ |
$2,250 |
Subdomain takeover of translate.uber.com, de.uber.com and fr.uber.com |
| GitLab |
- |
Insecure 2FA/authentication implementation creates a brute force vulnerability |
| WordPress |
$1,337 |
CSRF to add admin [wordpress] |
| Legal Robot |
$40 |
AWS S3 website can't serve security headers, may allow clickjacking |
| Whisper |
$100 |
Stored XSS in wis.pr |
| Uber ★ |
- |
Server version disclosure |
| Paragon Initiative Enterprises |
- |
Site support SNI But Browser can't |
| HackerOne ★ |
- |
Reward Money Leakage |
| Paragon Initiative Enterprises |
- |
ssl info shown |
| CodeIgniter |
- |
Web Server Disclosure |
| Ubiquiti Networks |
$185 |
Reflected Xss in AirMax [Nanostation Loco M2] |
| ExpressionEngine |
- |
Arbitrary SQL query execution and reflected XSS in the "SQL Query Form" |
| ExpressionEngine |
- |
Filename and directory enumeration |
| ExpressionEngine |
- |
Full path + some back-end code disclosure |
| Algolia |
$100 |
Stored xss |
| Paragon Initiative Enterprises |
- |
[URGENT] Password reset emails are sent in clear-text (without encryption) |
| Paragon Initiative Enterprises |
- |
Issue with password reset functionality [Minor] |
| Slack |
$500 |
a stored xss issue in https://files.slack.com |
| Maximum |
$20 |
Application error message |
| Coinbase |
- |
Content Injection error page |
| Paragon Initiative Enterprises |
- |
Session Management Issue CMS Airship |
| Paragon Initiative Enterprises |
- |
User enumeration via Password reset page [Minor] |
| Paragon Initiative Enterprises |
- |
Airship doesn't reject weak passwords |
| Nextcloud |
- |
[Thirdparty] Stored XSS in chat module - nextcloud server 9.0.51 installed in ubuntu 14.0.4 LTS |
| Paragon Initiative Enterprises |
- |
Full path disclosure when CSRF validation failed |
| Phabricator |
$600 |
HTML in Diffusion not escaped in certain circumstances |
| Paragon Initiative Enterprises |
$50 |
Stored XSS using SVG |
| Slack |
$500 |
"a stored xss issue in share post menu" |
| Maximum |
$20 |
Microsoft IIS tilde directory enumeration |
| Legal Robot |
$100 |
Subdomain takeover at api.legalrobot.com due to non-used domain in Modulus.io. |
| Paragon Initiative Enterprises |
- |
Nginx Version Disclosure On Forbidden Page |
| Pornhub |
$1,500 |
[idor] Unauthorized Read access to all the private posts(Including Photos,Videos,Gifs) |
| Paragon Initiative Enterprises |
- |
Email spoofing in security@paragonie.com |
| Paragon Initiative Enterprises |
$25 |
Stored XSS in comments |
| Paragon Initiative Enterprises |
$50 |
Stored Cross-Site-Scripting in CMS Airship's authors profiles |
| Dropbox |
- |
XSS, Unvalidated redirects & phishing website hosting on dropbox servers |
| Keybase |
$350 |
Register multiple users using one invitation (race condition) |
| Coinbase |
- |
No authorization required in iOS device web-application |
| Coinbase |
- |
No authorization required in Windows phone web-application |
| HackerOne ★ |
- |
Possible CSRF during joining report as participant |
| VK.com |
$100 |
Паблики: Модератор паблика может удалять добавленные редакторами материалы с таймером на публикацию. |
| Instacart |
- |
CSRF with redeem coupon request |
| concrete5 |
- |
Full Page Caching Stored XSS Vulnerability |
| Uber ★ |
$1,000 |
Wordpress Vulnerabilities in transparencyreport.uber.com and eng.uber.com domains |
| Mail.Ru |
- |
Cross Site Request Forgery (CSRF) |
| ownCloud |
- |
SMB User Authentication Bypass and Persistence CVE-2016-9463 |
| Trello |
- |
Sending Unlimited Mails To Anybody With Easy Social Share Buttons Plugin |
| Slack |
$1,500 |
Source code leakage through GIT web access at host '52.91.137.42' |
| HackerOne ★ |
$500 |
Know undisclosed Bounty Amount when Bounty Statistics are enabled. |
| Veris |
- |
Email spoofing in support@veris.in |
| Badoo |
$140 |
Change contents of the careers iframe in https://corp.badoo.com/jobs |
| Mail.Ru |
- |
Back Refresh Attack after registration and successful logout |
| Moneybird |
$25 |
Logging out any user |
| leetfiles |
- |
[leetfil.es] MSIE, Edge XSS via Request-URI |
| Coinbase |
$100 |
Application error message |
| concrete5 |
- |
Local File Inclusion path bypass |
| Slack |
$100 |
Generate new Test token |
| FantasyTote |
- |
Session doesn't expired after login |
| Slack |
$100 |
User can start call in a channel of an unpaid account |
| The Internet |
$500 |
ntpd: read_mru_list() does inadequate incoming packet checks CVE-2016-7434 |
| FantasyTote |
- |
Weak HSTS age |
| FantasyTote |
- |
Betting more than max amount |
| FantasyTote |
- |
Urgent Fix Balance Limit bypass |
| FantasyTote |
- |
Bypass logout |
| FantasyTote |
- |
Insecure password change mechanism may lead to full account takeover |
| Informatica |
- |
[careers.informatica.com] Reflected Cross Site Scripting to XSS Shell Possible |
| FantasyTote |
- |
Stored number of clicks in the Deposits button |
| FantasyTote |
- |
No email verification required when we change email from settings |
| Informatica |
- |
[oneclickdrsfdc-test.informatica.com] Tomcat Example Scripts Exposed Unauthenticated |
| Dropbox |
- |
Can make any number of dropbox accounts with one email |
| Zomato |
- |
Clickjacking login page of http://book.zomato.com/ |
| VK.com |
- |
DOM XSS в /activation.php?act=activate_mobile |
| Maximum |
$20 |
The POODLE attack (SSLv3 supported) |
| Maximum |
$20 |
RC4 cipher suites detected |
| New Relic |
- |
http://newrelic.com SSRF/XSPA |
| Uber ★ |
- |
faspex.uber.com uses an invalid SSL certificate |
| HackerOne ★ |
$500 |
Race Conditions in Popular reports feature. |
| Uber ★ |
- |
Authentication Issue for easter egg on bonjour.uber.com |
| Uber ★ |
- |
Command Injection, Information |
| LocalTapiola |
$150 |
Mixed Active Scripting Issue on https://www.lahitapiola.fi |
| Pornhub |
$500 |
RCE Possible Via Video Manager Export using @ character in Video Title |
| Informatica |
- |
[product360.informatica.com] Unauthenticated Apache Tomcat 8 Installation |
| Nextcloud |
- |
No Rate Limiting on stats.nextcloud.com login |
| Ruby |
- |
Ruby:HTTP Header injection in 'net/http' |
| Mail.Ru |
- |
BRUTE FORCE ATTACK |
| Uber ★ |
- |
Server version disclosure: team.uberinternal.com |
| New Relic |
- |
Html injection in monitor name textbox |
| Nextcloud |
- |
Deny access to download.nextcloud.com + folders |
| Nextcloud |
- |
Log pollution can lead to HTML Injection. |
| PHP |
$1,000 |
ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize |
| PHP |
$1,000 |
Use After Free Vulnerability in PHP's GC algorithm and unserialize |
| Trello |
- |
Report bug on jetpack plugin |
| Nextcloud |
- |
REG: Content provider information leakage |
| Instacart |
- |
Authentication Bypass in Updating Personal Information |
| Nextcloud |
- |
Email ID Disclosure. |
| Nextcloud |
- |
WordPress Vulnerabilities: User Enumeration, Vulnerable Akismet Plugin, XML-RPC Interface available |
| Nextcloud |
$100 |
Read-only share recipient can restore old versions of file |
| Nextcloud |
$250 |
Uploading files to a folder where invited user don't have any EDIT privilege |
| Nextcloud |
- |
Password reset link remains valid after email change |
| Uber ★ |
- |
Error Message on 404 page |
| Nextcloud |
- |
Content Injection in subdomain |
| Nextcloud |
- |
Content injection in subdomain |
| Nextcloud |
- |
Content Spoofing/Text Injection - docs.nextcloud.org |
| Nextcloud |
- |
Content Injection 404 page |
| Nextcloud |
- |
Business/Functional logic bypass: Remove admins from admin group. |
| Nextcloud |
- |
help.nextcloud Email Address/Username enumeration |
| Nextcloud |
- |
newsletter.nextcloud.com: Bypass firewall protection |
| Nextcloud |
- |
Bruteforcing help.nextcloud.com |
| Nextcloud |
- |
Bruteforce attack is possible on newsletter.nextcloud.com |
| Zomato |
- |
CSS |
| Algolia |
$100 |
2-factor authentication bypass |
| Slack |
- |
Unauthenticated Access to some old file thumbnails |
| Nextcloud |
- |
No captcha on newsletter.nextcloudcom leaves vulnerable to email spammers |
| Nextcloud |
- |
Avatar image upload and bypass real image verification |
| Nextcloud |
- |
https://newsletter.nextcloud.com Directory listening and Information Disclosure |
| Nextcloud |
- |
Lost Password CSRF |
| Nextcloud |
- |
Directory Listing On download.nextcloud.com & Practical Attacks on PGP (Pretty Good Privacy) |
| Nextcloud |
- |
Server side request forgery (SSRF) on nextcloud implementation. |
| Nextcloud |
- |
Vulnerable Javascript library |
| Nextcloud |
- |
nextcloud.com: Directory listening for 'wp-includes' forders |
| Nextcloud |
- |
failure to invalidate session on password change |
| Vimeo |
$600 |
Downloading password protected / restricted videos |
| Nextcloud |
$50 |
Nextcloud server software: Content Spoofing |
| Nextcloud |
- |
No rate limiting on password protected shared file link |
| Nextcloud |
- |
nextcloud.com: Mail Bombing ( No Rate Limiting On Sending Emails On Contact us Page) |
| Nextcloud |
$350 |
Share owner has no possibility to list all existing derived shares |
| Nextcloud |
- |
help.nextcloud.com: Session Management Issue |
| Nextcloud |
- |
help.nextcloud.com: Known DoS condition (null pointer deref) in Nginx running |
| Nextcloud |
- |
No permission set on Activities [Android App] |
| Nextcloud |
- |
Enumeration of subscribed users and unauthenticated email unsubscriptions on https://newsletter.nextcloud.com/?p=unsubscribe |
| Nextcloud |
- |
Response Header injection using redirect_uri together with PHP that utilizes Header Folding according to RFC1945 and Internet Explorer 11 |
| Nextcloud |
- |
stats.nextcloud.com: Content Injection |
| Nextcloud |
- |
Content Spoofing |
| Nextcloud |
$750 |
Stored XSS on Share-popup of a directory's Gallery-view |
| Nextcloud |
- |
nextcloud.com: Content Injection Custom 404 Error |
| Veris |
- |
Registeration Link "Jacking&Redirecting" |
| Paragon Initiative Enterprises |
- |
Session Management |
| Uber ★ |
- |
Self-XSS in Partners Profile |
| Uber ★ |
$7,000 |
xss in https://www.uber.com |
| Paragon Initiative Enterprises |
- |
Full path disclosure vulnerability on paragonie.com |
| Zomato |
- |
Stored Cross site scripting |
| Ubiquiti Networks |
$1,000 |
Subdomain takeover on partners.ubnt.com due to non-used CloudFront DNS entry |
| Gratipay |
- |
set Expires header |
| Uber ★ |
$1,500 |
Bulk UUID enumeration via invite codes |
| Ubiquiti Networks |
$150 |
[account-global.ubnt.com] CRLF Injection |
| Ian Dunn |
$50 |
Stored XSS from ticket messages in admin table in SupportFlow |
| Ian Dunn |
$50 |
Stored XSS in SupportFlow Ticket Subject |
| Uber ★ |
- |
Bruteforce INVITE codes easy way |
| Uber ★ |
- |
Email Address Enumeration |
| Python |
$1,000 |
CVE-2016-0772 - python: smtplib StartTLS stripping attack |
| Sucuri |
$250 |
[support.sucuri.net] CRLF Injection |
| Sucuri |
$250 |
SSRF in sitecheck.sucuri.net |
| Mail.Ru |
$150 |
[townwars.mail.ru] Time-Based SQL Injection |
| Uber ★ |
$750 |
Brute-Forcing invite codes in partners.uber.com |
| bitaccess |
$200 |
EXTREMELY URGENT: Missing control of bitcoin amount when selling bitcoin allows a user to withdraw any amount of money, unrestricted. |
| New Relic |
- |
Open redirection bypass . |
| Ruby |
- |
Heap corruption in string.c tr_trans() due to undersized buffer |
| Ruby |
- |
Heap corruption in DateTime.strftime() on 32 bit for certain format strings |
| Ruby |
$500 |
StringIO strio_getline() can divulge arbitrary memory |
| WebSummit |
- |
Time Based SQL injection in url parameter |
| Uber ★ |
- |
Newsroom.uber HTML form without CSRF protection |
| HackerOne ★ |
$500 |
All information is not removed from published reports |
| SecNews |
- |
Text injection on error page. |
| SecNews |
- |
Content spoofing due to the improper behavior of the not-found message |
| Instacart |
$100 |
Authorization Bypass in Delivery Chat Logs |
| The Internet |
$7,500 |
Insufficient shell characters filtering leads to (potentially remote) code execution (CVE-2016-3714) |
| Slack |
$500 |
File upload over private IM channel |
| Uber ★ |
$10,000 |
Change any Uber user's password through /rt/users/passwordless-signup - Account Takeover (critical) |
| Uber ★ |
- |
Email Enumeration Vulnerability |
| Badoo |
$280 |
Получение оригинала скрытого изображения |
| Phabricator |
- |
Full path disclosure |
| Coinbase |
- |
Transaction Pending Via Ip Change |
| Shopify |
$3,000 |
Authentication Bypass on Icinga monitoring server |
| Shopify |
$1,500 |
Potentially Sensitive Information on GitHub |
| Informatica |
- |
[uk.informatica.com] XSS on uk.informatica..com |
| Veris |
- |
Unauthenticated CSRF(User can input any value for CSRF Token) |
| Zomato |
- |
XSS on zomato.com |
| Uber ★ |
- |
Password Reset Does Not Confirm the Existence of an Email Address |
| Mail.Ru |
$250 |
Mail.ru for Android Content Provider Vulnerability |
| Zomato |
- |
Unvalidated redirect on user profile website |
| Mapbox |
$500 |
XSS on www.mapbox.com/authorize/ because of open redirect at /core/oauth/auth |
| Mapbox |
$500 |
XSS on www.mapbox.com/authorize |
| Gratipay |
$40 |
upgrade Aspen on inside.gratipay.com to pick up CR injection fix |
| Uber ★ |
- |
Header Injection |
| drchrono |
$50 |
Information Disclosure |
| Python |
$500 |
Heap corruption via Python 2.7.11 IOBase readline() |
| Uber ★ |
$750 |
xss vulnerability in http://ubermovement.com/community/daniel |
| drchrono |
$50 |
Bug Report |
| Moneybird |
$50 |
[STORED XSS] in debtor reports of ,,invoices'' |
| WePay |
$250 |
Invited users can modify and/or remove account owner |
| Shopify |
$500 |
Fetching external resources through svg images |
| LocalTapiola |
$100 |
DOM XSS bypassing in Regional Office -selector |
| Urban Dictionary |
- |
Infinite Upvoting/Downvoting: Lockout Bypass, Plus: Exposed API Documentation |
| Pornhub |
$10,000 |
[RCE] Unserialize to XXE - file disclosure on ams.upload.pornhub.com |
| Twitter |
$560 |
Information Disclosure through .DS_Store in ██████████ |
| Pushwoosh |
- |
Cross-Site Scripting Stored On Rich Media |
| Mail.Ru |
$150 |
[tidaltrek.mail.ru] SQL Injection |
| OpenSSL |
$500 |
CVE-2016-2177 Undefined pointer arithmetic in SSL code |
| Pornhub |
$1,500 |
(Pornhub & Youporn & Brazzers ANDROID APP) : Upload Malicious APK / Overrite Existing APK / Android BackOffice Access |
| Zomato |
- |
Bypass OTP verification when placing Order |
| Trello |
- |
XSS in Jetpack plugin |
| VK.com |
$1,500 |
XSS в upload.php |
| drchrono |
$50 |
User with no permissions can create, edit, delete favorite prescriptions /erx/ |
| Slack |
$200 |
[Screenhero] Subdomain takeover |
| Ubiquiti Networks |
$125 |
Stored XSS in unifi.ubnt.com |
| General Motors |
- |
IE search XSS |
| Pornhub |
$20,000 |
[phpobject in cookie] Remote shell/command execution |
| Pornhub |
$1,000 |
Private Photo Disclosure - /user/stream_photo_attach?load=album&id= endpoint |
| drchrono |
$50 |
Bypassing Password Reset |
| drchrono |
- |
XSS in Blog |
| GlassWire |
$25 |
Bypass GlassWire's monitoring of Hosts file |
| New Relic |
- |
SSRF on synthetics.newrelic.com permitting access to sensitive data |
| Bime |
- |
Bime Unable to load Data Sources |
| HackerOne ★ |
$500 |
Able to remove the admin access of my program |
| drchrono |
$50 |
User with no permissions can access full wdcalendar feed |
| Pornhub |
- |
Reflected XSS by way of jQuery function |
| drchrono |
$50 |
Stored XSS via AngularJS Injection |
| Ubiquiti Networks |
$260 |
Open Redirect in unifi.ubnt.com [Controller Finder] |
| drchrono |
$50 |
[CRITICAL] CSRF leading to account take over |
| Uber ★ |
- |
Uber is Flooding my Mobile with SMS Daily like a cron JOB |
| Mail.Ru |
$150 |
Code source discloure & ability to get database information "SQL injection" in [townwars.mail.ru] |
| New Relic |
- |
Blind SSRF on synthetics.newrelic.com |
| Zendesk |
$100 |
XSS in zendesk.com/product/ |
| drchrono |
$100 |
Angular injection in the profile name of onpatient |
| Nginx |
- |
Module ngx_http_auth_basic_module is broken and allowing all password after specific length |
| drchrono |
$50 |
Template stored XSS |
| drchrono |
$50 |
node.drchrono.com - Information Disclosure and Windows Host Exposed |
| drchrono |
$50 |
Ngnix Server version disclosure |
| Starbucks |
$4,000 |
Parameter Manipulation allowed for editing the shipping address for other user’s teavana.com subscriptions. |
| Pushwoosh |
- |
Stored XSS in Filters |
| Starbucks |
$6,000 |
Parameter Manipulation allowed for viewing of other user’s teavana.com orders |
| drchrono |
$50 |
Bypass password complexity requirements on passsword reset page |
| drchrono |
$100 |
Security Issue : CSRF Token Design Flaw |
| Mail.Ru |
$150 |
[tidaltrek.mail.ru] SQL Injection |
| Mail.Ru |
- |
[sales.mail.ru] CRLF Injection |
| Uber ★ |
- |
XSS in people.uber.com |
| Mail.Ru |
- |
Insecure cookies without httpOnly flag set |
| Coinbase |
- |
Cookie not secure |
| HackerOne ★ |
- |
Denial of service in report view. |
| Mail.Ru |
$100 |
[my.mail.ru] HTML injection в письмах от myadmin@corp.mail.ru |
| Starbucks |
$375 |
www.starbucks.co.uk Reflected XSS via utm_source parameter |
| Mail.Ru |
$160 |
[upload-X.my.mail.ru] /uploadphoto Insecure Direct Object References |
| Slack |
$500 |
Open Redirect on slack.com |
| Gratipay |
$10 |
configure a redirect URI for Facebook OAuth |
| Binary.com |
$50 |
CJ vulnerability in subdomain |
| Gratipay |
- |
don't store CSRF tokens in cookies |
| New Relic |
- |
Session takeover |
| New Relic |
- |
No CSRF validation on Account Monitors in Synthetics Block |
| Trello |
$128 |
XSS in Jetpack Plugin |
| Zomato |
- |
XSS onmouseover |
| New Relic |
- |
JIRA account misconfig causes internal info leak |
| Phabricator |
- |
No authentication required to add an email address. |
| LocalTapiola |
$100 |
Exploiting Secure Shell (SSH) on mobilelt.lahitapiola.fi |
| Uber ★ |
- |
DOM based XSS on |
| Phabricator |
$300 |
Passphrase credential lock bypass |
| Dovecot |
- |
Outdated Apache Server in www.dovecot.fi is vulnerable to various attack. |
| Dovecot |
- |
Apache version disclosure |
| New Relic |
- |
Privilege Escalation In Moniter |
| Informatica |
- |
[kb.informatica.com] Unauthenticated emails and HTML injection in email messages |
| Ubiquiti Networks |
$2,750 |
Read-Only user can execute arbitraty shell commands on AirOS |
| ok.ru |
- |
Missing proper error message. |
| Automattic |
$500 |
WordPress core stored XSS via attachment file name |
| Badoo |
$280 |
Ability to collect users' ids that have visited a specific web page with malicious code |
| New Relic |
- |
Improper Session Management |
| Dropbox |
- |
Lack of account link warning enables dropbox hijacking |
| LocalTapiola |
$300 |
Persistent XSS at verkkopalvelu.tapiola.fi using spoofed React element and React v.0.13.3 |
| Uber ★ |
- |
Phone Number Enumeration |
| Uber ★ |
$7,000 |
OneLogin authentication bypass on WordPress sites via XMLRPC |
| New Relic |
- |
Missing rate limit on password |
| Pornhub |
$750 |
[idor] Profile Admin can pin any other user's post on his stream wall |
| LocalTapiola |
$100 |
Remote Code Execution in NovaStor NovaBACKUP DataCenter backup software (Hiback) |
| Veris |
- |
Text injection can be used in phishing 404 page and should not include attacker text |
| Pornhub |
$1,000 |
SSRF & XSS (W3 Total Cache) |
| Gratipay |
- |
don't expose path of Python |
| Uber ★ |
- |
Self-XSS on partners.uber.com |
| Dovecot |
- |
DIrectory Listing Found |
| Mail.Ru |
- |
[torg.mail.ru] CRLF Injection |
| LocalTapiola |
$300 |
Abusing and Hacking the SMTP Server secure.lahitapiola.fi |
| Zomato |
- |
Instagram OAuth2 Implementation Leaks Access Token; Allows for Cross-Site Script Inclusion (XSSI) |
| Zomato |
- |
Reflected Cross-Site Scripting in www.zomato.com/php/instagram_tag_relay |
| WP API |
$100 |
Missing access control exposing detailed information on all users |
| Pornhub |
$1,000 |
[IDOR] Deleting other users comment |
| Pornhub |
$150 |
Same-Origin Method Execution bug in plupload.flash.swf on /insights |
| OpenSSL |
$1,000 |
Bleichenbacher oracle in SSLv2 (CVE-2016-0704) |
| OpenSSL |
$2,500 |
Divide-and-conquer session key recovery in SSLv2 (CVE-2016-0703) |
| Pornhub |
$5,000 |
Weak user aunthentication on mobile application - I just broken userKey secret password |
| Pornhub |
$1,500 |
[stored xss, pornhub.com] stream post function |
| Pornhub |
$250 |
XSS Reflected incategories*p |
| Pornhub |
$250 |
XSS ReflectedGET /*embed_player*? |
| StopTheHacker |
- |
Wordpress flashmediaelement.swf XSS on stopthehacker.com |
| Mail.Ru |
$150 |
SQL Injection |
| Pornhub |
$1,500 |
[IDOR] post to anyone even if their stream is restricted to friends only |
| Veris |
- |
Reflected XSS in domain www.veris.in |
| Zomato |
- |
Reflected XSS on business-blog.zomato.com - Part 2 |
| Zomato |
- |
Reflected XSS on business-blog.zomato.com - Part I |
| Pornhub |
$100 |
CSV Macro injection in Video Manager (CEMI) |
| Veris |
- |
Stored XSS on 'Badges' page |
| Square Open Source |
- |
Cache poisoning for okhttp |
| Pornhub |
- |
vulnerabilitie |
| Ruby |
- |
SMTP command injection |
| HackerOne ★ |
- |
Inadequate access controls in "Vote" functionality??? |
| Vimeo |
$600 |
All Vimeo Private videos disclosure via Authorization Bypass |
| LocalTapiola |
$100 |
Amazon Bucket Accessible (http://inpref.s3.amazonaws.com/) |
| New Relic |
- |
New Relic - Session Hijacking |
| Twitter |
- |
List of a ton of internal twitter servers available on GitHub |
| Sucuri |
$500 |
CRLF/HTTP header injection www.sucuri.net |
| Dovecot |
- |
nginx server vulnerable |
| Dropbox |
- |
Dropbox apps Server side request forgery |
| ThisData |
- |
Host Header Poisoning in thisdata.com |
| Uber ★ |
- |
Clickjacking in love.uber.com |
| Veris |
- |
[Stored XSS] sandbox.veris.in |
| ok.ru |
$500 |
Xss in m.ok.ru |
| Veris |
- |
[XSS] sandbox.veris.in |
| Mail.Ru |
- |
AXFR на plexus.m.smailru.net работает |
| Vimeo |
- |
XSS in Subtitles of Vimeo Flash Player and Hubnut |
| Udemy |
- |
Csrf on creating course |
| OpenSSL |
$2,500 |
Padding oracle in AES-NI CBC MAC check (CVE-2016-2107) |
