Public HackerOne bug reports.

Show Bounties Only

Team Bounty Title
Legal Robot - design issue exists on login page
Legal Robot - Coding error !
TTS Bug Bounty - {REDACTED}.data.gov subdomain takeover.
Legal Robot - Insufficient Security Configurability-Weak Registration Implementation-Allows Disposable Email Addresses
Legal Robot - I cant login to my account
TTS Bug Bounty - Email Spoofing - SPF record set to Neutral
TTS Bug Bounty - Email Spoofing - SPF record set to Neutral
Legal Robot - Improper error message
Legal Robot - Email Length Verification
TTS Bug Bounty - federalist.18f.gov vulnerable to Sweet32 attack
TTS Bug Bounty - Subdomain take-over of {REDACTED}.18f.gov
Legal Robot - Name can't be numbers or email
Gratipay - Reflected XSS - gratipay.com
HackerOne - IDOR on HackerOne Feedback Review
Gratipay - Gratipay rails secret token (secret_key_base) publicly exposed in GitHub
Legal Robot - Password Restriction On Change
Legal Robot - UX: JS error on Password Safety link
Gratipay - xss
Unikrn $200 HTML injection in email in unikrn.com
Legal Robot - Information disclosure
Rockstar Games $500 dom based xss in http://www.rockstargames.com/GTAOnline/ (Fix bypass)
Legal Robot - Special characters are not filtered out on profile fields
Legal Robot - Change password session fixed
Legal Robot - Weak Cryptography for Passwords
Legal Robot $20 No length limit in invite_code can cause server degradation
Legal Robot $20 CSP script-src includes "unsafe-inline"
Legal Robot $20 Improper validation of parameters while creating issues
Legal Robot $100 Update any profile
Legal Robot - Invalid Email Verification
Legal Robot $20 first name and last name restrictions bypass
Legal Robot $20 TabNabbing issue (due to taget=_blank)
Legal Robot - Tampering the mail id on chatbox
Legal Robot $20 Incorrect error message
Legal Robot $20 Incorrect email content when disabling 2FA
Legal Robot $20 Lengthy manual entry of 2FA secret
Trello $128 A CRLF injection into the redirect URL of https://trello.com/1/authorize can be used to cause a denial of service when later redirected to
Udemy - No password length restriction
ownCloud - owncloud.com open redirect
Quora $500 [Quora Android] Possible to steal arbitrary files from mobile device
WordPress - Clickjacking - https://mercantile.wordpress.org/
Snapchat $5,000 RCE/LFI on test Jenkins instance due to improper authentication flow
Gratipay - Sub domain take over in gratipay.com
Ruby - Open aws s3 bucket s3://rubyci
Udemy - CSRF Token
Legal Robot $40 Code injection
Khan Academy - Weak Bithdate Validation Implemented on Sign Up
WakaTime - Impersonation of Wakatime user using Invitation functionality.
ownCloud - This is not the security issue.
Legal Robot $20 User enumeration from failed login error message
Udemy - Violation of secure design principle
Udemy - Weak Password
Legal Robot - Mixed Content over HTTPS
Brave Software $200 URL Spoof / Brave Shield Bypass
Khan Academy - Password Functionality not working correctly
Legal Robot $20 Change password logic inversion
Legal Robot $20 Profile fields validation bypass
arxius - No Email Verification and No email sent on Forget Pasword
Phabricator - Credential gets exposed
Legal Robot - LUCKY13 (CVE-2013-0169) effects legalrobot.com
WakaTime - Failure to check password history
Legal Robot - Create Api Key is not working
Legal Robot $20 Profile shows incorrect account creation date
Legal Robot - Password Reset page Session Fixation
Legal Robot - Lack of input validation in e-mail & user name, job title, company name field
Legal Robot - SSL : breach compression attack (CVE-2013-3587) effects legalrobot.com
Coinbase - Device confirmation Flaw
Rockstar Games $500 dom based xss in https://www.rockstargames.com/GTAOnline/
Bitvise $100 The POODLE attack (SSLv3 supported)
Unikrn $50 Escaping images directory in S3 bucket when saving new avatar, using Path Traversal in filename
Boozt Fashion AB $60 Password reset token issue
Legal Robot $20 [Cross-domain Referer leakage] Password reset token leakage via referer
Automattic $225 XSS Vulnerability in WooCommerce Product Vendors plugin
Rockstar Games $600 CSRF Vulnerability allows attackers to steal SocialClub private token.
Dropbox - Missing URL sanitization in comments can be leveraged for phishing
Phabricator - Hyper Link Injection In email and Space Characters Allowed at Password Field.
Tor - [Android org.torproject.android] Possible to force list of bridges
Legal Robot $20 Token leakage by referrer header & analytics
Zomato $500 Restaurant payment information leakage
Unikrn $40 Flash CSRF: Update Ad Frequency %: [cp-ng.pinion.gg]
Frans Visits Vegas - Frans Visits Vegas Announcement
Zomato $100 Length extension attack leading to HTML injection
Legal Robot $20 No notification on change password feature
Legal Robot $20 Meta characters are not filtered into full name on profile page
Legal Robot $20 Pages don't render in old browsers like IE11
Legal Robot $60 Missing Issuer parameter on TOTP 2FA
Moneybird $50 Stored XSS at Moneybird
Legal Robot - Subdomain misconfiguration [mail.legalrobot.com]
Legal Robot $20 [New Feature] Password history check
TTS Bug Bounty $150 The Federalsit session cookie (federalist.sid) is not properly invalidated - backdoor access to the account is possible
ExpressionEngine - Potential code injection in fun delete_directory
Legal Robot $20 User enumeration
Cuvva - CSRF on cuvva.insure allows to attacker to send multiple SMS to download the app without visiting the cuvva
ExpressionEngine - Image lib - unescaped file path
Legal Robot $20 Password complexity ignores empty spaces
Legal Robot $60 Users with 2FA can have multiple sessions
Legal Robot $20 Account profile shows encryption recovery box for all users
Legal Robot $60 Enhancement: email confirmation for 2FA recovery
Legal Robot $20 Intercom chat session information persists after logout
Legal Robot $60 2FA Error Handling on Google Authenticator
Legal Robot - 2FA user enumeration via login
Legal Robot $90 2FA user enumeration via password reset
Legal Robot $40 Password complexity not evenly enforced
Legal Robot $90 Missing link to 2FA recovery code
Legal Robot $90 Missing link to TOTP manual enroll option
Legal Robot $60 Non-functional 2FA recovery codes
TTS Bug Bounty $150 Race condition on the Federalist API endpoints can lead to the Denial of Service attack
Zomato $50 Posting to Twitter CSRF on php/post_twitter_authenticate.php
Trello - Unpatched (https://hackerone.com/reports/221928)- Unviladate File Upload to XSS on trello-attachment Bucket
Grabtaxi Holdings Pte Ltd $1,000 Git repository found
Twitter $10,080 XXE on sms-be-vip.twitter.com in SXMP Processor
Coinbase $100 Information disclosure same issue #176002
Grabtaxi Holdings Pte Ltd $200 [parcel.grab.com] DOM XSS at /assets/bower_components/lodash/perf/
concrete5 - Stored XSS vulnerability in RSS Feeds Description field
Gratipay - SQL TEST
HackerOne $1,500 Reading redacted data via hackbot's answers
concrete5 - Stored XSS in Name field in User Groups/Group Details form
concrete5 - Stored XSS in Private Messages 'Reply' allows to execute malicious JavaScript against any user while replying to the message which contains payload
Grabtaxi Holdings Pte Ltd $200 Dom based xss affecting all pages from https://www.grab.com/.
WakaTime - Session Duplication due to Broken Access Control
Zomato $250 Bypass OTP verification when placing Order
Moneybird - Moneybird customers invoices leak in cacheable urls
VK.com $100 Узнать название частной группы и ее аватарку по видеоролику.
ICQ - Apache Server-Status Detected
Zomato $500 [█████████] Hardcoded credentials in Android App
Twitter $420 Open Redirect
WakaTime - by pass rate limit exceed
Pornhub - Private videos can be added to our playlists
Snapchat $250 [spectacles.com] Bypassing quantity limit in orders
Coinbase $100 Captcha Bypass in Coinbase SignUp Form
Rockstar Games $500 Reflected XSS via Double Encoding
WakaTime - [Privilege Escalation] Authenticated users can manipulate others fullname without their knowledge [Team Vector]
Zomato $300 SQL Injection, exploitable in boolean mode
WakaTime - Running 2 accounts with a single email
Mixmax - Public calendar link can be invisible
WakaTime - Password Policy Issue
TTS Bug Bounty $350 [IDOR] The authenticated user can restart website build or view build logs on any another Federalist account
TTS Bug Bounty $300 The user, who was deleted from Github Organization, still can access all functions of federalist, in case he didn't do logout
Gratipay - self cross site scripting
WakaTime - Blocking users to sign up on the site
WakaTime - No rate limit on creating private leaderboards.
Weblate - [debian.weblate.org]-Missing SPF Record
WakaTime - Sensitive Cookie Without 'HttpOnly' Flag
Zomato $1,000 Login to any account with the emailaddress
WakaTime - JSON CSRF on POST Heartbeats API
WakaTime - Bypassing Access control, changing owner's name in a private leaderboard
WakaTime - Lack of Password Confirmation When Changing Email
WakaTime - Missing Account Deletion Notification
WakaTime - Two email addresses can access the same account
WakaTime - Missing filteration of meta characters in all full name field on wakatime.com
Mapbox - null pointer dereference and segfault in tile-count-merge
TTS Bug Bounty $300 Double Stored Cross-Site scripting in the admin panel
WakaTime - No rate limiting for confirmation email, can spam anyone with confirmation emails
WakaTime - Session not expired on logout
WakaTime - No notificatoin sent on email after account deletion.
WakaTime - Clickjacking on authorized page https://wakatime.com/share/embed
WakaTime - No redirect uri for Twitter Oath resulting in token leak
WakaTime - Login page password - guessing attack
shopify-scripts $800 Use after free in mruby-mpdecimal
WakaTime - Session Not Expired On Logout
Paragon Initiative Enterprises - [Critical] billion dollars issue
WakaTime - No rate limit when creating new goals [https://wakatime.com/goals]
WakaTime - Logout CSRF
WakaTime - https://wakatime.com/ website CSP "script-src" includes "unsafe-inline"
WakaTime - Unsafe Inline and Eval CSP Usage
Mail.Ru - Open Redirect on [My.com]
WakaTime - UI Redressing on Embedded Charts
WakaTime - Add arbitrary content to Password Reset Email
WakaTime - Forgot password link doesn't expire after used, only after some hours
WakaTime - IDOR create accounts and verify them with original account email
WakaTime - Password token validation in https://wakatime.com/
WakaTime - Password reset links should expire after being used, instead of at specific time
WakaTime - [Privilege Escalation] Authenticated users can manipulate others fullname without their knowledge
WakaTime - Email Spoofing Via /api/v1/users/reset_password
WakaTime - Mailgun misconfiguration
Apache httpd (IBB) $1,500 Apache HTTP Request Parsing Whitespace Defects CVE-2016-8743
WakaTime - [https://wakatime.com/reset_password/] Leaking password reset token via referrer
WakaTime - Missing SPF Flags
Weblate - Password token validation in Weblate Bypass #2
arxius - Missing Rate Limit for Password Reset Verification - Vulnerable to brute force
Gratipay - SSl Weak Ciphers
Shopify $500 IDOR [partners.shopify.com] - User with ONLY Manage apps permission is able to get shops info and staff names from inside the shop
Weblate - Password token validation in Weblate Bypass
Weblate - Error Message When Changing Username
Weblate - Improper validation of unicode characters #3
Weblate - No Rate Limitation on Regenerate Api Key
Weblate - Previous password could set as new password
Weblate - Improper validation of unicode characters still not fixed #2
Weblate - The username of an account can be ..
Weblate - Reset password more than once with a reset link
arxius - Disclose of phpmyadmin
arxius - another local file disclosure via ffmpeg
Mixmax - SSRF via webhook
RubyGems $1,000 Installing a crafted gem package may create or overwrite files CVE-2017-0901
Mixmax - Improper parsing of input could lead to future XSS vulnerabilities in Sequences
arxius - Open redirects protection bypass
Airbnb - Call back number not verified
RubyGems - No limit of summary length allows Denail of Service CVE-2017-0900
Weblate - No filteration of null characters in name field
Rockstar Games $1,000 XSS in http://www.rockstargames.com/theballadofgaytony/js/jquery.base.js
arxius - Local File Disclosure via ffmpeg
Gratipay - Possible User Session Hijack using Invalid HTTPS certificate on inside.gratipay.com domain
Quora - Possibility of DOS Through logging System
VK.com $100 Нет маркера на добавление песни в плейлист пользователя
shopify-scripts $800 Null pointer dereference with send/method_missing
Maximum $50 Open redirect on https://werkenbijdefensie.nl/
Pornhub $500 Stored XSS in the any user profile using website link
Weblate - Improper validation of unicode characters
Gratipay - Possible user session hijack by invalid HTTPS certificate on inside.gratipay.com domain
Weblate - Persistence of Third Party Association.
Apache httpd (IBB) $1,500 ap_find_token() Buffer Overread CVE-2017-7668
Weblate - Full Name Overwrite on Third party login
Weblate - Improper validation of unicode characters still not fixed
Starbucks $2,000 Possible subdomain takeover at openapi.starbucks.com
Gratipay - CSP Policy Bypass and javascript execution Still Not Fixed
Rockstar Games $500 flash injection in http://www.rockstargames.com/IV/imgPlayer/imageEmbed.swf
Python (IBB) $500 Unsafe arithmetic in PyString_DecodeEscape
Pornhub $750 pornhub.com/user/welcome/basicinfo nickname field is vulnerable on xss
Gratipay - CSP Policy Bypass and javascript execution
Shopify $500 Stored XSS in *.myshopify.com
Zomato - xss found in zomato
Gratipay - Email Spoofing
Yelp - Firefly's verify_access_token() function does a byte-by-byte comparison of HMAC values.
Stellar.org - heap-buffer-overflow (READ of size 1) in cpptoml::parser::consume_whitespace()
Mixmax - Design issue with webhook (several) notifications on mixmax.com
Maximum $350 Open Redirect & Information Disclosure [mijn.werkenbijdefensie.nl]
Stellar.org - HTTP - Basic Authentication on https://www.stellar.org/wp-login.php
Stellar.org - Session Cookie without HttpOnly and secure flag set
Bumble - CSRF bug
Algolia - Text injection on status.algolia.com
Mixmax - Stored XSS in Templates>Enahance>Social Badges
Algolia - SAUCE Access_key and User_name leaked in Travis CI build logs
Parrot Sec - XSS on http://irc.parrotsec.org
Parrot Sec - http://lists.parrotsec.org vulnerable to MITM
Weblate - Open redirect while disconnecting Email
Mail.Ru $100 BruteForce Any [My.com] Account Credentials.
Mixmax - Stored XSS templates -> 'call for action' feature
Nextcloud - ci.nextcloud.com: CVE-2015-5477 BIND9 TKEY Vulnerability + Exploit (Denial of Service)
Shopify - SQL Exception thrown during product import
Automattic $800 SSRF and local file disclosure in https://wordpress.com/media/videos/ via FFmpeg HLS processing
Snapchat $500 CRLF Injection at vpn.bitstrips.com
HackerOne - Invitation tokens leak to Google Analytics
Mixmax - no string size restriction on team name
Mixmax - [app.mixmax.com] Stored XSS on Adding new enhancement.
Coinbase - X-Frame-Options
ExpressionEngine - Open redirects protection bypass
Cuvva - Session cookie without secure flag on https://underwriter.partner.cuvva.com
Mixmax - Email Leakage in staging environment
Mixmax - Blind SSRF due to img tag injection in career form
Starbucks - Unable to register in starbucks app
Mixmax - Missing restriction on string size of contact field
MapsMarker.com e.U. $20 Cross-site Scripting (XSS) in /updates-pro/archive/
Mixmax - [compose.mixmax.com] Stored XSS on compose.mixmax.com in contact names.
ToyTalk $200 Host Header Injection and Cache Poisoning
Mixmax - Privilege escalation-User who does not have access is able to add notes to the contact
Cuvva - Sensitive Support Mail Disclosure
Mixmax - CRLF Injection on https://vpn.mixmax.com
Mixmax - Clickjacking on Mixmax.com
Mixmax - Security Vulnerability - SMTP protection not used
Perl (IBB) $500 heap-buffer-overflow (READ of size 61) in Perl_re_intuit_start()
Mixmax - Subdomain takeover (sales.mixmax.com)
Mixmax - Possible Subdomain Takeover
Mixmax - Attacker can trick other into logging in as themselves
Mixmax - mailbomb through invite feature on chrome addon
Weblate - API Does Not Apply Access Controls to Translations
Cuvva - Missing rate-limits at endpoints
Starbucks - Full Api Access and Run All Functions via Starbucks App
Weblate - Uploaded XLF files result in External Entity Execution
Cuvva - IDOR spam anyone's cellphone number through Cuvva app link
Rockstar Games $250 Control characters incorrectly handled on Crew Status Update
Keybase $500 Universal Cross-Site Scripting in Keybase Chrome extension
Cuvva - Missing Rate limiting on https://underwriter.partner.cuvva.com/login
U.S. Dept Of Defense - Remote Code Execution (RCE) vulnerability in a DoD website
Ubiquiti Networks - CRLF Injection on openvpn.svc.ubnt.com CVE-2017-5868
Weblate - Improper Cookie expiration | Cookies Expiration Set to Future
Cuvva - Subdomain take over oh-no.cuvva.co and ohno.cuvva.co
Shopify $5,000 XSS on $shop$.myshopify.com/admin/ and partners.shopify.com via whitelist bypass in SVG icon for sales channel applications
Perl (IBB) $500 heap-buffer-overflow (READ of size 11) in Perl 5.25.x
U.S. Dept Of Defense - Remote Code Execution (RCE) in a DoD website
Cuvva - Verification code for Underwriter dashboard can be brute-forced
ThisData - Insecure Cache-Control Leading to API key Retrieval
Coinbase - Open redirect on sign in
Cuvva - Your two domain login email address are disclosed in
OLX - OLX is vulnerable to clickjaking
Cuvva - Clickjacking vulnerability in support-dashboard.corp.cuvva.co
U.S. Dept Of Defense - Remote Code Execution (RCE) vulnerability in multiple DoD websites
Gratipay - Gratipay Website CSP "script-scr" includes "unsafe-inline"
Cuvva - CRLF Injection [vpn.corp.cuvva.com] CVE-2017-5868
Snapchat $15,000 Open prod Jenkins instance
Rockstar Games $1,000 Stored XSS in profile activity feed messages
Cuvva - https://admin.corp.cuvva.co/ is vulnerable to Clickjacking attacks due to missing X-Frame-Options
Rockstar Games $1,000 Stored XSS in snapmatic comments
Cuvva - Missing rate limit on https://underwriter.partner.cuvva.com/login
Cuvva - cuvva.com website CSP "script-src" includes "unsafe-inline"
Gratipay - CSP "script-src" includes "unsafe-inline" in https://gratipay.com
Cuvva - RC4 cipher suit in use in vpn.corp.cuvva.co
Weblate - CSP "script-src" includes "unsafe-inline" in weblate.org and demo.weblate.org
Shopify $3,000 XSS on any Shopify shop via abuse of the HTML5 structured clone algorithm in postMessage listener on "/:id/digital_wallets/dialog"
Uber - Session not expired When logout [partners.uber.com]
U.S. Dept Of Defense - Arbitary file download vulnerability on a DoD website
Weblate - CSRF bypass ( Delate Source Translation From dictionaries ) in demo.weblate.org
Zomato - CSRF To Like/Unlike Photos
Cuvva - cuvva.com vulnerable to sweet32
U.S. Dept Of Defense - Arbitary file download vulnerability on a DoD website
VK.com $100 CSRF на сброс ключа трансляции.