| Ubiquiti Networks |
$1,000 |
Source code disclosure on https://107.23.69.180 |
| Uber ★ |
$8,000 |
[CRITICAL] -- Complete Account Takeover |
| Gratipay |
$1 |
don't leak server version of grtp.co in error pages |
| Moneybird |
$50 |
Reflected XSS in Backend search |
| Uber ★ |
- |
Compromising Atlassian Confluence (team.uberinternal.com) via WordPress (newsroom.uber.com) |
| Vimeo |
$750 |
CSRF on Vimeo via cross site flashing leading to info disclosure and private videos go public |
| ThisData |
- |
STORED XSS FOUND |
| GitLab |
- |
Persistent XSS on public wiki pages |
| Mapbox |
$400 |
Denial of service in account statistics endpoint |
| Uber ★ |
$10,000 |
OneLogin authentication bypass on WordPress sites |
| Moneybird |
$100 |
Employees with Any Permissions Can Create App with Full Permissions and Perform any API Action |
| OpenSSL |
$500 |
EBCDIC overread (CVE-2016-2176) |
| OpenSSL |
$500 |
EVP_EncryptUpdate overflow (CVE-2016-2106) |
| OpenSSL |
$500 |
EVP_EncodeUpdate overflow (CVE-2016-2105) |
| Uber ★ |
- |
Missing authentication on Notification setting . |
| Romit |
$50 |
Session Fixation |
| Moneybird |
$25 |
information disclose |
| Shopify |
$500 |
View all deleted comments and rating of any app . |
| Dropbox Acquisitions |
- |
Session hacking |
| Udemy |
- |
Showing Up Source Code |
| Dovecot |
- |
Cross-Site Scripting Vulnerability in dovecot.fi |
| Uber ★ |
$5,000 |
Multiple vulnerabilities in a WordPress plugin at drive.uber.com |
| Paragon Initiative Enterprises |
- |
Email Authentication Bypass |
| LocalTapiola |
$400 |
Possibly big authorization problem in Lähitapiola´s varainhoito |
| Mapbox |
$1,000 |
Reflected cross-site scripting (XSS) on api.tiles.mapbox.com |
| LocalTapiola |
$100 |
HTTP status code manipluation & java stack trace |
| LocalTapiola |
$5,000 |
Blind Stored XSS Against Lahitapiola Employees - Session and Information leakage |
| PHP |
$1,500 |
Integer overflow in ZipArchive::getFrom* |
| HackerOne ★ |
$2,500 |
RCE in profile picture upload |
| OpenSSL |
- |
Potential double free in EVP_DigestInit_ex |
| Paragon Initiative Enterprises |
- |
The Anti-CSRF Library fails to restrict token to a particular IP address when being behind a reverse-proxy/WAF |
| OpenSSL |
$500 |
ASN.1 BIO excessive memory allocation (CVE-2016-2109) |
| Mail.Ru |
$250 |
XSS с помощью специально сформированного файла. |
| Veris |
- |
SSL/TLS BEAST ATTACK VULNERABILITY |
| Shopify |
$500 |
staff memeber can install apps even if have limitied access |
| Automattic |
$1,337 |
WordPress SOME bug in plupload.flash.swf leading to RCE |
| Automattic |
$1,337 |
WordPress Flash XSS in *flashmediaelement.swf* |
| Uber ★ |
- |
Uber for Business Allows Administrators to Change Uber Driver Ratings Due to Failure to Authenticate `fast-rating` Endpoint |
| Zendesk |
$250 |
XSS In /zuora/ functionality |
| LocalTapiola |
- |
Source Code Disclosure on out of scope domain viestinta.lahitapiola.fi |
| LocalTapiola |
$100 |
Content Spoofing or Text Injection (404 error page injection) |
| Algolia |
$500 |
RCE on facebooksearch.algolia.com |
| GitLab |
- |
Private snippets in public / internal projects leaked though GitLab API |
| GitLab |
- |
Confidential issues leaked in public projects when attached to milestone |
| GitLab |
- |
Attacker can post notes on private MR, snippets, and issues |
| GitLab |
- |
Attacker can delete (and read) private project webhooks |
| ownCloud |
- |
doc.owncloud.com: PHP info page disclosure |
| Uber ★ |
- |
Defect-Security | Driver-Broken Authentication | Able to update the Subscription Setting anonymously |
| QIWI |
- |
SSL Certificate on qiwi.com will expire soon. |
| Uber ★ |
- |
Stored self-XSS at m.uber.com |
| Uber ★ |
$2,000 |
Reflected XSS via Livefyre Media Wall in newsroom.uber.com |
| New Relic |
- |
newrelic.com rails directory traversal vuln |
| General Motors |
- |
Reflected XSS and something more Store XSS too |
| Automattic |
$75 |
XSS on www.wordpress.com |
| concrete5 |
- |
ProBlog 2.6.6 CSRF Exploit |
| Moneybird |
$25 |
Content Spoofing In Moneybird |
| Veris |
- |
XSS in Asset name |
| GitLab |
- |
GFM renderer leaks external issue tracker URL of private project |
| Badoo |
- |
AWS S3 Bucket hotornot-images permissions allow for listing and removing files |
| Uber ★ |
- |
Information Disclosure on lite.uber.com |
| Legal Robot |
- |
No DMARC Record in legalrobot-uat.com |
| HackerOne ★ |
- |
Manipulate report timeline activity by using null byte. |
| New Relic |
- |
Cache-Control Misconfiguration Leads to Sensitive Information Leakage |
| GitLab |
- |
Labels created in private projects are leaked |
| New Relic |
- |
Stored Cross-Site Scripting via Angular Template Injection |
| Udemy |
$50 |
Stored XSS at Udemy |
| New Relic |
- |
Open redirection |
| Slack |
$1,000 |
Stored XSS on team.slack.com using new Markdown editor of posts inside the Editing mode and using javascript-URIs |
| HackerOne ★ |
- |
Reputation Manipulation (Theoretical) |
| Zendesk |
$500 |
[HIGH RISK] CSRF could potentially delete a zendesk subdomain. |
| Moneybird |
$50 |
Open Redirect vulnerability in moneybird.com |
| bitaccess |
- |
Missing SPF for hackerone.com |
| Uber ★ |
- |
CrashPlan Backup is Vulnerable Allowing to a DoS Attack Against Uber's Backups to ```backup.uber.com``` |
| New Relic |
- |
Login Open Redirect |
| Zendesk |
$100 |
AWS S3 bucket writable for authenticated aws user |
| Udemy |
- |
AWS S3 bucket writable for authenticated aws user |
| Gratipay |
- |
PHP 5.4.45 is Outdated and Full of Preformance Interupting Arbitrary Code Execution Bugs |
| Uber ★ |
$7,500 |
Stored XSS in developer.uber.com |
| CloudFlare |
- |
Reflected XSS on partners.cloudflare.com |
| GitLab |
- |
Privilege escalation to access all private groups and repositories |
| Twitter |
$840 |
[Critical] - Steal OAuth Tokens |
| Coinbase |
$100 |
User's legal name could be changed despite front end controls being disabled |
| Uber ★ |
- |
XSS via password recovering |
| Automattic |
$75 |
Akismet Several CSRF vulnerabilities |
| ownCloud |
$150 |
Open Redirector via (apps/files_pdfviewer) for un-authenticated users. |
| Gratipay |
$1 |
bring grtp.co up to A grade on SSLLabs |
| Gratipay |
- |
Submit a non valid syntax email |
| Uber ★ |
- |
XSS in uber oauth |
| Gratipay |
- |
Possible Blind SQL injection | Language choice in presentation |
| Moneybird |
$50 |
Stored XSS in Financial Account executing in Bank tab |
| Moneybird |
$100 |
Malicious File Upload |
| Paragon Initiative Enterprises |
- |
Vunerability : spf |
| ownCloud |
- |
doc.owncloud.org: XSS via Referrer |
| Vimeo |
- |
Error page Text Injection. |
| Ubiquiti Networks |
$275 |
Reflected XSS in scores.ubnt.com |
| Trello |
- |
Error Page Text Injection. |
| New Relic |
- |
Sensitive information contained with New Relic APM iOS application |
| Moneybird |
$150 |
XXE issue |
| Moneybird |
$25 |
Stored XSS thru SVG upload |
| Uber ★ |
- |
Unsubscribe any user from receiving email |
| bitaccess |
$50 |
BYASSING OTP Verification |
| Badoo |
- |
Badoo and Hotornot User Disclosure |
| Uber ★ |
- |
Requested and received edit access to Google form |
| Moneybird |
$50 |
CSV Injection with the CSV export feature |
| Trello |
$128 |
Cross site scripting in blog.trello.com |
| Uber ★ |
- |
developer.uber.com/404 and developer.uber.com/docs/404 are susceptible to iframes |
| HackerOne ★ |
- |
Missing Certificate Authority Authorization rule |
| Xero |
- |
Insecure Payment System Integration |
| Slack |
$2,000 |
Authentication bypass leads to sensitive data exposure (token+secret) |
| APITest.IO |
- |
beta version reveals paths, environment variables and partially files contents |
| Zendesk |
$50 |
Stored XSS on [your_zendesk].zendesk.com in Facebook Channel |
| APITest.IO |
- |
Login Via FB Leads To Create A New Account Instead Of Loging In |
| Dropbox |
- |
No Rate Limiting while sending the feedback under Dropbox Help Centre |
| Python |
$500 |
Python 2.7 strop.replace Integer Overflow |
| GitLab |
- |
Persistent XSS on public project page |
| Uber ★ |
- |
reopen #128853 (Information disclosure at lite.uber.com) |
| APITest.IO |
- |
Clickjacking: X-Frame-Options header missing |
| ownCloud |
- |
Cross site scripting in apps.owncloud.com |
| Twitter |
$700 |
xss in DM group name in twitter |
| Twitter |
$700 |
niche s3 buckets are readable/writeable/deleteable by authorized AWS users |
| Veris |
- |
Stored XSS in member book |
| Gratipay |
- |
After removing app from facebook app session not expiring. |
| New Relic |
- |
APT repository is signed using weak digest (SHA-1) |
| Automattic |
$75 |
CPU utilization 99% on visiting wordpress site url & open redirect found |
| Uber ★ |
- |
Disclosure of ways to the site root |
| LocalTapiola |
$300 |
The PdfServlet-functionality used by the "Tee vakuutustodistus" allows injection of custom PDF-content via CSRF-attack |
| LocalTapiola |
$400 |
Cookie-based client-side denial-of-service to all of the Lähitapiola domains |
| Gratipay |
- |
prevent %2f spoofed URLs in profile statement |
| Uber ★ |
- |
User credentials are not strong on vault.uber.com |
| Gratipay |
$10 |
Send email asynchronously |
| Uber ★ |
- |
Information disclosure at lite.uber.com |
| Algolia |
$100 |
No rate-limit in Two factor Authentication leads to bypass using bruteforce attack |
| Gratipay |
- |
text injection in website title |
| Ubiquiti Networks |
$1,500 |
Read-Only user can execute arbitraty shell commands on AirOS |
| Uber ★ |
- |
Enumerating userIDs with phone numbers |
| APITest.IO |
- |
SSRF on testing endpoint |
| New Relic |
- |
Clickjacking on authenticated pages which is inscope for New Relic |
| ownCloud |
- |
doc.owncloud.org: X-XSS-Protection not enabled |
| Trello |
$1,536 |
Payments informations are sent to the webhook when a team changes its visibility |
| OpenSSL |
$1,000 |
BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193) |
| Gratipay |
$10 |
fix bug in username restriction |
| Snapchat |
$1,000 |
Administrator access to a Django Administration Panel on *.sc-corp.net via bruteforced credentials |
| InVision |
$400 |
CRITICAL : Delete Boards Admin's ( or any other user ) comment. ( IDOR ) |
| HackerOne ★ |
$2,500 |
AWS S3 bucket writeable for authenticated aws users |
| GitLab |
- |
Bypassing password authentication of users that have 2FA enabled |
| GitLab |
- |
Attacker can extract list of private project's project members |
| Gratipay |
- |
Getting Error Message and in use python version 2.7 is exposed. |
| Gratipay |
- |
An adversary can harvest email address for spamming. |
| Gratipay |
$1 |
Limit email address length |
| Uber ★ |
$5,000 |
Stored XSS on newsroom.uber.com admin panel / Stream WordPress plugin |
| Uber ★ |
$250 |
Easy spam with USE My PHONE Feature |
| HackerOne ★ |
- |
Deleted name still present via mouseover functionality for user accounts |
| HackerOne ★ |
$1,500 |
Web Authentication Endpoint Credentials Brute-Force Vulnerability |
| HackerOne ★ |
- |
DOS Report FILE html inside <code> in markdown |
| New Relic |
- |
Password disclosure during signup process |
| New Relic |
- |
Open redirection bypass |
| Badoo |
$852 |
[CRITICAL] Full account takeover using CSRF |
| Uber ★ |
- |
Session Impersonation in riders.uber.com |
| HackerOne ★ |
$500 |
New hacktivity view discloses report IDs of non-public reports |
| ownCloud |
- |
Reflected XSS in owncloud.com |
| HackerOne ★ |
$500 |
New hacktivity view discloses report IDs of non-public reports |
| PHP |
$1,000 |
php_snmp_error() Format String Vulnerability |
| New Relic |
- |
rpm.newrelic.com - monitor creation to other accounts |
| New Relic |
- |
Mobile Authentication Endpoint Credentials Brute-Force Vulnerability |
| HackerOne ★ |
- |
HackerOne Important Emails Notification are sent in clear-text |
| Coursera |
- |
XSS in https://www.coursera.org/courses/ |
| Uber ★ |
$5,000 |
Information regarding trips from other users |
| Uber ★ |
$5,000 |
Possibility to get private email using UUID |
| Twitter |
$280 |
XSS using javascript:alert(8007) |
| Uber ★ |
$3,000 |
Possible to View Driver Waybill via Driver UUID |
| Uber ★ |
- |
Use Partner/Driver App Without Being Activated |
| LocalTapiola |
$100 |
www.lahitapiola.fi DOM XSS by choosing regional company |
| New Relic |
- |
CSV Injection in sub_accounts.csv |
| New Relic |
- |
Old CAPTCHA offers no protection |
| New Relic |
- |
User enumeration possible from log-in timing difference |
| Uber ★ |
- |
Brute Forcing rider-view Endpoint Allows for Counting Number of Active Uber Drivers |
| Uber ★ |
$3,000 |
Stored XSS in archive.uber.com Due to Injection of Javascript:alert(0) |
| Badoo |
- |
Insecure Direct Object Reference on badoo.com |
| Uber ★ |
- |
It is possible to re-rate a driver after a very long time |
| Uber ★ |
- |
Pixel flood attack in https://riders.uber.com/profile |
| Coinbase |
$1,000 |
Sending payments via QR code does not require confirmation |
| Uber ★ |
- |
Disclosure of ip addresses in local network of uber |
| Shopify |
$500 |
XSS on https://app.shopify.com/ |
| Uber ★ |
- |
SMS Flood with Update Profile |
| Uber ★ |
- |
Changing Driver Passwords With Only an Authenticated Session (no password, no email) |
| Coinbase |
$500 |
Email leak in transcations in Android app |
| Uber ★ |
- |
Uploading Plain Text to uber-documents.s3.amazonaws.com Through the Driver Document Upload Page |
| Uber ★ |
- |
Uber password reset link EMAIL FLOOD |
| Uber ★ |
- |
Privilege escalation to allow non activated users to login and use uber partner ios app |
| Trello |
$1,024 |
If a team is public, the web socket receives data about the Team visible boards |
| Uber ★ |
- |
text injection in get.uber.com/check-otp |
| LocalTapiola |
$1,000 |
Posting modified information in 'Investment section' will cause unintended information change in verkkopalvelu.tapiola.fi |
| Uber ★ |
$500 |
CBC "cut and paste" attack may cause Open Redirect(even XSS) |
| Uber ★ |
$750 |
XSS In archive.uber.com Due to Mime Sniffing in IE |
| Uber ★ |
$1,000 |
CSV Injection in business.uber.com |
| Uber ★ |
$2,000 |
Stored XSS in drive.uber.com WordPress admin panel |
| Uber ★ |
- |
Cross-site Scripting (XSS) |
| Gratipay |
$10 |
prevent content spoofing on /~username/emails/verify.html |
| Uber ★ |
- |
CRLF Injection in developer.uber.com |
| Uber ★ |
$10,000 |
uber.com may RCE by Flask Jinja2 Template Injection |
| Uber ★ |
$3,000 |
SQL injection in Wordpress Plugin Huge IT Video Gallery at https://drive.uber.com/frmarketplace/ |
| Veris |
- |
XSS on multiple fields |
| Uber ★ |
$3,000 |
Reflected XSS via Unvalidated / Open Redirect in uber.com |
| Zomato |
- |
Reflected XSS on Zomato API |
| Uber ★ |
- |
Session retention is present which reveals the customer info |
| Uber ★ |
- |
Brute Force Amplification Attack |
| Uber ★ |
- |
CSRF on eng.uber.com may lead to server-side compromise |
| Uber ★ |
$5,000 |
Possibility to brute force invite codes in riders.uber.com |
| Uber ★ |
- |
Stored Cross Site Scripting [SELF] in partners.uber.com |
| Uber ★ |
$3,000 |
Dom Based Xss |
| Uber ★ |
$500 |
Estimation of a Lower Bound on Number of Uber Drivers via Enumeration |
| New Relic |
- |
Too many included lookups |
| PHP |
- |
Null pointer deref (segfault) in stream_context_get_default |
| Mapbox |
$1,000 |
XSS (cross-site scripting) on www.mapbox.com/maki |
| Uber ★ |
$3,000 |
Avoiding Surge Pricing |
| Uber ★ |
- |
Create account in uber without signup form |
| Uber ★ |
$2,000 |
Bypassing Uber Partner's 3 Cancel Limit |
| Uber ★ |
$3,000 |
Lack of rate limiting on get.uber.com leads to enumeration of promotion codes and estimation of a lower bound on the number of Uber drivers |
| Uber ★ |
$3,000 |
SQLi in love.uber.com |
| Uber ★ |
- |
XSS on love.uber.com |
| Uber ★ |
- |
HTML Escaping Error in the 404 Page on developer.uber.com/docs/ |
| Uber ★ |
$1,500 |
Lack of CNAME/A Record Trimming Pointing Uber Domains to Insecure Non-Uber AWS Instances/Sites |
| Uber ★ |
$3,000 |
XSS in getrush.uber.com |
| Uber ★ |
- |
LIsting of http://archive.uber.com/pypi/simple/ |
| Uber ★ |
- |
Self-XSS Vulnerability on Password Reset Form |
| Uber ★ |
$3,000 |
Reflected XSS on developer.uber.com via Angular template injection |
| Uber ★ |
$500 |
Open Redirect in m.uber.com |
| Gratipay |
$1 |
Hijacking user session by forcing the use of invalid HTTPs Certificate on images.gratipay.com |
| Uber ★ |
- |
Cross-site Scripting (XSS) autocomplete generation in https://www.uber.com/ |
| HackerOne ★ |
$1,500 |
External programs revealing info |
| HackerOne ★ |
$500 |
Websites opened from reports can change url of report page |
| Shopify |
$500 |
Bypassed password authentication before enabling OTP verification |
| New Relic |
- |
Stored XSS through Angular Expression Sandbox Escape |
| HackerOne ★ |
- |
External links should use rel="noopener" or use the redirect service |
| HackerOne ★ |
$500 |
Disclosure of private programs that have an "external" page on HackerOne |
| General Motors |
- |
Angular Expression Injection in the my.gmc.com Search Page |
| Vimeo |
- |
Missing rate limit on private videos password |
| Shopify |
$500 |
Stored XSS via "Free Shipping" option (Discounts) |
| Imgur |
$100 |
XSS via React element spoofing |
| HackerOne ★ |
$500 |
CSV Injection via the CSV export feature |
| Veris |
- |
Captcha Bypass enable login bruteforce |
| Zomato |
- |
Authentication Bypassing and Sensitive Information Disclosure on Verify Email Address in Registration Flow |
| Shopify |
$1,500 |
Shopify GitHub Login and Password exposed all private source code might be available. |
| Veris |
- |
Wordpress Pingback DDoS Attacks in domain: veris.in |
| Trello |
$768 |
Using WebSocket I can always access organization data even if I am removed |
| Veris |
- |
Stored XSS in Access Rules |
| Veris |
- |
Complete Profile URL is not Random and not expiring |
| Gratipay |
- |
csrf_token cookie don't have the flag "HttpOnly" |
| Gratipay |
$1 |
auto-logout after 20 minutes |
| Gratipay |
$1 |
Cookie Does Not Contain The "secure" Attribute |
| Gratipay |
- |
Vulnerable to clickjacking |
| Veris |
- |
Not Using Secure Flag Option on Cookies Could Lead to a Man in the Middle Session Highjacking |
| HackerOne ★ |
- |
Sending emails (via HackerOne) impersonating other users |
| Gratipay |
$1 |
suppress version in Server header on gratipay.com or grtp.co |
| Veris |
- |
Complete or Edit Another User's Profile |
| Veris |
- |
Insecure Direct 'org-visitor-log' References |
| Veris |
- |
Insecure Direct 'org-invite-log' References |
| Dropbox |
- |
Possible SQL injection can cause denial of service attack |
| New Relic |
- |
Synthetics Xss |
| Informatica |
- |
[marketplace.informatica.com] Open Redirect |
| HackerOne ★ |
$500 |
SECURITY: Referencing previous Reports attachment_IDs on new Reports via Draft_Sync DELETES Attachments |
| HackerOne ★ |
- |
Unauthorized Team members viewing |
| Veris |
- |
Security Vulnerability - SMTP protection not used |
| New Relic |
- |
Host Header Injection / Cache Poisoning |
| Veris |
- |
Insecure Direct Member Disclosure |
| Veris |
- |
User enumeration via error message |
| New Relic |
- |
Normal user can set "Job title" of other users by Direct Object Reference |
| HackerOne ★ |
$500 |
Mediation link can be accepted by other users |
| Mail.Ru |
- |
Обход basic авторизации [qpt.mail.ru] |
| Veris |
- |
Creating multiple user with the same link which is sent to email after registeration |
| LocalTapiola |
$500 |
CSRF allows attacker to delete item from customer's "Postilaatikko" |
| HackerOne ★ |
- |
Possible XSS |
| Veris |
- |
Server and PHP version Disclosed in Response Header |
| New Relic |
- |
All the active session should destroy when user change his password |
| New Relic |
- |
Open redirection on login |
| HackerOne ★ |
- |
Email Address Leak |
| New Relic |
- |
no email confirmation on signup |
| New Relic |
- |
newrelic.com vulnerable to clickjacking ! |
| Shopify |
$500 |
XSS on hardware.shopify.com |
| New Relic |
- |
Emails and alert policies can be altered by malicious users. |
| New Relic |
- |
CSRF- delete all empty server policy |
| Mail.Ru |
- |
Reflected XSS на games.mail.ru |
| New Relic |
- |
CSRF - Delete all empty application policy |
| New Relic |
- |
No Rate Limitation on Promo Code |
| New Relic |
- |
Vulnerable Link Leaks the User Names |
| New Relic |
- |
https://rpm.newrelic.com/login vulnerable to host header attack |
| New Relic |
- |
https://rpm.newrelic.com/.htaccess file is world readable |
| HackerOne ★ |
$1,000 |
Edit Auto Response Messages |
| Zomato |
- |
Persistent XSS on Reservation / Booking Page |
| Mail.Ru |
$200 |
bgplay.mail.ru |
| Xero |
- |
Default.aspx exposing full path and other info on wip.origin-community.xero.com |
| Shopify |
$500 |
Stored XSS in https://checkout.shopify.com/ |
| Uber ★ |
- |
Active Email Hyperlink Sent on riders.uber.com |
| New Relic |
- |
Server Side Browsing - localhost open port enumeration |
| Imgur |
$5,000 |
Local file read in image editor |
| Xero |
- |
stored xss issue in folder name on go.xero.com/Docs/Folders |
| Xero |
- |
Open-redirect on login.xero.com |
| Mapbox |
$200 |
Mapbox API Access Token with No Scope Can Read Styles |
| Ubiquiti Networks |
$1,300 |
Shell Injection via Web Management Console (dl-fw.cgi) |
| Vimeo |
$100 |
Private, embeddable videos leaks data through Facebook & Open Graph |
| Xero |
- |
Additonal stored XSS in Add note/Expected payment Date |
| PHP |
$1,000 |
Buffer overflow in HTTP url parsing functions |
| Badoo |
$850 |
Account Takeover |
| Xero |
- |
Vulnerability : XSS Vulnerability |
| LocalTapiola |
$400 |
CRLF injection in https://verkkopalvelu.lahitapiola.fi/ |
| Badoo |
$427 |
Broken Authentication on Badoo |
| Bime |
$150 |
Subdomain takeover due to unclaimed Amazon S3 bucket on a2.bime.io |
| Coinbase |
- |
Inaccurate Payment receipt |
| ownCloud |
- |
doc.owncloud.org has missing PHP handler |
| Veris |
- |
Multiple Stored XSS on Sanbox.veris.in through Veris Frontdesk Android App |
| General Motors |
- |
Content Spoof in opel.es.wpsegment2.gm.com |
| Zomato |
- |
NexTable: Credentials exposure |
| General Motors |
- |
XSS Vulnerability in developer.gm.com |
| General Motors |
- |
Reflected Cross Site Script in m.chevrolet.com.wpsegment5.gm.com |
| General Motors |
- |
Reflected Cross Site Script in imtportal.gm.com |
| Veris |
- |
Multiple Stored XSS |
| Veris |
- |
Critical IDOR - Make Rule for Any Group & Any Venue remotely |
| Veris |
- |
Critical IDOR - Get Rules of any organization remotely |
| Veris |
- |
Critical IDOR - Can select any Parent while creating new Venue |
| Veris |
- |
Critical IDOR - Get venue data of any organization remotely |
| Veris |
- |
Critical IDOR - Get Authentication Details of any Terminal/Gatekeeper |
| Veris |
- |
Critical IDOR - Set anyone's Terminal Data remotely |
| Veris |
- |
Critical IDOR - Get anyone's Terminal Data remotely |
| Veris |
- |
Critical IDOR - Delete any terminal/gatekeeper of any organization remotely |
| Bime |
$250 |
SSRF issue |
| Veris |
- |
Missing Server Side Validation of CSRF Middleware Token in Change Password Request |
| Veris |
- |
Critical IDOR - Delete any rule of any organization remotely |
| Veris |
- |
Critical IDOR - Delete any venue of any organization remotely |
| Veris |
- |
Critical IDOR - Delete any group of any organization remotely |
| Veris |
- |
Critical - Insecure Direct Object Reference - Deleting any member of any organization remotely |
| Gratipay |
$1 |
don't serve hidden files from Nginx |
| OpenSSL |
- |
b2i_PVK_bio heap corruption |
| Pornhub |
$250 |
Public Facing Barracuda Login |
| OpenSSL |
$500 |
BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797) |
| Pornhub |
$2,500 |
Unprotected Memcache Installation running |
| Pornhub |
$50 |
HTTP Track/Trace Method Enabled |
| LeaseWeb |
- |
Found clickjacking vulnerability |
| ownCloud |
- |
DROWN Attack |
| Badoo |
- |
Password modification without knowing actual password & httpOnly bypass |
| LeaseWeb |
- |
Server version is disclosure in http://leasewebnoc.com/ |
| Coinbase |
- |
An adversary can overwhelm the resources by automating Forgot password/Sign Up requests |
| Twitter |
$1,120 |
DOMXSS in Tweetdeck |
| Veris |
- |
Password(s) can be found via login process. |
| Veris |
- |
www.veris.in DOM based XSS |
| Mail.Ru |
$150 |
By pass admin panel [conference.mail.ru] |
| Mail.Ru |
$150 |
By pass admin panel [seminars.mail.ru] |
| HackerOne ★ |
- |
Race Conditions Exist When Accepting Invitations |
| Ubiquiti Networks |
$1,500 |
Read-Only user can execute arbitraty shell commands on AirOS |
| Udemy |
$150 |
Session Takeover vulnerability |
| Shopify |
$500 |
xss in the all widgets of shopifyapps.com |
| Uber ★ |
$500 |
Open Redirection on Uber.com |
| HackerOne ★ |
$500 |
User with Read-Only permissions can edit the Internal comment Activities on Bug Reports After Revoke the team access permissions |
| Twitter |
$280 |
Sub-Domain Takeover |
| InVision |
$500 |
CRITICAL Stored XSS in https://projects.invisionapp.com |
| Udemy |
$150 |
Able to view others' gifts on /gift/share URL, giftId is predictable, and easy to manipulate |
| New Relic |
- |
CSRF - Regenerate all admin api keys |
| Coinbase |
$500 |
Misconfiguration in 2 factor allows sensitive data expose |
| New Relic |
- |
Reflected XSS on Signup Page |
| Cakebet |
- |
Sender policy framework (SPF) records evaluation return (Too many DNS lookups) error |
| Twitter |
$2,520 |
Tweet Deck XSS- Persistent- Group DM name |
| HackerOne ★ |
$500 |
Distinguish EP+Private vs Private programs in HackerOne |
| Veris |
- |
Stored XSS |
| Veris |
- |
Password reset link is not Expiring |
| Algolia |
$1,000 |
API Key added for one Indices works for all other indices too. |
| OpenSSL |
$500 |
CVE-2016-0799 memory issues in BIO_*printf functions |
| ThisData |
- |
Login CSRF using Google OAuth |
| HackerOne ★ |
- |
User with Read-Only permissions can edit the SwagAwarded Activities on Bug Reports |
| HackerOne ★ |
$500 |
User with Read-Only permissions can manually public disclosure the report |
| Shopify |
$500 |
File name and folder enumeration. |
| HackerOne ★ |
- |
Abusing HOF rankings in limited circumstances |
| HackerOne ★ |
- |
Denial of Service any Report |
| Coinbase |
$200 |
XSSI (Cross Site Script Inclusion) |
| HackerOne ★ |
$500 |
CSV Injection at the CSV export feature |
| KIWI.KI GmbH |
- |
Subdomain takeover : URGENT |
| Mail.Ru |
- |
Утечка информации через JSONP (XXSI) |
| Shopify |
- |
Injection via CSV Export feature in Admin Orders |
| QIWI |
$150 |
Content Spoofing in mango.qiwi.com |
| Gratipay |
- |
X-Content-Type Header Missing For aspen.io |
| GitLab |
- |
Markdown based stored XSS (IE only) |
| VK.com |
$100 |
Дорк |
| Mail.Ru |
$500 |
Admin panel access restrictions bypass [poll.mail.ru/admin/] |
| LeaseWeb |
- |
MISSING SPF RECORDS & MISSING DKIM POLICY |
| Gratipay |
$1 |
limit number of images in statement |
| LeaseWeb |
- |
Apache version disclosed on developer.leaseweb.com |
| LeaseWeb |
- |
Directory Listening |
| Zendesk |
$50 |
Stored XSS via Angular Expression injection on developer.zendesk.com |
| Gratipay |
$1 |
strengthen Diffie-Hellman (DH) key exchange parameters in grtp.co |
| Shopify |
$500 |
XSS in Draft Orders in Timeline i SHOPIFY Admin Site! |
| LeaseWeb |
- |
PHP and Web Server version disclosed on leasewebnoc.com |
| Gratipay |
$1 |
stop serving grtp.co over HTTP |
| Gratipay |
$10 |
DMARC is misconfigured for grtp.co |
| Gratipay |
- |
Login csrf. |
| Uber ★ |
$3,000 |
Reflected XSS on Uber.com careers |
| Gratipay |
$10 |
Prevent content spoofing on /~username/emails/verify.html |
| Mail.Ru |
- |
Stored XSS на street-combats.mail.ru |
| Gratipay |
$2 |
SPF/DKIM/DMARC for aspen.io |
| Mail.Ru |
$250 |
SSRF на element.mail.ru |
| Gratipay |
$2 |
SPF/DKIM/DMARC for grtp.co |
| Gratipay |
$1 |
limit HTTP methods on other domains |
| Gratipay |
$10 |
Email Forgery through Mandrillapp SPF |
| Uber ★ |
$250 |
Multiple Vulnerabilities (Including SQLi) in love.uber.com |
| Informatica |
- |
[informatica.com] Blind SQL Injection |
| Uber ★ |
$3,000 |
XSS @ love.uber.com |
| Gratipay |
$10 |
No Valid SPF Records. |
| HackerOne ★ |
$500 |
Increase number of bugs by sending duplicate of your own valid report |
| Zopim |
$100 |
Chat History CSV Export Excel Injection Vulnerability |
| Paragon Initiative Enterprises |
- |
Spf |
| Legal Robot |
$20 |
SSL Issue on legalrobot.com |
| HackerOne ★ |
$500 |
Private Program Disclosure in /:handle/settings/allow_report_submission.json endpoint |
| Gratipay |
- |
UDP port 5060 (SIP) Open |
| VK.com |
$200 |
vk.com/login.php |
| Algolia |
- |
PHP version disclosed on blog.algolia.com |
| Gratipay |
- |
server calendar and server status available to public |
| Gratipay |
- |
proxy port 7000 and shell port 514 not filtered |
| Legal Robot |
$20 |
SPF Issue |
| Legal Robot |
$120 |
Remote Code Execution (upload) |
| Mail.Ru |
$600 |
VERY DANGEROUS XSS STORED inside emails |
| Gratipay |
- |
Markdown parsing issue enables insertion of malicious tags |
| Mail.Ru |
$150 |
[3k.mail.ru] SQL Injection |
| Ubiquiti Networks |
$1,000 |
Auth bypass on directory.corp.ubnt.com |
| General Motors |
- |
E-mail Spoof in media.gm.com |
| Slack |
$100 |
an xss issue in https://hunter22.slack.com/help/requests/793043 |
| General Motors |
- |
Content Spoof in webcaps.ecomm.gm.com |
| Gratipay |
$1 |
The POODLE attack (SSLv3 supported) for https://grtp.co/ |
| Gratipay |
- |
nginx SPDY heap buffer overflow for https://grtp.co/ |
| New Relic |
- |
open redirection at login |
| WePay |
$150 |
2-step Verification bypass |
| Python |
$1,000 |
Type confusion in partial.setstate, partial_repr, partial_call leads to memory corruption, reliable control flow hijack |
| ownCloud |
- |
owncloud.com: Persistent XSS In Account Profile |
| New Relic |
- |
Potential Subdomain Takeover - http://storefront.newrelic.com/ |
| Sucuri |
$500 |
Manipulating of Sucuri.net (List Subscription) Emails (HTML/Script Injection) |
| HackerOne ★ |
- |
Null byte injection |
| New Relic |
- |
Unauthorized Access |
| General Motors |
- |
Reflected Cross Site Script in www.gmcar.gm.com |
| Paragon Initiative Enterprises |
- |
file full path discloser. |
| HackerOne ★ |
$500 |
Private Program Disclosure in /:handle/reports/draft.json endpoint |
| HackerOne ★ |
$5,000 |
Private program activity timeline information disclosure |
| Shopify |
$500 |
XSS on hardware.shopify.com |
| Imgur |
$1,000 |
SSRF / Local file enumeration / DoS due to improper handling of certain file formats by ffmpeg |
| New Relic |
- |
[download.newrelic.com] Access to private directories |
| New Relic |
- |
[login.newrelic.com] XSS via return_to |
| Imgur |
$800 |
SSRF and local file read in video to gif converter |
| Legal Robot |
$20 |
Rate limiting on Email confirmation link |
| Legal Robot |
- |
Rate limiting on password reset links |
| Imgur |
$2,000 |
SSRF in https://imgur.com/vidgif/url |
| New Relic |
- |
SUBDOMAIN TAKEOVER(FIXED) |
| Zomato |
- |
Two XSS vulns in widget parameters (all_collections.php and o2.php) |
| Paragon Initiative Enterprises |
- |
Email Spoof |
| Urban Dictionary |
- |
Cross-Site Scripting Vulnerability in urbandictionary.com |
| Zomato |
- |
XSS via modified Zomato widget (res_search_widget.php) |
| Paragon Initiative Enterprises |
- |
Missing SPF for paragonie.com |
| Paragon Initiative Enterprises |
$50 |
Full Path Disclosure |
| Paragon Initiative Enterprises |
- |
CSRF AT SUBSCRIBE TO LIST |
| Paragon Initiative Enterprises |
- |
Missing SPF for paragonie.com |
| Paragon Initiative Enterprises |
- |
Blind SQL INJ |
| Paragon Initiative Enterprises |
- |
Missing SPF |
| Mail.Ru |
$300 |
[orsotenslimselfie.lady.mail.ru] SQL Injection |
| Gratipay |
$10 |
prevent content spoofing on /search |
| Gratipay |
$5 |
SPF DNS Record |
| Paragon Initiative Enterprises |
- |
SSL certificate public key less than 2048 bit |
| Paragon Initiative Enterprises |
- |
Missing SPF records for paragonie.com |
| Zomato |
- |
XSS and CSRF in Zomato Contact form |
| Paragon Initiative Enterprises |
- |
DNSsec not configured |
| Paragon Initiative Enterprises |
- |
Email Authentication bypass Vulnerability |
| Paragon Initiative Enterprises |
- |
Email spoofing |
| Keybase |
$50 |
Content spoofing due to the improper behavior of the not-found meesage |
| Paragon Initiative Enterprises |
- |
Information Disclosure in Error Page |
| Paragon Initiative Enterprises |
- |
Missing SPF for https://paragonie.com/ |
| Uber ★ |
- |
Unauthorized file (invoice) download |
| HackerOne ★ |
$500 |
Putting link inside link in markdown |
| Zomato |
- |
Weak Password Policy |
| Keybase |
$350 |
Race conditions can be used to bypass invitation limit |
| Zomato |
- |
Persistent input validation mail encoding vulnerability in the "just followed you" email notification. |
| New Relic |
- |
Basic Authorization over HTTP |
| New Relic |
- |
Html injection in monitor name textbox |
| New Relic |
- |
Unsafe HTML in reset password email and Account verification in email is missing in Sign up |
| New Relic |
- |
A Signup page does not properly validate the authenticity token at the server side. |
| New Relic |
- |
A Log in page does not properly validate the authenticity token at the server side |
| New Relic |
- |
No validation on account names |
| Keybase |
$250 |
Remote Server Restart Lead to Denial of Service by only one Request. |
| Zomato |
- |
Several XSS affecting Zomato.com and developers.zomato.com |
| Mapbox |
$200 |
Content Spoofing and Local Redirect in Mapbox Studio |
| VK.com |
$2,500 |
Внедрение внешних сущностей в функционале импорта пользователей YouTrack |
| Shopify |
$500 |
CSRF on https://shopify.com/plus |
| Zomato |
- |
Remote File Upload Vulnerability in business-blog.zomato.com |
| Mail.Ru |
- |
[touch.lady.mail.ru] CRLF Injection |
| Twitter |
$2,520 |
Bypassing Digits web authentication's host validation with HPP |
| Zomato |
- |
Cross Site Scripting - type Patameter |
| Snapchat |
$1,000 |
Subdomain takeover in http://support.scan.me pointing to Zendesk (a Snapchat acquisition) |
| Zomato |
- |
Twitter Disconnect CSRF |
| Keybase |
$250 |
Remote Server Restart Lead to Denial of Server by only one Request. |
| Ruby on Rails |
- |
Remote code execution using render :inline |
| Zomato |
- |
Subdomain Takeover |
| Zomato |
- |
CSRF AT INVITING PEOPLE THOUGH PHONE NUMBER |
| Zomato |
- |
CSRF AT SELECTING ZAMATO HANDLE |
| Ruby on Rails |
- |
Regarding [CVE-2016-0752] Possible Information Leak Vulnerability in Action View |
| Paragon Initiative Enterprises |
- |
Cross-domain AJAX request |
| Mail.Ru |
- |
[api.login.icq.net] Reflected XSS |
| Mail.Ru |
- |
[api.login.icq.net] Open Redirect |
| OpenSSL |
$2,500 |
OpenSSL Key Recovery Attack on DH small subgroups (CVE-2016-0701) |
| ownCloud |
- |
No Any Kind of Protection on Delete account |
| Paragon Initiative Enterprises |
$50 |
Open-redirect on paragonie.com |
| HackerOne ★ |
$500 |
Multiple issues with Markdown and URL parsing |
| withinsecurity |
$250 |
WordPress Failure Notice page will generate arbitrary hyperlinks |
| HackerOne ★ |
$500 |
Unintended HTML inclusion as a result of https://hackerone.com/reports/110578 |
| Gratipay |
- |
grtp.co is vulnerable to http-vuln-cve2011-3192 |
| Mail.Ru |
$300 |
[afisha.mail.ru] SQL Injection |
| Coinbase |
$1,000 |
Session Issue Maybe Can lead to huge loss [CRITICAL] |
| Binary.com |
$250 |
Full takeover of some binary.com sub domains |
| ownCloud |
- |
owncloud.help: Text Injection |
| Mail.Ru |
- |
Logical Vulnerability : REDIRECTING on pw.mail.ru by Parameter Spoofing |
| Bime |
$100 |
The JDBC driver used by the Vertica connector allows to create files on the backends |
| Bime |
$1,000 |
SSRF in the Connector Designer (REST and Elastic Search) |
| Bime |
$750 |
XXE in the Connector Designer |
| Udemy |
- |
Stored XSS |
| General Motors |
- |
XSS on gmchat.gm.com |
| General Motors |
- |
Full Path Disclosure on gmchat.gm.com |
| HackerOne ★ |
$500 |
Interstitial redirect bypass / open redirect in https://hackerone.com/zendesk_session |
| Mail.Ru |
$150 |
[allods.my.com] SSRF / XSPA |
| Zendesk |
$100 |
[CRITICAL] HTML injection issue leading to account take over |
| HackerOne ★ |
- |
Report title and issue information prepopulated |
| withinsecurity |
$250 |
Error Page Text Injection #106350 |
| Khan Academy |
- |
XSS vulnerability in "/coach/roster/" ( create your first class) |
| Imgur |
$50 |
Big Bug in SSL : breach compression attack (CVE-2013-3587) affect imgur.com |
| HackerOne ★ |
- |
attack in not an authorized user |
| Shopify |
$500 |
Full access to Amazon S3 bucket containing AWS CloudTrail logs |
| Mail.Ru |
- |
[3k.mail.ru] Content Spoofing |
| Automattic |
$75 |
XSS at wordpress.com |
| Shopify |
$500 |
www.shopify.com XSS via third-party script |
| Trello |
$1,152 |
DOM based XSS via Wistia embedding |
| VK.com |
$100 |
Checking whether user liked the media or not even when you are blocked |
| Vimeo |
$100 |
Legacy API exposes private video titles |
| Automattic |
$75 |
XSS at www.woothemes.com |
| Pornhub |
$1,500 |
[ssrf] libav vulnerable during conversion of uploaded videos |
| ownCloud |
- |
The csrf token remains same after user logs in |
| Shopify |
$500 |
Attach Pinterest account - no State/CSRF parameter in Oauth Call back |
| Shopify |
$500 |
Twitter Disconnect CSRF |
| HackerOne ★ |
$500 |
CSV Injection via the CSV export feature |
| Binary.com |
- |
XSS |
| withinsecurity |
$250 |
Content Spoofing OR Text Injection in https://withinsecurity.com |
| Gratipay |
$15 |
Sub Domian Take over |
| Automattic |
$250 |
Internal GET SSRF via CSRF with Press This scan feature |
| ownCloud |
$250 |
Information Exposure Through Directory Listing CVE-2016-1499 |
| HackerOne ★ |
$500 |
HTML injection can lead to data theft |
| Twitter |
$5,040 |
Bypassing Digits bridge origin validation |
| Perl |
$1,000 |
Perl 5.22 VDir::MapPathA/W Out-of-bounds Reads and Buffer Over-reads |
| Phabricator |
$300 |
Extended policy checks are buggy |
| Udemy |
$25 |
CSRF in Udemy.com |
| Binary.com |
- |
HTML injection via 'underlying' parameter |
| Coinbase |
$200 |
Direct URL access to completed reports |
| Coinbase |
- |
The 'Create a New Account' action is vulnerable to CSRF |
| Ubiquiti Networks |
$500 |
Subdomain Takeover in http://assets.goubiquiti.com/ |
| HackerOne ★ |
$500 |
User with Read-Only permissions can request/approve public disclosure |
| General Motors |
- |
refelected Xss on https://gmid.gm.com/gmid/jsp/GMIDInitialLogin.jsp |
| HackerOne ★ |
- |
Requesting unknown file type returns Ruby object w/ address |
| General Motors |
- |
gmmovinparts.com SQLi via forgot_password.jsp |
| Mail.Ru |
- |
Multiple vulnerabilities in mail.ru subdomains |
| General Motors |
- |
XSS in GM |
| Mail.Ru |
$150 |
[parapa.mail.ru] SQL Injection |
| PHP |
$1,000 |
Use After Free in sortWithSortKeys() |
| Gratipay |
- |
Directory Listing on grtp.co |
| Gratipay |
$5 |
HTTP trace method is enabled |
| HackerOne ★ |
- |
Signals get affected once reports closed as self |
| Ruby on Rails |
- |
Validation bypass for Active Record and Active Model |
| ownCloud |
- |
Mixed Active Scripting Issue on stats.owncloud.org |
| Gratipay |
- |
Harden resend throttling |
| ownCloud |
- |
otrs.owncloud.com: Reflected Cross-Site Scripting |
| Twitter |
$2,520 |
Bypassing callback_url validation on Digits |
| ownCloud |
$350 |
Exploiting unauthenticated encryption mode |
| HackerOne ★ |
- |
HackerOne is still prone to Internet Explorer UXSS |
| Ubiquiti Networks |
$150 |
Reflected File Download in community.ubnt.com/restapi/ |
| VK.com |
$500 |
API: Bug in method auth.signup , дающий возможность бесконечно звонить |
| ownCloud |
- |
[https://test1.owncloud.com/owncloud6/] Guessable password used for admin user |
| Mail.Ru |
$150 |
[cfire.mail.ru] Time Based SQL Injection |
| Mail.Ru |
- |
XSS at forum : |
| Mail.Ru |
$500 |
reflected in xss |
| HackerOne ★ |
$500 |
Team Member(s) associated with a Group have Read-only permission (Post internal comments) can post comment to all the participants |
| WePay |
$100 |
Unauthenticated Stored XSS in API Panel |
| Automattic |
$50 |
Possible Timing Side-Channel in XMLRPC Verification |
| GlassWire |
$100 |
GlassWireSetup.exe subject to EXE planting attack |
| Imgur |
$150 |
XSS in imgur mobile 3 |
| Imgur |
$150 |
XSS in imgur mobile |
| Shopify |
$500 |
Stored XSS in /admin/orders |
| Informatica |
- |
[rev-app.informatica.com] - XXE via SAML |
| VK.com |
$100 |
Добавление в меню сообщества без ведома пользователя (нажатия пользователем) |
| Informatica |
- |
[marketplace.informatica.com] - XXE |
| Informatica |
- |
[marketplace.informatica.com] - XXE |
| Zendesk |
$500 |
Stored XSS in comments |
| Informatica |
- |
[now.informatica.com] Reflective XSS |
| Shopify |
$500 |
Strored Cross Site Scripting |
| PHP |
$1,000 |
Format string vulnerability in zend_throw_or_error() |
| Shopify |
$500 |
HTTP-Response-Splitting on v.shopify.com |
| Maximum |
$20 |
Application error message |
| CloudFlare |
- |
Clickjacking : https://partners.cloudflare.com/ |
| Coinbase |
$100 |
Race condition allowing user to review app multiple times |
| withinsecurity |
$250 |
text injection can be used in phishing 404 page should not include attacker text |
| Algolia |
$100 |
text injection can be used in phishing 404 page should not include attacker text |
| Coinbase |
- |
Potential for Double Spend via Sign Message Utility |
| HackerOne ★ |
$500 |
Improve signals in reputation |
| Shopify |
$500 |
Reflective XSS on wholesale.shopify.com |
| HackerOne ★ |
$500 |
Team Member(s) associated with a Custom Group Created with 'Program Managment' only permissions can Comments on Bug Reports |
| ownCloud |
- |
owncloud.com: Parameter pollution in social sharing buttons |
| Shopify |
$500 |
"Remember me" token generated when "Remember me" box unchecked |
| ownCloud |
- |
XXE at host vpn.owncloud.com |
| GlassWire |
$100 |
DLL Hijacking Vulnerability in GlassWireSetup.exe |
| HackerOne ★ |
$500 |
Parameter pollution in social sharing buttons |
| HackerOne ★ |
$500 |
Know whether private program for company exist or not |
| Informatica |
- |
XXE in upload file feature |
| Informatica |
- |
[app.informaticaondemand.com] XXE |
| LeaseWeb |
$100 |
DOM Based XSS in Checkout |
| Shopify |
$500 |
many xss in widgets.shopifyapps.com |
| Phabricator |
- |
libphutil: removing bytes from a PhutilRope does not work as intended |
| Pornhub |
$50 |
[crossdomain.xml] Dangerous Flash Cross-Domain Policy |
| Pornhub |
$250 |
PornIQ Reflected Cross-Site Scripting |
| Imgur |
$150 |
risk of having secure=false in a crossdomain.xml |
| Informatica |
- |
[rev-app.informatica.com] - XXE |
| Instacart |
$100 |
Cookie-Based Injection |
| Shopify |
- |
[livechat.shopify.com] Cookie bomb at customer chats |
| Square Open Source |
$2,000 |
Unsafe usage of Ruby string interpolation enabling command injection in git-fastclone |
| ownCloud |
- |
directory listing in https://demo.owncloud.org/doc/ |
| Shopify |
$500 |
CSRF in Connecting Pinterest Account |
| Instacart |
$100 |
Cross-Site Scripting Reflected On Main Domain |
| Zopim |
$100 |
[status.zopim.com] Open Redirect |
| Coinbase |
- |
XXE in OAuth2 Applications gallery profile App logo |
| Automattic |
$75 |
XSS on codex.wordpress.org |
| Coinbase |
$200 |
HTML injection in apps user review |
| QIWI |
$200 |
[rubm.qiwi.com] Yui charts.swf XSS |
| Square Open Source |
$2,000 |
git-fastclone allows arbitrary command execution through usage of ext remote URLs in submodules |
| Shopify |
$1,000 |
shopifyapps.com XSS on sales channels via currency formatting |
| Slack |
$1,000 |
Trick make all fixed open redirect links vulnerable again |
| Python |
$500 |
tokenizer crash when processing undecodable source code |
| Python |
$1,000 |
PyFloat_FromString & PyNumber_Long Buffer Over-reads |
| PHP |
- |
Improved fix for bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow) CVE-2015-4643 |
| PHP |
$500 |
Memory Corruption in phar_parse_tarfile when entry filename starts with null CVE-2015-4021 |