Cuvva - Reflected XSS on Branch domain
Cuvva - No rate limiting at POST /2/2017-05-22/send_identifier_token
Weblate - Weblate |Security Misconfiguration| Method Enumeration Possible on domain
Weblate - Weblate- Banner Grabbing-Ngnix Server version
WordPress - Vulnerable to clickjacking
Legal Robot $20 Domain takeover (legalrobot.co.za)
Coinbase - CSRF bug on password change
WordPress $275 DOM Based XSS In mercantile.wordpress.org
Coinbase - Csrf bug on signup session
Trello - api flaw
concrete5 - Stored XSS in Headline TextControl element in Express forms [ concrete5 8.1.0 ]
WordPress - [mercantile.wordpress.org] Reflected XSS via AngularJS Template Injection
WordPress $275 Stored self-XSS in mercantile.wordpress.org checkout
Mail.Ru $150 XSS в портальной навигации
Weblate - Option method enabled
Zomato - Reflected XSS in Zomato Mobile - category parameter
Paragon Initiative Enterprises - Full directory path listing
Weblate - Takeover of an account via reset password options after removing the account
concrete5 - Stored XSS in Pages SEO dialog Name field (concrete5 8.1.0)
Weblate - Password token validation in https://demo.weblate.org/
Trello - XML entity expansion using svg file
Weblate - Password Restriction
Weblate - No notificatoin sent on email after account deletion.
Weblate - Adding Email lacks Password validation
Weblate - Rate Limit Issue on hosted.weblate.org
Weblate - Missing restriction on string size
Weblate - Self-XSS can be achieved in the editor link using filter bypass
Zomato - Amazon S3 bucket misconfiguration (share)
Weblate - Information Disclosure on demo.weblate.org
Nextcloud - Email Spoofing Vulnerability from nextcloud.
Weblate - Captcha bypass at registration
Weblate - Old password can be new password
Weblate - Captcha Bypass at Email Reset can lead to Spamming users.
Weblate - Login CSRF : Login Authentication Flaw
Weblate - No Rate Limiting at /contact
Weblate - Improper validation of unicode characters
Weblate - Design Flaw in session management of password reset
Weblate - Csrf in watch-unwatch projects
U.S. Dept Of Defense - Limited code execution vulnerability on a DoD website
PortSwigger Web Security - Misconfiguration: Missing Custom Error Page (CWE-12 & CWE-756)
HackerOne $10,000 WannaCrypt “Killswitch”
Quora - self xss in
Mail.Ru $500 Xss в https://e.mail.ru/
Pornhub $250 Partial disclosure of Private Videos through data-mediabook attribute information leak
Discourse $256 Any authenticated user can download full list of users, including email
Discourse $64 SSRF in upload IMG through URL
Teradici - Weak Password Policy on techsupport.teradici.com
Paragon Initiative Enterprises $50 Directory Disclose,Email Disclose Zendmail vulnerability
Maximum $50 Cross-site Scripting (XSS) on [maximum.nl]
Trello $256 Cross-Site Scripting on Trello's iPhone App
Instacart $150 Reverse Tab-nabbing at www.instacart.com/store/partner_recipe?recipe_url=
Instacart $100 XSS at in instacart.com/store/partner_recipe
shopify-scripts $100 Heap Overflow in fiber_switch triggered from Fiber.transfer
Dashlane $100 [https://www.dashlane.com] Test Panel Disclosure
Teradici - Weak password requirement on techsupport.teradici.com
U.S. Dept Of Defense - Cross-site scripting (XSS) vulnerability on a DoD website
U.S. Dept Of Defense - SQL Injection vulnerability in a DoD website
Maximum $300 IDOR in editing courses
Shopify - API Webhooks Fire And Are Unlisted After Permissions Removed
Mail.Ru $500 Xss в https://e.mail.ru/
Harvest $300 [platform.harvestapp.com] Reflected XSS in Error Message via URL parameters
Nextcloud - Nextcloud Server Remote Command Execution
Ubiquiti Networks $100 HTML Injection on airlink.ubnt.com
VK.com $1,000 local file disclosure via FFmpeg hls processing
Paragon Initiative Enterprises - Broken Authentication & Session Management - Failure to Invalidate Session on all other browsers at Password change
concrete5 - Password Reset link hijacking via Host Header Poisoning
Gratipay - Unauthorized access to the slack channel via inside.gratipay.com/appendices/chat
Mail.Ru - IDOR in tender.mail.ru leading to Information Disclosure
Mixmax - CSRF
Paragon Initiative Enterprises - no session logout after changing the password in https://bridge.cspr.ng/
Paragon Initiative Enterprises - Full Path Disclousure on https://airship.paragonie.com
Paragon Initiative Enterprises - There is an vulnerability in https://bridge.cspr.ng where an attacker can users directory
Shopify $2,000 Reflected XSS in <any>.myshopify.com through theme preview
U.S. Dept Of Defense - Information disclosure vulnerability on a DoD website
HackerOne $500 HackerOne reports escalation to JIRA is CSRF vulnerable
Shopify - Open Redirect in shopify app URL
RubyGems $500 Escape sequence injection in "summary" field CVE-2017-0899
Paragon Initiative Enterprises - Improper validation of Email
U.S. Dept Of Defense - Remote code execution (RCE) in multiple DoD websites
Paragon Initiative Enterprises - directory information disclose
U.S. Dept Of Defense - SQL Injection vulnerability in a DoD website
Paragon Initiative Enterprises $50 Cross-site-Scripting
shopify-scripts $200 OP_SCALL in LHS of a OP_ASGN resulting in arbitrary memory write
HackerOne $1,000 Changing Victim's JIRA Integration Settings Through Multiple Bugs
YouPorn - I am because bug
Nextcloud - I am because bug
Paragon Initiative Enterprises - I am because bug
Nextcloud - Wordpress Vulnerable to Potential Unauthorized Password Reset
U.S. Dept Of Defense - Cross-site scripting (XSS) vulnerability on a DoD website
Weblate - Missing filteration of meta characters in full name field on registration page https://demo.weblate.org/accounts/register
Dashlane $350 Throttling Bypass - ws1.dashlane.com
HackerOne - www.hackerone.com website CSP "script-src" includes "unsafe-inline"
Dashlane $300 Extract Billing admin email address using random team id
Weblate - Facebook share URL should be HTTPS
HackerOne - Insecure SHA1withRSA in b5s.hackerone-ext-content.com and a4l.hackerone-ext-content.com
Weblate - 7BO: Binary Option Robot URL should be HTTPS
Weblate - Account Takeover using Third party Auth CSRF
Weblate - ClickJacking on Debug
Weblate - Incorrect HTTPS Certificate
Mapbox $300 Node modules path disclosure due to lack of error handling
Weblate - full path disclosure at hosted.weblate.org/admin/accounts/profile/
Uber $2,000 phone number exposure for riders/drivers given email/uuid
Weblate - CSRF to Connect third party Account
Nextcloud - Missing Rate Limiting protection leading to mass triggering of e-mails
Dropbox - SSL Key Certificate expires
Weblate - Weak password policy
Weblate - Rate Limit Bypass on login Page
Weblate - session id missing secure flag - Hosted Website
Weblate - Invalidate session after password reset - hosted website
Weblate - Bypassing captcha in registration on Hosted site
Weblate - Open redirect while disconnecting authenticated account
Weblate - CSV Injection with the CVS export feature - Glossary
Weblate - Email verification over an unencrypted channel
WordPress - Lack of Password Confirmation when Changing Password and Email
GitLab - Missing/Breach of Internal Security Boundary - Access to Job Queue Results in Remote Code Execution
Weblate - Email spoofing at weblate.org
Nextcloud - Cross Site Scripting
Shopify - ShopifyAPI is vulnerable to timing attacks.
ownCloud - password reset email spamming
Weblate - Running 2 accounts with a single email
Weblate - Specify maximal length in translation
Weblate - HttpOnly Flag not set
Weblate - CSV export filter bypass leads to formula injection.
Weblate - Specify maximal length in new comment
Weblate - No Password Length Restriction leads to Denial of Service
Weblate - Setting a password with a single character
Weblate - Access to completion page without performing any action
Nextcloud - information disclose
Weblate - weblate.org: X-XSS-Protection not enabled
Weblate - Open redirect in Signing in via Social Sites
Weblate - No Rate Limitting at Change Password
Weblate - Self XSS at translation page through Editor Link at demo.weblate.org
Weblate - demo.weblate.org is vulnerable to SWEET32 Vulnerability
Weblate - [hosted.weblate.org]Account Takeover
Weblate - Content Spoofing
Weblate - Null Password - Setting a new password doesn't check for empty spaces
Weblate - Notify user about password change
VK.com $100 Посмотреть видеоролики, которые пользователь когда-либо скидывал в ЛС.
Weblate - Abuse of Api that causes spamming users and possible DOS due to missing rate limit
Weblate - Missing DMARC on weblate.org
Weblate - Abuse of Api that causes spamming users and possible DOS due to missing rate limit on contact form
Weblate - User Enumeration when adding email to account
Weblate - Spamming any user from Reset Password Function
Weblate - Existing sessions valid after removing third party auth
Weblate - Weak e-mail change functionality could lead to account takeover
Weblate - Content Spoofing in error message
Weblate - Missing restriction on string size of Full Name at https://demo.weblate.org/accounts/register/
Weblate - Open SMTP port can let anyone send email from mail.chihar.com
Weblate - Improper access control when an added email address is deleted from authentication
Weblate - Content Spoofing
Weblate - Login using disconnected google account i.e login using old email id
Weblate - hosted.weblate.org: X-XSS-Protection not enabled
Weblate - Clickjacking docs.weblate.org
Weblate - Directory Listing
Weblate - You can simply just use passwords that simply are as 123456
Weblate - CSRF - Changing the full name / adding a secondary email identity of an account via a GET request
Weblate - Improper Password Reset Policy on https://hosted.weblate.org/
Weblate - Insecure Account Removal
Weblate - Web server is vulnerable to Beast Attack
Weblate - CSRF : Lock and Unlock Translation
Weblate - CSV Injection with the CSV export feature
Weblate - Already Registered Email Disclosure
Weblate - Activation tokens are not expiring
Weblate - No BruteForce Protection
Weblate - CSRF : Reset API
Weblate - [demo.weblate.org] Stored Self-XSS via Editor Link in Profile
Weblate - Logout CSRF
Weblate - No expiration of session ID after Password change
Weblate - Open Redirect via "next" parameter in third-party authentication
Weblate - Registration captcha bypass
Uber $8,500 SAML Authentication Bypass on uchat.uberinternal.com
Phabricator $300 IRC-Bot exposes information
Nextcloud - Stored XSS in Gallery application (NC-SA-2017-010) CVE-2017-0893
Nextcloud - Content (Text) Injection at https://nextcloud.com
Nextcloud - Clickjacking In https://demo.nextcloud.com
Mapbox $500 Open Aws Amazon S3 Buckets
Nextcloud - Possible SSRF in email server settings(SMTP mode)
Nextcloud - The email API to test email-server settings is unlimited and can be used as a email bomb
Pornhub - XSS on pornhubselect.com
Pornhub $350 Mixed Reflected-Stored XSS on pornhub.com (without user interaction) in the playlist playing section
shopify-scripts $800 heap-use-after-free in mrb_vm_exec - vm.c:1247
ICQ $1,000 Дубликат: https://hackerone.com/reports/219171 (доступ к аккаунту, через сброс пароля)
WordPress $150 Stored but [SELF] XSS in mercantile.wordpress.org
shopify-scripts $100 heap use after free in fiber_switch
Homebrew - Stack Trace on jenkins.brew.sh
Homebrew - [bot.brew.sh] Full Path Disclosure
OWOX, Inc. - Broken Authentication & Session Management (Login Bypass) at support.owox.com
Nextcloud - The email API to reset password is unlimited and can be used as a email bomb
Homebrew - Sensitive information disclosure via response headers on jenkins.brew.sh
Nextcloud - Content Spoofing/Text Injection in https://demo.nextcloud.com
WordPress $387.50 Reflected XSS at https://da.wordpress.org/themes/?s= via "s=" parameter
The Internet $500 Mercurial can be tricked into granting authorized users access to the Python debugger CVE-2017-9462
Homebrew - Server version disclosure on [jenkins.brew.sh]
Phabricator - The special code in editor has no Authority control and can lead to Information Disclosure
Phabricator - The mailbox verification API interface is unlimited and can be used as a mailbox bomb
Trello $128 Malicious file can be hidden as Card Attachment or Card Cover image
Homebrew - Host header Injection
WordPress $275 XSS in the search bar of mercantile.wordpress.org
YouPorn $250 DOM-based XSS on youporn.com (main page)
Homebrew - [https://jenkins.brew.sh] Jenkins in Debug Mode with Stack Traces Enabled
OpenSSL (IBB) $500 Excessive allocation of memory in dtls1_preprocess_fragment() (CVE-2016-6308) CVE-2016-6308
OpenSSL (IBB) $500 Excessive allocation of memory in tls_get_message_header() (CVE-2016-6307) CVE-2016-6307
OpenSSL (IBB) $500 Certificate message OOB reads (CVE-2016-6306) CVE-2016-6306
OpenSSL (IBB) $500 OOB read in TS_OBJ_print_bio() (CVE-2016-2180) CVE-2016-2180
OpenSSL (IBB) $500 OOB write in BN_bn2dec() (CVE-2016-2182) CVE-2016-2182
OpenSSL (IBB) $500 Malformed SHA512 ticket DoS (CVE-2016-6302) CVE-2016-6302
OpenSSL (IBB) $500 OOB write in MDC2_Update() (CVE-2016-6303) CVE-2016-6303
ok.ru $300 Blind SQL Injection
WordPress - Administrator(s) Information disclosure via JSON on wordpress.org
shopify-scripts $800 Null pointer dereferences in kh_copy_mt
Brave Software - homograph-attack (unicode vuln)
concrete5 - Stored XSS in RSS Feeds Title (Concrete5 v8.1.0)
GlobaLeaks - Information Disclosure
Twitter $560 HTTP 401 response injection on "amp.twimg.com/amplify-web-player/prod/source.html" through "image_src" parameter
concrete5 - Stored XSS in Express Objects - Concrete5 v8.1.0
Nextcloud - GIT Detected
Starbucks - Java Deserialization RCE via JBoss on card.starbucks.in
LibSass - heap-use-after-free in Sass::SharedPtr::incRefCount()
LibSass - null pointer dereference in Sass::Eval::operator()(Sass::Map*)
shopify-scripts $800 heap-buffer-overflow (read outside of buffer) in mrb_vm_exec()
Nextcloud - CSRF token validation is missing
Nextcloud - https://portal.nextcloud.com/.htaccess file is readable
Phabricator - Autoclose can close any task regardless of policies/spaces
Open-Xchange $200 Critical : View/Edit access to private appointments of calendar folder by read only user (Vertical privilege escalation)
Open-Xchange $200 Unauthorized access to attachments details of Private Calendar appointments (Access control issue)
Mavenlink $50 Tabnabbing via Window.Opener @Mavenlink
Ubiquiti Networks $100 Expired SSL certificate
Algolia $200 [GitHub Extension] Unsanitised HTML leading to XSS on GitHub.com
HackerOne $750 Race condition leads to duplicate payouts
Skyliner - Password reset Token not expiring
Ubiquiti Networks - 200 http code in 403 forbidden directories on main Ubnt.com domain
HackerOne $500 Subdomain takeover #4 at info.hacker.one
shopify-scripts $100 mirb only: stack-buffer-overflow (OOB write) in main()
Maximum $25 XSS
U.S. Dept Of Defense - Reflected XSS on a DoD website
VK.com $100 api.vk.com отдаёт в ответ HTML авторизированную страницу vk.com
Dovecot $600 Dovecot authentication is vulnerable to timing attacks.
Gratipay - Transferring incorrect data to the http://gip.rocks/v1 endpoint with correct Content-Type leads to local paths disclosure through the error message
Mail.Ru - Open Redirection at https://it.mail.ru/
Gratipay - POODLE SSLv3.0
Mail.Ru - Open Redirect
shopify-scripts $100 Invalid Pointer reference in L_RESCUE
Harvest $400 Client can redirect payment, causing payment discrepancy between Harvest and PayPal
Uber $5,000 Authentication bypass on auth.uber.com via subdomain takeover of saostatic.uber.com
Harvest - Login bypass on travel.██████████ aka "Harvest Spring Summit 2017"
Twitter $280 [██████████.gnip.com] .htpasswd disclosure
Open-Xchange $200 Resend invitation to members by Read only user(Privilege Escalation)
VK.com $2,000 Возможность взлома любого пользователя, не использующего двухфакторной аутентификации, через получения кода восстановления на чужой номер.
Ubiquiti Networks $150 XSS
Ubiquiti Networks $500 [dev-unifi-go.ubnt.com] Insecure CORS, Stealing Cookies
Nextcloud - Share tokens for public calendars disclosed (NC-SA-2017-011) CVE-2017-0894
GitLab - Stored XSS on Files overview by abusing git submodule URL
shopify-scripts $100 SIGABRT in sym_validate_len - symbol.c:44
Adobe - Parameter tampering can result in product price manipulation
Nextcloud - Design Issues on ( ███ ) Lead to show ( IPS of Users )
HackerOne - Example HackerOne security@ forward domain is not registered
Coinbase $100 [buy.coinbase.com]Content Injection
shopify-scripts $800 Invalid pointer dereference in OP_ENTER
shopify-scripts $800 SIGSEGV in array_copy - array.c:71
Twitter $560 [Gnip Blogs] Reflected XSS via "plupload.flash.swf" component vulnerable to SOME
Ruby - RCE (Remote Code Execution) Vulnerability on Ruby
Phabricator - An unsafe design practice in the Passphrase may result in Secret being accidentally changed.
Kaspersky Lab $400 In App purchase Hack
Automattic $500 An Automattic employee's GitHub personal access token exposed in Travis CI build logs
shopify-scripts $800 Null pointer dereference in OP_ENTER
Starbucks $500 Stored XSS in comments on https://www.starbucks.co.uk/blog/*
Nextcloud - Directory Listing In Subdomain Of nextcloud.com
U.S. Dept Of Defense - Reflected XSS vulnerability on a DoD website
RubyGems $1,000 Request Hijacking Vulnerability in RubyGems 2.6.11 and earlier CVE-2017-0902
Shopify $1,000 XSS in $shop$.myshopify.com/admin/ via twine template injection in "Shopify.API.Modal.input" method when using a malicious app
U.S. Dept Of Defense - Information disclosure vulnerability on a DoD website
Shopify $800 XSS in $shop$.myshopify.com/admin/ via "Button Objects" in malicious app
shopify-scripts $800 kh_put_iv SEGFAULT - mruby 1.2.0
Maximum $300 Possible to view and takeover other user's education and courses @ mijn.werkenbijdefensie.nl
Maximum $150 Possible to unsubscribe from activities using CSRF @ mijn.werkenbijdefensie.nl
Udemy - sweet32
Starbucks - [connect.teavana.com] Open Redirect and abuse of connect.teavana.com
ownCloud - doc.owncloud.com: CVE-2015-5477 BIND9 TKEY Vulnerability + Exploit (Denial of Service)
HackerOne $1,000 Subdomain takeover #3 at info.hacker.one
U.S. Dept Of Defense - Reflected XSS in a DoD Website
shopify-scripts $100 SIGSEGV in mrb_vm_exec
shopify-scripts $800 SIGSEGV in mrb_str_inum
HackerOne - CRLF injection in info.hacker.one
Mail.Ru $750 Stored XSS in e.mail.ru (payload affect multiple users)
Dropbox - CSV Injection with the CVS export feature
shopify-scripts $800 Heap Buffer Overflow in mrb_hash_keys
OpenSSL (IBB) $2,500 OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
Nextcloud $450 Reflected XSS in error pages (NC-SA-2017-008) CVE-2017-0891
Pornhub $250 Reflected XSS in login redirection module
Phabricator $750 Phabricator is vulnerable to padding oracle attacks and chosen-ciphertext attacks.
shopify-scripts $800 SIGABRT - in free
shopify-scripts $800 heap use-after-free in mrb_vm_exec()
U.S. Dept Of Defense - SQL Injection vulnerability in a DoD website
shopify-scripts $800 Crash in ary_concat()
Pornhub - Reflected XSS on ht.pornhub.com - /export/GetPreview
GitLab - Unfiltered `class` attribute in markdown code
Shopify $500 Full access at an internal service of Shopify
Pornhub $500 Blind Stored XSS against Pornhub employees using Amateur Model Program
Uber - deleting payment profile during active trip puts account into arrears but active trip is temporarily “free”
shopify-scripts $800 Null pointer dereferences in mrb_get_args
Legal Robot - Big XSS vulnerability!
Urban Dictionary - Session replay vulnerability in www.urbandictionary.com
GitLab - CSV injection in gitlab.com via issues export feature.
Udemy - CSRF Token Design Flaw
GitLab - [Repository Import] Open Redirect via "continue[to]" parameter
shopify-scripts $800 SIGABRT in mrb_debug_info_append_file
shopify-scripts $800 Null pointer dereference in mrb_class
shopify-scripts $300 Garbage collector crash
HackerOne $2,000 A HackerOne employee's GitHub personal access token exposed in Travis CI build logs
shopify-scripts $800 SIGSEGV in mrb_class
ownCloud $150 HTML Injection in Owncloud
GitLab - [Subgroups] Unprivileged User Can Disclose Private Group Names
Twitter $2,520 CSRF on Periscope Web OAuth authorization endpoint
Nextcloud - Server version/OS type disclosure via HTTP Response Header
VK.com $200 Подмена SSL-сертификата для любой группы в секции Управление группой->Работа с API неавторизированным пользователем.
Ubiquiti Networks $6,000 Ability to log in as any user without authentication if █████████ is empty
Brave Software $100 [iOS] URL can be replaceState by blob URL in iOS Brave
shopify-scripts $800 SIGSEGV in mrb_vm_exec
HackerOne $500 Report invitation links not restricted to any existing user
Rockstar Games $350 Profile bio at rockstar is accepting control characters
shopify-scripts $800 Null pointer dereference in ary_concat
Mail.Ru - Reflected XSS on frag.mail.ru
CloudFlare - Cloudflare based XSS for IE11
Shopify $500 Stored passive XSS at scheduled posts (kitcrm.com)
shopify-scripts $100 SIGABRT - mirb - Double Free
Rockstar Games $350 Login form on non-HTTPS page
Airbnb - Nginx Version Disclosure
Mail.Ru - Stored XSS
Gratipay - Content-Length restriction bypass to heap overflow in gip.rocks.
Blockchain - HTTP Header Injection/HTTP_Response_Splitting
Trello $768 Rate limiting of incorrect Two Factor Authentication codes not enforced
Nextcloud - Content spoofing due to the improper behavior of the 403 page
shopify-scripts $800 Null pointer dereferences in ary_concat
Yelp $100 Clickjacking Vulnerability found on Yelp
Shopify $1,500 Stored XSS in [shop].myshopify.com/admin/orders/[id]
GitLab - Open redirect
Discourse $512 Admin Command Injection via username in user_archive ExportCsvFile
BrickFTP $600 File access controls incorrectly enforced for files shared via QuickLink - Unshared files can be accessed
shopify-scripts $800 SIGABRT - mirb and mruby
Shopify - Setting Arbitrary Cookie at kitcrm.com
Phabricator $600 Differential "Show Raw File" feature exposes generated files to unauthorised users
Legal Robot $60 Token leakage by referrer
Nextcloud - Update php-saml library to 2.10.5
shopify-scripts $800 SIGSEGV - mrb_obj_value
U.S. Dept Of Defense - Remote Command Execution on a DoD website
Legal Robot - Password Policy Bypass
Discourse $512 Arbitrary Local-File Read from Admin - Restore From Backup due to Symlinks
Trello - Phone verification code fails to expire and can be used multiple times also in different accounts to verify same cellphone number on Trello.com
Trello - Email authentication token fails to expire and can be used multiple times for same Email address on Trello.com
Nextcloud - Content Spoofing/Text Injection in nextcloud.com
Nextcloud - SSRF at apps.nextcloud.com/developer/apps/releases/new
shopify-scripts $800 Use-after-free leading to an invalid pointer dereference
shopify-scripts $100 SIGSEGV in str_buf_cat
U.S. Dept Of Defense - Blind SQLi vulnerability in a DoD Website
Nextcloud $250 DOM XSS vulnerability in search dialogue (NC-SA-2017-007) CVE-2017-0890
Starbucks - Reflected XSS in openapi.starbucks.com /searchasyoutype/v1/search?x-api-key=
Legal Robot $40 Password reset form ignores email field
GitLab - Gitlab.com is vulnerable to reverse tabnabbing via AsciiDoc links. (#3)
U.S. Dept Of Defense - Remote Code Execution (RCE) in a DoD website
Nextcloud - Invalid request may lead content spoofing for phishing
U.S. Dept Of Defense - Remote code execution vulnerability on a DoD website
shopify-scripts $800 SIGABRT in only mirb
Nextcloud - Content spoofing due to the improper behavior of the 403 page
HackerOne $750 IE 11 Self-XSS on Jira Integration Preview Base Link
Imgur $5,000 RCE by command line argument injection to `gm convert` in `/edit/process?a=crop`
GitLab - Gitlab.com is vulnerable to reverse tabnabbing. (#2)
Trello - Exporting JSON of other Boards
shopify-scripts $800 SIGSEGV - kh_get_n2s - in /src/symbol.c:37
Ubiquiti Networks - XSS via SVG file
shopify-scripts $100 sprintf gem - format string combined attack
shopify-scripts $800 Null pointer dereference in mrb_class
shopify-scripts $800 SIGSEGV - mrb_yield_with_class
Algolia $100 An “algobot”-s GitHub access token was leaked
U.S. Dept Of Defense - Remote Code Execution (RCE) in a DoD website
Starbucks - Unable to register in starbucks IN app
Moneybird $50 Stored Cross Site Scripting in Customer Name
Shopify $500 Stealing users' facebook access tokens - kitcrm.com
Rockstar Games $150 Source Code Disclosure (CGI)
U.S. Dept Of Defense - Remote Code Execution (RCE) in a DoD website
Nextcloud - https://xmpp.nextcloud.com///;@www.google.com allows open redirect
Nextcloud - Version 4.7.2 of wordpress is vulnerable
Gratipay $1 Inadequate/dangerous jQuery behavior
VK.com $200 Написать от имени любого пользователя на его стене, если он перейдет по ссылке. https://vk.com/al_video.php
GitLab - Gitlab.com is vulnerable to reverse tabnabbing.
shopify-scripts $800 Null pointer dereference in 'get_file'
Rockstar Games $350 Control Character Injection In Messages
LocalTapiola $100 XSS on 3rd party service Localtapiola is using
Rockstar Games $300 use of unsafe host header leads to open redirect
shopify-scripts $800 Null pointer dereferences from mrb_vm_exec
Slack $850 Bypass to postMessage origin validation via FTP
Rockstar Games $150 Full path Disclosure in Rockstargames.com/img/global/
U.S. Dept Of Defense - Information disclosure vulnerability on a DoD website
shopify-scripts $800 mrb_vm_exec - null ptr dereference
Mail.Ru - Open Redirect
Rockstar Games $150 SSLv3 POODLE Vulnerability
shopify-scripts $800 Invalid Pointer Reference from OP_RESCUE
HackerOne $500 Transitioning a Private Program to Public Does Not Clear Previously Private Updates to Hackers
Ubiquiti Networks - Subdomain takeover on https://cloudfront.ubnt.com/ due to non-used CloudFront DNS entry
shopify-scripts $800 SIGSEGV - mark_context_stack
HackerOne $100 javascript: and mailto: links are allowed in JIRA integration settings
Gratipay - URL Given leading to end users ending up in malicious sites
shopify-scripts $800 Heap buffer overflow in mruby value_move
Starbucks $250 DOM XSS on teavana.com via "pr_zip_location" parameter
Greenhouse.io - Content Spoofing on link.greenhouse.io
shopify-scripts $800 Heap buffer overflow with long array assignment
LocalTapiola $264 HTML Injection in email from http://www.lahitapiola.fi/henkilo/sivut/tonttutesti
Ruby $500 public report - Reproducible - Writable RubyCi Amazon s3 bucket[207053]
Ruby $500 Open S3 Bucket WriteAble To Any Aws User
HackerOne $1,000 Subdomain takeover #2 at info.hacker.one
Twitter $7,560 [URGENT] Opportunity to publish tweets on any twitters account
Brave Software - Address bar spoofing in Brave browser via. window close warnings
BrickFTP $100 CSRF @ configuration
Udemy $50 Subdomain Takeover at Landing.udemy.com
VK.com $100 Обход: "Аудиозапись недоступна для прослушивания в Вашем регионе."
Ubiquiti Networks $100 Reflected cross-site scripting (XSS) vulnerability in scores.ubnt.com allows attackers to inject arbitrary web script via p parameter.
ownCloud - Outdated Jenkins server hosted at OwnCloud.org
U.S. Dept Of Defense - Cross-site scripting (XSS) vulnerability on a DoD website
shopify-scripts $800 Null pointer dereference in mark_context_stack
U.S. Dept Of Defense - Remote file inclusion vulnerability on a DoD website
Lyst $100 Site configured improperly at subdomain of lyst.co.uk
HackerOne - Able to create basic user account via Google login on HackerOne Drupal CMS
shopify-scripts $100 Memory corrouption in mrb_gc_mark
LocalTapiola $200 Brute force unsubscription on /webApp/unsub_sb (viestinta.lahitapiola.fi)
LocalTapiola $50 /icons/README is still available on viestinta.lahitapiola.fi
Perl (IBB) $1,000 read outside of buffer (heap buffer overflow) in S_regmatch - regexec.c:6057
Pornhub $50 http://ht.pornhub.com/ stored XSS in widget stylesheet
U.S. Dept Of Defense - Reflected XSS vulnerability in a DoD website
shopify-scripts $800 Heap use-after-free in mrb_vm_exec
Ubiquiti Networks $1,000 sqli
Shopify $500 Subdomain takeover on s3.shopify.com
Khan Academy - No Security check at changing password and at adding mobile number which leads to account takeover and spam
Khan Academy - SSL/TLS Vulnerability at khanacademy.org
Dovecot - SSL Certification Expired And TLS Vulnerability
Lyst $100 Mixed Active content issue on https://www.lyst.com
shopify-scripts $100 Controlled address leak due to type confusion - ASLR bypass
HackerOne $750 Information leakage via CSV when content is valid JavaScript
U.S. Dept Of Defense - Potentially sensitive information disclosure on a DoD website
Slack $3,000 Stealing xoxs-tokens using weak postMessage / call-popup redirect to current team domain
U.S. Dept Of Defense - Insecure Direct Object Reference (IDOR) vulnerability in a DoD website
Ruby $500 Writable RubyCi Amazon s3 bucket
HackerOne $1,500 Stealing contact form data on www.hackerone.com using Marketo Forms XSS with postMessage frame-jumping and jQuery-JSONP
ownCloud - HTML injection in Desktop Client
Uber $2,500 SQL injection in 3rd party software Anomali
Robinhood $100 Open Redirect located at https://www.robinhood.com/oauth2/authorize/?
YouPorn $100 XSS via login cookie
OLX - Subdomain Takeover (http://docs.olx.ph/ , http://calendar.olx.ph/, http://sites.olx.ph/)
PortSwigger Web Security - Email Spoofing
Starbucks $750 Persistent CSRF in /GiftCert-AddToBasket prevents purchases on eCommerce sites
shopify-scripts $800 Heap Buffer Overflow while processing OP_SEND
Imgur $2,500 Remote Code Execution on Git.imgur-dev.com
OLX - Reflected XSS in olx.pt
shopify-scripts $800 mruby heap use-after-free
OWOX, Inc. - Subdomain takeover in many subdomains
Boozt Fashion AB - Application code is not obfuscated -- OWASP M9 (2016)
LocalTapiola $50 show control page if you insert ' at http://viestinta.lahitapiola.fi/
shopify-scripts $100 Interger overflow in str_substr leading to read/write out of bound memory
shopify-scripts $800 Use After Free in mrb_vm_exec
OLX - Combined attacks leading to stealing user's account
shopify-scripts $800 Heap Buffer overflow in mrb_ary_unshift
GitLab - [Textile] XSS in project README files
GitLab - [reStructuredText] XSS in project README files
shopify-scripts $100 SIGABRT - method_missing - mark_context_stack
Nextcloud - Missing SPF Flags on nextcloud.com
Zopim $50 express config leaking stacktrace
Informatica - [wave.informatica.com]- Subdomain missconfiguration
Uber $1,500 pam-ussh may be tricked into using another logged in user's ssh-agent
shopify-scripts $800 A crash when an exception is caught in a caller and the receiver returned from `ensure`
shopify-scripts $100 segafult in mruby's sprintf - mrb_str_format
WordPress $350 Infrastructure - Photon - SSRF
shopify-scripts $800 Heap buffer oveflow with many arguments
Rockstar Games $1,400 <- Critical IDOR vulnerability in socialclub allow to insert and delete comments as another user and it discloses sensitive information ->
LocalTapiola $315 High server resource usage on captcha (viestinta.lahitapiola.fi)
Brave Software - Clickjacking or URL Masking
Ubiquiti Networks - Weak credentials for nutty.ubnt.com
YouPorn - [Android API] SQL injection ( errortoken.json )
shopify-scripts $1,000 Segmentation fault while printing backtrace
YouPorn $250 Reflected XSS in Meta Tag
YouPorn $2,500 Time Based SQL-inject in post-parametr login[username] [domain - youporn.com]
Informatica - Stored XSS via Discussion Title and Send as Email attribute in [marketplace.informatica.com]
Greenhouse.io $100 Open Redirect in <customer>.greenhouse.io
Ubiquiti Networks $150 AirFibre products vulnerable to HTTP Header injection
Phabricator - Restricted file access when it exists in old versions of task or wiki document
Phabricator - Enumerating emails through "Forgot Password" form
U.S. Dept Of Defense - Remote code execution vulnerability on a DoD website
shopify-scripts $800 forgot to add the patch
Nextcloud $183 Calendar and addressbook names disclosed (NC-SA-2017-012) CVE-2017-0895
WordPress $350 Wordpress 4.7.2 - Two XSS in Media Upload when file too large.
shopify-scripts $100 SIGSEGV - mrb_vm_exec - line:1312
Gratipay - HTTP trace method is enabled on aspen.io
Ubiquiti Networks - Content Spoofing or Text Injection in (403 forbidden page injection) and Nginx version disclosure via response header
Gratipay - Content length restriction bypass can lead to DOS by reading large files on gip.rocks
Gratipay - HTTP trace method is enabled on gip.rocks
U.S. Dept Of Defense - Bypass file access control vulnerability on a DoD website
Algolia $100 Reflected XSS
Brave Software - Brave payments remembers history even after clearing all browser data.
U.S. Dept Of Defense - Cross-site scripting (XSS) on a DoD website
YouPorn $150 Find whether a video has been favourited or not, for any user [via YouPorn Mobile API]
Informatica - [marketplace.informatica.com]- Stored XSS on Image title and Edit Property
Pornhub $1,500 Wordpress Content injection
Pornhub - Debug.log file Exposed to Public \Full Path Disclosure\
Zomato - Unauthorised Access to Anyone's User Account
OLX - yaman.olx.ph/wordpress is using a very vulnerable version of WordPress and contains directory listing
Twitter $7,560 Vine all registered user Private/sensitive information disclosure .[ Ip address/phone no/email and many other informations ]
U.S. Dept Of Defense - Cross-site request forgery (CSRF) vulnerability in a DoD website
WebSummit - found a vulnerability in your website
ExpressionEngine - Type Juggling -> PHP Object Injection -> SQL Injection Chain
HackerOne $1,000 Subdomain takeover at info.hacker.one
VK.com $400 Missing Server Side Rate Limiting can Lead to VK Account Take over
Mapbox $750 Public access to objects in AWS S3 bucket
arxius - XSS in content type header when uploading file.
U.S. Dept Of Defense - Remote command execution (RCE) vulnerability on a DoD website
U.S. Dept Of Defense - SQL injection vulnerability on a DoD website
shopify-scripts $800 Denial of service (segfault) due to null pointer dereference in mrb_vm_exec
shopify-scripts $800 Denial of service (segfault) due to null pointer dereference in mrb_obj_instance_eval
Pornhub $250 XSS Vulnerability at https://www.pornhubpremium.com/premium_signup? URL endpoint
Pornhub $250 [xss] pornhubpremium.com, /redeem?code= URL endpoint
Phabricator $300 User with only Viewing Privilege can send message to Room
U.S. Dept Of Defense - Stored XSS vulnerability on a DoD website
shopify-scripts $100 Null pointer dereference in mrb_random_initialize
Coinbase - Requestor Email Disclosure via Email Notification
Instacart $100 Login with Google Not Authenticated on iOS App
Ubiquiti Networks $600 Wordpress directories/files visible to internet
Mail.Ru - Disclosure of information on static.dl.mail.ru
YouPorn $1,000 Account hijack via deleted PH account
shopify-scripts $800 SIGSEGV - vm.c - line:1214
shopify-scripts $100 Segmentfault at mrb_vm_exec
shopify-scripts $2,000 Recursion causing uninitialized memory reads leading to a segfault
Coinbase - Information disclosue in Android Application
Automattic $250 cloudup Subdomain Takeover That resolves to Desk.com ( CNAME cloudup.desk.com )
LocalTapiola $400 Single user DOS on selectedLanguage -cookie (yrityspalvelu.lahitapiola.fi)
Ubiquiti Networks $150 Can upload files without authentication on AirFibre 3.2
Zomato - test.zba.se is vulnerable to SSL POODLE
U.S. Dept Of Defense - SQL Injection vulnerability in a DoD website
Nextcloud - Wordpress 4.7.1
OpenSSL (IBB) $1,000 CVE-2017-3730: Bad (EC)DHE parameters cause a client crash
LocalTapiola $100 Enumeration in unsubscribe -function of /omatalousuk (viestinta.lahitapiola.fi)
Twitter $5,040 Attacker can get vine repost user all informations even Ip address and location .
Informatica - [ipm.informatica.com]- Broken Authentication
LocalTapiola $150 Reflected XSS on iltakoulu_varkaus (viestinta.lahitapiola.fi)
PHP (IBB) $500 Out of bounds memory read in unserialize() CVE-2016-10161
Algolia $100 [github.algolia.com] DOM Based XSS github-btn.html
shopify-scripts $100 heap-use-after-free /home/operac/testafl/mruby/mrubylast/mruby/src/gc.c
LocalTapiola $1,350 SQL Injection /webApp/cancel_iltakoulu regId parameter (viestinta.lahitapiola.fi)
Nextcloud - Email Spoofing
Ubiquiti Networks $100 [nutty.ubnt.com] DOM Based XSS nuttyapp github-btn.html
Boozt Fashion AB - Email spoofing at booztlet.com
GitLab - [RDoc] XSS in project README files
LocalTapiola $50 CSRF bypass + XSS on verkkopalvelu.tapiola.fi
U.S. Dept Of Defense - SQL injection vulnerability on a DoD website
Dovecot - Information About Your System(Sensitive Directories)
Alvosec $3 Alvocrypt uses a cryptographically insecure PRNG.
Slack $1,000 Access of Android protected components via embedded intent
Pushwoosh - Clickjacking
shopify-scripts $100 Incorrect code generation with redo inside NODE_RESCUE.
Zomato - MailPoet Newsletters <= 2.7.2 - Authenticated Reflected Cross-Site Scripting (XSS)
Zomato - XSS in flashmediaelement.swf (business-blog.zomato.com)
LocalTapiola $1,350 SQL Injection on /webApp/lapsuudenturva (viestinta.lahitapiola.fi)
LocalTapiola $350 Sql injection on /webApp/sijoituswebinaari (viestinta.lahitapiola.fi)
LocalTapiola $350 SQL Injection on /webApp/viivanalle (viestinta.lahitapiola.fi)
U.S. Dept Of Defense - Information disclosure vulnerability on a DoD website
Boozt Fashion AB - Bypass email validity in newsletter field
Informatica - [marketplace.informatica.com] Search XSS
Harvest $250 Persistent XSS on ForecastApp
HackerOne $500 Google Analytics could be used as CSP bypass for data exfiltration on hackerone.com
shopify-scripts $800 Aborted - proc.c - line:143
Nextcloud - Missing Rate Limit for Current Password field in nextcloud.com
U.S. Dept Of Defense - Privilege Escalation on a DoD Website
Nextcloud - Nextcloud.com is vulnerable to SWEET32 attack
Legal Robot - SWEET32 TLS attack
Nextcloud - Group admin can remove user from all his groups via API
Brave Software - No user confirmation when an auto-updated extension gets more permissions
VK.com - HTML Injection possible due to bad filter
Nextcloud - Drone Nextcloud
New Relic - SSRF in alerts.newrelic.com exposes entire internal network
Nextcloud - HTTP-Basic Authentication on logs.nextcloud.com
Twitter $560 Clickjacking Periscope.tv on Chrome
Starbucks - Lack of Controls Allowing for Card and PIN Enumeration Leading to Fraud
Starbucks - csrf blogs.starbucks.com
shopify-scripts $100 SIGABRT - mrb_realloc_simple - gc.c - line:201
Starbucks - Time-based Blind SQLi on news.starbucks.com
U.S. Dept Of Defense - Reflected XSS vulnerability on a DoD website
QIWI $150 [XSS/pay.qiwi.com] Pay SubDomain Hard-Use XSS
QIWI $250 [XSS/3dsecure.qiwi.com] 3DSecure XSS
New Relic - Restricted User can view multiple account details including customer_root_account_id, payment method, date of first payment, etc.