| PHP |
$500 |
invalid pointer free() in phar_tar_process_metadata() CVE-2015-3307 |
| Python |
$500 |
use after free in load_newobj_ex |
| Python |
$500 |
array.fromstring Use After Free |
| Python |
$1,000 |
bytearray.find Buffer Over-read |
| Python |
$500 |
hotshot pack_string Heap Buffer Overflow |
| Python |
$500 |
audioop.adpcm2lin Buffer Over-read |
| Python |
$500 |
audioop.lin2adpcm Buffer Over-read |
| PHP |
$500 |
Files extracted from archive may be placed outside of destination directory CVE-2015-6833 |
| PHP |
$1,500 |
Multiple Use After Free Vulnerabilites in unserialize() CVE-2015-6831 |
| PHP |
$1,000 |
Arbitrary code execution in str_ireplace function CVE-2015-6527 |
| PHP |
$1,000 |
Dangling pointer in the unserialization of ArrayObject items CVE-2015-6832 |
| PHP |
$500 |
curl_setopt_array() type confusion |
| The Internet |
$1,000 |
libcurl duphandle read out of bounds CVE-2014-3707 |
| PHP |
$500 |
heap buffer overflow in enchant_broker_request_dict() CVE-2014-9705 |
| PHP |
$500 |
Integer overflow in unserialize() (32-bits only) CVE-2014-3669 |
| PHP |
$500 |
AddressSanitizer reports a global buffer overflow in mkgmtime() function CVE-2014-3668 |
| PHP |
$1,500 |
SOAP serialize_function_call() type confusion / RCE CVE-2015-6836 |
| PHP |
$500 |
zend_throw_or_error() format string vulnerability |
| PHP |
$1,000 |
Uninitialized pointer in phar_make_dirstream CVE-2015-7804 |
| PHP |
$1,000 |
Buffer over-read in exif_read_data with TIFF IFD tag |
| PHP |
$500 |
Null pointer deref (segfault) in spl_autoload via ob_start |
| PHP |
$500 |
null pointer deref (segfault) in zend_eval_const_expr |
| PHP |
$500 |
Mem out-of-bounds write (segfault) in ZEND_ASSIGN_DIV_SPEC_CV_UNUSED_HANDLER |
| Python |
$1,000 |
Python deque.index() uninitialized memory |
| Python |
$500 |
Python scan_eol() Buffer Over-read |
| Python |
$500 |
time_strftime() Buffer Over-read |
| Python |
$500 |
Python xmlparse_setattro() Type Confusion |
| PHP |
$500 |
Use after free vulnerability in unserialize() with GMP |
| PHP |
$500 |
Use After Free Vulnerability in session deserializer CVE-2015-6835 |
| PHP |
$1,000 |
Use After Free Vulnerability in unserialize() CVE-2015-6834 |
| PHP |
$1,000 |
Use After Free Vulnerability in unserialize() with SplObjectStorage CVE-2015-6834 |
| PHP |
$1,000 |
Use After Free Vulnerability in unserialize() with SplDoublyLinkedList CVE-2015-6834 |
| Python |
$500 |
Python 3.3 - 3.5 product_setstate() Out-of-bounds Read |
| Ruby |
$1,500 |
Request Hijacking Vulnerability In RubyGems 2.4.6 And Earlier CVE-2015-3900 |
| Python |
$500 |
Integer overflow in _Unpickler_Read |
| Apache httpd |
$500 |
mod_lua: Crash in websockets PING handling CVE-2015-0228 |
| PHP |
$500 |
Null pointer dereference in phar_get_fp_offset() CVE-2015-7803 |
| Khan Academy |
- |
Escaping the iframe via exceptions |
| HackerOne ★ |
$2,500 |
CSRF possible when SOP Bypass/UXSS is available |
| Shopify |
$500 |
Open Redirect at *.myshopify.com/account/login?checkout_url= |
| CERT/CC |
- |
manipulate the Practical HTTP Host header |
| Urban Dictionary |
- |
URGENT - Subdomain Takeover in support.urbandictionary.com pointing to Zendesk |
| Shopify |
$500 |
[CSRF] Install premium themes |
| Imgur |
- |
Attack User Privacy Settings - X-Frame-Options missing on m.imgur.com/user/username/settings |
| Algolia |
$100 |
Stored XSS in name selection |
| ok.ru |
$500 |
Обход защиты от csrf-ок в m.ok.ru |
| withinsecurity |
$250 |
content injection |
| ok.ru |
$500 |
Same-Origin Policy Bypass #2 |
| ok.ru |
$500 |
Same-Origin Policy bypass on main domain - ok.ru |
| Zendesk |
$500 |
[CRITICAL] CSRF leading to account take over |
| Sucuri |
$250 |
XSS Vuln in Sucuri Security - Auditing, Malware Scanner |
| Binary.com |
$75 |
Cookie bug |
| Imgur |
- |
Login to any user account using other facebook app access token |
| Shopify |
$500 |
Open redirect using theme install |
| Ubiquiti Networks |
$200 |
account.ubnt.com CSRF |
| Shopify |
$500 |
XSS in creating tweets |
| Maximum |
$20 |
RC4 cipher suites detected |
| Maximum |
$10 |
SSL certificate invalid date |
| Maximum |
$40 |
RC4 cipher suites detected |
| Automattic |
$75 |
Remove anyone's pic gravtar |
| Pornhub |
$250 |
Reflected Cross-Site Scripting on French subdomain |
| Twitter |
$140 |
Subdomain Expired |
| InVision |
$300 |
Stored Cross-Site Scripting on █████████ (with small user interaction) |
| Uber ★ |
$500 |
Drivers can change profile picture |
| Shopify |
- |
Cookie securing your "Opening soon" store is not secured against XSS |
| Shopify |
$500 |
An administrator without any permission is able to get order notifications using his APNS Token. |
| Twitter |
$560 |
xss in link items (mopub.com) |
| Yelp |
$1,500 |
Access to internal CMS containing private Data |
| Imgur |
$5,500 |
Imgur dev environments facing the Internet |
| Twitter |
$560 |
URGENT : NICHE.co Account Take Over Vulnerability |
| Coinbase |
$5,000 |
Stored-XSS in https://www.coinbase.com/ |
| Twitter |
$560 |
Add tweet to collection CSRF |
| Mail.Ru |
- |
Reflected XSS on hi-tech.mail.ru |
| Shopify |
- |
CSV Excel Macro Injection Vulnerability in export list of current users - app.shopify.com |
| Slack |
- |
Executing scripts on slack-files.com using SVG |
| Pornhub |
$250 |
Cross Site Scripting - On Mouse Over, Blog page |
| Pornhub |
$250 |
[xss, pornhub.com] /user/[username], multiple parameters |
| HackerOne ★ |
$1,000 |
Pre-generation of 2FA secret/backup codes seems like an unnecessary risk |
| Mail.Ru |
- |
[tz.mail.ru] XSS в функционале авторизации |
| QIWI |
$100 |
Open Redirect in meeting.qiwi.com |
| Coinbase |
$500 |
Transactions visible on Unconfirmed devices |
| Algolia |
$200 |
User with limited access to Index configuration can rename the Index |
| drchrono |
$100 |
Request Accepts without X-CSRFToken [ Header - Cookie ] |
| HackerOne ★ |
$500 |
Limited CSRF bypass. |
| HackerOne ★ |
- |
profile cover can also load external URL's |
| Mail.Ru |
- |
[w1.dwar.ru] Core Dump |
| drchrono |
$100 |
CSRF Add Album On onpatient.com |
| Boozt Fashion AB |
$100 |
Reflected XSS on www.boozt.com |
| Badoo |
$153 |
Open redirect helps to steal Facebook access_token |
| Uber ★ |
$1,000 |
Mass Assignment Vulnerability in partners.uber.com |
| Shopify |
$500 |
deleted staff member can add his amazon marketplace web services account to the store. |
| Algolia |
$100 |
an xss issue |
| Shopify |
$500 |
[CSRF] Activate PayPal Express Checkout |
| QIWI |
$3,137 |
XML External Entity (XXE) in qiwi.com + waf bypass |
| Mail.Ru |
- |
[gitmm.corp.mail.ru] Auth Bypass, Information Disclosure |
| Mail.Ru |
- |
[otus.p.mail.ru] CRLF Injection |
| Mail.Ru |
- |
[otus.p.mail.ru] Full Path Disclosure |
| Mapbox |
$1,000 |
XSS in L.mapbox.shareControl in mapbox.js |
| Slack |
$100 |
RC4 cipher suites detected on status.slack.com |
| Mail.Ru |
- |
[opensource.mail.ru] Debug Mode |
| Shopify |
$1,000 |
S3 Buckets open to the world thanks to 'Authenticated Users' ACL |
| ownCloud |
- |
RCE in ci.owncloud.com / ci.owncloud.org |
| Shopify |
$500 |
Apps can access 'channels' beta api |
| Binary.com |
$50 |
Email Verification Link can be Used as Password Reset Link! |
| Twitter |
$280 |
Urgent : Disclosure of all the apps with hash ID in mopub through API request (Authentication bypass) |
| QIWI |
$200 |
XSS Reflected in test.qiwi.ru |
| Shopify |
$1,500 |
'Limited' RCE in certain places where Liquid is accepted |
| Binary.com |
$300 |
login to any user's cashier account and full account information disclosure |
| Shopify |
- |
Non-owner user can remove online store channel and re-add it. |
| itBit Exchange |
$100 |
No password length restriction denial of service |
| Algolia |
$100 |
Stored XSS on https://www.algolia.com/realtime-search-demo/* |
| HackerOne ★ |
$2,500 |
Cross-domain AJAX request |
| Imgur |
$150 |
XSS m.imgur.com |
| Slack |
$100 |
Reflected Self-XSS in Slack |
| Twitter |
$1,120 |
File Upload XSS in image uploading of App in mopub |
| Slack |
$200 |
File upload XSS (Java applet) on http://slackatwork.com/ |
| Binary.com |
- |
User Enumeration : Due to rate limiting on registration |
| Shopify |
$500 |
List of devices is accessible regardless of the account limitations |
| Twitter |
$280 |
Following a User After Favoriting Actually Follows Another User (related to #95243) |
| Shopify |
$500 |
SVG parser loads external resources on image upload |
| Shopify |
$500 |
Staff members with no permission can access to the files, uploaded by the administrator |
| Mail.Ru |
$300 |
Potential SSRF in sales.mail.ru |
| HackerOne ★ |
- |
Hackerone impersonation |
| Mail.Ru |
- |
[allods.my.com] Full Path Disclosure |
| Mail.Ru |
- |
[allods.my.com] Full SQL Disclosure |
| ok.ru |
$250 |
Multiple critical vulnerabilities in Odnoklassniki Android application |
| HackerOne ★ |
$1,000 |
HTTP header injection in info.hackerone.com allows setting cookies for hackerone.com |
| HackerOne ★ |
$2,500 |
Send AJAX request to external domain |
| Twitter |
$1,120 |
Can see private tweets via keyword searches on tweetdeck |
| Shopify |
$500 |
An administrator without the 'Settings' permission is able to see payment gateways |
| Shopify |
$500 |
A 'Full access' administrator is able to see the shop owners user details |
| Shopify |
$500 |
Staff members with no permission to access domains can access them. |
| Keybase |
$50 |
Un-handled exception leads to Information Disclosure |
| itBit Exchange |
- |
email not required to be unique |
| Badoo |
$310 |
crossdomain.xml too permissive on eu1.badoo.com, us1.badoo.com, etc. |
| Snapchat |
$1,500 |
Password Reset - query param overrides postdata |
| Mail.Ru |
- |
[it.mail.ru] Open Redirect |
| Shopify |
$500 |
Missing of csrf protection |
| Imgur |
$50 |
Persistent XSS in https://p.imgur.com/albumview.gif and http://p.imgur.com/imageview.gif / post statistics |
| Mail.Ru |
- |
Reflected XSS. |
| Slack |
$500 |
Stored XSS in Slack (weird, trial and error) |
| withinsecurity |
- |
DDOS using xmlrpc.php |
| Vimeo |
$250 |
XSS on player.vimeo.com without user interaction and vimeo.com with user interaction |
| withinsecurity |
- |
Uses unsafe-inline without nonce |
| Shopify |
- |
Domain takoever - https://sellocdn.com |
| Binary.com |
$75 |
Http Response Splitting - Validate link |
| itBit Exchange |
$50 |
user-agent Content spoofing |
| Mail.Ru |
- |
[allods.mail.ru] Reflected XSS |
| Mail.Ru |
$300 |
[api.allodsteam.com] Authentication Data |
| Udemy |
- |
Reflected XSS and/or malicious redirection via JWPlayer 6 configuration modification |
| Binary.com |
$50 |
Cross Site Scripting |
| Shopify |
$500 |
Privilege escalation and circumvention of permission to limited access user |
| Imgur |
$250 |
Persistent XSS in image title |
| Twitter |
$280 |
CSRF on cards API |
| Twitter |
$5,040 |
IDOR- Activate Mopub on different organizations- steal api token- Fabric.io |
| Shopify |
$500 |
Unauthorized access to any Store Admin's First & Last name |
| Twitter |
$280 |
Following a User Actually Follows Another User |
| Twitter |
$280 |
XSS in the "Poll" Feature on Twitter.com |
| Mail.Ru |
- |
Reflected XSS. |
| InVision |
- |
X-Frame-Options Header Not Set |
| Shopify |
$500 |
Reflected XSS in cart at hardware.shopify.com |
| Coinbase |
- |
Balance Manipulation - BUG |
| Shopify |
$4,000 |
Paid account can review\download any invoice of any other shop |
| Whisper |
$30 |
SMS Invite Form Abuse |
| Whisper |
$30 |
Host Header Injection/Redirection |
| Ruby on Rails |
- |
http_basic_authenticate_with is suseptible to timing attacks. |
| Mail.Ru |
- |
Reflective Xss on news.mail.ru and admin.news.mail.ru |
| Shopify |
$500 |
Some S3 Buckets are world readable (and one is world writeable) |
| HackerOne ★ |
- |
Minimum bounty of a private program is visible for users that were removed from the program |
| Zopim |
$1,000 |
Cross-site Scripting in all Zopim |
| Shopify |
$1,500 |
Arbitrary read on s3://shopify-delivery-app-storage/files |
| Shopify |
$2,500 |
Unauthorized access to all collections, products, pages from other stores |
| Shopify |
$500 |
Bypassing password requirement during deletion of accout |
| FanFootage |
- |
XSS by image file name |
| Shopify |
$2,000 |
Arbitrary write on s3://shopify-delivery-app-storage/files |
| Shopify |
$500 |
Missing authorization check on dashboard overviews |
| Shopify |
$500 |
get users information without full access |
| Adobe |
- |
Reflected XSS via. search |
| Shopify |
$1,000 |
Unauthenticated access to details of hidden products in any shop via title emuneration |
| Shopify |
$500 |
First & Last Name Disclosure of any Shopify Store Admin |
| Gratipay |
- |
SPF Protection not used, I can hijack your email server |
| Imgur |
- |
Csrf near report abuse meme |
| WePay |
$100 |
Subdomain Takeover in http://staging.wepay.com/ pointing to Fastly |
| VK.com |
$100 |
Способ узнать имя человека и ВУЗ удаленной страницы |
| Shopify |
$2,000 |
unauthorized access to all collections name |
| Keybase |
- |
xss |
| Coinbase |
$100 |
SPF records not found |
| HackerOne ★ |
- |
HackerOne Private Programs users disclosure and de-anonymous-ize |
| ownCloud |
- |
apps.owncloud.com: Referer protection Bypassed |
| Shopify |
- |
The POS Firmware is leaking the root Password which can be used for unauthorized access to the device. |
| HackerOne ★ |
- |
Content spoofing on invitations page |
| Shopify |
$500 |
Accessing Payments page and adding payment methods with limited access accounts |
| Badoo |
$456 |
Tokens from services like Facebook can be stolen |
| Shopify |
$2,500 |
unauthorized access to all customers first and last name |
| Automattic |
$75 |
CSV Injection in polldaddy.com |
| Trello |
$128 |
CSV Injection |
| Shopify |
$500 |
customers password hash leak!!!! |
| Uber ★ |
$100 |
Issue with Password reset functionality |
| ownCloud |
- |
Self-XSS in mails sent by hello@owncloud.com |
| Trello |
$256 |
Normal User can add new users to group |
| Imgur |
$1,600 |
Server Side Request Forgery In Video to GIF Functionality |
| Imgur |
$50 |
Crossdomain.xml settings on api.imgur.com too open |
| Automattic |
$50 |
WooCommerce: Support Ticket indirect object reference |
| Imgur |
$50 |
Reflected Flash XSS using swfupload.swf with an epileptic reloading to bypass the button-event |
| Imgur |
- |
Content Sniffing not enabled |
| Imgur |
$50 |
"Sign me out everywhere" does not work for desktop sessions |
| Imgur |
- |
Open Url redirection on login with facebook |
| ownCloud |
- |
owncloud.com: WP Super Cache plugin is outdated |
| IRCCloud |
$500 |
Inadequate input validation on API endpoint leading to self denial of service and increased system load. |
| Shopify |
- |
Passwords Returned in Later Responses. |
| Gratipay |
- |
change bank account numbers |
| Gratipay |
- |
implement a cross-domain policy for Adobe products |
| Zendesk |
$50 |
Content Spoofing |
| Mail.Ru |
- |
[ling.go.mail.ru] Server-Status opened for all users |
| Shopify |
$1,000 |
change Login Services settings without owner access |
| Shopify |
$1,000 |
create staff member without owner access |
| Shopify |
$500 |
Privilege escalation vulnerability |
| ownCloud |
- |
No email verification during registration |
| ownCloud |
- |
[s3.owncloud.com] Web Server HTTP Trace/Track Method Support |
| Ruby on Rails |
- |
Nested attributes reject_if proc can be circumvented by providing "_destroy" parameter |
| Zaption |
- |
CSV Excel Macro Injection in Export Response |
| HackerOne ★ |
- |
Minor Bug: Public un-compiled CSS with original sass, versioning, source map, comments, etc. |
| ownCloud |
- |
Apache documentation |
| Coinbase |
$100 |
User email enumuration using Gmail |
| Zopim |
$100 |
CSV Excel Macro Injection Vulnerability in export chat logs |
| Twitter |
$280 |
Tweetdeck (twitter owned app) not revoked |
| VK.com |
$500 |
CSRF в получении резервных токенов+framing , приводящие к компроментации 2fa |
| Zendesk |
$100 |
CSV Excel Macro Injection Vulnerability in export customer tickets |
| Mail.Ru |
- |
Reflected XSS на https://aw.mail.ru/news/ |
| Zendesk |
$100 |
Cross-site Scripting https://www.zendesk.com/product/pricing/ |
| Slack |
$100 |
Self-XSS in posts by formatting text as code |
| BitHunt |
- |
No rate limit or captcha to identify humans |
| ownCloud |
- |
owncloud.com: CVE-2015-5477 BIND9 TKEY Vulnerability + Exploit (Denial of Service) |
| Mail.Ru |
- |
Vulnerability :- "XSS vulnerability" |
| ownCloud |
- |
Apache Range Header Denial of Service Attack (Confirmed PoC) |
| Mail.Ru |
$500 |
XSS: https://light.mail.ru/compose, https://m.mail.ru/compose/[id]/reply при ответе на специальным образом сформированное письмо |
| Twitter |
$2,520 |
Multiple DOMXSS on Amplify Web Player |
| Vimeo |
$200 |
XSS when using captions/subtitles on video player based on Flash (requires user interaction) |
| Phabricator |
$300 |
Information leakage through Graphviz blocks |
| Vimeo |
$100 |
XSS on vimeo.com | "Search within these results" feature (requires user interaction) |
| Vimeo |
- |
XSS on mobile version of vimeo.com where the button "Follow" appears |
| Vimeo |
$1,500 |
XSS on vimeo.com/home after other user follows you |
| ownCloud |
- |
Webview Vulnerablity [OwnCloudAndroid Application] |
| Mail.Ru |
- |
[support.my.com] Internet Explorer XSS |
| Mail.Ru |
- |
[rabota.mail.ru] Open Redirect |
| ownCloud |
- |
gallery_plus: Content Spoofing |
| Udemy |
$100 |
XSS Vulnerability |
| Vimeo |
$200 |
Stored XSS on vimeo.com and player.vimeo.com |
| Coinbase |
$100 |
OAUTH pemission set as true= lead to authorize malicious application |
| Gratipay |
- |
Mail spaming |
| ownCloud |
$25 |
Full Path Disclosure CVE-2016-1501 |
| Shopify |
$500 |
www.shopify.com XSS on blog pages via sharing buttons |
| Twitter |
$2,520 |
XSS on OAuth authorize/authenticate endpoint |
| Keybase |
$500 |
[keybase.io] Open Redirect |
| Anghami |
$100 |
[CRITICAL] Login To Any Account Linked With Google+ With Email Only |
| Anghami |
$300 |
[https://www.anghami.com/updatemailinfo/] Sql Injection |
| Mail.Ru |
- |
xss на нескольких форумах игр от mail.ru (Cross-Site Scripting) |
| HackerOne ★ |
- |
Weak HSTS age in support hackerone site |
| Phabricator |
$450 |
Multiple so called 'type juggling' attacks. Most notably PhabricatorUser::validateCSRFToken() is 'bypassable' in certain cases. |
| Romit |
$250 |
IDOR on remoing Share |
| Vimeo |
$100 |
Reflected XSS on vimeo.com/musicstore |
| ownCloud |
- |
apps.owncloud.com: Potential XSS |
| ownCloud |
- |
apps.owncloud.com: CSRF change privacy settings |
| ownCloud |
- |
Password appears in user name field |
| ownCloud |
- |
apps.owncloud.com: Mixed Active Scripting Issue |
| ownCloud |
- |
apps.owncloud.com: Edit Question didn't check ACLs |
| Vimeo |
$500 |
Stored XSS on player.vimeo.com |
| Mail.Ru |
$150 |
XSS at af.attachmail.ru |
| InVision |
$400 |
Deleting a Project for which the user is not owner but a normal member |
| Shopify |
$500 |
XSS https://www.shopify.com/signup |
| ownCloud |
$25 |
Full Path Disclosure CVE-2016-1501 |
| Phabricator |
- |
Dashboard panel embedded onto itself causes a denial of service |
| ownCloud |
- |
Config |
| Gratipay |
- |
Stored XSS On Statement |
| Zopim |
$100 |
[API ISSUE] agents can Create agents even after they are disabled ! |
| ownCloud |
- |
owncloud.com: Outdated plugins contains public exploits |
| ownCloud |
- |
Lack of HSTS on https://apps.owncloud.com |
| ownCloud |
- |
CSRF in apps.owncloud.com |
| ownCloud |
- |
apps.owncloud.com: Malicious file upload leads to remote code execution |
| ownCloud |
- |
owncloud.com: Account Compromise Through CSRF |
| ownCloud |
- |
apps.owncloud.com: Stored XSS in profile page |
| Gratipay |
- |
DKIM records not present, Email Hijacking is possible |
| ownCloud |
- |
demo.owncloud.org: HTTP compression is enabled potentially leading to BREACH attack |
| ownCloud |
- |
daily.owncloud.com: Information disclosure |
| ownCloud |
- |
*.owncloud.com / *.owncloud.org: Using not strong enough SSL ciphers |
| ownCloud |
- |
test1.owncloud.com: Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability |
| Ruby on Rails |
- |
DoS Attack in Controller Lookup Code |
| InVision |
$100 |
Content Spoofing - Signout Warning Page |
| ownCloud |
- |
s2.owncloud.com: SSL Session cookie without secure flag set |
| ownCloud |
- |
s2.owncloud.com: Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability |
| ownCloud |
- |
demo.owncloud.org: Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability |
| ownCloud |
- |
apps.owncloud.com: SSL Server Allows Anonymous Authentication Vulnerability (SMTP) |
| ownCloud |
- |
apps.owncloud.com: Path Disclosure |
| ownCloud |
- |
apps.owncloud.com: SSL Session cookie without secure flag set |
| ownCloud |
- |
apps.owncloud.com: Session Cookie in URL can be captured by hackers |
| Khan Academy |
- |
Html injection on khanacademy |
| Mail.Ru |
- |
[riot.mail.ru] Reflected XSS in debug-mode |
| ownCloud |
- |
owncloud.com: PermError SPF Permanent Error: Too many DNS lookups |
| Mail.Ru |
- |
[start.icq.com] Reflected XSS via Cookies |
| Pornhub |
$100 |
[reflected xss, pornhub.com] /blog, any |
| ownCloud |
- |
apps.owncloud.com: Multiple reflected XSS by insecure URL generation (IE only) |
| ownCloud |
- |
apps.owncloud.com: XSS via referrer |
| ownCloud |
- |
owncloud.com: Cross Site Tracing |
| ownCloud |
- |
owncloud.com: Content Sniffing not disabled |
| ownCloud |
- |
owncloud.com: Allowed an attacker to force a user to change profile details. (XCSRF) |
| ownCloud |
- |
owncloud.com: DOM Based XSS |
| Pornhub |
$50 |
Cross Site Scripting – Album Page |
| Zendesk |
$500 |
Stored XSS in comments |
| Hired |
$420 |
Stored XSS in Company Name |
| Shopify |
$500 |
Self XSS in chat. |
| Automattic |
$100 |
XSS in WordPress |
| Gratipay |
$1 |
Possible SQL injection on "Jump to twitter" |
| Shopify |
$500 |
XSS https://delivery.shopifyapps.com/ (Digital Downloads App in myshopify.com) |
| Ruby on Rails |
- |
[Rails42] We can inject HTML tags when server is using strip_tags method |
| Ruby on Rails |
$2,000 |
Potential XSS on sanitize/Rails::Html::WhiteListSanitizer |
| InVision |
$100 |
Reflective XSS in projects.invisionapp.com |
| Informatica |
- |
[now.informatica.com] Reflective Xss |
| HackerOne ★ |
$500 |
Internal bounty and swag details disclosed as part of JSON response |
| HackerOne ★ |
$500 |
Private Program and bounty details disclosed as part of JSON search response |
| Gratipay |
- |
Authentication errors in server side validaton of E-MAIL |
| Urban Dictionary |
- |
Reflective Xss Vulnerability |
| HackerOne ★ |
$500 |
Number of invited researchers disclosed as part of JSON search response |
| Coinbase |
- |
Runtime manipulation iOS app breaking the PIN |
| VK.com |
$500 |
Внедрение произвольного javascript-сценария в функционале просмотра изображений мобильной версии сайта |
| Gratipay |
- |
[gratipay.com] CRLF Injection |
| QIWI |
$500 |
Открытый доступ к корпоративным данным. |
| Slack |
$1,000 |
OSX slack:// protocol handler javascript injection |
| Flox |
$25 |
Content spoofing through Referel header |
| ok.ru |
$300 |
Доступ к чужим групповым беседам. |
| ok.ru |
$150 |
Critical : Access to group videos where videos are restricted for all users(Broken authentication ) |
| Udemy |
$50 |
information disclosure |
| Flox |
- |
Email spoofing configuration missing |
| ok.ru |
$200 |
Доступ к чужим приватным фотографиям (3) через обложку видео |
| Mail.Ru |
$150 |
Time-Based Blind SQL Injection Attacks |
| ok.ru |
$500 |
(URGENT!) Покупка OK дешевле, чем он стоит |
| Mail.Ru |
$150 |
Cross site scripting |
| ok.ru |
$200 |
Stored XSS в имени песни (2) на платёжном гейте. |
| ok.ru |
$100 |
Покупка=>скачка песен, которые не предназначены для продажи |
| ok.ru |
$150 |
Покупка песни дешевле, чем она стоит. |
| ok.ru |
$150 |
xss in group |
| Keybase |
- |
Sensitive server-side/application information disclosure |
| ok.ru |
- |
Cross site scripting On api Calculator API requests |
| ok.ru |
$100 |
cross siite scripting in the blog |
| ok.ru |
$500 |
SSRF/XSPA в форме загрузки видео по URL |
| Shopify |
$1,000 |
TCP Source Port Pass Firewall |
| ok.ru |
$100 |
http://217.20.144.201 privilege escalation in apache tomcat SessionEample-script |
| MapLogin |
- |
Account creation code bypass |
| Keybase |
$100 |
Full path disclosure at https://keybase.io/_/api/1.0/invitation_request.json |
| WordPoints |
$25 |
Weak Cryptographic Hash |
| Mavenlink |
$25 |
Open/Unvalidated Redirect Issue |
| Keybase |
$250 |
Content Sniffing not disabled |
| Romit |
$250 |
GA code not verified on the server side allows sending Verification Documents on behalf of another user |
| Keybase |
$250 |
No rate limiting for sensitive actions (like "forgot password") enables user enumeration |
| Keybase |
$500 |
Stealing CSRF Tokens |
| Keybase |
$500 |
SMTP protection not used |
| Keybase |
- |
NO SPF RECORDS |
| Zaption |
- |
Cheating at gallery rating |
| Zaption |
$25 |
Open redirect filter bypass |
| Zaption |
$25 |
Using GET method for account login with CSRF token leaking to external sites Via Referer. |
| Zaption |
$50 |
XSS - Gallery Search Listing |
| Gratipay |
- |
Self XSS Protection not used , I can trick users to insert JavaScript |
| Gratipay |
- |
weak ssl cipher suites |
| Zopim |
- |
Security Missconfiguration in Autologin |
| Zendesk |
$200 |
Stored Cross site scripting In developer.zendesk.com |
| Romit |
$250 |
No rate limit which leads to "Users information Disclosure" including verfification documents etc. |
| Envoy |
- |
Stored XSS |
| Envoy |
- |
XSS in "Guest Pre-Registration" page after registration |
| HackerOne ★ |
$500 |
Accessing title of the report of which you are marked as duplicate |
| QIWI |
$100 |
Session Cookie without HttpOnly and secure flag set |
| Envoy |
- |
Stored XSS in /settings/ipad Page |
| Mapbox |
$500 |
Disclosure of map information |
| DigitalSellz |
- |
The product/status method CSRF |
| DigitalSellz |
- |
The email updates issues |
| Zendesk |
$50 |
Error stack trace enabled |
| DigitalSellz |
- |
Own downloading link isn't properly checked in the email template |
| Romit |
$250 |
Potential for financial loss, negative Values for "Buy fee" and "Sell Fee" |
| Ubiquiti Networks |
$500 |
Yet another Buffer Overflow in PHP of the AirMax Products |
| Ubiquiti Networks |
$500 |
Other Buffer Overflow in PHP of the AirMax Products |
| Udemy |
$150 |
Extremely high Course rating values could be set in order to make really high Average rating of the course. Negative values could be set to. |
| Shopify |
$3,000 |
Attention! Remote Code Execution at http://wpt.ec2.shopify.com/ |
| Shopify |
$500 |
Reflected XSS in chat |
| Ubiquiti Networks |
$250 |
Buffer Overflow in PHP of the AirMax Products |
| Ubiquiti Networks |
$18,000 |
Arbritrary file Upload on AirMax |
| Python |
$1,000 |
Integer overflow in _json_encode_unicode leads to crash |
| Python |
$500 |
Integer overflow in _pickle.c |
| Python |
$1,000 |
Python: imageop Unsafe Arithmetic |
| PHP |
$500 |
PHP yaml_parse/yaml_parse_file/yaml_parse_url Unsafe Deserialization |
| PHP |
$1,500 |
PHP yaml_parse/yaml_parse_file/yaml_parse_url Double Free |
| PHP |
$500 |
str_repeat() sign mismatch based memory corruption |
| Python |
$500 |
Multiple type confusions in unicode error handlers |
| Python |
$500 |
Use after free in get_filter |
| Python |
$1,500 |
Multiple use after free bugs in json encoding |
| Python |
$1,500 |
Multiple use after free bugs in heapq module |
| Python |
$1,500 |
Multiple use after free bugs in element module |
| Python |
$500 |
Tokenizer crash when processing undecodable source code |
| PHP |
$500 |
php_stream_url_wrap_http_ex() type-confusion vulnerability |
| PHP |
$500 |
Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER |
| PHP |
$500 |
Type Confusion Vulnerability in SoapClient |
| PHP |
$1,500 |
Use after free vulnerability in unserialize() with DateInterval |
| The Internet |
$3,000 |
libcurl: URL request injection CVE-2014-8150 |
| OpenSSL |
$2,500 |
Malformed ECParameters causes infinite loop CVE-2015-1788 |
| PHP |
$1,500 |
Integer overflow in ftp_genlist() resulting in heap overflow CVE-2015-4022 |
| PHP |
$1,500 |
ZIP Integer Overflow leads to writing past heap boundary CVE-2015-2331 |
| PHP |
$1,000 |
Buffer Over-read in unserialize when parsing Phar CVE-2015-2783 |
| PHP |
$1,000 |
Buffer Over flow when parsing tar/zip/phar in phar_set_inode CVE-2015-3329 |
| OpenSSL |
$500 |
X509_to_X509_REQ NULL pointer deref CVE-2015-0288 |
| PHP |
$1,500 |
Use After Free Vulnerability in unserialize() CVE-2015-2787 |
| PHP |
$500 |
out of bounds read crashes php-cgi CVE-2014-9427 |
| Shopify |
- |
Body injection in mailto link while commenting shop blog |
| Shopify |
- |
Prevent Shop Admin From Seeing his Installed Apps / Install Persistent Unremovable App |
| HackerOne ★ |
$500 |
CSV Injection with the CVS export feature |
| VK.com |
$300 |
Уязвимость Создание фотографий без ведома пользователей |
| Pornhub |
$5,000 |
Unauthenticated access to Content Management System - www1.pornhubpremium.com |
| ThisData |
- |
Xss via Dropbox |
| Shopify |
$500 |
XSS at Bulk editing ProductVariants |
| Pornhub |
$2,500 |
Multiple endpoints are vulnerable to XML External Entity injection (XXE) |
| Pornhub |
$10,000 |
Publicly exposed SVN repository, ht.pornhub.com |
| Hired |
$250 |
URGENT - Subdomain Takeover on be.hired.com. due to unclaimed domain pointing to Heroku.com |
| Shopify |
$500 |
XSS in Myshopify Admin Site in DISCOUNTS |
| VK.com |
$250 |
Отвязываем Twitter от любого профиля вк ! + несколько багов по дизайну |
| Airbnb |
- |
authenticity_token is not random across page loads |
| HackerOne ★ |
- |
Redirection Page throwing error instead of redirecting to site |
| Automattic |
$100 |
Verification code issues for Two-Step Authentication |
| VK.com |
$100 |
Issue in the implementation of captcha and race condition |
| Shopify |
$1,000 |
Bypass access restrictions from API |
| InVision |
$150 |
Enumeration and Guessable Email (OWASP-AT-002)T hrough Login Form |
| Shopify |
$500 |
SSRF via 'Insert Image' feature of Products/Collections/Frontpage |
| Mail.Ru |
$160 |
[my.mail.ru] CRLF Injection |
| Shopify |
$500 |
SSRF via 'Add Image from URL' feature |
| VK.com |
$200 |
Уязвимость получения всех номеров телефонов вк (по совместительству логинов профилей) |
| Shopify |
$500 |
Expire User Sessions in Admin Site does not expire user session in Shopify Application in IOS |
| Mail.Ru |
$200 |
Possible xWork classLoader RCE: shared.mail.ru |
| Shopify |
$500 |
XSS at Bulk editing products |
| Shopify |
$500 |
XSS at importing Product List |
| Slack |
- |
Link vulnerability leads to phishing attacks |
| Sandbox Escape |
$3,000 |
Microsoft Internet Explorer ActiveX Broker Allows EPM Bypass |
| Marktplaats |
- |
Multiple Apache 2.2.22 Vulnerabilities (XSS/ Code Exec/ DoS) |
| Marktplaats |
- |
Content Spoofing - http://aanbieding.marktplaats.nl/wp-admin/admin-ajax.php |
| Legal Robot |
$20 |
- Guessing registered users in legalrobot.com |
| LibSass |
- |
type confusion in Sass::ParserState::ParserState(Sass::ParserState const&) CVE-2015-4459 |
| Marktplaats |
- |
Secret Password reset key disclosed to third party site via referer in header |
| Mail.Ru |
- |
[tanks.mail.ru] Internet Explorer XSS via Request-URI |
| Mail.Ru |
- |
[mrgs.mail.ru] Internet Explorer XSS via Request-URI |
| Shopify |
$500 |
[www.*.myshopify.com] CRLF Injection |
| Legal Robot |
$20 |
No valid SPF record |
| Envoy |
- |
[dashboard.signwithenvoy.com] Open Redirect |
| HackerOne ★ |
$500 |
mailto: link injection on https://hackerone.com/directory |
| Mail.Ru |
$250 |
[s.mail.ru] CRLF Injection |
| VK.com |
$200 |
Уязвимость в Указание мест на фото + фича + хакинг |
| Coinbase |
- |
Two-factor authentication (via SMS) |
| HackerOne ★ |
$500 |
Invitation is not properly cancelled while inviting to bug reports. |
| VK.com |
$500 |
XSS at http://vk.com on IE using flash files |
| VK.com |
$400 |
Уязвимость приватных записей пользователя (личных) |
| Mail.Ru |
- |
help2.m.smailru.net: XSS |
| Coinbase |
$5,000 |
OAuth authorization page vulnerable to clickjacking |
| concrete5 |
- |
No CSRF protection when creating new community points actions, and related stored XSS |
| Mail.Ru |
$150 |
Activities are not Protected and able to crash app using other app (Can Malware or third parry app). |
| VK.com |
$100 |
Не достаточная проверка логина скайп |
| VK.com |
- |
XSS on added name album on videos. |
| Mapbox |
$1,000 |
Stored Cross-Site Scripting in Map Share Page |
| Legal Robot |
$20 |
CSRF |
| Coinbase |
$5,000 |
Big Bug with Vault which i have already reported: Case #606962 |
| Mail.Ru |
$250 |
HTML Injection на e.mail.ru |
| VK.com |
$500 |
API: Bug in method auth.validatePhone |
| Legal Robot |
$40 |
Registration bypass using OAuth logical bug |
| Shopify |
- |
Header Misconfiguration - PHP API |
| VK.com |
$100 |
Able to intercept app Traffic after choosing up the Secured Connection using SSL (HTTPS) |
| MapLogin |
- |
Bypass verification of email while creating account(No rate limiting enable for verification code) |
| Legal Robot |
$20 |
Missing security headers, possible clickjacking |
| MapLogin |
- |
Not Completed Accounts Take Over (Urgent bug) |
| Legal Robot |
$20 |
missing SPF for legalrobot.com |
| concrete5 |
- |
No csrf protection on index.php/ccm/system/user/add_group, index.php/ccm/system/user/remove_group |
| Shopify |
$1,000 |
Privilege Escalation - A `MEMBER` with no ACCESS to `ORDERS` can still access the orders by using `Order Printer APP` |
| Romit |
$50 |
Cross site scripting |
| HackerOne ★ |
$100 |
Potential denial of service in hackerone.com/<program>/reward_settings |
| HackerOne ★ |
$500 |
Logic error with notifications: user that has left team continues to receive notifications and can not 'clean' this area on account |
| Mavenlink |
$100 |
XSS in https://app.mavenlink.com/workspaces/ |
| HackerOne ★ |
$500 |
External URL page bypass |
| Ruby on Rails |
- |
Changeable model ids on vanilla update can lead to severely bad side-effects |
| Mail.Ru |
- |
https://voip.agent.mail.ru/phpinfo.php |
| Shopify |
$500 |
Bulk Discount App in myshopify.com exposes http://bulkdiscounts.shopifyapps.com vulnerable to XSS |
| HackerOne ★ |
- |
Email Notification should be get while changing Paypal Email |
| Udemy |
$150 |
Multiple sub domain are vulnerable because of leaking full path |
| Mail.Ru |
$150 |
http://tp-dev1.tp.smailru.net/ |
| Mail.Ru |
$200 |
tt-mac.i.mail.ru: Quagga 0.99.23.1 (Router) : Default password and default enable password |
| Shopify |
$500 |
XSS in myshopify.com Admin site in TAX Overrides |
| Udemy |
$100 |
XSS on https://www.udemy.com/asset/export.html |
| jsDelivr |
- |
Pretty Photo Dom XSS |
| Udemy |
$100 |
Ability to add pishing links in discusion ," Bypassing uneductional Links add " |
| concrete5 |
- |
Multiple XSS Vulnerabilities in Concrete5 5.7.3.1 |
| Sandbox Escape |
$3,000 |
Internet Explorer Enhanced Protected Mode sandbox escape via a broker vulnerability |
| Udemy |
$150 |
leak receipt of another user |
| Udemy |
$100 |
xss on autoserch |
| Slack |
$100 |
Bypass of the SSRF protection (Slack commands, Phabricator integration) |
| Mail.Ru |
$400 |
http://fitter1.i.mail.ru/browser/ торчит Graphite в мир |
| HackerOne ★ |
- |
Logical Issue (Boosting Reputation points) |
| Mail.Ru |
$400 |
store-agent.mail.ru: stacked blind injection |
| HackerOne ★ |
$500 |
Content Spoofing - External Link Warning Page |
| Udemy |
- |
Misconfigured SPF Record Flag |
| Mobile Vikings |
- |
XSS Vulnerability on all pages |
| Udemy |
$150 |
teach.udemy.com log poison vulnerability through wordpress debug.log being publically available |
| Udemy |
$150 |
xss profile |
| concrete5 |
- |
Local File Inclusion Vulnerability in Concrete5 version 5.7.3.1 |
| concrete5 |
- |
SQL Injection Vulnerability in Concrete5 version 5.7.3.1 |
| concrete5 |
- |
Sendmail Remote Code Execution Vulnerability in Concrete5 version 5.7.3.1 |
| concrete5 |
- |
Multiple Stored Cross Site Scripting Vulnerabilities in Concrete5 version 5.7.3.1 |
| concrete5 |
- |
Multiple Reflected Cross Site Scripting Vulnerabilities in Concrete5 version 5.7.3.1 |
| concrete5 |
- |
Multiple Cross Site Request Forgery Vulnerabilities in Concrete5 version 5.7.3.1 |
| HackerOne ★ |
$500 |
Reopen Disable Accounts/ Hidden Access After Disable |
| drchrono |
$100 |
Accessing all appointments vulnerability |
| drchrono |
$150 |
Create and Update patients vulnerability |
| HackerOne ★ |
$500 |
Fake URL + Additional vectors for homograph attack |
| HackerOne ★ |
$500 |
Homograph attack |
| HackerOne ★ |
- |
Homograph Attack |
| HackerOne ★ |
$500 |
Making any Report Failed to load |
| Dropbox |
$512 |
XSS in dropbox main domain |
| Dropbox |
$216 |
Race condition when redeeming coupon codes |
| Shopify |
$500 |
Stored XSS in the Shopify Discussion Forums |
| Mail.Ru |
- |
Flash XSS on img.mail.ru |
| OkCupid |
- |
An XSS bug was fixed due to my report, but I didn't submit it through the h1 |
| Shopify |
$500 |
SSL cookie without secure flag set |
| Shopify |
$500 |
Content Spoofing |
| HackerOne ★ |
$500 |
Homograph attack |
| Whisper |
$50 |
Insecure Local Data Storage : Application stores data using a binary sqlite database |
| Romit |
$50 |
HTML injection in email sent by romit.io |
| Coinbase |
$100 |
ByPassing the email Validation Email on Sign up process in mobile apps |
| HackerOne ★ |
- |
Missing spf flags for hackerone.com |
| Romit |
$50 |
Server responds with the server error logs on account creation |
| Vimeo |
$500 |
API: missing invalidation of OAuth2 Authorization Code during access revocation causes authorization bypass |
| Shopify |
$500 |
amazon aws s3 bucket content is public :- http://shopify.com.s3.amazonaws.com/ |
| Shopify |
$500 |
XSS in experts.shopify.com |
| Twitter |
$280 |
DOM based cookie bomb |
| WordPoints |
- |
Rank Creation function not validating user inputs. |
| HackerOne ★ |
$500 |
Open-redirect on hackerone.com |
| Shopify |
- |
comment out causes information disclosure |
| Shopify |
$4,000 |
Notification request disclose private information about other myshopify accounts |
| Dropbox |
$512 |
SSRF vulnerablity in app webhooks |
| Dropbox |
- |
XSS in version history of an HTML file in a shared folder |
| Shopify |
- |
Multiple issues on Checkout Process |
| Whisper |
$30 |
Missing DMARC record |
| Shopify |
$500 |
XSS on ecommerce.shopify.com |
| Shopify |
- |
XSS on support.shopify.com |
| HackerOne ★ |
$1,000 |
SPF whitelist of mandrill leads to email forgery |
| Shopify |
$500 |
Invitation issue |
| Shopify |
- |
XSS - URL Redirects |
| Shopify |
$500 |
Payment gateway status transferred to Shopify without authentication |
| Shopify |
$1,000 |
Shop admin can change external login services |
| Shopify |
$1,000 |
IDOR expire other user sessions |
| Dropbox Acquisitions |
$216 |
Get email ID of any user on hackpad.com |
| Vimeo |
- |
May cause account take over (Via invitation page) |
| Coin.Space |
- |
SMTP protection not used |
| Twitter |
- |
Privecy Issue : view "Protected users" followers and following |
| Shopify |
$2,000 |
Shopify android client all API request's response leakage, including access_token, cookie, response header, response body content |
| Shopify |
$500 |
CSRF token fixation in facebook store app that can lead to adding attacker to victim acc |
| Shopify |
$1,000 |
[persistent cross-site scripting] customers can target admins |
| Coinbase |
- |
iframes considered harmful |
| Shopify |
$500 |
Force 500 Internal Server Error on any shop (for one user) |
| Twitter |
$280 |
Fabric.io: Ex-admin of an organization can delete team members |
| Shopify |
- |
Lack of SSL Pinning on POS Application ( iOS ) |
| Shopify |
$500 |
Open Redirect after login at http://ecommerce.shopify.com |
| Shopify |
$500 |
Authentication Failed Mobile version |
| Shopify |
$500 |
Open redirection in OAuth |
| Twitter |
- |
Privacy Issue on protected tweets |
| drchrono |
$700 |
XML Parser Bug: XXE over which leads to RCE |
| Faceless |
- |
Bypass Setup by External Activity Invoke |
| PHP |
$3,000 |
Use after free vulnerability in unserialize() |
| PHP |
$2,500 |
SoapClient's __call() type confusion through unserialize() |
| PHP |
$2,500 |
Use after free vulnerability in unserialize() with DateTimeZone |
| PHP |
$2,500 |
Free called on unitialized pointer in exif.c |
| OpenSSL |
$3,000 |
Segmentation fault for invalid PSS parameters |
| Python |
$9,000 |
Multiple Python integer overflows |
| Factlink |
- |
Frameset Proxy Problem |
| Shopify |
$500 |
Missing spf flags for myshopify.com |
| Coinbase |
$1,000 |
Sandboxed iframes don't show confirmation screen |
| Mail.Ru |
$500 |
e.mail.ru stored XSS in agent via sticker (smile) |
| Snapchat |
$100 |
Captcha Bypass in Snapchat's Geofilter Submission Process |
| Snapchat |
$100 |
Vulnerable to JavaScript injection. (WXS) (Javascript injection)! |
| Slack |
$100 |
Logout any user of same team |
| Mapbox |
$1,000 |
Persistent cross-site scripting (XSS) in map attribution |
| Shopify |
$500 |
Xss in website's link |
| HackerOne ★ |
- |
Reflected Filename Download |
| Twitter |
$420 |
Insecure Direct Object Reference - access to other user/group DM's |
| Twitter |
$2,800 |
HTTP Response Splitting (CRLF injection) due to headers overflow |
| Mapbox |
$1,000 |
Stored xss in editor |
| Dropbox Acquisitions |
$216 |
XSS in https://hackpad.com/ |
| Twitter |
$1,400 |
XSS in twitter.com/safety/unsafe_link_warning |
| Phabricator |
$300 |
SSRF vulnerability (access to metadata server on EC2 and OpenStack) |
| Coinbase |
$100 |
Blacklist bypass on Callback URLs |
| Vimeo |
$250 |
[URGENT ISSUE] Add or Delete the videos in watch later list of any user . |
| OkCupid |
- |
XSS on Send A Message Option |
| Phabricator |
$300 |
XSS with Time-of-Day Format |
| Vimeo |
$250 |
Share your channel to any user on vimeo without following him |
| Vimeo |
$250 |
Invite any user to your group without even following him |
| Twitter |
$420 |
Insecure direct object reference - have access to deleted DM's |
| itBit Exchange |
$200 |
secretKey for OTP , is getting leaked in response of a delete request ! |
| itBit Exchange |
$200 |
confirmation bypass of 2FA devices while they are deleting |
| Ubiquiti Networks |
$500 |
UniFi v3.2.10 Cross-Site Request Forgeries / Referer-Check Bypass |
| HackerOne ★ |
- |
"learn more here", reward email - domain expired. |
| Dropbox Acquisitions |
- |
unknow files Upload in profile photo |
| Vimeo |
$150 |
Insecure Direct Object References that allows to read any comment (even if it should be private) |
| Vimeo |
$500 |
Insecure Direct Object References in https://vimeo.com/forums |
| Twitter |
$3,500 |
HTTP Response Splitting (CRLF injection) in report_story |
| HackerOne ★ |
$500 |
Open redirect in "Language change". |
| Caviar |
$500 |
Remotely modifying courier Account Details |
| Vimeo |
$250 |
Post in private groups after getting removed |
| Flash |
$2,000 |
Flash Cross Domain Policy Bypass by Using File Upload and Redirection - only in Chrome |
| IRCCloud |
- |
Email verification links still valid after changing it 2x |
| itBit Exchange |
- |
ITBit Vulnerable to SSLSTrip |
| Mail.Ru |
- |
XSS in touch.sports.mail.ru |
| Mail.Ru |
- |
XSS in ad.mail.ru |
| Mail.Ru |
- |
XSS in realty.mail.ru |
| Vimeo |
$250 |
A user can enhance their videos with paid tracks without buying the track |
| Whisper |
$10 |
CVE-2014-0224 openssl ccs vulnerability |
| Whisper |
$100 |
Bypass pin(4 digit passcode on your android app) |
| Vimeo |
$500 |
A user can post comments on other user's private videos |
| Vimeo |
$250 |
A user can add videos to other user's private groups |
| concrete5 |
- |
Stored XSS in Image Alt. Text |
| concrete5 |
- |
Stored XSS in Message to Display When No Pages Listed. |
| concrete5 |
- |
Stored XSS in Bio/Quote |
| Vimeo |
$250 |
A user can edit comments even after video comments are disabled |
| Twitter |
$560 |
open redirect sends authenticity_token to any website or (ip address) |