Nextcloud - Disclosure of administrators via JSON on nextcloud.com Wordpress
Ubiquiti Networks $2,000 [EdgeSwitch] Web GUI command injection as root with Privilege-1 and Privilege-15 users
shopify-scripts $100 Crash in print_backtrace
Discourse $256 Stored XSS in posts because of absence of oembed variables values escaping
U.S. Dept Of Defense - Misconfigured user account settings on DoD website
Discourse $256 Stored XSS in topics because of whitelisted_generic engine vulnerability
Nextcloud - WordPress <= 4.6.1 Stored XSS Via Theme File
Nextcloud - User Information Disclosure via REST API
ownCloud - User Information Disclosure via REST API
U.S. Dept Of Defense - SQL Injection vulnerability in a DoD website
shopify-scripts $800 Null pointer dereference in mrb_str_modify
shopify-scripts $800 Still heap overflow in mrb_ary_splice
shopify-scripts $100 SIGSEGV - mrb_obj_extend - line:413
shopify-scripts $800 SIGSEGV - mrb_vm_exec - line:1681
Starbucks - Starbucks.com is reachable via ip address thus possible to link any doamin to Starbucks.
Discourse $256 XSS in topics because of bandcamp preview engine vulnerability
VK.com $300 SSRF через Share-ботов
Rockstar Games $650 [IMP] - Blind XSS in the admin panel for reviewing comments
FormAssembly - formassembly.com is vulnerable to padding-oracle attacks.
OLX - Server Version Of https://www.olx.ph/
Rockstar Games $500 Ability to post comments to a crew even after getting kicked out
YouPorn $1,000 IDOR - Access to private video thumbnails even if video requires password authentication
U.S. Dept Of Defense - Information disclosure vulnerability on a DoD website
FormAssembly - XSS on username when register to proffesional account
ownCloud - bug reporting template encourages users to paste config file with passwords
VK.com $100 Возможность смотреть видео рекомендации любого пользователя вконтакте
Nextcloud - bug reporting template encourages users to paste config file with passwords
Starbucks $375 Open redirect / Reflected XSS payload in root that affects all your sites (store.starbucks.* / shop.starbucks.* / teavana.com)
CodeIgniter - Vulnerable Javascript library
shopify-scripts $800 Heap Buffer overflow in mrb_funcall_with_block
Mail.Ru - CSRF Send a message at street-combats.mail.ru
HackerOne $2,000 Disclose any user's private email through API
Slack $200 dom xss in https://www.slackatwork.com
shopify-scripts $800 Segmentation fault on program counter
U.S. Dept Of Defense - Information disclosure vulnerability on a DoD website
Shopify $500 apps.shopify.com - CSRF token leakage through Google Analytics
U.S. Dept Of Defense - Local file inclusion vulnerability on a DoD website
shopify-scripts - Clearing , Shifting and Pop Value from Frozen Array
shopify-scripts $800 SIGSEGV - mrb_vm_exec - vm.c in line:1272
shopify-scripts $800 SIGSEGV in mrb_vm_exec
HackerOne - Report redaction doesn't apply to report title update activities
U.S. Dept Of Defense - Blind SQLi in a DoD Website
Snapchat $250 RTLO char allowed in chat
Instacart $100 XSS in instacart.com/store/partner_recipe
PHP (IBB) $500 Use of uninitialized memory in unserialize() CVE-2017-5340
Mail.Ru - Излишние права при авторизации через интерфейс mail.ru
shopify-scripts $100 Segmentation fault - mrb_gc_mark
U.S. Dept Of Defense - Information disclosure vulnerability on a DoD website
U.S. Dept Of Defense - Information disclosure vulnerability on a DoD website
U.S. Dept Of Defense - Information disclosure vulnerability on a DoD website
U.S. Dept Of Defense - Exposed Access Control Data Backup Files on DoD Website
U.S. Dept Of Defense - HTML Injection/Load Images vulnerability on a DoD website
Slack $100 Subdomain takeover on podcasts.slack-core.com
GlobaLeaks - No valid SPF records on demo.globaleaks.org
Starbucks $250 SAP Server - default credentials enabled
Shopify $1,000 CSRF in all API endpoints when authenticated using HTTP Authentication
GitLab - Users with guest access can post notes to private merge requests, issues, and snippets
GitLab - User with guest access can access private merge requests
GitLab - Every user can delete public deploy keys
GitLab - Users can download old project exports due to unclaimed namespace
U.S. Dept Of Defense - SQL injection vulnerability in a DoD website
Open-Xchange $250 Set Cookie Via SVG
Envoy - Primary Cloning of Envoy web application resulting confidential information disclosure
shopify-scripts $800 Heap overflow due to off-by-one when expanding stack
shopify-scripts $200 Heap use-after-free during range creation
shopify-scripts - Deleting Key-value pair from Frozen HASH or Clearing a Frozen HASH
Shopify $500 Authentication Bypass on monitoring server
LocalTapiola $100 OpenSSL Padding Oracle Attack (CVE-2016-2107) on viestinta.lahitapiola.fi
GlobaLeaks - GlobaLeaks is vulnerable to timing attacks.
Nextcloud - Review remote code execution in SwiftMailer
Starbucks - Exposed Unencrypted Telnet Endpoint
Yelp $100 Able to download arbitrary PHP files at yelpblog.com
Skyport Systems $25 Nginx version disclosure via forbidden page
Starbucks - Brute Force Attack against PIN on Card History Page Could Lead to Card Information Discovery / Fraud
U.S. Dept Of Defense - Password reset vulnerability on a DoD website
U.S. Dept Of Defense - Reflected XSS on a DoD website
LocalTapiola $400 Reflected XSS and Open Redirect (verkkopalvelu.lahitapiola.fi)
Apache httpd (IBB) - DoS vulnerability in mod_auth_digest CVE-2016-2161
U.S. Dept Of Defense - SQL injection vulnerability on a DoD website
U.S. Dept Of Defense - Misconfigured password reset vulnerability on a DoD website
Trello - The contact page is vulnerable to self-XSS via upload file name
shopify-scripts $800 SIGABRT - mrb_default_allocf
VK.com - Способ узнать имя человека удаленной страницы 2
Dovecot - Directory listing
shopify-scripts $800 SIGSEGV - kh_resize_iv - Null Deref
shopify-scripts $200 Double free of filename after codegen error
Gratipay - Session Fixation At Logout /Session Misconfiguration
shopify-scripts $800 attempting double-free using the mruby compiler `mrbc`
U.S. Dept Of Defense - Reflected XSS on a DoD website
Starbucks - Create New User Whilst Logged On
Zendesk $2,000 a stored xss in web widget chat
U.S. Dept Of Defense - SQL injection vulnerability on a DoD website
VK.com - Способ узнать имя человека удаленной страницы
shopify-scripts $800 Use After Free in str_replace
shopify-scripts $800 Null pointer dereference in mrb_str_prepend
shopify-scripts $800 mrb_str_modify try to write to memory not marked for writing
shopify-scripts $800 SIGSEGV - mrb_check_intern_str() - NullPointer
WebSummit $20 Subdomain Takeover at http://gameday.websummit.net
CloudFlare - [http2.cloudflare.com] Open Redirect
Gratipay - User Enumeration
U.S. Dept Of Defense - Server-side include injection vulnerability in a DoD website
OWOX, Inc. - Stored XSS at https://finance.owox.com/customer/accountList
shopify-scripts $1,000 Memory disclosure in timegm
Mapbox $1,000 Mapbox Android SDK uses Broadcast Receiver instead of Local Broadcast Manager
Nextcloud - Reflected XSS in U2F plugin by shipping the example endpoints
U.S. Dept Of Defense - XSS vulnerability on a DoD website
Starbucks - [newscdn.starbucks.com] CRLF Injection, XSS
shopify-scripts $800 SIGSEGV Null Pointer mrb_str_concat()
shopify-scripts $100 heap-buffer-overflow on mruby
YouPorn $1,000 Account takeover via Pornhub Oauth
LocalTapiola $150 Creating arbitrary cookies values /cs/CookieServer (www.lahitapiola.fi)
Discourse $128 Users can bookmark other user's messages
shopify-scripts $800 kh_get_n2s() stack overrun
U.S. Dept Of Defense - Server side information disclosure
U.S. Dept Of Defense - Remote code execution vulnerability on a DoD website
shopify-scripts $800 SIGABRT, SIGSEGV mspace_free() and mrb_default_allocf()
shopify-scripts $800 SIGSEGV on mrb_vm_exec() Null Deref
Harvest $300 Unauthorised read Access to Expense Receipt of any user in the company(Vertical Privilege escalation)
Mail.Ru - [ml.money.mail.ru] Open Redirect
Mail.Ru - [cooking.lady.mail.ru] Open Redirect
shopify-scripts $800 Heap Overflow in mrb_arb_splice
shopify-scripts $100 mrb_vformat() heap overflow could lead to code execution
OLX - olx.ph is vulnerable to POODLE attack
shopify-scripts $100 Integer Overflow in mrb_ary_set
Discourse $256 XSS vulnerability on Audio and Video parsers
Shopify $1,000 Stored XSS in blog comments through Shopify API
Coinbase - Information disclosure in coinbase android app
Shopify $500 XSS on postal codes
Badoo $280 CSRF Attack on (m.badoo.com)deleting account and erasing imported contacts
Ruby $500 Buffer underflow in sprintf
U.S. Dept Of Defense - SQL Injection vulnerability in a DoD website
U.S. Dept Of Defense - SQL Injection vulnerability in a DoD website
U.S. Dept Of Defense - Default credentials on a DoD website
shopify-scripts $800 SIGSEGV mrb_obj_freeze() Manipulating Register RAX and RSI
Nextcloud $300 Limitation of app specific password scope can be bypassed (NC-SA-2017-009) CVE-2017-0892
shopify-scripts $800 SIGSEGV on mruby mrb_get_args()
Discourse $256 XSS Vulnerability on Image link parser
U.S. Dept Of Defense - HTML injection vulnerability on a DoD website
Discourse $256 DOM Based XSS in Discourse Search
Twitter - Remote Unrestricted file Creation/Deletion and Possible RCE.
U.S. Dept Of Defense - Cross-site request forgery (CSRF) vulnerability on a DoD website
U.S. Dept Of Defense - Server side information disclosure on a DoD website
shopify-scripts $1,000 Incorrect code generation when result of NODE_NEGATE is not used
Pornhub $1,000 XSS vulnerability using GIF tags
Legal Robot $20 Password complexity requirements not enforced
U.S. Dept Of Defense - Cross-site request forgery vulnerability on a DoD website
LocalTapiola $1,350 SQL Injection on /webApp/sijoitustalousuk email-parameter + potential lack of CSRF Token (viestinta.lahitapiola.fi)
U.S. Dept Of Defense - DOM Based XSS on a DoD website
U.S. Dept Of Defense - DOM Based XSS on an Army website
LocalTapiola $450 Reflected XSS and Open Redirect in several parameters (viestinta.lahitapiola.fi)
U.S. Dept Of Defense - Reflected cross-site scripting (XSS) vulnerability on a DoD website
Twitter $1,680 CRLF and XSS stored on ton.twitter.com
OLX - Reflected XSS in [olx.qa]
shopify-scripts $100 Invalid memory access in `mrb_str_format`
Twitter $140 Sub Domain Takeover at mk.prd.vine.co
U.S. Dept Of Defense - File upload vulnerability on a DoD website
PortSwigger Web Security - HTTP OPTION Method is Enabled on portswigger.net
Uber $2,500 Authorization issue in Google G Suite allows DoS through HTTP redirect
Starbucks - http://digital.starbucks.com/ Creation of Google G Suite Account on Behalf of starbucks.
LocalTapiola $1,350 SQL Injection in lapsuudenturva (viestinta.lahitapiola.fi)
LocalTapiola $50 Reflected XSS on sankarikoulutus (viestinta.lahitapiola.fi)
Gratipay - Content type incorrectly stated
Shopify $500 XSS on manually entering Postal codes
PHP (IBB) $500 Invalid parameter in memcpy function trough openssl_pbkdf2
Nextcloud - Stored XSS on new Calling plugin (spreed)
PHP (IBB) $500 imagefilltoborder stackoverflow on truecolor images
Starbucks $250 Reflected XSS on teavana.com (Locale-Change)
LocalTapiola $1,350 SQL Injection in sijoitustalous_peruutus (viestinta.lahitapiola.fi)
U.S. Dept Of Defense - Reflected XSS on a DoD website
Gratipay - Gratipay uses the random module's cryptographically insecure PRNG.
GoCD - Reflected XSS vector
Informatica - [marketplace.informatica.com] Profile stored XSS
U.S. Dept Of Defense - Reflected XSS on a DoD website
QIWI $100 [qiwi.com] .bash_history
Gratipay - Cookie HttpOnly Flag Not Set
LocalTapiola $400 Open Redirect bypass and cookie leakage on www.lahitapiola.com
shopify-scripts $1,000 Segfault when passing invalid values to `values_at`
Informatica - [careers.informatica.com] XSS on "isJTN"
Informatica - [network.informatica.com] The login form XSS via the referer value
Gratipay - Certificate signed using SHA-1
U.S. Dept Of Defense - Time Based SQL Injection vulnerability on a DoD website
Informatica - [kb.informatica.com] DOM based XSS in the bindBreadCrumb function
Quora $150 [Android] XSS via start ContentActivity
Quora $300 [controlsyou.quora.com] 429 Too Many Requests Error-Page XSS
HackerOne $500 Websites opened from reports can change url of report page
shopify-scripts - Segmentation fault due to invalid memory access in codegen when using break with the 127th argument a constant
U.S. Dept Of Defense - Server Side Request Forgery (SSRF) vulnerability in a DoD website
shopify-scripts $10,000 Certain inputs cause tight C-level recursion leading to process stack overflow
Twitter - GNIP subdomain take over
U.S. Dept Of Defense - Information disclosure vulnerability on a DoD website
U.S. Dept Of Defense - Information disclosure on a DoD website
Shopify $500 Unauthenticated Stored XSS on <any>.myshopify.com via checkout page
Urban Dictionary - Text injection on Auth problem at urbandictionary.com
U.S. Dept Of Defense - SQL injection vulnerability on a DoD website
U.S. Dept Of Defense - Reflected XSS on a DoD website
Pornhub $5,000 Unsecured DB instance
U.S. Dept Of Defense - QuickTime Promotion on a DoD website
U.S. Dept Of Defense - SQL injection vulnerability on a DoD website
Legal Robot - S3 ACL misconfiguration
Starbucks $500 Persistent XSS in www.starbucks.com
U.S. Dept Of Defense - Time Based SQL Injection vulnerability on a DoD website
U.S. Dept Of Defense - XXE on DoD web server
HackerOne $10,000 Information Disclosure in /skills call
Robinhood - httponly flag not set + csrftoken in url
U.S. Dept Of Defense - Reflected XSS in a Navy website
Pornhub $750 Unsecured Kibana/Elasticsearch instance
shopify-scripts $10,000 Buffer overflow in mrb_time_asctime
shopify-scripts $8,000 Segmentation fault due to bad memory access in kh_get_mt
U.S. Dept Of Defense - Remote code execution on an Army website
OLX - Multiple vulnerabilities in http://blog.dubizzle.com/uae
Shopify - Redirect in adding advance cash on delivery app
Nextcloud - BruteForce in to Admin Account
Nextcloud - Login Hints on Admin Panel
Starbucks $150 Dom Based Xss DIV.innerHTML parameters store.starbucks*
U.S. Dept Of Defense - Personal information disclosure on a DoD website
Nextcloud - Wordpress Version Disclosure Bug On Nextcloud
U.S. Dept Of Defense - Violation of secure design principles on a DoD website
Brave Software - Command Execution because of extension handling
LocalTapiola - /icons/README available on viestinta.lahitapiola.fi
U.S. Dept Of Defense - Open redirect vulnerability in a DoD website
U.S. Dept Of Defense - XSS vulnerability on an Army website
U.S. Dept Of Defense - Reflected XSS vulnerability on a DoD website
U.S. Dept Of Defense - Persistent XSS vulnerability on a DoD website
Twitter $280 Vine - overwrite account associated with email via android application
U.S. Dept Of Defense - Authentication bypass vulnerability on a DoD website
Mail.Ru - [element.mail.ru] /.svn/entries
shopify-scripts - Null pointer dereference due to bug in codegen with negation of floats
shopify-scripts $10,000 Null pointer derefence due to bug in codegen with negation without using value
Nextcloud - Files Drop: WebDAV endpoint is leaking existence of resources
Trello - SVG Uploads / Attachments can be viewed by anyone that knows the URL
Slack $500 Store XSS
ownCloud - Stored xss
shopify-scripts $10,000 Invalid handling of zero-length heredoc identifiers leads to infinite loop in the sandbox
U.S. Dept Of Defense - Arbitrary Script Injection (Mail) in a DoD Website
Dovecot - Web Browser XSS Protection Not Enabled
PortSwigger Web Security - JSBeautifier BApp: Race condition leads to memory disclosure
Pushwoosh - Publicy accessible IDRAC instance at api-m.inapp.pushwoosh.com
U.S. Dept Of Defense - Open Redirect in a DoD website
PortSwigger Web Security - Order-phishing via Payment ID URL
Starbucks $2,000 Subdomain takeover on happymondays.starbucks.com due to non-used AWS S3 DNS record
shopify-scripts $10,000 Crash: Overwriting NoMethodError with a builtin class crashes/corrupts memory
Pornhub $150 Stored XSS on the http://ht.pornhub.com/widgets/
OWOX, Inc. - Access to Grafana Dashboard
Starbucks $100 Stored XSS in Adress Book (starbucks.com/account/profile)
U.S. Dept Of Defense - Information disclosure vulnerability on a DoD website
Shopify $500 Stored XSS at 'Buy Button' page
U.S. Dept Of Defense - Cross-Site Scripting (XSS) on a DoD website
OWOX, Inc. - Subdomain Takeover on OWOX.RU
Phabricator $300 Fetching binaries (for software installation) over HTTP without verification (RCE as ROOT by MITM)
U.S. Dept Of Defense - Arbitary file download vulnerability on a DoD website
U.S. Dept Of Defense - Information disclosure on a DoD website
U.S. Dept Of Defense - DNS Misconfiguration
U.S. Dept Of Defense - Cross-site scripting (XSS) vulnerability on a DoD website
U.S. Dept Of Defense - Information disclosure vulnerability in a DoD website
U.S. Dept Of Defense - Information disclosure vulnerability on a DoD website
Pornhub $1,500 IDOR - disclosure of private videos - /api_android_v3/getUserVideos
HackerOne $12,500 Internal attachments can be exported via "Export as .zip" feature
GitLab - State filter in IssuableFinder allows attacker to delete all issues and merge requests CVE-2016-9469
U.S. Dept Of Defense - Information leakage on a Department of Defense website
U.S. Dept Of Defense - SQL Injection vulnerability on a DoD website
shopify-scripts $1,000 Crash: A call to Symbol.new leads to a crash when inspecting the resulting object
Ian Dunn $25 constant cache_page_secret in regolith
Ian Dunn $50 unchecked unserialize usages in audit-trail-extension/audit-trail-extension.php
Ian Dunn $25 unchecked unserialize usage in WordPress-Functionality-Plugin-Skeleton/functionality-plugin-skeleton.php
shopify-scripts $1,000 Invalid memory write caused by incorrect upper bound in array_copy
Twitter $560 Twitter for android is exposing user's location to any installed android app
Gratipay - Secure Pages Include Mixed Content
Gratipay $1 Incomplete or No Cache-control and Pragma HTTP Header Set
Shopify $500 XSS in my.shopify.com in widget
shopify-scripts $8,000 Crash: mrb_any_to_s can't handle NilClass, Symbol and Fixnum
shopify-scripts $10,000 Crash: Initialize Decimal with itself triggers an assertion
shopify-scripts - Null pointer dereference in mrb_str_concat
shopify-scripts $1,000 Null pointer dereference regression in parse.y
shopify-scripts $18,000 Type confusion in wrap_decimal leading to memory corruption
shopify-scripts $20,000 Type confusion in mrb_exc_set leading to memory corruption
U.S. Dept Of Defense - Insecure direct object reference vulnerability on a DoD website
U.S. Dept Of Defense - Stored cross site scripting (XSS) vulnerability on a DoD website
OWOX, Inc. - Subdomain Takeover on http://blog.owox.com/
OWOX, Inc. - invalid URL parsing with and '@'
shopify-scripts $8,000 Crash: calling Proc::initialize_copy with a Proc instance where initialize never ran leads to a crash
U.S. Dept Of Defense - XSS on a DoD website
U.S. Dept Of Defense - Reflected XSS on a DoD website
shopify-scripts $1,000 Read after free in mrb_vm_exec with OP_ARYCAT reading R(B)
shopify-scripts $8,000 Denial of service due to invalid memory access in mrb_ary_concat
Slack $1,000 Eavesdropping on private Slack calls
shopify-scripts $8,000 mruby-time: Crash host with uninitialized Time obj
U.S. Dept Of Defense - Unrestricted File Upload
U.S. Dept Of Defense - Cross-site scripting vulnerability on a DoD website
U.S. Dept Of Defense - Information disclosure vulnerability on a DoD website
U.S. Dept Of Defense - Cross-site scripting (XSS) vulnerability on a DoD website
LocalTapiola $50 Disclosure of IBM Websphere page
U.S. Dept Of Defense - Reflected XSS on a Department of Defense website
U.S. Dept Of Defense - RCE on a Department of Defense website
U.S. Dept Of Defense - Reflected XSS on a DoD website
U.S. Dept Of Defense - Reflected XSS on an Army website
U.S. Dept Of Defense - Reflected XSS vulnerability on a DoD website
U.S. Dept Of Defense - Information disclosure on a DoD website
Pushwoosh - Read Application Name , Subscribers Count
U.S. Dept Of Defense - Reflected cross-site scripting vulnerability on a DoD website
U.S. Dept Of Defense - Local File Inclusion vulnerability on an Army system allows downloading local files
U.S. Dept Of Defense - Stored cross-site scripting (XSS) on a DoD website
U.S. Dept Of Defense - Unrestricted File Download / Path Traversal
U.S. Dept Of Defense - Reflected XSS on a Navy website
U.S. Dept Of Defense - Reflected XSS on a DoD website
U.S. Dept Of Defense - Reflected XSS on a Department of Defense website
U.S. Dept Of Defense - Reflective XSS vulnerability on a DoD website
U.S. Dept Of Defense - Reflected XSS on a DoD website
U.S. Dept Of Defense - Reflected XSS vulnerability on a DoD website
LocalTapiola $450 XSS and open redirect in verkkopalvelu.lahitapiola.fi
shopify-scripts - Invalid memory access while freeing memory, caused by invalid type passed to mrb_ary_unshift
shopify-scripts - Null pointer dereference in ary_concat
Pornhub $520 Race Condition Vulnerability On Pornhubpremium.com
WordPress $350 [Buddypress] Arbitrary File Deletion through bp_avatar_set
LocalTapiola $100 SMTP configuration vulnerability viestinta.lahitapiola.fi
shopify-scripts $8,000 Segmentation fault when a Ruby method is invoked by a C method via Object#send
shopify-scripts $8,000 Null target_class DoS
shopify-scripts $10,000 Segfault and/or potential unwanted (byte)code execution with "break" and "||=" inside a loop
VK.com $500 Возможность провести DoS атаку от имени vk.com сервера
OWOX, Inc. - Direct IP Access
Pushwoosh - Nginx version disclosure via response header
shopify-scripts $8,000 SIGSEGV on mruby's mark_tbl() (Invalid memory access)
shopify-scripts $8,000 SIGSEGV on mruby mrb_str_modify() (Invalid memory access)
OWOX, Inc. - ClickJacking
Boozt Fashion AB $200 Email link poisoning / Host header attack
Pushwoosh - Administrator Access To Management Console
OWOX, Inc. - Subdomain Takeover on http://kiosk.owox.com/
Brave Software - links the user may download can be a malicious files
Pushwoosh - Bypass the resend limit in Send Invites
GitLab - CSRF Token Bypass in Account Deletion
shopify-scripts $10,000 Broken handling of maximum number of method call arguments leads to segfault
Badoo $140 Email Spoofing
HackerOne $10,000 Partial disclosure of report activity through new "Export as .zip" feature
shopify-scripts $10,000 Null pointer dereference due to TOCTTOU bug in mrb_time_initialize
Pushwoosh - Password Forgot/Password Reset Request Bug
LocalTapiola $60 Option method enabled (viestinta.lahitapiola.fi)
Pushwoosh - Unsecured Grafana instance
Python (IBB) $500 Type confusion in FutureIter_throw() which may potentially lead to an arbitrary code execution
PortSwigger Web Security $350 XSS in IE11 on portswigger.net via Flash
Pornhub $200 Reflected cross-site scripting (XSS) vulnerability in pornhub.com allows attackers to inject arbitrary web script or HTML.