| Ubiquiti Networks |
$500 |
CSRF in login form would led to account takeover |
| concrete5 |
- |
Stored XSS In Company URL |
| HackerOne ★ |
- |
Reflected File Download attack allows attacker to 'upload' executables to hackerone.com domain |
| concrete5 |
- |
Stored XSS in testimonial Company |
| concrete5 |
- |
Stored XSS in Testimonial Position |
| concrete5 |
- |
Stored XSS in Testimonial name |
| concrete5 |
- |
Stored Xss in Feature Paragraph |
| concrete5 |
- |
Stored XSS in Feature tile |
| concrete5 |
- |
Stored XSS in title of date navigation |
| concrete5 |
- |
Stored XSS in Title of the topic List |
| concrete5 |
- |
Stored XSS in Contact Form |
| concrete5 |
- |
Stored XSS on Search Title |
| concrete5 |
- |
Stored XSS on Title of Page List in edit page list |
| concrete5 |
- |
Stored XSS on Blog's page Tile |
| Phabricator |
- |
Server Side Request Forgery in macro creation |
| concrete5 |
- |
Self Xss on File Replace |
| Adobe |
- |
Adobe XSS |
| Adobe |
- |
Open redirect and reflected xss in http://youthvoices.adobe.com/community?return_url=[payload her] |
| Adobe |
- |
files.acrobat.com stored XSS via send file |
| The Internet |
$7,500 |
FREAK: Factoring RSA_EXPORT Keys to Impersonate TLS Servers |
| Adobe |
- |
Reflected Cross Site Scripting - 'puser' Parameter in login page |
| Twitter |
$1,400 |
XSS in original referrer after follow |
| Square |
- |
Invitation threshold |
| Romit |
$50 |
The csrf token remains same after user logs in |
| Ruby on Rails |
$1,000 |
rails-ujs will send CSRF tokens to other origins |
| Twitter |
$560 |
Twitter Ads Campaign information disclosure through admin without any authentication. |
| Twitter |
$1,400 |
Open Redirect leak of authenticity_token lead to full account take over. |
| Vimeo |
- |
URGENT - Subdomain Takeover on status.vimeo.com due to unclaimed domain pointing to statuspage.io |
| HackerOne ★ |
$5,000 |
Improperly validated fields allows injection of arbitrary HTML via spoofed React objects |
| HackerOne ★ |
- |
Auto Approval of Invitation to join Team as a Team member |
| Vimeo |
$250 |
Vimeo + & Vimeo PRO Unautorised Tax bypass |
| Airbnb |
- |
SSL Issues |
| Airbnb |
- |
Vulnerability type xss uncovered in airbnb.es |
| Airbnb |
- |
Generating Unlimited Free Travel Gift Invites | IDOR |
| Twitter |
- |
Cross site Port Scanning bug in twitter developers console |
| Mail.Ru |
$300 |
RCE через JDWP |
| Dropbox |
- |
Create N Accounts In Dropbox Irrespective Of Domain |
| HackerOne ★ |
- |
Substantially weakened authenticity verification when using 'Remember me for a week' |
| Airbnb |
- |
I Can Delete Any Airbnb Users Symbol! |
| Vimeo |
- |
Bypassing Email verification |
| Yelp |
$500 |
Information disclosure - emails disclosed in response > staging.seatme.us |
| Mail.Ru |
$150 |
scfbp.tng.mail.ru: Heartbleed |
| Mail.Ru |
$150 |
HDFS NameNode Public disclosure: http://185.5.139.33:50070/dfshealth.jsp |
| Todoist |
$25 |
Remotely removing credit cards from business accounts! |
| Todoist |
$25 |
Taking over a Business Account Admin |
| Twitter |
$1,400 |
Redirect URL in /intent/ functionality is not properly escaped |
| HackerOne ★ |
$500 |
Team member invitations to sandboxed teams are not invalidated consistently (v2) |
| HackerOne ★ |
- |
Restrict any user from logging into his account. |
| The Internet |
$5,000 |
Bad Write in TTF font parsing (win32k.sys) |
| Coinbase |
$100 |
open authentication bug |
| Slack |
$200 |
Team admin can add billing contacts |
| Dropbox Acquisitions |
$729 |
Privilege Escalation at invite feature @hackpad.com |
| Twitter |
$140 |
Reporting user's profile by using another people's ID |
| Mail.Ru |
- |
Full Path Disclosure |
| The Internet |
$3,000 |
Heap overflow in H. Spencer’s regex library on 32 bit systems |
| Romit |
$50 |
Email Enumeration (POC) |
| QIWI |
$200 |
[ishop.qiwi.com] XSS + Misconfiguration |
| Mail.Ru |
$600 |
Same Origin Policy bypass |
| HackerOne ★ |
$2,000 |
CSP Bypass: Click handler for links with data-method="post" can cause authenticity_token to be sent off domain |
| Mobile Vikings |
- |
Approve topup method by sender of this method |
| Mobile Vikings |
- |
Enum phone numbers thru /en/sims/topup/add/ |
| Mobile Vikings |
- |
Username and sim id enum |
| Mobile Vikings |
- |
CSRF token from another valid user session accepted |
| Mobile Vikings |
- |
Stored xss in user name (2) affected another user. |
| Mobile Vikings |
- |
Stored xss in user name |
| Mobile Vikings |
- |
Reflected xss in user name thru cookie |
| Mail.Ru |
- |
XSS Vulnerability in cfire.mail.ru/screen/1/ |
| Ruby on Rails |
- |
JSON keys are not properly escaped |
| Informatica |
- |
XSS in Search Communities Function |
| Flash |
$7,500 |
Use After Free in Flash MessageChannel.send can cause arbitrary code execution |
| Flash |
$10,000 |
Use after free during the StageVideoAvailabilityEvent can result in arbitrary code execution |
| Flash |
$10,000 |
Race condition in workers may cause an exploitable double free by abusing bytearray.compress() |
| InVision |
$200 |
Javascript Injection |
| itBit Exchange |
$50 |
Leakage of sensitive wallet tokens to third party sites |
| Flash |
$2,000 |
Adobe Flash Player Out-of-Bound Access Vulnerability |
| Vimeo |
$250 |
Red October 1511493148.cloud.vimeo.com |
| HackerOne ★ |
- |
Markdown code block sequence makes report unreadable |
| HackerOne ★ |
$5,000 |
Markdown parsing issue enables insertion of malicious tags and event handlers |
| Twitter |
$560 |
Twitter Card - Parent Window Redirection |
| Slack |
$100 |
Team admin can change unauthorized team setting (allow_message_deletion) |
| Slack |
$200 |
Team admin can change unauthorized team setting (require_at_for_mention) |
| Romit |
- |
CSRF token leakage |
| Romit |
$50 |
Frictionless Transferring of Wallet Ownership |
| Square |
- |
Redirecting a victim elsewhere through shopseen 0auth |
| Twitter |
$1,260 |
Problem with OAuth |
| HackerOne ★ |
$500 |
Team member invitations to sandboxed teams are not invalidated consistently |
| HackerOne ★ |
$500 |
Insecure Direct Object Reference vulnerability |
| Nearby Live |
- |
Group Invite not properly authenticated |
| Whisper |
$10 |
Error stack trace |
| Whisper |
$25 |
Directory index and information disclosure |
| HackerOne ★ |
- |
In markdown, parsing things like @danlec and #46072 after links is unsafe |
| Vimeo |
- |
Can message users without the proper authorization |
| Vimeo |
- |
Brute force on "vimeo" cookie |
| HackerOne ★ |
$5,000 |
Vulnerability with the way \ escaped characters in <http://danlec.com> style links are rendered |
| Ruby on Rails |
- |
Explicit, dynamic render path: Dir. Trav + RCE |
| Vimeo |
$250 |
CRITICAL vulnerability - Insecure Direct Object Reference - Unauthorized access to `Videos` of Channel whose privacy is set to `Private`. |
| Zaption |
- |
[zaption.com] Open Redirect |
| Trello |
$128 |
[blog.trello.com] CRLF Injection |
| Trello |
$64 |
[trello.com] Open Redirect |
| Vimeo |
$100 |
XSS on Vimeo |
| Vimeo |
- |
CSRF bypass |
| itBit Exchange |
$150 |
Stored xss in bank name withdraw |
| Vimeo |
$100 |
ftp upload of video allows naming that is not sanitized as the manual naming |
| Mobile Vikings |
- |
Number, username and name disclosure |
| Mobile Vikings |
- |
Stored XSS in Direct debit name |
| Vimeo |
- |
Full account takeover via Add a New Email to account without email verified and without password confirmation. |
| Informatica |
- |
[community.informatica.com] - CSRF in Private Messages allows to move user's messages to Trash |
| Square |
- |
HTTP Header revealing server information. |
| itBit Exchange |
$50 |
weird bug ! ( missing validation on new email verfication ) |
| HackerOne ★ |
$500 |
Improper way of validating a program |
| itBit Exchange |
$200 |
Unsecure data in "device" response - OTP |
| Vimeo |
$100 |
Vimeo Search - XSS Vulnerability [http://vimeo.com/search] |
| Dropbox |
- |
Unvalidated Redirects and Stored XSS |
| Twitter |
$140 |
Insecure Data Storage in Vine Android App |
| Mobile Vikings |
- |
Insecure crossdomain.xml |
| itBit Exchange |
$50 |
Email Length Verification |
| Twitter |
- |
URGENT - SUBDOMAIN TAKEOVER ON TWITTER ACQ. |
| itBit Exchange |
$500 |
Notification Emails: IP + Content-Spoofing |
| Ruby on Rails |
$500 |
RCE due to Web Console IP Whitelist bypass in Rails 4.0 and 4.1 |
| Vimeo |
$1,000 |
XSS on any site that includes the moogaloop flash player | deprecated embed code |
| Twitter |
$140 |
Flaw in login with twitter to steal Oauth tokens |
| Vimeo |
- |
unvalid open authentication with facebook |
| Twitter |
- |
Path disclosure in platform0.twitter.com |
| HackerOne ★ |
- |
Add text to the title of the page "Thanks" |
| Mail.Ru |
- |
http://217.69.136.200/?p=2&c=Fetcher%20cluster&h=fetcher1.mail.ru |
| Mail.Ru |
$150 |
Heartbleed: my.com (185.30.178.33) port 1433 |
| Vimeo |
- |
Application XSS filter function Bypass may allow Multiple stored XSS |
| Vimeo |
- |
Poodle bleed vulnerability in cloud sub domain |
| Vimeo |
- |
Open Redirection Security Filter bypassed |
| Vimeo |
$1,000 |
Make API calls on behalf of another user (CSRF protection bypass) |
| Vimeo |
- |
USER PRIVACY VIOLATED (PRIVATE DATA GETTING TRANSFER OVER INSECURE CHANNEL ) |
| Mail.Ru |
$150 |
Hadoop Node available to public |
| Vimeo |
$100 |
CRITICAL full source code/config disclosure for Cameo |
| Vimeo |
- |
Serious Vulnerability Found |
| Twitter |
$420 |
twitter android app Fragment Injection |
| Vimeo |
$1,000 |
abusing Thumbnails(https://vimeo.com/upload/select_thumb) to see a private video |
| Vimeo |
- |
No Limitation on Following allows user to follow people automatically! |
| Vimeo |
- |
Securing "Reset password" pages from bots |
| Vimeo |
$250 |
Ability to Download Music Tracks Without Paying (Missing permission check on`/musicstore/download`) |
| Vimeo |
- |
profile photo update bypass |
| Mail.Ru |
$100 |
Раскрытие номера мобильного телефона при двухфакторной аутентификации |
| Mail.Ru |
- |
3k.mail.ru: XSS |
| Vimeo |
$100 |
player.vimeo.com - Reflected XSS Vulnerability |
| Vimeo |
$1,000 |
Adding profile picture to anyone on Vimeo |
| Vimeo |
$260 |
Buying ondemand videos that 0.1 and sometimes for free |
| Python |
$1,000 |
PyUnicode_FromFormatV crasher |
| Ruby on Rails |
$1,000 |
Arbitrary file existence disclosure in Action Pack CVE-2014-7829 |
| OkCupid |
- |
Stored XSS in popup messages window |
| HackerOne ★ |
- |
HTTPS is not enforced for objects stored by HackerOne on Amazon S3 |
| Dropbox |
- |
WP User Enumeration is possible at https://blog.dropbox.com |
| Vimeo |
- |
Misconfigured crossdomain.xml - vimeo.com |
| Twitter |
$1,120 |
Fabric.io - an app admin can delete team members from other user apps |
| Twitter |
$1,400 |
fabric.io - app member can make himself an admin |
| Ruby on Rails |
- |
Denial of Service in Action Pack Exception Handling |
| Nearby Live |
- |
Web Server information disclosure. |
| Ruby on Rails |
- |
Data-Tags and the New HTML Sanitizer Subverts CSRF protection |
| Vimeo |
$100 |
APIs for channels allow HTML entities that may cause XSS issue |
| Vimeo |
$5,000 |
Vimeo.com Insecure Direct Object References Reset Password |
| Vimeo |
$100 |
Vimeo.com - reflected xss vulnerability |
| Vimeo |
$100 |
Vimeo.com - Reflected XSS Vulnerability |
| Informatica |
- |
[careers.informatica.com] Cross Site Script Vulnerability on informatica |
| Twitter |
- |
Account Deleted without any confirmation |
| Uber ★ |
$500 |
XSS on partners.uber.com |
| Twitter |
- |
No rate limiting on creating lists |
| concrete5 |
- |
Stored XSS in adding fileset |
| Flash |
$1,000 |
chrome allows POST requests with custom headers using flash + 307 redirect |
| Twitter |
$420 |
URGENT - Subdomain Takeover on users.tweetdeck.com , the same issue of report #32825 |
| Romit |
$250 |
stored xss in transaction |
| Nearby Live |
- |
Gain access to any user's email address |
| Mail.Ru |
- |
/surveys/2auth: DOM-based XSS |
| Mail.Ru |
- |
GET /surveys/2auth: XSS |
| Twitter |
$1,400 |
HTML/XSS rendered in Android App of Crashlytics through fabric.io |
| Romit |
$250 |
Stored XSS in api key of operator wallet |
| Romit |
$100 |
Error stack trace |
| Twitter |
$140 |
POODLE Bug: 199.16.156.44, 199.16.156.108, mx4.twitter.com |
| HackerOne ★ |
- |
Reflected File Download |
| Twitter |
$280 |
Open redirection in fabric.io |
| Mail.Ru |
$100 |
No bruteforce protection leads to enumeration of emails in http://e.mail.ru/ |
| Phabricator |
$500 |
Phabricator Phame Blog Skins Local File Inclusion |
| Mail.Ru |
- |
[odnoklassniki.ru] XSS via Host |
| Dropbox |
- |
[monitor.sjc.dropbox.com] CRLF Injection |
| Informatica |
- |
Missing SPF for informatica.com |
| WePay |
- |
Broken Authentication – Session Token bug |
| C2FO |
- |
[admin.c2fo.com] Open Redirect |
| Vimeo |
$500 |
[vimeopro.com] CRLF Injection |
| HackerOne ★ |
- |
URL Crashing browser. {Tested on firefox, Chrome and Safari} |
| Phabricator |
$300 |
Phabricator Diffusion application allows unauthorized users to delete mirrors |
| concrete5 |
- |
stored XSS in concrete5 5.7.2.1 |
| concrete5 |
- |
SQL injection in conc/index.php/ccm/system/search/users/submit |
| Square |
$500 |
Delayed, fraudulent transactions possible with encrypted Square Reader devices due to lack of server-side verification of device transaction counter |
| Mail.Ru |
$250 |
[connect.mail.ru] Memory Disclosure / IE XSS |
| HackerOne ★ |
$500 |
Issue with password change |
| HackerOne ★ |
$500 |
Breaking Bugs as team member |
| Openfolio |
$100 |
xss in /browse/contacts/ |
| Python |
$6,500 |
Misc Python bugs (Memory Corruption & Use After Free) |
| QIWI |
$150 |
[qiwi.com] Open Redirect |
| QIWI |
$100 |
Stored xss in agent.qiwi.com |
| Greenhouse.io |
$1,000 |
Subdomain Takeover using blog.greenhouse.io pointing to Hubspot |
| Eobot |
- |
Multiple information disclosure |
| Twitter |
- |
Abuse of "Remember Me" functionality. |
| OkCupid |
- |
Rosetta flash vulnerability in clientstats AJAX script |
| Sucuri |
- |
Form contained inside page loaded over SSL submits its contents to another page over HTTP |
| Eobot |
$10 |
XSS in www.eobot.com(IE9 only) |
| Sucuri |
$250 |
Open Redirect in unmask.sucuri.net |
| InVision |
$150 |
CSRF Token in cookies! |
| Twitter |
- |
Homograph attack. |
| Eobot |
- |
OPTIONS METHOD ENABLED |
| Twitter |
$1,400 |
[Stored XSS] vine.co - profile page |
| Twitter |
- |
Notifications can mark as read by CSRF |
| Coinbase |
$100 |
New Device Confirmation, token is valid until not used. |
| QIWI |
- |
Metadata in hosted files is disclosing Usernames, Printers, paths, admin guides. emails |
| ThisData |
- |
Missing SPF header on revert.io |
| QIWI |
$1,000 |
[send.qiwi.ru] Soap-based XXE vulnerability /soapserver/ |
| Openfolio |
- |
Options Method Enabled |
| QIWI |
$100 |
[qiwi.com] /oauth/confirm.action XSS |
| Flash |
$2,000 |
Adobe Flash Player MP4 Use-After-Free Vulnerability |
| Apache httpd |
$500 |
mod_proxy_fcgi buffer overflow CVE-2014-3583 |
| HackerOne ★ |
$500 |
Logic Issue with Reputation: Boost Reputation Points |
| Phabricator |
- |
Content injection |
| QIWI |
$250 |
CRLF Injection [ishop.qiwi.com] |
| Twitter |
- |
Headers Missing |
| Factlink |
- |
File name/folder enumeration. |
| QIWI |
- |
Code for registration of qiwi account is not coming even after a long interval of time for Indian mobile number |
| QIWI |
$200 |
[send.qiwi.ru] XSS at auth?login= |
| QIWI |
$200 |
[static.qiwi.com] XSS proxy.html |
| Twitter |
$140 |
getting emails of users/removing them from victims account [using typical attack] |
| HackerOne ★ |
$500 |
Gain reputation by creating a duplicate of an existing report |
| PHP |
$2,500 |
Locale::parseLocale Double Free |
| Ian Dunn |
- |
XSS in Tagregator plugin |
| Block.io |
- |
Bypassed or command injection |
| Mail.Ru |
- |
Нежелательная информация |
| Eobot |
- |
IDOR on https://www.eobot.com/paypal |
| Twitter |
$280 |
XSS via Fabrico Account Name |
| Mail.Ru |
$500 |
Ошибка фильтрации |
| Block.io |
- |
Various Low level Vulnerabilities |
| Mail.Ru |
- |
Flash XSS на old.corp.mail.ru |
| Block.io |
$150 |
SMPT Protection not used, I can hijack your email server. |
| Twitter |
$420 |
Bad extended ascii handling in HTTP 301 redirects of t.co |
| Twitter |
- |
Options Method Enabled |
| Twitter |
- |
Option Method Enabled on web server |
| HackerOne ★ |
$500 |
File Name Enumeration |
| Twitter |
- |
BROKEN AUTHENTICATION IN MOBILE VERIFICATION |
| InVision |
- |
Password reset tokens is valid after changing the password by logging in the account |
| Uzbey |
- |
test |
| Twitter |
- |
Flaw in valid password policy. |
| Uzbey |
- |
Test |
| Uzbey |
- |
Test |
| Twitter |
$1,400 |
DOM Cross-Site Scripting ( XSS ) |
| InVision |
$300 |
Backup of wordpress configuration file found. Leaking database users/passwords |
| Slack |
$500 |
a stored xss in slack integration https://onerror.slack.com/services/import |
| HackerOne ★ |
- |
Enumeration/Guess of Private (Invited) Programs |
| WP API |
- |
MD5 used for Key-Auth signatures |
| Twitter |
$1,680 |
URGENT - Subdomain Takeover on media.vine.co due to unclaimed domain pointing to AWS |
| 99designs |
- |
Source Code Disclosure (PHP) |
| Mail.Ru |
$200 |
OpenSSL HeartBleed (CVE-2014-0160) |
| Twitter |
$280 |
XSS in fabric.io |
| HackerOne ★ |
- |
Content Spoofing via reports |
| The Internet |
$3,000 |
Drupal 7 pre auth sql injection and remote code execution |
| Twitter |
$140 |
Singup Page HTML Injection Vulnerability |
| Mail.Ru |
- |
Авторизуюсь от имени любого пользователя parapa.mail.ru |
| RelateIQ |
$500 |
PoodleBleed |
| Flash |
$5,000 |
Adobe Flash Player Out-of-Bound Read/Write Vulnerability |
| HackerOne ★ |
$1,000 |
Ability to see common response titles of other teams (limited) |
| Localize |
- |
files likes of README.md is public |
| Twitter |
- |
Creating Unauthorized Audience Lists |
| Bookfresh |
- |
Reflected XSS on www.bookfresh.com/index.html?view=upload_form |
| concrete5 |
- |
Weak random number generator used in concrete/authentication/concrete/controller.php |
| WP API |
$50 |
Cryptographic Side Channel in OAuth Library |
| joola.io |
- |
Timing Attack Side-Channel on API Token Verification |
| joola.io |
- |
Weak Random Number Generator for Auth Tokens |
| Twitter |
$420 |
Unauthorized Tweeting on behalf of Account Owners |
| Khan Academy |
- |
Sql injection And XSS |
| Twitter |
$560 |
Improper Verification of email address while saving Account Settings |
| RelateIQ |
$250 |
Relateiq SSLv3 deprecated protocol vulnerability. |
| Localize |
- |
PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings. |
| Bookfresh |
- |
Missing Function Level Access Control in /cindex.php/widget/customize/ |
| Flash |
$2,000 |
Adobe Flash Player MP4 Use-After-Free Vulnerability |
| Coinbase |
$100 |
New Device confirmation tokens are not properly validated. |
| 99designs |
- |
CSRF to connect attacker's twitter account to logged in victims account |
| concrete5 |
- |
Stored XSS in concrete5 5.7.0.4. |
| Square |
$250 |
CSRF on adding a calendar event |
| Square |
$500 |
square google calendar integration CSRF,https://squareup.com/appointments/business/settings(state parameter not checking properly) |
| Mail.Ru |
- |
Выполнение кода PHP через FastCGI |
| Square |
$500 |
CSRF on adding clients |
| The Internet |
$20,000 |
GNU Bourne-Again Shell (Bash) 'Shellshock' Vulnerability |
| Twitter |
$280 |
Profile Pic padding (Length-hiding) fails due to use of GZIP |
| HackerOne ★ |
$500 |
homograph attack. IDNs displayed in unicode in bug reports and on external link warning page |
| IRCCloud |
$300 |
Unvalidated Channel names causes IRC Command Injection |
| Square |
$250 |
Privilege Escalation |
| WePay |
$350 |
Horizontal Privilege Escalation |
| Twitter |
$1,120 |
XSS platform.twitter.com | video-js metadata |
| HackerOne ★ |
$500 |
No email verification on username change |
| Twitter |
$1,120 |
XSS platform.twitter.com |
| Sucuri |
$250 |
Usage of HTTP for exporting graph data as images |
| Square |
$250 |
Redirect while opening link in new tabs |
| Coinbase |
$100 |
Credit Card Validation Issue |
| Twitter |
- |
Twitter Flight SSL 2.0 deprecated protocol vulnerability. |
| HackerOne ★ |
- |
"early preview" programs disclosure |
| HackerOne ★ |
$500 |
Redirect FILTER bypass in report/comment |
| Mail.Ru |
$500 |
touch.mail.ru XSS via message id |
| Phabricator |
- |
Content Spoofing through URL |
| IRCCloud |
- |
Weak password policy |
| Mavenlink |
- |
Email field filtering problem. |
| Twitter |
$420 |
iOS App can establish Facetime calls without user's permission |
| Ruby on Rails |
$1,500 |
Active Record SQL Injection Vulnerability Affecting PostgreSQL CVE-2014-3483 |
| Ruby on Rails |
$1,500 |
Active Record SQL Injection Vulnerability Affecting PostgreSQL CVE-2014-3482 |
| PHP |
$2,500 |
SPL ArrayObject/SPLObjectStorage Unserialization Type Confusion Vulnerabilities CVE-2014-3515 |
| Twitter |
$1,400 |
Cross site scripting on ads.twitter.com |
| HackerOne ★ |
$500 |
Window Opener Property Bug |
| Twitter |
$1,400 |
Stored xss |
| Square |
$2,000 |
malicious file upload |
| Flash |
$1,000 |
Flash Local Sandbox Bypass CVE-2014-0554 |
| GlassWire |
- |
Clickjacking: X-Frame-Options header missing |
| Phabricator |
- |
Content spoofing |
| Twitter |
$1,400 |
ads.twitter.com xss |
| Square |
$400 |
Reflected XSS in widget script thru cookie |
| Twitter |
$2,800 |
Delete Credit Cards from any Twitter Account in ads.twitter.com [New Vulnerability] |
| Square |
$1,000 |
Reflected XSS in connect.square.com |
| Square |
$750 |
Editing Client Details of other People |
| Twitter |
$140 |
Missing Rate Limiting on https://twitter.com/account/complete |
| The Internet |
$3,000 |
open redirect in rfc6749 |
| Mail.Ru |
$1,337 |
XSS via .eml file |
| WePay |
$350 |
Critical : Account removing using CSRF attack |
| Square |
- |
XSS on bookfresh |
| Twitter |
$140 |
Full path disclosure at ads.twitter.com |
| Slack |
- |
HTTP Strict Transport Policy not enabled on newly made accounts |