Udemy $300 Completed Compromise & Source Code Disclosure via Exposed Jenkins Dashboard at https://jenkins101.udemy.com
Pushwoosh - Spam Some one using (user.saveInvite) system
Pushwoosh - Nginx server version disclosure
Pushwoosh - Reflected Xss on
shopify-scripts $8,000 SIGSEV on mrb_ary_splice
Pushwoosh - htaccess file is accesible
Pushwoosh - Spoof Email with Hyperlink Injection via Invites functionality
Imgur $250 Stored xss in ALBUM DESCRIPTION
Mail.Ru - [qpt.mail.ru] CRLF Injection / Open Redirect
shopify-scripts $10,000 Range constructor type confusion DoS
shopify-scripts $20,000 TOCTTOU bug in mrb_str_setbyte leading the memory corruption
shopify-scripts $18,000 Struct type confusion RCE
shopify-scripts $10,000 SIGSEGV when invalid argument on remove_method
shopify-scripts $20,000 DoS: type confusion in mrb_no_method_error
Udemy $200 Jenkins
LocalTapiola $150 Multiple Reflected XSS /webApp/lahti (viestinta.lahitapiola.fi)
shopify-scripts $10,000 Segfault in mruby, mruby_engine and the parent MRI Ruby due to null pointer dereference
LocalTapiola $350 SQL Injection /webApp/sijoitustalous_peruutus locId parameter (viestinta.lahitapiola.fi)
VK.com $1,500 Stored XSS в личных сообщениях
Informatica - [marketplace.informatica.com] Persistent XSS through document title
LocalTapiola $264 HTML Injection in email /webApp/lahti (viestinta.lahitapiola.fi)
LocalTapiola $350 SQL Injection /webApp/oma_conf ctx parameter (viestinta.lahitapiola.fi)
LocalTapiola $60 Poodle attack SSLv3 Support (viestinta.lahitapiola.fi)
Twitter $1,120 [IDOR][translate.twitter.com] Opportunity to change any comment at the forum
shopify-scripts $8,000 Undefined method_missing null pointer dereference
shopify-scripts $10,000 Range#initialize_copy null pointer dereference
shopify-scripts $10,000 NULL pointer dereference when parsing ternary operators
Ubiquiti Networks $500 Subdomain Takeover (moderator.ubnt.com)
LocalTapiola $100 Error Page Content Spoofing or Text Injection (viestinta.lahitapiola.fi)
shopify-scripts $20,000 Use after free vulnerability in mruby Array#to_h causing DOS possible RCE
shopify-scripts $2,000 Memory disclosure in mruby String#lines method
Paragon Initiative Enterprises - Not using Binary::safe* functions for substr/strlen function
shopify-scripts $8,000 Denial of Service in mruby due to null pointer dereference
Paragon Initiative Enterprises - Missing rel=noopener noreferrer in target=_blank links (Phishing attack)
Paragon Initiative Enterprises - Using plain git protocol (vulnerable to MITM)
Paragon Initiative Enterprises - Missing GIT tag/commit verification in Docker
Paragon Initiative Enterprises - Incorrect detection of onion URLs
Coinbase $100 Window.opener bug at www.coinbase.com
Brave Software - Remote Stack Overflow Vulnerability (DoS)
shopify-scripts $10,000 Exception cause SIGABRT
Legal Robot $40 Password reset access control
shopify-scripts $8,000 ruby DoS https://www.mruby.science
Legal Robot $40 Missing restriction on string size in profile fields
Yelp $300 X.509 certificate validation fails on international vanity domains
VK.com $300 SSRF (open) - via GET request
Boozt Fashion AB - Cookie Misconfiguration
Paragon Initiative Enterprises - Subdomain Takeover
Zomato - takeover a lot of accounts
Trello $2,048 Stealing power up private tokens (trello, twitter, github...)
Zopim $100 Android SDK - CREATE_REQUEST broascast is unprotected
Open-Xchange $500 Reflected Cross-Site Scripting due to vulnerable Flash component (Flashmediaelement.swf)
Paragon Initiative Enterprises - BAD Code !
Open-Xchange $100 Selecting encryption for email with drive attachment overrides the drive email password
Paragon Initiative Enterprises - DMARC Not found for paragonie.com URGENT
General Motors - Flash XSS on Buick_RotatingMasthead_JellyBeanSlider.swf
LocalTapiola $100 Suspicious browser fingerprinting(?) scripts on http://www.lahitapiola.fi/ redirector
LocalTapiola $1,560 SQL Injection on /webApp/omatalousuk (viestinta.lahitapiola.fi)
Blockchain - username enumeration
Blockchain $100 Information disclosure at https://blockchain.atlassian.net
Open-Xchange $666 Tab nabbing via window.opener
Open-Xchange $300 Stored XSS in Template Documents
Blockchain $400 Reflected XSS on blockchain.info
VK.com $1,000 Новый 2FA Bypass
LocalTapiola $400 Open Redirect (verkkopalvelu.lahitapiola.fi)
Brave Software - Denial of service(POP UP Recursion) on Brave browser
Blockchain $50 server version dislosure
Ubiquiti Networks $500 Stored XSS in community.ubnt.com
Brave Software - Information disclosure of website
Imgur $5,000 Unauthenticated Docker registry
Nextcloud $50 Content Spoofing in "files" app CVE-2017-0888
Paragon Initiative Enterprises - [Airship CMS] Local File Inclusion - RST Parser
Legal Robot - The websocket traffic is not secure enough
Yelp $500 CSRF on signup endpoint (auto-api.yelp.com)
Badoo $280 Leave inaccessible messaging system with a message (https://us1.badoo.com)
Informatica - [afocusp.informatica.com] Sql injection afocusp.informatica.com:37777
Revive Adserver - Reflected XSS on Zones > Invocation Code
Badoo $260 Arbitrary modification value "session" (Cookie) in badoo.com
New Relic - Potential sub-domain hijacking
Instacart $100 Access private list metadata
Uber $1,000 ability to retrieve a user's phone-number/email for a given inviteCode
RubyGems - Possible Subdomain Takeover at http://production.s3.rubygems.org/ pointing to Fastly
OLX - CSRF in delete advertisement on olx.com.eg
InVision $300 CORS Man-in-the-Middle account compromise
HackerOne - Limited Open redirection using SSO-SAML
Shopify $1,500 Misconfiguration in Two Factor Authorisation
Informatica - [parc.informatica.com] Reflected Cross Site Scripting and Open Redirect
Mail.Ru - [pokerist.mail.ru] XSS Request-URI
Mail.Ru - [allods.mail.ru] Cross-Site Request Forgery (Add-Item)
Twitter $280 SSRF in https://cards-dev.twitter.com/validator
GitLab - Read files on application server, leads to RCE CVE-2016-9086
Informatica - [ipm.informatica.com] Sql injection Oracle
QIWI $300 Раскрытие баланса на //kopilka.qiwi.com
Harvest $250 Stored XSS in Restoring Archived Tasks
Nextcloud - xss on demo.nextcloud.com due to outdated version
Starbucks $375 CSRF exploit | Adding/Editing comment of wishlist items (teavana.com - Wishlist-Comments)
Starbucks $150 CSRF vulnerability in saving payment card on store.starbucks.com (COBilling -AddCreditCard)
Badoo $140 Unvalidated redirect on team.badoo.com
OLX - Reflective XSS at dubai.dubizzle.com
LocalTapiola $588 Lahitapiola´s customer names send to 3rd party
Starbucks $375 Reflected XSS by exploiting CSRF vulnerability on teavana.com wishlist comment module. (wishlist-comments)
New Relic - Open Redirect
HackerOne - Information disclosure via policy update notifications after removal from program
Starbucks $250 CSRF: add item to victim's cart automatically (starbucks.com - updatecart)
Nextcloud - Content spoofing due to the improper behavior of the 403 page in Private Server
OLX - Reflective XSS at m.olx.ph
LocalTapiola $750 Email Server Compromised at secure.lahitapiola.fi
Brave Software - invalid homepage URL causes 'uncaught typeerror' or blank state
Mindoktor $2,000 XSS at endpoint clinic.mindoktor.se in flash cookie
Mindoktor $300 Storing sensitive information on cookie post-registration
Coinbase $200 Authentication Issue
Brave Software $50 [ios] Address bar spoofing in Brave for iOS
Harvest $100 Editing a project (LIMITED)
Twitter $2,520 Cross-site scripting (reflected)
Ian Dunn - No CAPTCHA ia exist in pages
itBit Exchange $1,000 Round error issue -> produce money for free
Brave Software - DOS in browser using window.print() function
Brave Software $100 Denial of service attack(window object) on brave browser
Brave Software - [iOS] URI Obfuscation in iOS application
Shopify $500 race condition in adding team members
Revive Adserver - Weak Forgot Password implementation
Brave Software - JavaScript URL Issues in the latest version of Brave Browser
Brave Software - Javascript confirm() crashes Brave on PC
Brave Software $50 Denial of service attack on Brave Browser.
Coinbase $100 Information disclosure of user by email using buy widget
Brave Software $100 Access to local file system using javascript
Brave Software $200 [iOS/Android] Address Bar Spoofing Vulnerability
OLX - Reflected XSS in OLX.in
Brave Software $100 Address Bar Spoofing - Already resolved - Retroactive report
OpenSSL (IBB) - Remote client memory corruption in ssl_add_clienthello_tlsext()
OLX - Directory Listing of all the resource files of olx.com.eg
Brave Software - Status Bar Obfuscation
Brave Software $150 URI Obfuscation
Shopify $2,000 Able to Login deactivated staff account in shopify app mobile
Twitter $140 Full Path Disclosure at 27.prd.vine.co
OLX - Reflected XSS at m.olx.ph
Trello $256 Can run arbitrary script on em.trello.com
Brave Software $50 [website] Script injection in newsletter signup https://brave.com/brave_youth_program_signup.html
Brave Software - Subdomain Takeover of Brave.com
Brave Software - Brave: Admin Panel Access
Brave Software $50 2 Directory Listing on ledger.brave.com & vault-staging.brave.com
PHP (IBB) $500 memcpy negative parameter _bc_new_num_ex
PHP (IBB) $500 memcpy negative size parameter in php_resolve_path
PHP (IBB) $500 Write out-of-bounds at number_format
Brave Software $100 Homograph attack
OpenSSL (IBB) - Double-free in X509 parsing
Shopify $500 [ecommerce.shopify.com] Invalidated redirection
DigitalSellz - Public profile is vulnerable to stored XSS / Facebook Token can be stolen
Python (IBB) $1,000 chain.__setstate__ Type Confusion
Nextcloud - URI scheme bypass in mail app lead to HTML content spoof and opener control
Uber $1,000 Subdomain takeover on rider.uber.com due to non-existent distribution on Cloudfront
Slack $700 Information Disclosure on stun.screenhero.com
WePay $200 Enumeration of registered email addresses using bruteforce search on userIds
GitLab - Mailgun misconfiguration leads to email snooping and postmaster@-access on email.mg.gitlab.com
Veris - Reflected Cross site scripting
Nextcloud - Dav sharing permissions issue
Sucuri $500 Administrator Access to grafana instance logstash2.sucuri.net with default credentials
Yelp $500 Requesting Show CheckIn Alert for Non Friend User
Harvest $150 Linking Invoice to uninvited project.
Trello $128 XSS on blog.trello.com
Twitter $1,260 View liked twits of private account via publish.twitter.com
Badoo $140 No rate-limit in SERVER_SECURITY_CHECK
BrickFTP $250 Existence of Folder path by guessing the path through response
Nextcloud $250 Filename enumeration && DoS
Twitter $560 Circumventing the Twitter account lockout process [ACCOUNT TAKEOVER]
Harvest $300 Cookie Injection at 'harvestapp.com'
HackerOne - Possible CSRF during external programs
HackerOne - Researcher gets email updates on a private program after he/she quits that program.
Trello $128 Full Sub Domain Takeover at help.trello.com.
Zopim $150 Full Sub Domain Takeover at wx.zopim.net
Slack $500 CSRF in github integration
Gratipay - CSRF csrftoken in cookies
PHP (IBB) $1,000 Buffer overflow in HTTP parse_hostinfo(), parse_userinfo() and parse_scheme()
ok.ru $100 web.xml configuration file disclosure
Instacart $150 Full access to any list
Boozt Fashion AB $400 Git available containing passwords.
Nextcloud - Bad content-type in response header when getting document can lead to html injection
Romit $513 [CRITICAL]-Taking over entire subdomain of romit.io
Nextcloud - Bypassing quota limit CVE-2017-0887
Uber $10,000 password reset token leaking allowed for ATO of an Uber account
Revive Adserver - Stored XSS on Admin Access Page - Email field
Algolia - Possilbe Sub Domain takever at prestashop.algolia.com
WebSummit - Full Sub Domain Takeover at s3.websummit.net
RubyGems - Login credentials transmitted in cleartext on index.rubygems.org
RubyGems - Password Reset emails missing TLS leads account takeover
Legal Robot $40 Bypass 8 chars password complexity with 6 chars only due to insecure password reset functionaliy
HackerOne - Obtain the username & the uid of the one doing the S3 sync on Hackerone
Snapchat $250 Bypassing "You've requested your data the maximum number of times today." + "Please Verify an email address with snapchat to continue"
Rockstar Games $500 DOM based reflected XSS in rockstargames.com/newswire/tags through cross domain ajax request
Shopify $500 password less login token expiration issue
General Motors - Flash XSS on homepage fliptilescroller
General Motors - Flash XSS on global nav
Starbucks $750 out of date disqus shortname usage in the web app source code
WebSummit - WebSummit - Open Redirect
Shopify $500 Add signature to transactions without any permission
Udemy $50 Content Spoofing in udemy
Udemy - Udemy s3 storage can be used by an attacker personal website because of missing CSRF Token
WebSummit $40 Subdomain take over signup.websummit
itBit Exchange - Open Redirect in https://exchange.itbit.com - False Positive
Udemy - Critical : Malware and XSS file can be uploaded and executed on udemy
Ian Dunn - All Plugins - Direct file access to plugin files Vulnerability
Ian Dunn - Google Authenticator0.6 - PHP Version Dosclosure
Ian Dunn - Google Authenticator - Cross Site Scripting
LocalTapiola $50 Reflected XSS in LTContactFormReceiver (/cs/Satellite)
Automattic $100 Follow Button XSS
Python (IBB) $1,500 LZMADecompressor.decompress Use After Free
PHP (IBB) $500 Heap overflow caused by type confusion vulnerability in merge_param()
Trello - Unvalidated/Open Redirect allowing attackers to implement phishing attack
Legal Robot $20 Information Disclosure on rate limit defense mechanism
Ubiquiti Networks $500 Authentication bypass on sso.ubnt.com via subdomain takeover of ping.ubnt.com
Trello - Subdomain Take over & username enemuration
Snapchat - Subdomain takeover of blog.snapchat.com
OLX - Name, email, phone and more disclosure on user ID (API)
CodeIgniter - Link sanitation bypass in xss_clean()
InVision $150 CRITICAL Any █████ of any screen can be removed by anyone!
Nextcloud - Content spoofing in lookup.nextcloud.com
OWOX, Inc. - HTTP Response Splitting(CRLF injection) in bi.owox.com
HackerOne - (HackerOne SSO-SAML) Login CSRF, Open Redirect, and Self-XSS Possible Exploitation
Legal Robot $20 Near-duplicate accounts allowed with ignored email mutations
ownCloud - Accessable Htaccess
Algolia $100 No rate limit for Referral Program
Zendesk - Missing function level access controls allowing attacker to abuse file access controls. Multiple vulnerabilities
OLX - Full path disclosure vulnerability at http://corporate.olx.ph
Maximum $75 Facebook and twitter page claimed of maximum.com [important]
LocalTapiola $18,000 Oracle Webcenter Sites administrative and hi-privilege access available directly from the internet (/cs/Satellite)
Boozt Fashion AB - ADB Backup is enabled within AndroidManifest
Informatica - [kb.informatica.com] Stored XSS
HackerOne $500 Bypass rate limiting on /users/password (possibly site-wide rate limit bypass?)
RubyGems - Invalid username updating
DigitalSellz - Access to Amazon S3 bucket
New Relic - Stored Xss in rpm.newrelic.com
Revive Adserver - Reflected XSS in Step 2 of the Installation
Trello $128 SSRF in account webhook (through API)
Mail.Ru $300 Time-based sql-injection на https://puzzle.mail.ru
DigitalSellz - AWS Signature Disclosure in www.digitalsellz.com allows access to S3
Slack $400 Email information leakage for certain addresses
Shopify $500 Open redirect in bulk edit
Imgur $100 Stored XSS in albums on http://m.imgur.com/
Skyliner - DNSSEC misconfiguration
Nextcloud $750 Bypass permissions
OLX - Stored XSS in buy topup OLX Gold Credits
Zomato - CORS Misconfiguration on www.zomato.com
Twitter $2,100 Twitter iOS fails to validate server certificate and sends oauth token
Coinbase $100 Information leakage on https://docs.gdax.com
IRCCloud $50 Exposed, outdated nginx server (v1.4.6) potentially vulnerable to heap-based buffer overflow & RCE
Snapchat $250 Incoming email hijacking on sc-cdn.net
Uber $500 Users can falsely declare their own Uber account info on the monthly billing application
Paragon Initiative Enterprises - Not clearing hex-decoded variable after usage in Authentication
Coinbase - coinbase Email leak while sending and requesting
Boozt Fashion AB - Http header injection
Instacart - User Information sent to client through websockets
SecNews - DOM based XSS in search functionality
New Relic - SSO Authentication Bypass
concrete5 - Content Spoofing possible in concrete5.org
Nextcloud - Unauthenticated Stored xss
Zomato - [CRITICAL] Complete source code disclosure via exposed Jenkins Dashboard
Shopify $500 Deleted Post and Administrative Function Access in eCommerce Forum
HackerOne - Ability to enumerate private programs using SAML
New Relic - HOST HEADER INJECTION in rpm.newrelic.com
Boozt Fashion AB $80 Make victim buy in attacker's account without any idea - http://www.booztlet.com/
Boozt Fashion AB - Broken Authentication and Session Management(Session Fixation)
Python $1,000 msilib.OpenDatabase Type Confusion
Boozt Fashion AB - Host header poisoning leads to account password reset links hijacking
Pornhub $750 Unsecured Grafana instance
Pornhub $750 Disclosure of private photos/albums - http://www.pornhub.com/album/show_image_box
Yelp $200 Bybass The Closing of the account and logged again to your account
Nextcloud - Android - Possible to intercept broadcasts about uploaded files
New Relic - Session Hijacking
Legal Robot - content spoofing
Eobot $12 No password length restriction
Boozt Fashion AB $120 XSS
VK.com $1,050 Второй способ обхода 2FA
OLX - XSS and Open Redirect on https://jobs.dubizzle.com/
Shopify $500 XSS in SHOPIFY: Unsanitized Supplier Name can lead to XSS in Transfers Timeline
Legal Robot - Server version disclosure
Twitter $560 leaking Digits OAuth authorization to third party websites
Shopify $500 Unsanitized Location Name in POS Channel can lead to XSS in Orders Timeline
Boozt Fashion AB $80 Instance of Apache Vulnerable to Several Issues
Boozt Fashion AB $120 Potential Subdomain Takeover Possible
Boozt Fashion AB - Android app does not use SSL for login
Yelp $100 Self-XSS via location cookie city field when getting suggestions for a new location
WebSummit - Reflected xss on websummit.net
Boozt Fashion AB $250 xss in Theme http://bztfashion.booztx.com
Keybase $100 Denial of Service through set_preference.json
Ruby $200 Arbitrary heap overread in strscan on 32 bit Ruby, patch included
OpenSSL $500 SSLv2 doesn't block disabled ciphers (CVE-2015-3197)
OpenSSL $2,500 Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)
Nextcloud - Privilege escalation - Normal user can somehow make admin to delete shared folders
Yelp $500 Verification of E-Mail address possible on https://biz.yelp.com/login and https://biz.yelp.com/forgot
Legal Robot - CSRF Issue
Envoy - Abuse of API can Lead to DoS
Boozt Fashion AB $60 PHP info page disclosure on http://www.day.dk/
Boozt Fashion AB - No csrf protection on logout
Boozt Fashion AB - User Enumeration.
Harvest $500 Invoices can be added to any retainers - even closs-platform
OLX - Bypassing Phone Verification For Posting AD On OLX
Slack $500 Rate-limit bypass
Mindoktor $500 Vulnerable Mobile Phone configuration
Nextcloud $500 Reflected XSS in Gallery App CVE-2016-9466
Legal Robot - clickjacking at http://mailboxes.legalrobot-uat.com/
Harvest $250 XSS on expenses attachments
Shopify - Subdomain Takeover in http://genghis-cdn.shopify.io/ pointing to Fastly
Open-Xchange $300 OX (Guard): Stored Cross-Site Scripting via Email Attachment
Mapbox - target="_blank" Vulnerability Resulting in Critical Phishing Vector
Instacart $50 Seemingly sensitive information at /api/v2/zones
Python $1,000 urllib HTTP header injection CVE-2016-5699
Shopify $500 Access to Splunk via shard3-db2.ec2.shopify.com endpoint
Shopify $500 Open redirect allows changing iframe content in *.myshopify.com/admin/themes/<id>/editor
LocalTapiola $400 Open redirection protection bypass (/cs/Satellite)
Algolia $100 Hyperlink Injection in Friend Invitation Emails
LocalTapiola $400 SQL Injection on `/cs/Satellite` path
Legal Robot $60 Validation bypass on user profile
Ian Dunn $50 CSV Injection in Camptix
Twitter $5,040 [Studio.twitter.com] See someone else pics
LocalTapiola $100 Oracle WebCenter Sites Support Tools available and Information disclosure (/cs/Satellite)
LocalTapiola $50 Reflected XSS in www.lahitapiola.fi (/cs/Satellite) using Oracle WebCenter -page
Harvest $150 CSRF bypass on Submit Time sheet for Approval
Nextcloud - Reflected Self-XSS Vulnerability in the Comment section of Files (Different-payloads)
Harvest $150 Project Manager can approve pending reports(Access control Issue)
Phabricator - link reset problem
Udemy - NON VALIDATION OF SESSIONS AFTER PASSWORD CHANGE
Unikrn $400 Urgent: Server side template injection via Smarty template allows for RCE
QIWI $150 [qiwi.com] Information Disclosure
QIWI $150 [ibank.qiwi.ru] UI Redressing via Request-URI
Legal Robot $20 Possible content spoofing due to missing error page
Mail.Ru - Reflected XSS @ games.mail.ru
Nextcloud $100 Reflected Self-XSS Vulnerability in the Comment section of Files Information
Gratipay - Username Restriction is not applied for reserved folders
Slack $2,500 Snooping into messages via email service
Gratipay - Username can be used to trick the victim on the name of www.gratipay.com
Legal Robot - Click Jacking
Legal Robot $20 unsecured legalrobot.co.uk assets
VK.com $1,000 Обход 2ух-шаговой авторизации / 2FA Bypass
Nextcloud - Slow Http attack on nextcloud(DOS)
Gratipay - Lack of CSRF token validation at server side
Gratipay - Insecure Transportation Security Protocol Supported (TLS 1.0)
Instacart - [Critical] Subdomain Takeover
Legal Robot - UI Redressing ( ClickJacking ) Issue on Information submit form
Legal Robot - News Feed Detected
Dropbox - XSS in OAuth Redirect Url
Legal Robot - 2 vulns
Legal Robot $20 Legal | Application is Missing CSP(Content Security Policy) Header
Legal Robot - Clickjacking: X-Frame-Options header missing
Legal Robot - Amazon Bucket Accessible (http://legalrobot.s3.amazonaws.com/)
New Relic - Java RMI (Remote Code Execution)
Skyliner - Email Spoofing
Legal Robot - Email spoofing-fake mail from your mail domain server
Legal Robot $20 CORS (Cross-Origin Resource Sharing)
Legal Robot $20 Information Disclosure in AWS S3 Bucket
Legal Robot - Email spoofing possible via Legal Robot domain
Legal Robot $120 User Information leak allows user to bypass email verification.
Legal Robot $120 User Information sent to client through websockets
Nextcloud - Wordpress: Directory Traversal / Denial of Serivce
Nextcloud - Expired SSL certificate
Nextcloud - \OCA\DAV\CardDAV\ImageExportPlugin allows serving arbitrary data with user-defined or empty mimetype CVE-2016-9465
Instacart $100 WordPress Authentication Denial of Service
Dropbox $1,458 Subtile Code Injection Vulnerability in Dropbox for Windows
Khan Academy - OPEN URL REDIRECT through PNG files
New Relic - Cookie Misconfiguration
Paragon Initiative Enterprises - Email Spoofing With Your Website's Email
HackerOne - Users contents on AWS is cacheable
Skyliner - [skyliner.io / qa.skyliner.io] Open Redirect
Nextcloud - Information Disclosure of .htaccess file in Private Server/Subdomain
Uber $100 Stealing users password (Limited Scenario)
Slack $750 Code Injection in Slack's Windows Desktop Client leads to Privilege Escalation
Instacart $150 Fetch private list metadata and any user's personal name
Uber $5,000 Changing paymentProfileUuid when booking a trip allows free rides
Gratipay - x-xss protection header is not set in response header
OLX - XSS and HTML Injection https://sharjah.dubizzle.com/
GitLab - Boards leak private label names and desciptions
Gratipay - Cross Site Scripting In Profile Statement
Shopify $500 Open Redirect possible in https://www.shopify.com/admin/
Gratipay - Usernames ending in .json are not restricted
Certly - Non secure requests at guard.certly.io not upgrading to https
Nextcloud - Password Reset Link issue
Gratipay - Reset Link Issue
Trello - Security code not getting invalidate on requesting New
Harvest $500 Possible to steal any protected files on Android
Airbnb - ████ discloses valid Airbnb SSO login names via Google Search Results
Gratipay - XSS Via Method injection
Ian Dunn - Potentially vulnerable version of Apache software in and default files on https://iandunn.name/
Bime $150 Subdomain takeover at ws.bimedb.com due to unclaimed Amazon S3 bucket
Mail.Ru - [cfire.mail.ru] CSRF Bypassed - Changing anyone's 'User Info'
Nextcloud - Content Injection - demo.nextcloud.com
Instacart $50 READ .svg files by changing .svg into .png extension
Nextcloud - Content Injection - apps.nextcloud.com
Ian Dunn - bypass to csv injection
Harvest $150 Extracting private info of estimates.
Ian Dunn $100 Bypass fix in https://hackerone.com/reports/151516 report.
Ian Dunn $50 Bypassing CSV injection using new line charcter
Coinbase $300 window.opener is leaking to external domains upon redirect on Safari
Ian Dunn - stored SELF xss on Basic Google Maps Placemarks Settings plugin
Instacart - API OAuth Public Key disclosure in mobile app
Instacart $150 Brute force login and bypass locked account restrictions via iOS app
Shopify $500 [apps.shopify.com] Open Redirect
Mail.Ru - [realty.mail.ru] XSS, SSI Injection
GitLab - XSS On meta tags in profile page
Ian Dunn - Send emails to all users using Camptix
HackerOne - Ability to monitor reports' submission in real time
Snapchat $400 [render.bitstrips.com] Stored XSS via an incorrect avatar property value
Instacart $150 Issues with uploading list images
Shopify $500 Open CouchDB on experiments.ec2.shopify.com:5984
HackerOne $500 Information leakage of private program
Shopify $500 Open redirect using checkout_url
HackerOne $500 Requesting Mediation possible on reports that are too old for mediation
QIWI $950 [qiwi.com] Oauth захват аккаунта
LocalTapiola $3,000 Blind Stored XSS Against Lahitapiola Employees - Session and Information leakage
bitaccess - Missing Rate limiting for sensitive actions (like "forgot password") and reCaptcha error.
OLX - full path disclosure vulnerability at https://security.olx.com/*
Slack $1,000 Stored XSS(Cross Site Scripting) In Slack App Name
Harvest $150 Unauthorized read access to Invoices by PM (Access control Issues)
Harvest $150 Unauthorized access to all the actions of invoices by PM (Access control Issues)
Harvest $100 PM can delete payment of any invoice in company (Access control Issue)
Harvest $100 Record payment for any invoice by PM (Access control Issue)
Harvest $100 PM can delete the company logo image (Vertical Privilege Escalation )
Starbucks $150 Improper Validation on Cancel Link Redirect
Khan Academy - The web app's forgot password page is vulnerable to text injection/content spoofing
OLX - Full Account Takeover
HackerOne $1,000 Hacker.One Subdomain Takeover
Harvest $250 PM with can Set up email for invoices and estimates (Access control Issue)
OLX - [Critical] Delete any account
Binary.com $75 Cross site scripting
Informatica - [alpha.informatica.com] Expensive DOMXSS
Instacart $100 Hyperlink Injection in Friend Invitation Emails
Moneybird - Webhook allows sending payload using insecure HTTP protocol
Instacart - Reflected File Download on recipe list search
Ubiquiti Networks $150 [scores.ubnt.com] DOM based XSS at form.html
Gratipay - Host Header poisoning on gratipay.com
Mapbox $750 Blind XSS in mapbox.com/contact
Shopify $1,000 (BYPASS) Open redirect and XSS in supporthiring.shopify.com
Uber - Attacker could setup reminder remotely using brute force
GitLab - Ability to access all user authentication tokens, leads to RCE
Certly - Business logic Failure - Browser cache management and logout vulnerability in Certly
Trello $1,024 File access using image tragick
HackerOne $500 Non-secure requests are not automatically upgraded to HTTPS
Instacart $250 shopper login_code's can be brute forced
Twitter $560 reverb.twitter.com redirects to vulnerable reverb.guru
Shopify $500 Access to Splunk at https://apt.ec2.shopify.com:8089
Trello - XSS and Open-Redirect via SVG
Instacart $100 Image Upload Path Disclosure
Instacart $150 Host Header Injection/Redirection in: https://www.instacart.com/
Instacart $50 Server side request forgery on image upload for lists
Instacart $75 Missing rel=noreferrer tag allows link in list to change url of currently open tab
Instacart $200 Race Condition in Redeeming Coupons
Instacart $100 Cross-Site Request Forgery (CSRF)
Veris - Internal server error 500 at log.veris.in
Instacart $150 Stored XSS
Instacart $50 CSRF To change Email Notification Settings
OLX - these are my old reports and still i have not receive any good replys, these all are Cross Site Scripting(XSS) issues: POC1: https://www.youtube.com/w
Shopify $500 (FULL PATH DISCLOSURE) Unknown MySQL server host 'shardm-reader.chi2.shopify.io'
OLX - XSS on Meta Tag at https://m.olx.ph
HackerOne $500 Disclosure of external users invited to a specific report
Gratipay - Cookie:HttpOnly Flag not set
Gratipay - nginx version disclosure on downloads.gratipay.com
Gratipay - Host Header Injection/Redirection Attack
New Relic - All Active user sessions should be destroyed when user change his password!
Nextcloud - XSS on IOS app via HTML rendering
SecNews $300 Querying private posts and changing post meta
New Relic - CSRF vulnerability that allows an attacker to purge plugin metric data
New Relic - Login CSRF vulnerability
Veris - bug
Gratipay $1 Avoid "resend verification email" confusion
Ubiquiti Networks $500 IDOR Causing Deletion of any account
Uber $10,000 Reading Emails in Uber Subdomains
Algolia $400 Unauthorized team members can leak information and see all API calls through /1/admin/* endpoints, even after they have been removed.
Nextcloud - Directory listening enabled in: 88.198.160.130
Nextcloud - demo.nextcloud.com: Content spoofing due to default Apache Error Page
Algolia $100 Stored XSS from Display Settings triggered on Save and viewing realtime search demo
Algolia $100 Stored xss
Algolia $100 Stored XSS triggered by json key during UI generation
Open-Xchange $1,000 OX (Guard): Stored Cross-Site Scripting via Incoming Email
Phabricator - Error page Text Injection.
Zomato - Visibility Robots.txt file
Uber - XSS At "pages.et.uber.com"
Trello - Verification Code Reused For activating 2FA
Slack $500 CSRF - Add optional two factor mobile number
Coinbase - Create Multiple Account Using Similar X-CSRF token
Shopify $500 Staff member can delete Private Apps
Nextcloud - Arbitrary File Upload in Logo & Log in image Theming setting.
Uber - Content injection on 404 error page at faspex.uber.com
ownCloud $100 Arbitrary Code Injection in ownCloud’s Windows Client
Uber - User Enumeration and Information Disclosure
Algolia - [github.algolia.com] XSS
arxius - No SPF/DKIM/DMARC Record for lfil.es
Shopify $500 (BYPASS) Open Redirect after login at http://ecommerce.shopify.com
Nextcloud - demo.nextcloud.com: Content spoofing due to default Apache Error Page
OLX - Unauthorised access to olx.in user accounts.
Twitter $1,120 Stealing User emails by clickjacking cards.twitter.com/xxx/xxx
Gratipay $1 Content Spoofing/Text Injection
New Relic - Leaking license key in source code
Nextcloud $50 More content spoofing through dir param in the files app
Uber $3,000 Missing authorization checks leading to the exposure of ubernihao.com administrator accounts
Nextcloud - Bookmarks: Delete all existing bookmarks of a user
Snapchat $3,000 Subdomain takeover on http://fastly.sc-cdn.net/
Shopify $500 Delete/modify your own comment after limited access(IDOR)
Harvest $150 Opportunity to set arbitrary cookies
Moneybird $50 [Stored Cross-Site-Scripting] When search about Incoming ( Manual Jurnal )
Shopify $1,000 Unauthorized access to Zookeeper on http://locutus-zk3.ec2.shopify.com:2181
ownCloud - [forum.owncloud.org] IE, Edge XSS via Request-URI
ownCloud - [api.owncloud.org] CRLF Injection
New Relic - Cache purge requests are not authenticated
ownCloud - [doc.owncloud.org] CRLF Injection
Uber $500 Blind OOB XXE At "http://ubermovement.com/"
Nextcloud $100 IDOR - Disable sharing CVE-2016-9464
Nextcloud - xss for admin of https://newsletter.nextcloud.com
Twitter $1,120 csp bypass + xss
Shopify - Redirect url after login is not validated
New Relic - [alerts.newrelic.com] Scanning local network via notification channel
Ian Dunn - [Not just a server configuration issue] Full Path Disclosure
Rockstar Games $500 Reflected XSS via #tags= while using a callback in newswire http://www.rockstargames.com/newswire
Ian Dunn - CSRF in changing settings of Basic Google Maps Placemarks
Nextcloud - [Nextcloud 9.0.53] Content Spoofing in 'trustDomain' parameter
Mail.Ru - [opensource.mail.ru] system accounts enumeration
Uber - Can add employee in business.uber.com without add payment method
Uber - Text Only Content Spoofing on ubermovement.com Community Page
Starbucks - Java Deserialization RCE via JBoss JMXInvokerServlet/EJBInvokerServlet on card.starbucks.in
Ian Dunn $50 Multiple XSS in Camptix Event Ticketing Plugin
New Relic - Session Management Flaw
Harvest $500 Project Disclosure of all Harvest Instances
Nextcloud - Content spoofing in cloud.nextcloud.com
Gratipay - [gratipay.com] Cross Site Tracing
Harvest $1,000 Leak of all project names and all user names , even across applications
Harvest $350 Users enumeration is possible through cycling through recurring[client_id] argument value.