| Phabricator |
- |
Password Policy issue |
| Square |
$2,000 |
CRITICAL Account takeover via AngularJS template injection in connect.squareup.com |
| Django |
$1,000 |
CSRF protection bypass on any Django powered site via Google Analytics |
| Square |
$500 |
XSS in Client Past Activity |
| ExpressionEngine |
- |
Stored Cross-Site Scripting Vulnerability in /admin.php?/cp/admin_system/general_configuration |
| HackerOne ★ |
- |
Notification of previous signed out user leakage. |
| Mavenlink |
- |
DNS load balancing not enabled |
| WePay |
- |
CSRF (Make email primary) may lead to account compromise |
| CloudFlare |
- |
Apache mod_negotiation filename bruteforcing |
| Square |
$250 |
Open Redirect [FreshBook] |
| Square |
$500 |
XSS [BookFresh] |
| HackerOne ★ |
$100 |
Change Any username and profile link in hackerone |
| Greenhouse.io |
- |
[greenhouse.io] CRLF Injection / Insecure nginx configuration |
| CloudFlare |
- |
User can request for password reset link without giving his website, eventhough he have it |
| Greenhouse.io |
- |
SMTP protection not used (please read carefully ) |
| Phabricator |
$400 |
Open redirection on secure.phabricator.com |
| Twitter |
- |
HTML form without CSRF protection at http://try.crashlytics.com/enterprise/ |
| Greenhouse.io |
- |
openssh-server Forced Command Handling Information Disclosure Vulnerability on blog.greenhouse.io |
| Factor.io |
- |
Reflected XSS - factor.io |
| Mail.Ru |
- |
Не уверен, что этому место на периметре: 94.100.180.95, 94.100.180.96, 94.100.180.97, 94.100.180.98 |
| concrete5 |
- |
broken authentication |
| Twitter |
- |
User's DM won't deleted after logout from Twitter for iOS (com.atebits.xxx.application-state) |
| Mail.Ru |
$150 |
money.mail.ru: Странное поведение SMS |
| Secret |
- |
Broken Authentication and Session Management |
| Mail.Ru |
- |
Version Disclosure (NginX) |
| HackerOne ★ |
$500 |
Redirect while opening links in new tabs |
| Phabricator |
$300 |
Forgot Password Issue |
| Square |
- |
CSRF login |
| Square |
$1,500 |
Blind SQL injection in www.bookfresh.com |
| Uzbey |
- |
SQL Injection |
| Uzbey |
- |
XSS in 3rd party plugin (not affecting Uzbey's users) |
| Phabricator |
- |
Password Reset Links Not Expiring |
| Twitter |
- |
Broken authentication and invalidated email address leads to account takeover |
| Automattic |
- |
Open Redirect in WordPress Feed Statistics {Affected All Versions} |
| Slack |
$200 |
Content Spoofing all Integrations in https://team.slack.com/services/new/ |
| Twitter |
- |
Password reset link not validated. |
| Yahoo! |
- |
caesary.yahoo.net Blind Sql Injection |
| IRCCloud |
- |
Bruteforce protection not enabled on the login page https://www.irccloud.com/ |
| Slack |
$100 |
Content spoofing at Stripe Integrations |
| Mavenlink |
$50 |
privilege escalation |
| Mavenlink |
- |
Cookies are not cleared from Server side on Logout |
| Mavenlink |
$200 |
Flash XSS on swfupload.swf showing at app.mavenlink.com |
| Mavenlink |
$50 |
Clickjacking |
| HackerOne ★ |
- |
Account Hijacking (Only rare case scenario) |
| Mavenlink |
$100 |
Login CSRF |
| Phabricator |
- |
Back - Refresh - Attack To Obtain User Credentials |
| Coinbase |
$1,000 |
Invoice Details activate JS that filled in |
| The Internet |
$3,000 |
rsync hash collisions may allow an attacker to corrupt or modify files |
| Apache httpd |
$500 |
moderate: mod_deflate denial of service CVE-2014-0118 |
| Mail.Ru |
$150 |
cloud.mail.ru: File upload XSS using Content-Type header |
| Python |
$1,500 |
integer overflow in 'buffer' type allows reading memory |
| WePay |
- |
oauth redirect uri validation bug leads to open redirect and account compromise |
| Mail.Ru |
$1,000 |
e.mail.ru: File upload "Chapito" circus |
| Mail.Ru |
- |
files.mail.ru: HTTP Header Injection |
| Mail.Ru |
$100 |
m.agent.mail.ru: Подделываем j2me app-descriptor |
| DigitalSellz |
- |
USER Account is not being deleted after user "Delete Account" from DASHBOARD |
| DigitalSellz |
- |
Verbose SQL error messages |
| ExpressionEngine |
- |
Cross Site Scripting (Stored) |
| HackerOne ★ |
- |
No option to logout concurrent sessions |
| Twitter |
- |
password sent over HTTP |
| Automattic |
- |
Missing HSTS header in https://app.simplenote.com |
| Automattic |
- |
Missing HSTS header in https://public-api.wordpress.com |
| RelateIQ |
$100 |
Cross-site Scripting in mailing (username) |
| Envoy |
- |
Authentication Bypass |
| Coin.co |
- |
Host header is not Validated resulting in Redirect |
| Envoy |
- |
Delete visitor from IPAD with fullname which contains JS results XSS |
| HackerOne ★ |
- |
Session Hijacking attack (Different Scenario) |
| Envoy |
- |
Too much sensitive information in GET https://signwithenvoy.com/device_config/preview_badge |
| Envoy |
- |
Stored XSS on adding locations |
| Envoy |
- |
Stored XSS on sign_up page |
| Uzbey |
- |
Missing "size check" on files to upload could make memory leaks. |
| Uzbey |
- |
IFXSS (image filename XSS) by creating a new Photo Gallery |
| Localize |
- |
PHP PDOException and Full Path Disclosure |
| Mail.Ru |
- |
target.mail.ru: XSS через Referer |
| Mail.Ru |
- |
target.mail.ru: XSS |
| Secret |
- |
ClientId gives away platform (iOS/Android) from which a secret was posted. |
| Mail.Ru |
$3,000 |
Possibility to attach any mobile number to any email |
| Sandbox Escape |
$5,000 |
.NET Type Traversal Vulnerability CVE-2014-0257 |
| Sandbox Escape |
- |
OSX ATS memory corruption may lead to App Sandbox bypass CVE-2014-1262 |
| Sandbox Escape |
- |
OSX ATS arbitrary free issue may lead to App Sandbox bypass CVE-2014-1255 |
| HackerOne ★ |
- |
Email changing |
| WePay |
$100 |
Unauthorized Access via Join Email Link |
| Factlink |
- |
XSS 01 on staging.fct.li |
| DC Compendium |
$25 |
Multiple Full Path Disclosure (FPD) Vulnerability on Dccompendium.com domain |
| RelateIQ |
$190 |
Resubmitted with POC #18685 Password reset CSRF |
| Phabricator |
$1,000 |
XSS in editor by any user |
| WePay |
$150 |
CSRF on email address operations. Also performing unintended operations. |
| Automattic |
- |
Top 10 2013-A2-Broken Authentication and Session Management - wordpress.com |
| WePay |
$500 |
Session Fixation |
| jsDelivr |
- |
HSTS Policy not enabled on cdn.jsdelivr.net |
| DC Compendium |
$50 |
Backend source code disclosure on 404 pages |
| jsDelivr |
- |
Using nmap revealing sensitive information |
| jsDelivr |
- |
XSS |
| jsDelivr |
- |
Directory Traversal at http://staging.jsdelivr.net/ |
| DC Compendium |
$25 |
source code disclosure |
| Yahoo! |
$250 |
Yahoo! Reflected XSS |
| DC Compendium |
$25 |
XSS on Home page |
| DC Compendium |
$25 |
Error page Cross-site scripting |
| DC Compendium |
- |
Forward Secrecy is disable |
| DC Compendium |
- |
Login CSRF |
| DC Compendium |
$25 |
Clickjacking: X-Frame-Options header missing |
| HackerOne ★ |
$100 |
Denial of Service |
| Faceless |
- |
Tap Jacking Attack on Button Tags |
| The Internet |
$6,000 |
LZ4 Core CVE-2014-4611 |
| Factlink |
- |
Click-Jacking due to missing X-frame header |
| Uzbey |
- |
Mass invitation send |
| IRCCloud |
$500 |
Reflected XSS in Pastebin-view |
| Uzbey |
- |
Information Disclosure (phpinfo()) |
| HackerOne ★ |
- |
Account takeover |
| Yahoo! |
$50 |
Default /docs folder of PHPBB3 installation on gamesnet.yahoo.com |
| Uzbey |
- |
Price Manipulation |
| Phabricator |
$300 |
Broken Authentication and Session Management |
| Uzbey |
- |
Flash Content-Type Sniffing Vulnerability |
| HackerOne ★ |
$100 |
Category- Broken Authentication and Session Management (leads to account compromise if some conditions are met) |
| Mail.Ru |
- |
tp-demo1.corp.mail.ru: SVN наружу торчит |
| Uzbey |
- |
Email Flooding Vuln |
| Uzbey |
- |
Clickjacking at https://staging.uzbey.com/ |
| Uzbey |
- |
HTML Form Without CSRF Protection Vulnerability |
| Uzbey |
- |
Breach Attack Vulnerability |
| Uzbey |
- |
Cross site scripting in type parameter |
| Uzbey |
- |
CMS Information Disclosure |
| Uzbey |
- |
email field doesn't filtered against XSS |
| Uzbey |
- |
Language version disclosure in response header |
| Uzbey |
- |
All Active user sessions should be destroyed when user change his password! |
| Uzbey |
- |
Cross-site scripting vulnerability detected |
| Uzbey |
- |
Missing HSTS (Strict Transport Security) |
| Uzbey |
- |
Album image XSS |
| Uzbey |
- |
SQL injection, time zoom script, tile ID |
| Uzbey |
- |
SQL injection, tile ID |
| Coin.co |
- |
Found clickjacking vulnerability |
| Slack |
$100 |
Password Policy issue (Weak Protect) |
| HackerOne ★ |
- |
Cache leads to Privacy leaks |
| Mail.Ru |
- |
my.mail.ru: HTTP Header Injection |
| Mail.Ru |
$400 |
e.mail.ru: SMS spam with custom content |
| Slack |
$100 |
Open Redirect login account |
| Coinbase |
- |
2FA settings allowed to be changed with no delay/freeze on funds |
| RelateIQ |
$250 |
SSRF (Portscan) via Register Function (Custom Server) |
| RelateIQ |
$200 |
Failed Certificate Validation On Custom Server (Register) |
| Automattic |
- |
User Enumeration and Guessable User Account Attack on WORDPRESS |
| Mail.Ru |
- |
Cross Site Scripting |
| Yahoo! |
$200 |
Yahoo Sports Fantasy Golf (Join Public Group) |
| Phabricator |
$300 |
Abusing daemon logs for Privilege escalation under certain scenarios |
| Coin.co |
- |
Facilitation of XSS attacks through supporting the HTTP TRACE method (cross-site tracing) |
| The Internet |
$5,000 |
Multiple issues in looking-glass software (aka from web to BGP injections) |
| Phabricator |
$600 |
Abusing VCS control on phabricator |
| Coin.co |
- |
Wordpress readme.html / X-Powered-By-Header (low crit) |
| Coin.co |
- |
Report: Wordpress Bug! |
| Coin.co |
- |
Directory Listing |
| Coin.co |
- |
OPTIONS method is enabled |
| Coin.co |
- |
Information disclosure : Web Server Version Details |
| Coin.co |
- |
Coin.co Admin interface accessible externally |
| Localize |
- |
PHP PDOException and Full Path Disclosure |
| Mavenlink |
$50 |
Non Validation of session after password reset |
| Mail.Ru |
- |
Раскрытие полного серверного пути |
| HackerOne ★ |
$100 |
Session not invalidated after password reset |
| Automattic |
- |
Process of changing email address and password does not asks old Password. |
| Mail.Ru |
$150 |
SQL Injection on 11x11.mail.ru |
| Localize |
- |
Bug on registration as new Translator user |
| Mail.Ru |
- |
Reflected XSS |
| Mail.Ru |
- |
Перечисление каталогов за счёт уязвимости в IIS |
| FanFootage |
- |
Cookie fixation |
| FanFootage |
- |
Same user name and uuid for multiple user names |
| FanFootage |
- |
Reporting Bugs |
| Factlink |
- |
Criptographic Issue: Strisct Transport Security with not good max age..(TOO SHORT!) |
| Mail.Ru |
- |
[corp.mail.ru] CRLF Injection / Insecure nginx configuration |
| FanFootage |
- |
Session Token is not Verified while changing Account Setting's which Result In account Takeover |
| FanFootage |
- |
NO CSRF token found on user details update |
| Coinbase |
$1,000 |
Leaking CSRF token over HTTP resulting in CSRF protection bypass |
| Flash |
$3,000 |
Flash Sandbox Bypass CVE-2014-0535 |
| Twitter |
- |
XSS ON MOPUB.COM |
| Mail.Ru |
- |
Flash XSS in http://go.mail.ru |
| Yahoo! |
- |
Open Redirect via Request-URI |
| Mail.Ru |
- |
Flash XSS in http://lingvo.mail.ru |
| Twitter |
- |
Cookie not marked as secure. |
| Mavenlink |
$100 |
Password reset token not expiring |
| Twitter |
- |
XSS vulnerability in video player page |
| Twitter |
- |
Captcha bypass with extension at http://www.mopub.com/about/contact/ |
| Twitter |
- |
[mobile.twitter.com / twitter.com] CSRF protection bypass |
| Automattic |
- |
Serving Transitions From: HTTP Protocol (not secure) |
| WePay |
- |
Typical form vulnerable to csrf attack |
| Factlink |
- |
Anonymous Proxy and IP leak |
| WePay |
- |
CSRF & Nonce Token Weak Implementation |
| WePay |
$300 |
Open Redirect |
| WePay |
- |
Sensitive settings need Re authentication |
| Mavenlink |
$50 |
Clickjacking at https://www.mavenlink.com/ main website |
| Mavenlink |
$50 |
Login password guessing attack |
| WePay |
$100 |
Session fixation in wepay.com |
| Mavenlink |
- |
The web application https://mavenlink.com discloses version details of the underlying Platform / Server |
| Mavenlink |
- |
Clickjacking & CSRF attack can be done at https://app.mavenlink.com/login |
| Mail.Ru |
- |
Flash XSS - http://hi-tech.mail.ru/ |
| Factlink |
- |
Password reset link doesn't expire. |
| Automattic |
- |
genericons.com - DOM based XSS. |
| Automattic |
- |
http://jetpack.me/ Self XSS |
| InVision |
- |
Sensitive information in cookies |
| Yahoo! |
- |
Multiple vulnerabilities |
| Twitter |
- |
uclfinal.twitter.com and euro2012.twitter.com are vulnerable to CRIME attack |
| Twitter |
- |
Token remains alive ever after logging out! |
| Slack |
$300 |
SSRF on https://whitehataudit.slack.com/account/photo |
| Slack |
- |
Remote file Inclusion - RFI in upload |
| Mail.Ru |
- |
XSS in "About Video" |
| Mail.Ru |
$300 |
connect.mail.ru: SSRF |
| Automattic |
$250 |
privilege escalation |
| Automattic |
- |
information disclosure |
| Twitter |
- |
CSRF in crashlytics.com |
| Automattic |
- |
XSS on gravatar |
| HackerOne ★ |
$100 |
Potential denial of service in hackerone.com/teams/new |
| Automattic |
- |
xss in simperium.com |
| Automattic |
- |
logout csrf app.simplenote.com/logout |
| Automattic |
- |
xss in app.simplenote.com |
| Factlink |
- |
Meta characters not filtered on signup |
| Factlink |
- |
Proxy service crash DoS |
| Factlink |
- |
X/Csrf token problem |
| IRCCloud |
- |
Missing Character Restriction |
| IRCCloud |
- |
Password type input with auto-complete enabled |
| Factlink |
- |
Session not expired on logout |
| Factlink |
- |
Sign up CSRF |
| Factlink |
- |
Password Complexity very low. |
| Factlink |
- |
Missing SPF for factlink.com and Staging.factlink.com |
| Factlink |
- |
Leaking of password reset token through referer |
| Factlink |
- |
Login CSRF using Twitter oauth |
| Factlink |
- |
Url Redirection |
| Factlink |
- |
HTML5 cross-origin resource sharing |
| Factlink |
- |
Click jacking |
| Khan Academy |
- |
Unchecking hidden parameter is vulnerable to XSS-attack |
| Mail.Ru |
$1,000 |
https://217.69.135.63/rb/: money.mail.ru sources disclosure |
| Sandbox Escape |
$10,000 |
Linux PI futex self-requeue bug CVE-2014-3153 |
| Mail.Ru |
- |
touch.afisha.mail.ru: XSS |
| Khan Academy |
- |
CRLF Injection |
| Mail.Ru |
- |
files.mail.ru: XSS |
| Mail.Ru |
- |
api.video.mail.ru: XSS |
| IRCCloud |
$100 |
Host Header Injection - irccloud.com |
| Khan Academy |
- |
Suffix of url-path is vulnerable to XSS-attack |
| Localize |
- |
full path disclosure from false language |
| Mail.Ru |
- |
(m.mail.ru) Password type input with auto-complete enabled |
| Mail.Ru |
$500 |
auth.mail.ru: XSS in login form |
| Secret |
- |
secret app for iOS and android is sending some info over HTTP |
| Urban Dictionary |
- |
Open URL Redirection |
| Urban Dictionary |
- |
Open Redirection |
| Mail.Ru |
- |
Reflected XSS connect.mail.ru (IE6-IE8) |
| Localize |
- |
missing sender policy framework (SPF) |
| HackerOne ★ |
- |
Improper filtering of classes used in codeblocks in Markdown |
| Mail.Ru |
- |
Reflected XSS in User-Agent |
| Mail.Ru |
- |
Раскрытие путей сервера за счёт неопределённого индекса в сценарии /home/berserk-online.com/public_html/forum/Themes/berserker/Profile.template.php |
| HackerOne ★ |
- |
Spamming any user from Reset Password Function |
| Yahoo! |
$100 |
Testing for user enumeration (OWASP‐AT‐002) - https://gh.bouncer.login.yahoo.com |
| Yahoo! |
$50 |
Authorization issue on creative.yahoo.com |
| Faceless |
- |
Account hijacking possible through ADB backup feature |
| joola.io |
- |
X-Content-Type-Options header missing |
| Mail.Ru |
$500 |
XSS in a file or folder name |
| Mail.Ru |
$700 |
XXE and SSRF on webmaster.mail.ru |
| Secret |
- |
Content Sniffing not disabled |
| Flash |
$7,500 |
Adobe Flash Player FileReference Use-after-Free Vulnerability CVE-2014-0538 |
| ReddAPI |
- |
Content Sniffing not disabled |
| ReddAPI |
- |
Browser cross-site scripting filter misconfiguration |
| ReddAPI |
- |
Strict Transport Security Misconfiguration |
| Kadira |
- |
API keys being cached |
| Respondly |
- |
XSS in the input |
| InVision |
- |
Multiple Upload Vulnerability !File Upload + File Inclusion (Access Not Forbidden) |
| Kadira |
- |
Undeletable File |
| Kadira |
- |
MISSING SPF (Sender Policy Framework) for meteorapm.com |
| Python |
$1,500 |
Python vulnerability: reading arbitrary process memory CVE-2014-4616 |
| joola.io |
- |
Login password guessing attack |
| Yahoo! |
- |
http://us.rd.yahoo.com/ |
| CloudFlare |
- |
CSRF and No password requirement in this URL Billing Info |
| Yahoo! |
- |
TESTING FOR REFLECTED CROSS SITE SCRIPTING (OWASP‐DV‐001) |
| joola.io |
- |
SSH Port Wide Open |
| joola.io |
- |
HTTP Strict Transport Security (HSTS) Policy Not Enabled |
| Mail.Ru |
$150 |
Stored XSS on http://cards.mail.ru |
| Mail.Ru |
$300 |
Stored XSS on http://top.mail.ru |
| Mail.Ru |
$250 |
SQL injection update.mail.ru |
| CloudFlare |
- |
Password reset threshold not set |
| Musopen |
- |
Port 22 Open/Banner visible on musopen.org |
| Ian Dunn |
- |
Path Disclosure Vulnerability |
| Coinbase |
- |
Simultaneous Session Logon : Improper Session Management |
| Hubdia |
- |
Subscribe User bug |
| Musopen |
- |
USERNAME Related Issue! |
| Yahoo! |
$250 |
Infrastructure and Application Admin Interfaces (OWASP‐CM‐007) |
| Mail.Ru |
$400 |
XSS in https://e.mail.ru/cgi-bin/lstatic (Limited use) |
| 4chan |
- |
Login panel brute force attack |
| Meteor |
- |
Open Url Reditection After authentication |
| 4chan |
- |
XSS in settings |
| CloudFlare |
- |
Bug Report |
| Mail.Ru |
- |
Content Spoofing vulnerability in Mail.ru mobile |
| Yahoo! |
- |
Authentication Bypass due to Session Mismanagement |
| CloudFlare |
- |
User's data leak |
| Coinbase |
$100 |
CSRF in function "Set as primary" on accounts page |
| 99designs |
$400 |
report a reflected XSS |
| 99designs |
- |
Reflected XSS in 99designs.com |
| Yahoo! |
- |
Yahoo! Messenger v11.5.0.228 emoticons.xml shortcut Value Handling Stack-Based Buffer Overflow |
| 99designs |
- |
Insecure transition from HTTP to HTTPS in form post |
| 99designs |
- |
Server leaks version number |
| Localize |
- |
XSS in Team Only Area |
| Coinbase |
$100 |
CSRF on "Set as primary" option on the accounts page |
| Coinbase |
$1,000 |
Bypassing 2FA for BTC transfers |
| Mail.Ru |
$150 |
SQL inj |
| C2FO |
- |
All Active user sessions should be destroyed when user change his password! |
| The Internet |
$3,000 |
Bypassing Same Origin Policy With JSONP APIs and Flash |
| Slack |
$500 |
Stored XSS in slack.com (integrations) |
| RelateIQ |
- |
Old Sessions remain valid after the password change. |
| Mail.Ru |
- |
Persistent XSS in afisha.mail.ru |
| HackerOne ★ |
- |
Flooding mailbox of user |
| Mail.Ru |
$150 |
SQL |
| Mail.Ru |
$150 |
SQL inj |
| Mail.Ru |
- |
Login without SSL-Protection |
| HackerOne ★ |
$100 |
All Active user sessions should be deleted when user change his password! |
| Mail.Ru |
$200 |
Time based sql injection |
| Mail.Ru |
$200 |
SQL injection [дырка в движке форума] |
| OkCupid |
- |
XSS Vulnerability Found! |
| CloudFlare |
- |
Threat control information leak |
| Slack |
$500 |
Stored XSS Found |
| Localize |
- |
Full Path Disclosure (FPD) in www.localize.im |
| StopTheHacker |
- |
Reflected cross site scripting in login page |
| Yahoo! |
- |
Loadbalancer + URI XSS #3 |
| CloudFlare |
- |
Security issue with your "bag" script |
| Automattic |
- |
https://polldaddy.com storage.swf XSS |
| Ian Dunn |
- |
PHP and Wordpress version disclosure |
| Ian Dunn |
- |
Multiple Path Disclosure |
| HackerOne ★ |
$100 |
Anti-MIME-Sniffing header X-Content-Type-Options header has not been set. |
| Respondly |
- |
OAuth Bug |
| Ian Dunn |
$25 |
Xss in CampTix Event Ticketing |
| Ian Dunn |
$25 |
Stored XSS in all fields in Basic Google Maps Placemarks Settings |
| Mail.Ru |
$250 |
Home page reflected XSS |
| Localize |
- |
Full Path Disclosure (FPD) in www.localize.im |
| StopTheHacker |
- |
XSS 1 |
| StopTheHacker |
- |
XSS Reflected - https://www.stopthehacker.com/ |
| Respondly |
- |
Full Path Disclosure |
| Mail.Ru |
- |
Unproper usage of Mobile Number that will lead to Information Disclosure |
| Localize |
- |
Atttacker can send "Invitation Request" to a Project that is not even created yet! |
| Mail.Ru |
- |
No CSRF token used in Phone Verification POST |
| CloudFlare |
- |
Cookie missing the Secure flag |
| CloudFlare |
- |
Flash-based XSS in cdnjs.cloudflare.com subdomain |
| Localize |
- |
Criptographic Issue: Strisct Transport Security with not good max age..(TOO SHORT!) |
| Respondly |
- |
No Bruteforce Protection |
| CloudFlare |
- |
System Status Update CSRF |
| CloudFlare |
- |
XSS - http://js.cloudflare.com |
| CloudFlare |
- |
Apache Multiviews are enabled |
| StopTheHacker |
- |
XSS in Stopthehacker support |
| CloudFlare |
- |
csrf on password change functionality |
| Mail.Ru |
$150 |
localStorage не чистится после выхода |
| StopTheHacker |
- |
CSRF - Disabling orders at https://panel.stopthehacker.com/manage/disable-order/order/ID |
| CloudFlare |
- |
http://cdnjs.cloudflare.com/ Cross-site scripting 2 |
| CloudFlare |
- |
Content spoofing /CSRF at https://www.cloudflare.com/ajax/modal-dialog.html |
| Mail.Ru |
- |
Admin panel of http://tp-test1.corp.mail.ru/ is acccessible publicly |
| CloudFlare |
- |
jplayer.swf Cross-site scripting |
| StopTheHacker |
- |
Information Disclosure (FPD) - stopthehacker.com |
| CloudFlare |
- |
CSRF in Cloudflare login |
| Respondly |
- |
Deleting team members |
| Mail.Ru |
$150 |
Clickjacking |
| Mail.Ru |
- |
Reflected XSS |
| Mail.Ru |
- |
Clicjacking on Login panel |
| Mail.Ru |
- |
Xss On http://my.mail.ru/ |
| Mail.Ru |
- |
rs.mail.ru - Flash Based XSS |
| Yahoo! |
$300 |
information disclosure (LOAD BALANCER + URI XSS) |
| Yahoo! |
$500 |
https://caldav.calendar.yahoo.com/ - XSS (STORED) |
| OkCupid |
- |
Reflected XSS on www.okcupid.com/signup |
| Localize |