Harvest $350 Stored XSS on invoice, executing on any subdomain
Harvest $250 CSRF token fixation in Sign in with Google
Harvest $1,000 S3 bucket takeover due to proxy.harvestfiles.com
Harvest $100 Cross-Site Request Forgery (CSRF)
Nextcloud - Information disclosure
Gratipay - Username .. (double dot) should be restricted or handled carefully
Dashlane $100 Missing Access Control(IDOR) To Know LinkedAccounts
New Relic - XSS in a newrelic.com site
PHP $500 NULL Pointer Dereference in exif_process_user_comment
PHP $1,000 Out of bound read in exif_process_IFD_in_MAKERNOTE
Coursera - Broken authentication and session management flaw
OLX - Stored XSS on contact name
Uber $5,000 Stored XSS on developer.uber.com via admin account compromise
concrete5 - CSRF Full Account Takeover
Rockstar Games $750 CSRF in 'set.php' via age causes stored XSS on 'get.php' - http://www.rockstargames.com/php/videoplayer_cache/get.php'
Algolia $100 No Rate Limit In Inviting Similar Contact Multiple Times
Nextcloud - The application uses basic authentication.
Gratipay - User Supplied links on profile page is not validated and redirected via gratipay.
Gratipay - The contribution save option seem to be vulnerable to CSRF
GoCD - X-Content-Type-Options header missing at Auth Login
GoCD - Directory Listening
OLX - XSS on Home page olx.com.ar via auto save search text
Ian Dunn - User enumeration in wp-admin
Ian Dunn $375 CSV Injection at Camptix Event Ticketing
ownCloud $50 ownCloud 2.2.2.6192 DLL Hijacking Vulnerability
Uber $2,000 [IODR] Get business trip via organization id
Uber $3,000 Get organization info base on uuid
Slack $500 Creating Post on a restricted channel
OLX - xss yaman.olx.ph
OLX - REFLECTED CROSS SITE SCRIPTING IN OLX
Gratipay - don't leak Server version for assets.gratipay.com
Gratipay - don't allow directory browsing on grtp.co
OLX - Reflected XSS at yaman.olx.ph
Paragon Initiative Enterprises - Content-type sniffing leads to stored XSS in CMS Airship on Internet Explorer
Gratipay - This is a test report
OLX - Manipulating joinolx.com Job Vacancy alert subscription emails (HTML Injection / Script Injection)
OLX - XSS yaman.olx.ph
Automattic $300 [bbPress] Stored XSS in any forum post.
Dropbox $729 SSRF allows access to internal services like Ganglia
Shopify $1,500 Stealing livechat token and using it to chat as the user - user information disclosure
QIWI $200 Xss on billing
OLX - cross-site scripting in get request
Gratipay - prevent null bytes in email field
OLX - Reflected Cross Site scripting Attack (XSS)
OLX - XSS @ *.letgo.com
OLX - Arbitrary File Reading
OLX - Reflected XSS in www.olx.ph
OLX - stored XSS in olx.pl - ogloszenie TITLE element - moderator acc can be hacked
OLX - SQLi in Payment Request
OLX - Updating and Deleting any Ads on OLX Philippines
OLX - CSRF in account configuration leads to complete account compromise
OLX - XSS @ yaman.olx.ph
OLX - XSS @ *.olx.com.ar
Uber $1,000 newsroom.uber.com is vulnerable to 'SOME' XSS attack via plupload.flash.swf
Shopify $500 https://windsor.shopify.com/ takeover
Twitter $420 Html Injection and Possible XSS in sms-be-vip.twitter.com
Uber $4,000 SQL Injection on sctrack.email.uber.com.cn
IRCCloud $500 Cross Site Scripting(XSS) on IRCCloud Badges Page (using Parameter Pollution)
Ian Dunn - Brute force on wp-login
Ian Dunn - SSL certificate public key less than 2048 bit
Paragon Initiative Enterprises - Full Path Disclosure by removing CSRF token
Bime $1,000 Attacker can access graphic representation of every query
Bime $1,000 Urgent: attacker can access every data source on Bime
Nextcloud $50 Content (Text) Injection at NextCloud Server 9.0.52 - via http://custom_nextcloud_url/remote.php/dav/files/ CVE-2016-9468
Gratipay - don't leak Server version for assets.gratipay.com
Uber $2,250 Subdomain takeover of translate.uber.com, de.uber.com and fr.uber.com
GitLab - Insecure 2FA/authentication implementation creates a brute force vulnerability
WordPress $1,337 CSRF to add admin [wordpress]
Legal Robot $40 AWS S3 website can't serve security headers, may allow clickjacking
Whisper $100 Stored XSS in wis.pr
Uber - Server version disclosure
Paragon Initiative Enterprises - Site support SNI But Browser can't
HackerOne - Reward Money Leakage
Paragon Initiative Enterprises - ssl info shown
CodeIgniter - Web Server Disclosure
Ubiquiti Networks $185 Reflected Xss in AirMax [Nanostation Loco M2]
ExpressionEngine - Arbitrary SQL query execution and reflected XSS in the "SQL Query Form"
ExpressionEngine - Filename and directory enumeration
ExpressionEngine - Full path + some back-end code disclosure
Algolia $100 Stored xss
Paragon Initiative Enterprises - [URGENT] Password reset emails are sent in clear-text (without encryption)
Paragon Initiative Enterprises - Issue with password reset functionality [Minor]
Slack $500 a stored xss issue in https://files.slack.com
Maximum $20 Application error message
Coinbase - Content Injection error page
Paragon Initiative Enterprises - Session Management Issue CMS Airship
Paragon Initiative Enterprises - User enumeration via Password reset page [Minor]
Paragon Initiative Enterprises - Airship doesn't reject weak passwords
Nextcloud - [Thirdparty] Stored XSS in chat module - nextcloud server 9.0.51 installed in ubuntu 14.0.4 LTS
Paragon Initiative Enterprises - Full path disclosure when CSRF validation failed
Phabricator $600 HTML in Diffusion not escaped in certain circumstances
Paragon Initiative Enterprises $50 Stored XSS using SVG
Slack $500 "a stored xss issue in share post menu"
Maximum $20 Microsoft IIS tilde directory enumeration
Legal Robot $100 Subdomain takeover at api.legalrobot.com due to non-used domain in Modulus.io.
Paragon Initiative Enterprises - Nginx Version Disclosure On Forbidden Page
Pornhub $1,500 [idor] Unauthorized Read access to all the private posts(Including Photos,Videos,Gifs)
Paragon Initiative Enterprises - Email spoofing in security@paragonie.com
Paragon Initiative Enterprises $25 Stored XSS in comments
Paragon Initiative Enterprises $50 Stored Cross-Site-Scripting in CMS Airship's authors profiles
Dropbox - XSS, Unvalidated redirects & phishing website hosting on dropbox servers
Keybase $350 Register multiple users using one invitation (race condition)
Coinbase - No authorization required in iOS device web-application
Coinbase - No authorization required in Windows phone web-application
HackerOne - Possible CSRF during joining report as participant
VK.com $100 Паблики: Модератор паблика может удалять добавленные редакторами материалы с таймером на публикацию.
Instacart - CSRF with redeem coupon request
concrete5 - Full Page Caching Stored XSS Vulnerability
Uber $1,000 Wordpress Vulnerabilities in transparencyreport.uber.com and eng.uber.com domains
Mail.Ru - Cross Site Request Forgery (CSRF)
ownCloud - SMB User Authentication Bypass and Persistence CVE-2016-9463
Trello - Sending Unlimited Mails To Anybody With Easy Social Share Buttons Plugin
Slack $1,500 Source code leakage through GIT web access at host '52.91.137.42'
HackerOne $500 Know undisclosed Bounty Amount when Bounty Statistics are enabled.
Veris - Email spoofing in support@veris.in
Badoo $140 Change contents of the careers iframe in https://corp.badoo.com/jobs
Mail.Ru - Back Refresh Attack after registration and successful logout
Moneybird $25 Logging out any user
leetfiles - [leetfil.es] MSIE, Edge XSS via Request-URI
Coinbase $100 Application error message
concrete5 - Local File Inclusion path bypass
Slack $100 Generate new Test token
FantasyTote - Session doesn't expired after login
Slack $100 User can start call in a channel of an unpaid account
The Internet $500 ntpd: read_mru_list() does inadequate incoming packet checks CVE-2016-7434
FantasyTote - Weak HSTS age
FantasyTote - Betting more than max amount
FantasyTote - Urgent Fix Balance Limit bypass
FantasyTote - Bypass logout
FantasyTote - Insecure password change mechanism may lead to full account takeover
Informatica - [careers.informatica.com] Reflected Cross Site Scripting to XSS Shell Possible
FantasyTote - Stored number of clicks in the Deposits button
FantasyTote - No email verification required when we change email from settings
Informatica - [oneclickdrsfdc-test.informatica.com] Tomcat Example Scripts Exposed Unauthenticated
Dropbox - Can make any number of dropbox accounts with one email
Zomato - Clickjacking login page of http://book.zomato.com/
VK.com - DOM XSS в /activation.php?act=activate_mobile
Maximum $20 The POODLE attack (SSLv3 supported)
Maximum $20 RC4 cipher suites detected
New Relic - http://newrelic.com SSRF/XSPA
Uber - faspex.uber.com uses an invalid SSL certificate
HackerOne $500 Race Conditions in Popular reports feature.
Uber - Authentication Issue for easter egg on bonjour.uber.com
Uber - Command Injection, Information
LocalTapiola $150 Mixed Active Scripting Issue on https://www.lahitapiola.fi
Pornhub $500 RCE Possible Via Video Manager Export using @ character in Video Title
Informatica - [product360.informatica.com] Unauthenticated Apache Tomcat 8 Installation
Nextcloud - No Rate Limiting on stats.nextcloud.com login
Ruby - Ruby:HTTP Header injection in 'net/http'
Mail.Ru - BRUTE FORCE ATTACK
Uber - Server version disclosure: team.uberinternal.com
New Relic - Html injection in monitor name textbox
Nextcloud - Deny access to download.nextcloud.com + folders
Nextcloud - Log pollution can lead to HTML Injection.
PHP $1,000 ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize
PHP $1,000 Use After Free Vulnerability in PHP's GC algorithm and unserialize
Trello - Report bug on jetpack plugin
Nextcloud - REG: Content provider information leakage
Instacart - Authentication Bypass in Updating Personal Information
Nextcloud - Email ID Disclosure.
Nextcloud - WordPress Vulnerabilities: User Enumeration, Vulnerable Akismet Plugin, XML-RPC Interface available
Nextcloud $100 Read-only share recipient can restore old versions of file
Nextcloud $250 Uploading files to a folder where invited user don't have any EDIT privilege
Nextcloud - Password reset link remains valid after email change
Uber - Error Message on 404 page
Nextcloud - Content Injection in subdomain
Nextcloud - Content injection in subdomain
Nextcloud - Content Spoofing/Text Injection - docs.nextcloud.org
Nextcloud - Content Injection 404 page
Nextcloud - Business/Functional logic bypass: Remove admins from admin group.
Nextcloud - help.nextcloud Email Address/Username enumeration
Nextcloud - newsletter.nextcloud.com: Bypass firewall protection
Nextcloud - Bruteforcing help.nextcloud.com
Nextcloud - Bruteforce attack is possible on newsletter.nextcloud.com
Zomato - CSS
Algolia $100 2-factor authentication bypass
Slack - Unauthenticated Access to some old file thumbnails
Nextcloud - No captcha on newsletter.nextcloudcom leaves vulnerable to email spammers
Nextcloud - Avatar image upload and bypass real image verification
Nextcloud - https://newsletter.nextcloud.com Directory listening and Information Disclosure
Nextcloud - Lost Password CSRF
Nextcloud - Directory Listing On download.nextcloud.com & Practical Attacks on PGP (Pretty Good Privacy)
Nextcloud - Server side request forgery (SSRF) on nextcloud implementation.
Nextcloud - Vulnerable Javascript library
Nextcloud - nextcloud.com: Directory listening for 'wp-includes' forders
Nextcloud - failure to invalidate session on password change
Vimeo $600 Downloading password protected / restricted videos
Nextcloud $50 Nextcloud server software: Content Spoofing
Nextcloud - No rate limiting on password protected shared file link
Nextcloud - nextcloud.com: Mail Bombing ( No Rate Limiting On Sending Emails On Contact us Page)
Nextcloud $350 Share owner has no possibility to list all existing derived shares
Nextcloud - help.nextcloud.com: Session Management Issue
Nextcloud - help.nextcloud.com: Known DoS condition (null pointer deref) in Nginx running
Nextcloud - No permission set on Activities [Android App]
Nextcloud - Enumeration of subscribed users and unauthenticated email unsubscriptions on https://newsletter.nextcloud.com/?p=unsubscribe
Nextcloud - Response Header injection using redirect_uri together with PHP that utilizes Header Folding according to RFC1945 and Internet Explorer 11
Nextcloud - stats.nextcloud.com: Content Injection
Nextcloud - Content Spoofing
Nextcloud $750 Stored XSS on Share-popup of a directory's Gallery-view
Nextcloud - nextcloud.com: Content Injection Custom 404 Error
Veris - Registeration Link "Jacking&Redirecting"
Paragon Initiative Enterprises - Session Management
Uber - Self-XSS in Partners Profile
Uber $7,000 xss in https://www.uber.com
Paragon Initiative Enterprises - Full path disclosure vulnerability on paragonie.com
Zomato - Stored Cross site scripting
Ubiquiti Networks $1,000 Subdomain takeover on partners.ubnt.com due to non-used CloudFront DNS entry
Gratipay - set Expires header
Uber $1,500 Bulk UUID enumeration via invite codes
Ubiquiti Networks $150 [account-global.ubnt.com] CRLF Injection
Ian Dunn $50 Stored XSS from ticket messages in admin table in SupportFlow
Ian Dunn $50 Stored XSS in SupportFlow Ticket Subject
Uber - Bruteforce INVITE codes easy way
Uber - Email Address Enumeration
Python $1,000 CVE-2016-0772 - python: smtplib StartTLS stripping attack
Sucuri $250 [support.sucuri.net] CRLF Injection
Sucuri $250 SSRF in sitecheck.sucuri.net
Mail.Ru $150 [townwars.mail.ru] Time-Based SQL Injection
Uber $750 Brute-Forcing invite codes in partners.uber.com
bitaccess $200 EXTREMELY URGENT: Missing control of bitcoin amount when selling bitcoin allows a user to withdraw any amount of money, unrestricted.
New Relic - Open redirection bypass .
Ruby - Heap corruption in string.c tr_trans() due to undersized buffer
Ruby - Heap corruption in DateTime.strftime() on 32 bit for certain format strings
Ruby $500 StringIO strio_getline() can divulge arbitrary memory
WebSummit - Time Based SQL injection in url parameter
Uber - Newsroom.uber HTML form without CSRF protection
HackerOne $500 All information is not removed from published reports
SecNews - Text injection on error page.
SecNews - Content spoofing due to the improper behavior of the not-found message
Instacart $100 Authorization Bypass in Delivery Chat Logs
The Internet $7,500 Insufficient shell characters filtering leads to (potentially remote) code execution (CVE-2016-3714)
Slack $500 File upload over private IM channel
Uber $10,000 Change any Uber user's password through /rt/users/passwordless-signup - Account Takeover (critical)
Uber - Email Enumeration Vulnerability
Badoo $280 Получение оригинала скрытого изображения
Phabricator - Full path disclosure
Coinbase - Transaction Pending Via Ip Change
Shopify $3,000 Authentication Bypass on Icinga monitoring server
Shopify $1,500 Potentially Sensitive Information on GitHub
Informatica - [uk.informatica.com] XSS on uk.informatica..com
Veris - Unauthenticated CSRF(User can input any value for CSRF Token)
Zomato - XSS on zomato.com
Uber - Password Reset Does Not Confirm the Existence of an Email Address
Mail.Ru $250 Mail.ru for Android Content Provider Vulnerability
Zomato - Unvalidated redirect on user profile website
Mapbox $500 XSS on www.mapbox.com/authorize/ because of open redirect at /core/oauth/auth
Mapbox $500 XSS on www.mapbox.com/authorize
Gratipay $40 upgrade Aspen on inside.gratipay.com to pick up CR injection fix
Uber - Header Injection
drchrono $50 Information Disclosure
Python $500 Heap corruption via Python 2.7.11 IOBase readline()
Uber $750 xss vulnerability in http://ubermovement.com/community/daniel
drchrono $50 Bug Report
Moneybird $50 [STORED XSS] in debtor reports of ,,invoices''
WePay $250 Invited users can modify and/or remove account owner
Shopify $500 Fetching external resources through svg images
LocalTapiola $100 DOM XSS bypassing in Regional Office -selector
Urban Dictionary - Infinite Upvoting/Downvoting: Lockout Bypass, Plus: Exposed API Documentation
Pornhub $10,000 [RCE] Unserialize to XXE - file disclosure on ams.upload.pornhub.com
Twitter $560 Information Disclosure through .DS_Store in ██████████
Pushwoosh - Cross-Site Scripting Stored On Rich Media
Mail.Ru $150 [tidaltrek.mail.ru] SQL Injection
OpenSSL $500 CVE-2016-2177 Undefined pointer arithmetic in SSL code
Pornhub $1,500 (Pornhub & Youporn & Brazzers ANDROID APP) : Upload Malicious APK / Overrite Existing APK / Android BackOffice Access
Zomato - Bypass OTP verification when placing Order
Trello - XSS in Jetpack plugin
VK.com $1,500 XSS в upload.php
drchrono $50 User with no permissions can create, edit, delete favorite prescriptions /erx/
Slack $200 [Screenhero] Subdomain takeover
Ubiquiti Networks $125 Stored XSS in unifi.ubnt.com
General Motors - IE search XSS
Pornhub $20,000 [phpobject in cookie] Remote shell/command execution
Pornhub $1,000 Private Photo Disclosure - /user/stream_photo_attach?load=album&id= endpoint
drchrono $50 Bypassing Password Reset
drchrono - XSS in Blog
GlassWire $25 Bypass GlassWire's monitoring of Hosts file
New Relic - SSRF on synthetics.newrelic.com permitting access to sensitive data
Bime - Bime Unable to load Data Sources
HackerOne $500 Able to remove the admin access of my program
drchrono $50 User with no permissions can access full wdcalendar feed
Pornhub - Reflected XSS by way of jQuery function
drchrono $50 Stored XSS via AngularJS Injection
Ubiquiti Networks $260 Open Redirect in unifi.ubnt.com [Controller Finder]
drchrono $50 [CRITICAL] CSRF leading to account take over
Uber - Uber is Flooding my Mobile with SMS Daily like a cron JOB
Mail.Ru $150 Code source discloure & ability to get database information "SQL injection" in [townwars.mail.ru]
New Relic - Blind SSRF on synthetics.newrelic.com
Zendesk $100 XSS in zendesk.com/product/
drchrono $100 Angular injection in the profile name of onpatient
Nginx - Module ngx_http_auth_basic_module is broken and allowing all password after specific length
drchrono $50 Template stored XSS
drchrono $50 node.drchrono.com - Information Disclosure and Windows Host Exposed
drchrono $50 Ngnix Server version disclosure
Starbucks $4,000 Parameter Manipulation allowed for editing the shipping address for other user’s teavana.com subscriptions.