- |
Projects Watch or Notifications Settings Change Via CSRF |
| Respondly |
- |
Allowed method disclosure |
| Localize |
- |
No Wildcard DNS |
| Localize |
- |
Private Project Access Request Invitation Sent Via CSRF |
| Localize |
- |
Private Project Access Request Accpeted Via CSRF |
| Localize |
- |
Group Deletion Via CSRF |
| Localize |
- |
Group Creation Via CSRF |
| Localize |
- |
OPTIONS Method Enabled |
| Localize |
- |
Deleting groups in any project without permission |
| Localize |
- |
Making groups in any project without permission |
| Localize |
- |
infinite number of new project creation! |
| Localize |
- |
Full Path Disclosure / Info Disclosure in Importing XML Section! |
| Localize |
- |
Full Path Disclosure / Info Disclosure in Creating New Group |
| Localize |
- |
Full Path Disclosure (FPD) in www.localize.io |
| HackerOne ★ |
$100 |
Password Reset Bug |
| Localize |
- |
Numerous open ports/services |
| Minr.es |
- |
readable .htaccess |
| Localize |
- |
X-Content-Type-Options header missing |
| Localize |
- |
Apache Documentation |
| Respondly |
- |
X-Content-Type-Options header missing |
| Localize |
- |
Possible sensitive files |
| Localize |
- |
Login page password-guessing attack |
| Localize |
- |
Full Path Disclosure (2) |
| Respondly |
- |
XSS via Email Link |
| Localize |
- |
XSS in password |
| Localize |
- |
Full Path Disclosure |
| Respondly |
- |
HTTP Strict transport security policy not enabled |
| Localize |
- |
Sensitive file |
| Localize |
- |
CSRF in adding phrase. |
| Localize |
- |
Password type input with auto-complete enabled |
| Localize |
- |
User credentials are sent in clear text |
| Respondly |
- |
DNS Misconfiguration |
| Respondly |
- |
x-frame options-sameorigin warning |
| Localize |
- |
A Serious Bug on SIGNUP Process! |
| Secret |
- |
Login CSRF in Secret.ly |
| HackerOne ★ |
$150 |
Issue with remember_user_token |
| Localize |
- |
Information Disclosure (Directory Structure) |
| HackerOne ★ |
- |
Arbitrary file uploads to Amazon WS. |
| Respondly |
- |
Clickjacking - changing role |
| Localize |
- |
Apache2 /icons/ folder accessible |
| Localize |
- |
Assigning a non-existing role to user causes exception when opening project page |
| Respondly |
- |
XSS via Email |
| Respondly |
- |
Find, private notes Cross-site scripting. |
| Localize |
- |
No Cross-Site Request Forgery protection at multiple locations |
| Localize |
- |
Uninitialized variable error message leaks information |
| Localize |
- |
Server header - information disclosure |
| Respondly |
- |
Import emails from Gmail are activate XSS |
| Localize |
- |
Business logic Failure - Browser cache management and logout vulnerability. |
| Localize |
- |
Path Disclosure (Info Disclosure) in http://www.localize.io |
| Respondly |
- |
OAuth open redirect |
| Respondly |
- |
Persistent Cross-site scripting vulnerability settings. |
| Localize |
- |
HTML/Javascript possible in "Discussion" section of reviews |
| Localize |
- |
Full path disclosure |
| Localize |
- |
XSS in Localize.io |
| Localize |
- |
Unexpected array leaks information about the system |
| Localize |
- |
XSS in invite approval |
| Localize |
- |
XSS in main page (invitation) |
| Localize |
- |
Password Policy |
| Localize |
- |
XSS in main page |
| Localize |
- |
XSS & HTML injection |
| Localize |
- |
Stored XSS |
| Localize |
- |
Change user settings through CSRF |
| Localize |
- |
No BruteForce Protection |
| Localize |
- |
XSS in Groups |
| Localize |
- |
Sign-up Form CSRF |
| Localize |
- |
HTML Form Without CSRF protection |
| Localize |
- |
ClickJacking |
| Automattic |
- |
HTML form without CSRF protection |
| Automattic |
- |
Session Cookie without Secure flag set |
| Yahoo! |
$250 |
readble .htaccess + Source Code Disclosure (+ .SVN repository) |
| Flash |
$2,000 |
Security bypass could lead to information disclosure |
| Yahoo! |
$2,500 |
Local File Include on marketing-dam.yahoo.com |
| Yahoo! |
- |
clickjacking on leaving group(flick) |
| concrete5 |
- |
FULL PATH DISCLOSUR |
| Yahoo! |
- |
ads.yahoo.com Unvalidate open url redirection |
| Automattic |
- |
Session Cookie without Secure flag set |
| Minr.es |
- |
OPTIONS method enabled on webserver |
| Yahoo! |
$400 |
invite1.us2.msg.vip.bf1.yahoo.com/ - CSRF/email disclosure |
| Automattic |
- |
Simplenote Silverlight cross-domain policy misconfiguration |
| IRCCloud |
$100 |
Login CSRF can be bypassed (Similar approach to previous one). |
| IRCCloud |
- |
Log Out Cross site Request Forgery |
| Minr.es |
- |
Session Cookie without Secure flag set |
| Minr.es |
- |
Clickjacking: X-Frame-Options header missing |
| IRCCloud |
$1,000 |
Dangerous Persistent xss |
| IRCCloud |
- |
Unwanted Spamming Using CSRF [LOGGED IN USER] |
| Coinbase |
$100 |
2 factor authentication design flaw |
| IRCCloud |
$100 |
Host Header is not validated resulting in Open Redirect |
| IRCCloud |
- |
CSRF - Creating accounts |
| The Internet |
$7,500 |
TLS Triple Handshake Attack |
| Faceless |
- |
Bruteforce attack in login panel |
| Yahoo! |
$500 |
XSS in https://hk.user.auctions.yahoo.com |
| Yahoo! |
$250 |
Bypass of the Clickjacking protection on Flickr using data URL in iframes |
| IRCCloud |
- |
Login page password-guessing attack(Brute-force attack-High). |
| IRCCloud |
$500 |
Persistent Cross Site Scripting within the IRCCloud Pastebin |
| IRCCloud |
- |
CSRF to Account Take Over Bug |
| IRCCloud |
- |
DNS Misconfiguration |
| IRCCloud |
- |
User Account Creation CSRF |
| IRCCloud |
$100 |
iOS application does not destroy session upon logout. |
| IRCCloud |
$100 |
Bug in iOS application which could lead to unauthorised access. |
| IRCCloud |
- |
"SESSION" Cookie without HttpOnly flag set |
| IRCCloud |
$100 |
Missing X-Content-Type-Options |
| IRCCloud |
- |
Session cookie can be leaked over an unencrypted HTTP connection |
| IRCCloud |
$500 |
Full account takeover using CSRF and password reset |
| IRCCloud |
$500 |
Session Token is not Verified while changing Account Setting's which Result In account Takeover |
| IRCCloud |
- |
HTML Form without CSRF protection |
| IRCCloud |
$100 |
Leaking Referrer in Reset Password Link |
| IRCCloud |
$100 |
Bruteforcing irccloud login |
| IRCCloud |
$100 |
Unsecure cookies, cookie flag secure not set |
| IRCCloud |
$100 |
Sign up CSRF |
| IRCCloud |
$100 |
Login CSRF |
| concrete5 |
- |
XSS on [/concrete/concrete/elements/dashboard/sitemap.php] |
| concrete5 |
- |
Cross-Site Scripting in getMarketplacePurchaseFrame |
| Faceless |
- |
Blocking yourself |
| C2FO |
- |
The server supports only older protocols for HTTPS connections |
| Yahoo! |
$2,000 |
Open Proxy, http://www.smushit.com/ysmush.it/, 4/09/14, #SpringClean |
| Yahoo! |
$200 |
CSRF Token is missing on DELETE message option on http://baseball.fantasysports.yahoo.com/b1/127146/messages |
| Yahoo! |
$400 |
CSRF Token missing on http://baseball.fantasysports.yahoo.com/b1/127146/messages |
| ReddAPI |
- |
No Captcha or rate limit on Login Page |
| InVision |
- |
TLS Renegotiation and Denial of Service Attacks on InVision. |
| Yahoo! |
$3,000 |
REMOTE CODE EXECUTION/LOCAL FILE INCLUSION/XSPA/SSRF, view-source:http://sb*.geo.sp1.yahoo.com/, 4/6/14, #SpringClean |
| Yahoo! |
$500 |
Comment Spoofing at http://suggestions.yahoo.com/detail/?prop=directory&fid=97721 |
| OpenSSL |
- |
TLS heartbeat read overrun CVE-2014-0160 |
| Khan Academy |
- |
XSS at http://smarthistory.khanacademy.org |
| ReddAPI |
- |
Login page password-guessing attack |
| OkCupid |
- |
okcupid.com vulnerable to Heartbleed attack |
| Khan Academy |
- |
Open Redirection in SmartHistory KhanAcademy |
| HackerOne ★ |
- |
(lack of) smtp transport layer security |
| ReddAPI |
- |
Session Fixation Found |
| C2FO |
- |
c2fo.com is releasing sensitive Information about Database Configuration. |
| Khan Academy |
- |
Weak Ciphers Enabled |
| concrete5 |
- |
https://concrete5.org ::: HeartBleed Attack (CVE-2014-0160) |
| Khan Academy |
- |
Persistent class XSS [the fuck] |
| Khan Academy |
- |
https://www.khanacademy.org/coach/reports/activity XSS |
| Python |
$1,500 |
Integer overflow in strop.expandtabs |
| Flash |
$2,000 |
Same Origin Security Bypass Vulnerability CVE-2014-0503 |
| Khan Academy |
- |
CSRF - Adding/Removing items to cart - shop.khanacademy.org |
| Khan Academy |
- |
User guessing/enumeration at sw.khanacademy.org |
| Khan Academy |
- |
Lighttpd version disclosure / directory listing |
| Khan Academy |
- |
Possible clickjacking at shop.khanacademy.org |
| Khan Academy |
- |
Stored XSS {dangerous?} https://www.khanacademy.org/coach/roster/?listId=allStudents |
| Khan Academy |
- |
Full Path Disclosure on [smarthistory.khanacademy.org] |
| Khan Academy |
- |
https://www.khanacademy.org/login open-redirect |
| RelateIQ |
$100 |
Wildcard DNS in website |
| Khan Academy |
- |
Dom based XSS https://www.khanacademy.org/ |
| HackerOne ★ |
$150 |
creating titleless and non-closable bugs |
| Khan Academy |
- |
http://smarthistory.khanacademy.org/search-results.html XSS |
| Yahoo! |
$1,000 |
Header injection on rmaitrack.ads.vip.bf1.yahoo.com |
| Yahoo! |
$250 |
Cross-origin issue on rmaiauth.ads.vip.bf1.yahoo.com |
| Yahoo! |
$300 |
reflected XSS, http://extprodweb11.cc.gq1.yahoo.com/, 4/8/14, #SpringClean |
| Yahoo! |
$500 |
Significant Information Disclosure/Load balancer access, http://extprodweb11.cc.gq1.yahoo.com/, 4/8/14, #SpringClean |
| InVision |
$200 |
captcha missing |
| Slack |
- |
open redirect in https://slack.com |
| Slack |
$500 |
Facebook Takeover using Slack using 302 from files.slack.com with access_token |
| Slack |
$300 |
Stored XSS in Slack.com |
| Yahoo! |
- |
Information Disclosure, groups.yahoo.com,6-april-2014, #SpringClean |
| HackerOne ★ |
$100 |
Marking notifications as read CSRF bug |
| Coinbase |
$1,000 |
Multiple Issues related to registering applications |
| The Internet |
$500 |
Uncontrolled Resource Consumption with XMPP-Layer Compression |
| Coinbase |
$100 |
Coinbase Android Security Vulnerabilities |
| C2FO |
- |
Password reset token leakage through referrer at https://app.c2fo.com/password/reset/ |
| C2FO |
- |
User guessing/enumeration at https://app.c2fo.com/api/password-reset |
| Lookout |
- |
Clickjacking at https://jira.corp.lookout.com |
| C2FO |
- |
OPTIONS Method Enabled |
| Slack |
- |
TLS1/SSLv3 Renegotiation Vulnerability |
| Lookout |
- |
DOM-XSS Vulnerability |
| MS-DOS |
- |
एमएस डॉस प्राणघाती है। |
| MS-DOS |
- |
Injecting Distrust and Disbelief in Addicted Gamers |
| MS-DOS |
- |
History Disclosure of MS-Dos |
| MS-DOS |
- |
Permanent Denial of Service |
| MS-DOS |
- |
Arbitrary command execution in MS-DOS |
| MS-DOS |
- |
Bug in Source Code Files(v1.1) |
| Yahoo! |
$100 |
XSS in Yahoo! Web Analytics |
| MS-DOS |
- |
Hack administrator password even if you are a guest |
| MS-DOS |
- |
Please contact me @sehacure otherwise i am going to disclose in Full disclosure mailing list :p |
| OkCupid |
- |
Xss high issue in www.okcupid.com main domain in users signup page |
| MS-DOS |
- |
CRITICAL BUG! |
| Coinbase |
$1,000 |
Coinbase Android Application - Bitcoin Wallet Leaks OAuth Response Code |
| Yahoo! |
- |
Out of date version |
| Coinbase |
- |
IFRAME loaded from External Domains |
| Coinbase |
- |
Cookie missing the HttpOnly flag |
| Coinbase |
- |
User Enumeration, Information Disclosure and Lack of Rate Limitation on API |
| Coinbase |
- |
Improper Validation of the Referrer header leading to Open URL Redirection |
| Coinbase |
- |
Information Disclosure That shows the webroot of CoinBase Server |
| concrete5 |
- |
page_controls_menu_js can reveal collection version of page |
| concrete5 |
- |
CONCRETE5 - path disclosure. |
| concrete5 |
- |
XSS IN member List (Because of City Textbox) |
| Yahoo! |
$800 |
From Unrestricted File Upload to Remote Command Execution |
| concrete5 |
- |
XSS in private message |
| concrete5 |
- |
dashboard/pages/types [Unknown column 'Array' in 'where clause'] disclosure. |
| concrete5 |
- |
/index.php/dashboard/sitemap/explore/ Cross-site scripting |
| concrete5 |
- |
Bypass auth.email-domains |
| concrete5 |
- |
HttpOnly flag not set for cookie on concrete5.org |
| concrete5 |
- |
XSS in Theme Preview Tools File |
| Nginx |
$3,000 |
SPDY heap buffer overflow CVE-2014-0133 |
| Nginx |
$3,000 |
SPDY memory corruption CVE-2014-0088 |
| Slack |
$500 |
Duplicate of #4550 |
| Yahoo! |
- |
Open redirect on tw.money.yahoo.com |
| Slack |
$500 |
Stored XSS in Slackbot Direct Messages |
| Slack |
- |
Open Redirect in Slack |
| Yahoo! |
- |
Open URL Redirection |
| Yahoo! |
$500 |
Server Side Request Forgery |
| RelateIQ |
$100 |
TRACE disclosure attack may be possible |
| Yahoo! |
- |
Almost all the subdomains are infected. |
| Yahoo! |
- |
Stored Cross Site Scripting Vulnerability in Yahoo Mail |
| MoneyStream |
- |
Here is another XSS i got for you |
| OkCupid |
- |
XSS in okcupid.com by hamid |
| Yahoo! |
$250 |
XSS Vulnerability (my.yahoo.com) |
| OkCupid |
- |
Server leaks version number |
| OkCupid |
- |
DOM based XSS in changing email address |
| HackerOne ★ |
- |
javascript: and mailto: links are allowed on users' profiles |
| Phabricator |
$300 |
Persistent XSS: Editor link |
| OkCupid |
- |
Security issue in OkCupid |
| HackerOne ★ |
- |
Accepting Invalid characters on email address |
| HackerOne ★ |
$100 |
Securing sensitive pages from SearchBots |
| Phabricator |
$400 |
OAuth Stealing Attack (New) |
| HackerOne ★ |
- |
Adding an user email address to the list before confirming. |
| Phabricator |
$300 |
Control character allowed in username |
| Slack |
- |
User impersonation is possible with incoming webhooks |
| HackerOne ★ |
- |
Criptographic Issue: Strisct Transport Security with not good max age..(TOO SHORT!) |
| Phabricator |
$450 |
OAuth access_token stealing in Phabricator |
| Yahoo! |
- |
Clickjacking at surveylink.yahoo.com |
| Yahoo! |
- |
Authentication bypass at fast.corp.yahoo.com |
| InVision |
- |
Found a Clickjacking in blog.invisionapp.com. |
| Slack |
$500 |
flash content type sniff vulnerability in api.slack.com |
| RelateIQ |
$100 |
Captcha Bypass With Extension |
| RelateIQ |
- |
RelateIQ GWT based application visible to unauthenticated users |
| OkCupid |
- |
XSS in "Questions" search module |
| Ruby on Rails |
$1,500 |
Directory traversal attack in view resolver CVE-2014-0130 |
| Phabricator |
$300 |
UnAuthorized Editorial Publishing to Blogs |
| OkCupid |
- |
XSS in 404 page of cdn.okccdn.com |
| HackerOne ★ |
$100 |
Control Characters Not Stripped From Username on Signup |
| OkCupid |
- |
XSS - okcupid.com |
| OkCupid |
- |
Stored XSS on your site.. |
| OkCupid |
- |
Stored Cross-site scripting vulnerability in okcupid |
| Yahoo! |
$1,000 |
SQL Injection ON HK.Promotion |
| OkCupid |
- |
XSS In Profle |
| OkCupid |
- |
XSS on [okcupid.com] |
| OkCupid |
- |
Login destination open redirection |
| OkCupid |
- |
http://www.helloquizzy.com/quizzy/createlist Cross-site scripting vulnerability |
| Slack |
- |
Content Spoofing |
| OkCupid |
- |
Direct XSS vulnerabilities (persistent) in http://www.okcupid.com/profile |
| Slack |
- |
Deleting Teams implemenation |
| OkCupid |
- |
https://www.okcupid.com/hidden-users CSRF vulnerability. |
| OkCupid |
- |
Instagram Authentication - No Request Token |
| OkCupid |
- |
Users can easily be tricked into changing/disabling privacy and notification settings |
| OkCupid |
- |
http://www2.okcupid.com/profile Cross-site scripting |
| Slack |
- |
Stored XSS |
| Phabricator |
- |
CSRF token valid even after the session logout of a particular user |
| Slack |
$500 |
Reflected Xss |
| Slack |
- |
Email enumeration |
| Slack |
- |
Data exports stored on S3 can be scraped easily |
| RelateIQ |
$100 |
HTML injection in "Invite Collaborators" |
| Slack |
- |
Open redirect vulnerability |
| Slack |
- |
State parameter missing on google OAuth |
| Slack |
$500 |
Stored XSS in Channel Chat |
| Slack |
- |
Stored XSS on this link https://sehacure.slack.com/help/requests/ |
| Slack |
- |
CSRF on add comment section |
| Slack |
- |
csrf |
| Slack |
$100 |
CSRF vulnerability on https://sehacure.slack.com/account/settings |
| Slack |
$500 |
Stored XSS in username.slack.com |
| Slack |
$200 |
URL redirection flaw |
| Slack |
$200 |
Stored XSS in www.slack-files.com |
| Yahoo! |
$100 |
http://conf.member.yahoo.com configuration file disclosure |
| Yahoo! |
- |
Yahoo mail login page bruteforce protection bypass |
| HackerOne ★ |
$500 |
Weird Bug - Ability to see partial of other user's notification |
| Slack |
- |
Session Fixation disclosing email address |
| Slack |
$100 |
Slack OAuth2 "redirect_uri" Bypass |
| Slack |
$100 |
Broken Authentication (including Slack OAuth bugs) |
| Slack |
$150 |
Reflective XSS can be triggered in IE |
| RelateIQ |
$100 |
Cross Site Scripting (XSS) - app.relateiq.com |
| HackerOne ★ |
- |
Hackerone Email Addresses Enumeration |
| RelateIQ |
$100 |
XSRF token problem |
| RelateIQ |
$100 |
Value of JSESSIONID and XSRF token parameter in cookie remains same before and after login |
| RelateIQ |
- |
open redirect |
| Yahoo! |
- |
Yahoo open redirect using ad |
| Sandbox Escape |
$5,000 |
Win32k Window Handle Vulnerability (EoP) CVE-2014-0262 |
| Yahoo! |
- |
Reflected XSS in mail.yahoo.com |
| Phabricator |
$500 |
Bypass auth.email-domains (2) |
| Phabricator |
$300 |
Login CSRF using Twitter OAuth |
| Phabricator |
$1,000 |
Bypass auth.email-domains |
| HackerOne ★ |
$100 |
CSS leaks SCSS debug info |
| HackerOne ★ |
- |
harvesting attack on user registration |
| Flash |
$10,000 |
Flash double free vulnerability leads to code execution CVE-2014-0502 |
| Yahoo! |
$1,500 |
XSS on Every sports.yahoo.com page |
| Flash |
$2,000 |
Flash local-with-fileaccess Sandbox Bypass CVE-2014-0508 |
| Yahoo! |
$1,276 |
HK.Yahoo.Net Remote Command Execution |
| Yahoo! |
- |
Insufficient validation of redirect URL on login page allows hijacking user name and password |
| Flash |
$2,000 |
Handling of jar: URIs bypasses AllowScriptAccess=never CVE-2014-0491 |
| Flash |
$10,000 |
Flash type confusion vulnerability leads to code execution CVE-2013-5331 |
| Yahoo! |
- |
In Fantasy Sports iOS app, signup page is requested over HTTP |
| Yahoo! |
$1,390 |
Local file inclusion |
| Yahoo! |
- |
A csrf vulnerability which add and remove a favorite team from a user account. |
| Yahoo! |
- |
XSS Reflected - Yahoo Travel |
| Yahoo! |
$3,705 |
SQLi on http://sports.yahoo.com/nfl/draft |
| Yahoo! |
$750 |
Flickr: Invitations disclosure (resend feature) |
| HackerOne ★ |
$100 |
DNS Misconfiguration |
| Secret |
- |
Strict Transport Security on secret.ly |
| Yahoo! |
$800 |
HTML Injection on flickr screename using IOS App |
| Yahoo! |
- |
URL Redirection |
| Secret |
- |
SSL Not Enforced |
| Factlink |
- |
Proxy discloses internal web servers |
| Yahoo! |
- |
Yahoo YQL Injection? |
| Yahoo! |
- |
HTML Code Injection |
| PHP |
$1,500 |
PHP Heap Overflow Vulnerability in imagecrop() CVE-2013-7226 |
| Yahoo! |
- |
Vulnerability found, XSS (Cross site Scripting) |
| Yahoo! |
- |
ClickJacking on http://au.launch.yahoo.com |
| Yahoo! |
- |
Authentication Bypass in Yahoo Groups |
| Yahoo! |
- |
clickjacking |
| Yahoo! |
$800 |
XSS in my yahoo |
| Yahoo! |
$2,500 |
Security.allowDomain("*") in SWFs on img.autos.yahoo.com allows data theft from Yahoo Mail (and others) |
| HackerOne ★ |
- |
LinkedIN URL should be HTTPS |
| Yahoo! |
- |
Directory Traversal |
| Yahoo! |
- |
Information Disclosure |
| Yahoo! |
- |
Bypass of anti-SSRF defenses in YahooCacheSystem (affecting at least YQL and Pipes) |
| Yahoo! |
- |
XSS using yql and developers console proxy |
| Sandbox Escape |
$3,000 |
Linux 3.4+: arbitrary write with CONFIG_X86_X32 CVE-2014-0038 |
| Yahoo! |
$1,960 |
Store XSS Flicker main page |
| Yahoo! |
- |
Java Applet Execution On Y! Messenger |
| Yahoo! |
$2,173.75 |
Cross-site scripting on the main page of flickr by tagging a user. |
| Yahoo! |
$677.50 |
XSS Yahoo Messenger Via Calendar.Yahoo.Com |
| HackerOne ★ |
$100 |
Autocomplete enabled in Paypal preferences |
| Phabricator |
$300 |
Improperly implemented password recovery link functionality |
| Phabricator |
$300 |
Log in a user to another account |
| HackerOne ★ |
- |
Enumeration of users |
| HackerOne ★ |
$100 |
A password reset page does not properly validate the authenticity token at the server side. |
| HackerOne ★ |
$100 |
Information disclosure (reset password token) and changing the user's password |
| HackerOne ★ |
$100 |
Improper session management |
| HackerOne ★ |
$150 |
Switching the user to the attacker's account |
| HackerOne ★ |
$500 |
Upload profile photo from URL |
| HackerOne ★ |
$250 |
Email spoofing |
| HackerOne ★ |
$100 |
CSRF login |
| HackerOne ★ |
$150 |
Logical issues with account settings |
| PHP |
$4,000 |
PHP openssl_x509_parse() Memory Corruption Vulnerability CVE-2013-6420 |
| The Internet |
$7,500 |
TLS Virtual Host Confusion |
| The Internet |
$1,500 |
OpenSSH: Memory corruption in AES-GCM support CVE-2013-4548 |
| Ruby |
$1,500 |
Ruby: Heap Overflow in Floating Point Parsing CVE-2013-4164 |
| HackerOne ★ |
$100 |
DNS Cache Poisoning |
| HackerOne ★ |
$100 |
Flawed account creation process allows registration of usernames corresponding to existing file names |
| HackerOne ★ |
$500 |
PNG compression DoS |
| HackerOne ★ |
$250 |
GIF flooding |
| HackerOne ★ |
$500 |
Pixel flood attack |
| HackerOne ★ |
$100 |
Session not expired on logout |
| HackerOne ★ |
- |
Privilege escalation..., or not?! |
| HackerOne ★ |
$250 |
CSP not consistently applied |
| HackerOne ★ |
$500 |
RTL override symbol not stripped from file names |
| HackerOne ★ |
$100 |
Session Management |
| HackerOne ★ |
$100 |
Broken Authentication and session management OWASP A2 |
| HackerOne ★ |
$100 |
Real impersonation |
| HackerOne ★ |
- |
Flawed account creation process allows registration of usernames corresponding to existing file names |
| HackerOne ★ |
- |
Report title autocompletion |
| HackerOne ★ |
$500 |
Missing SPF for hackerone.com |
| HackerOne ★ |
- |
Login page password-guessing attack |