Pushwoosh - Stored XSS in Filters
Starbucks $6,000 Parameter Manipulation allowed for viewing of other user’s teavana.com orders
drchrono $50 Bypass password complexity requirements on passsword reset page
drchrono $100 Security Issue : CSRF Token Design Flaw
Mail.Ru $150 [tidaltrek.mail.ru] SQL Injection
Mail.Ru - [sales.mail.ru] CRLF Injection
Uber - XSS in people.uber.com
Mail.Ru - Insecure cookies without httpOnly flag set
Coinbase - Cookie not secure
HackerOne - Denial of service in report view.
Mail.Ru $100 [my.mail.ru] HTML injection в письмах от myadmin@corp.mail.ru
Starbucks $375 www.starbucks.co.uk Reflected XSS via utm_source parameter
Mail.Ru $160 [upload-X.my.mail.ru] /uploadphoto Insecure Direct Object References
Slack $500 Open Redirect on slack.com
Gratipay $10 configure a redirect URI for Facebook OAuth
Binary.com $50 CJ vulnerability in subdomain
Gratipay - don't store CSRF tokens in cookies
New Relic - Session takeover
New Relic - No CSRF validation on Account Monitors in Synthetics Block
Trello $128 XSS in Jetpack Plugin
Zomato - XSS onmouseover
New Relic - JIRA account misconfig causes internal info leak
Phabricator - No authentication required to add an email address.
LocalTapiola $100 Exploiting Secure Shell (SSH) on mobilelt.lahitapiola.fi
Uber - DOM based XSS on
Phabricator $300 Passphrase credential lock bypass
Dovecot - Outdated Apache Server in www.dovecot.fi is vulnerable to various attack.
Dovecot - Apache version disclosure
New Relic - Privilege Escalation In Moniter
Informatica - [kb.informatica.com] Unauthenticated emails and HTML injection in email messages
Ubiquiti Networks $2,750 Read-Only user can execute arbitraty shell commands on AirOS
ok.ru - Missing proper error message.
Automattic $500 WordPress core stored XSS via attachment file name
Badoo $280 Ability to collect users' ids that have visited a specific web page with malicious code
New Relic - Improper Session Management
Dropbox - Lack of account link warning enables dropbox hijacking
LocalTapiola $300 Persistent XSS at verkkopalvelu.tapiola.fi using spoofed React element and React v.0.13.3
Uber - Phone Number Enumeration
Uber $7,000 OneLogin authentication bypass on WordPress sites via XMLRPC
New Relic - Missing rate limit on password
Pornhub $750 [idor] Profile Admin can pin any other user's post on his stream wall
LocalTapiola $100 Remote Code Execution in NovaStor NovaBACKUP DataCenter backup software (Hiback)
Veris - Text injection can be used in phishing 404 page and should not include attacker text
Pornhub $1,000 SSRF & XSS (W3 Total Cache)
Gratipay - don't expose path of Python
Uber - Self-XSS on partners.uber.com
Dovecot - DIrectory Listing Found
Mail.Ru - [torg.mail.ru] CRLF Injection
LocalTapiola $300 Abusing and Hacking the SMTP Server secure.lahitapiola.fi
Zomato - Instagram OAuth2 Implementation Leaks Access Token; Allows for Cross-Site Script Inclusion (XSSI)
Zomato - Reflected Cross-Site Scripting in www.zomato.com/php/instagram_tag_relay
WP API $100 Missing access control exposing detailed information on all users
Pornhub $1,000 [IDOR] Deleting other users comment
Pornhub $150 Same-Origin Method Execution bug in plupload.flash.swf on /insights
OpenSSL $1,000 Bleichenbacher oracle in SSLv2 (CVE-2016-0704)
OpenSSL $2,500 Divide-and-conquer session key recovery in SSLv2 (CVE-2016-0703)
Pornhub $5,000 Weak user aunthentication on mobile application - I just broken userKey secret password
Pornhub $1,500 [stored xss, pornhub.com] stream post function
Pornhub $250 XSS Reflected incategories*p
Pornhub $250 XSS ReflectedGET /*embed_player*?
StopTheHacker - Wordpress flashmediaelement.swf XSS on stopthehacker.com
Mail.Ru $150 SQL Injection
Pornhub $1,500 [IDOR] post to anyone even if their stream is restricted to friends only
Veris - Reflected XSS in domain www.veris.in
Zomato - Reflected XSS on business-blog.zomato.com - Part 2
Zomato - Reflected XSS on business-blog.zomato.com - Part I
Pornhub $100 CSV Macro injection in Video Manager (CEMI)
Veris - Stored XSS on 'Badges' page
Square Open Source - Cache poisoning for okhttp
Pornhub - vulnerabilitie
Ruby - SMTP command injection
HackerOne - Inadequate access controls in "Vote" functionality???
Vimeo $600 All Vimeo Private videos disclosure via Authorization Bypass
LocalTapiola $100 Amazon Bucket Accessible (http://inpref.s3.amazonaws.com/)
New Relic - New Relic - Session Hijacking
Twitter - List of a ton of internal twitter servers available on GitHub
Sucuri $500 CRLF/HTTP header injection www.sucuri.net
Dovecot - nginx server vulnerable
Dropbox - Dropbox apps Server side request forgery
ThisData - Host Header Poisoning in thisdata.com
Uber - Clickjacking in love.uber.com
Veris - [Stored XSS] sandbox.veris.in
ok.ru $500 Xss in m.ok.ru
Veris - [XSS] sandbox.veris.in
Mail.Ru - AXFR на plexus.m.smailru.net работает
Vimeo - XSS in Subtitles of Vimeo Flash Player and Hubnut
Udemy - Csrf on creating course
OpenSSL $2,500 Padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
Ubiquiti Networks $1,000 Source code disclosure on https://107.23.69.180
Uber $8,000 [CRITICAL] -- Complete Account Takeover
Gratipay $1 don't leak server version of grtp.co in error pages
Moneybird $50 Reflected XSS in Backend search
Uber - Compromising Atlassian Confluence (team.uberinternal.com) via WordPress (newsroom.uber.com)
Vimeo $750 CSRF on Vimeo via cross site flashing leading to info disclosure and private videos go public
ThisData - STORED XSS FOUND
GitLab - Persistent XSS on public wiki pages
Mapbox $400 Denial of service in account statistics endpoint
Uber $10,000 OneLogin authentication bypass on WordPress sites
Moneybird $100 Employees with Any Permissions Can Create App with Full Permissions and Perform any API Action
OpenSSL $500 EBCDIC overread (CVE-2016-2176)
OpenSSL $500 EVP_EncryptUpdate overflow (CVE-2016-2106)
OpenSSL $500 EVP_EncodeUpdate overflow (CVE-2016-2105)
Uber - Missing authentication on Notification setting .
Romit $50 Session Fixation
Moneybird $25 information disclose
Shopify $500 View all deleted comments and rating of any app .
Dropbox Acquisitions - Session hacking
Udemy - Showing Up Source Code
Dovecot - Cross-Site Scripting Vulnerability in dovecot.fi
Uber $5,000 Multiple vulnerabilities in a WordPress plugin at drive.uber.com
Paragon Initiative Enterprises - Email Authentication Bypass
LocalTapiola $400 Possibly big authorization problem in Lähitapiola´s varainhoito
Mapbox $1,000 Reflected cross-site scripting (XSS) on api.tiles.mapbox.com
LocalTapiola $100 HTTP status code manipluation & java stack trace
LocalTapiola $5,000 Blind Stored XSS Against Lahitapiola Employees - Session and Information leakage
PHP $1,500 Integer overflow in ZipArchive::getFrom*
HackerOne $2,500 RCE in profile picture upload
OpenSSL - Potential double free in EVP_DigestInit_ex
Paragon Initiative Enterprises - The Anti-CSRF Library fails to restrict token to a particular IP address when being behind a reverse-proxy/WAF
OpenSSL $500 ASN.1 BIO excessive memory allocation (CVE-2016-2109)
Mail.Ru $250 XSS с помощью специально сформированного файла.
Veris - SSL/TLS BEAST ATTACK VULNERABILITY
Shopify $500 staff memeber can install apps even if have limitied access
Automattic $1,337 WordPress SOME bug in plupload.flash.swf leading to RCE
Automattic $1,337 WordPress Flash XSS in *flashmediaelement.swf*
Uber - Uber for Business Allows Administrators to Change Uber Driver Ratings Due to Failure to Authenticate `fast-rating` Endpoint
Zendesk $250 XSS In /zuora/ functionality
LocalTapiola - Source Code Disclosure on out of scope domain viestinta.lahitapiola.fi
LocalTapiola $100 Content Spoofing or Text Injection (404 error page injection)
Algolia $500 RCE on facebooksearch.algolia.com
GitLab - Private snippets in public / internal projects leaked though GitLab API
GitLab - Confidential issues leaked in public projects when attached to milestone
GitLab - Attacker can post notes on private MR, snippets, and issues
GitLab - Attacker can delete (and read) private project webhooks
ownCloud - doc.owncloud.com: PHP info page disclosure
Uber - Defect-Security | Driver-Broken Authentication | Able to update the Subscription Setting anonymously
QIWI - SSL Certificate on qiwi.com will expire soon.
Uber - Stored self-XSS at m.uber.com
Uber $2,000 Reflected XSS via Livefyre Media Wall in newsroom.uber.com
New Relic - newrelic.com rails directory traversal vuln
General Motors - Reflected XSS and something more Store XSS too
Automattic $75 XSS on www.wordpress.com
concrete5 - ProBlog 2.6.6 CSRF Exploit
Moneybird $25 Content Spoofing In Moneybird
Veris - XSS in Asset name
GitLab - GFM renderer leaks external issue tracker URL of private project
Badoo - AWS S3 Bucket hotornot-images permissions allow for listing and removing files
Uber - Information Disclosure on lite.uber.com
Legal Robot - No DMARC Record in legalrobot-uat.com
HackerOne - Manipulate report timeline activity by using null byte.
New Relic - Cache-Control Misconfiguration Leads to Sensitive Information Leakage
GitLab - Labels created in private projects are leaked
New Relic - Stored Cross-Site Scripting via Angular Template Injection
Udemy $50 Stored XSS at Udemy
New Relic - Open redirection
Slack $1,000 Stored XSS on team.slack.com using new Markdown editor of posts inside the Editing mode and using javascript-URIs
HackerOne - Reputation Manipulation (Theoretical)
Zendesk $500 [HIGH RISK] CSRF could potentially delete a zendesk subdomain.
Moneybird $50 Open Redirect vulnerability in moneybird.com
bitaccess - Missing SPF for hackerone.com
Uber - CrashPlan Backup is Vulnerable Allowing to a DoS Attack Against Uber's Backups to ```backup.uber.com```
New Relic - Login Open Redirect
Zendesk $100 AWS S3 bucket writable for authenticated aws user
Udemy - AWS S3 bucket writable for authenticated aws user
Gratipay - PHP 5.4.45 is Outdated and Full of Preformance Interupting Arbitrary Code Execution Bugs
Uber $7,500 Stored XSS in developer.uber.com
CloudFlare - Reflected XSS on partners.cloudflare.com
GitLab - Privilege escalation to access all private groups and repositories
Twitter $840 [Critical] - Steal OAuth Tokens
Coinbase $100 User's legal name could be changed despite front end controls being disabled
Uber - XSS via password recovering
Automattic $75 Akismet Several CSRF vulnerabilities
ownCloud $150 Open Redirector via (apps/files_pdfviewer) for un-authenticated users.
Gratipay $1 bring grtp.co up to A grade on SSLLabs
Gratipay - Submit a non valid syntax email
Uber - XSS in uber oauth
Gratipay - Possible Blind SQL injection | Language choice in presentation
Moneybird $50 Stored XSS in Financial Account executing in Bank tab
Moneybird $100 Malicious File Upload
Paragon Initiative Enterprises - Vunerability : spf
ownCloud - doc.owncloud.org: XSS via Referrer
Vimeo - Error page Text Injection.
Ubiquiti Networks $275 Reflected XSS in scores.ubnt.com
Trello - Error Page Text Injection.
New Relic - Sensitive information contained with New Relic APM iOS application
Moneybird $150 XXE issue
Moneybird $25 Stored XSS thru SVG upload
Uber - Unsubscribe any user from receiving email
bitaccess $50 BYASSING OTP Verification
Badoo - Badoo and Hotornot User Disclosure
Uber - Requested and received edit access to Google form
Moneybird $50 CSV Injection with the CSV export feature
Trello $128 Cross site scripting in blog.trello.com
Uber - developer.uber.com/404 and developer.uber.com/docs/404 are susceptible to iframes
HackerOne - Missing Certificate Authority Authorization rule
Xero - Insecure Payment System Integration
Slack $2,000 Authentication bypass leads to sensitive data exposure (token+secret)
APITest.IO - beta version reveals paths, environment variables and partially files contents
Zendesk $50 Stored XSS on [your_zendesk].zendesk.com in Facebook Channel
APITest.IO - Login Via FB Leads To Create A New Account Instead Of Loging In
Dropbox - No Rate Limiting while sending the feedback under Dropbox Help Centre
Python $500 Python 2.7 strop.replace Integer Overflow
GitLab - Persistent XSS on public project page
Uber - reopen #128853 (Information disclosure at lite.uber.com)
APITest.IO - Clickjacking: X-Frame-Options header missing
ownCloud - Cross site scripting in apps.owncloud.com
Twitter $700 xss in DM group name in twitter
Twitter $700 niche s3 buckets are readable/writeable/deleteable by authorized AWS users
Veris - Stored XSS in member book
Gratipay - After removing app from facebook app session not expiring.
New Relic - APT repository is signed using weak digest (SHA-1)
Automattic $75 CPU utilization 99% on visiting wordpress site url & open redirect found
Uber - Disclosure of ways to the site root
LocalTapiola $300 The PdfServlet-functionality used by the "Tee vakuutustodistus" allows injection of custom PDF-content via CSRF-attack
LocalTapiola $400 Cookie-based client-side denial-of-service to all of the Lähitapiola domains
Gratipay - prevent %2f spoofed URLs in profile statement
Uber - User credentials are not strong on vault.uber.com
Gratipay $10 Send email asynchronously
Uber - Information disclosure at lite.uber.com
Algolia $100 No rate-limit in Two factor Authentication leads to bypass using bruteforce attack
Gratipay - text injection in website title
Ubiquiti Networks $1,500 Read-Only user can execute arbitraty shell commands on AirOS
Uber - Enumerating userIDs with phone numbers
APITest.IO - SSRF on testing endpoint
New Relic - Clickjacking on authenticated pages which is inscope for New Relic
ownCloud - doc.owncloud.org: X-XSS-Protection not enabled
Trello $1,536 Payments informations are sent to the webhook when a team changes its visibility
OpenSSL $1,000 BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
Gratipay $10 fix bug in username restriction
Snapchat $1,000 Administrator access to a Django Administration Panel on *.sc-corp.net via bruteforced credentials
InVision $400 CRITICAL : Delete Boards Admin's ( or any other user ) comment. ( IDOR )
HackerOne $2,500 AWS S3 bucket writeable for authenticated aws users
GitLab - Bypassing password authentication of users that have 2FA enabled
GitLab - Attacker can extract list of private project's project members
Gratipay - Getting Error Message and in use python version 2.7 is exposed.
Gratipay - An adversary can harvest email address for spamming.
Gratipay $1 Limit email address length
Uber $5,000 Stored XSS on newsroom.uber.com admin panel / Stream WordPress plugin
Uber $250 Easy spam with USE My PHONE Feature
HackerOne - Deleted name still present via mouseover functionality for user accounts
HackerOne $1,500 Web Authentication Endpoint Credentials Brute-Force Vulnerability
HackerOne - DOS Report FILE html inside <code> in markdown
New Relic - Password disclosure during signup process
New Relic - Open redirection bypass
Badoo $852 [CRITICAL] Full account takeover using CSRF
Uber - Session Impersonation in riders.uber.com
HackerOne $500 New hacktivity view discloses report IDs of non-public reports
ownCloud - Reflected XSS in owncloud.com
HackerOne $500 New hacktivity view discloses report IDs of non-public reports
PHP $1,000 php_snmp_error() Format String Vulnerability
New Relic - rpm.newrelic.com - monitor creation to other accounts
New Relic - Mobile Authentication Endpoint Credentials Brute-Force Vulnerability
HackerOne - HackerOne Important Emails Notification are sent in clear-text
Coursera - XSS in https://www.coursera.org/courses/
Uber $5,000 Information regarding trips from other users
Uber $5,000 Possibility to get private email using UUID
Twitter $280 XSS using javascript:alert(8007)
Uber $3,000 Possible to View Driver Waybill via Driver UUID
Uber - Use Partner/Driver App Without Being Activated
LocalTapiola $100 www.lahitapiola.fi DOM XSS by choosing regional company
New Relic - CSV Injection in sub_accounts.csv
New Relic - Old CAPTCHA offers no protection
New Relic - User enumeration possible from log-in timing difference
Uber - Brute Forcing rider-view Endpoint Allows for Counting Number of Active Uber Drivers
Uber $3,000 Stored XSS in archive.uber.com Due to Injection of Javascript:alert(0)
Badoo - Insecure Direct Object Reference on badoo.com
Uber - It is possible to re-rate a driver after a very long time
Uber - Pixel flood attack in https://riders.uber.com/profile
Coinbase $1,000 Sending payments via QR code does not require confirmation
Uber - Disclosure of ip addresses in local network of uber
Shopify $500 XSS on https://app.shopify.com/
Uber - SMS Flood with Update Profile
Uber - Changing Driver Passwords With Only an Authenticated Session (no password, no email)
Coinbase $500 Email leak in transcations in Android app
Uber - Uploading Plain Text to uber-documents.s3.amazonaws.com Through the Driver Document Upload Page
Uber - Uber password reset link EMAIL FLOOD
Uber - Privilege escalation to allow non activated users to login and use uber partner ios app
Trello $1,024 If a team is public, the web socket receives data about the Team visible boards
Uber - text injection in get.uber.com/check-otp
LocalTapiola $1,000 Posting modified information in 'Investment section' will cause unintended information change in verkkopalvelu.tapiola.fi
Uber $500 CBC "cut and paste" attack may cause Open Redirect(even XSS)
Uber $750 XSS In archive.uber.com Due to Mime Sniffing in IE
Uber $1,000 CSV Injection in business.uber.com
Uber $2,000 Stored XSS in drive.uber.com WordPress admin panel
Uber - Cross-site Scripting (XSS)
Gratipay $10 prevent content spoofing on /~username/emails/verify.html
Uber - CRLF Injection in developer.uber.com
Uber $10,000 uber.com may RCE by Flask Jinja2 Template Injection
Uber $3,000 SQL injection in Wordpress Plugin Huge IT Video Gallery at https://drive.uber.com/frmarketplace/
Veris - XSS on multiple fields
Uber $3,000 Reflected XSS via Unvalidated / Open Redirect in uber.com
Zomato - Reflected XSS on Zomato API
Uber - Session retention is present which reveals the customer info
Uber - Brute Force Amplification Attack
Uber - CSRF on eng.uber.com may lead to server-side compromise
Uber $5,000 Possibility to brute force invite codes in riders.uber.com
Uber - Stored Cross Site Scripting [SELF] in partners.uber.com
Uber $3,000 Dom Based Xss
Uber $500 Estimation of a Lower Bound on Number of Uber Drivers via Enumeration
New Relic - Too many included lookups
PHP - Null pointer deref (segfault) in stream_context_get_default
Mapbox $1,000 XSS (cross-site scripting) on www.mapbox.com/maki
Uber $3,000 Avoiding Surge Pricing
Uber - Create account in uber without signup form
Uber $2,000 Bypassing Uber Partner's 3 Cancel Limit
Uber $3,000 Lack of rate limiting on get.uber.com leads to enumeration of promotion codes and estimation of a lower bound on the number of Uber drivers
Uber $3,000 SQLi in love.uber.com
Uber - XSS on love.uber.com
Uber - HTML Escaping Error in the 404 Page on developer.uber.com/docs/
Uber $1,500 Lack of CNAME/A Record Trimming Pointing Uber Domains to Insecure Non-Uber AWS Instances/Sites
Uber $3,000 XSS in getrush.uber.com
Uber - LIsting of http://archive.uber.com/pypi/simple/
Uber - Self-XSS Vulnerability on Password Reset Form
Uber $3,000 Reflected XSS on developer.uber.com via Angular template injection
Uber $500 Open Redirect in m.uber.com
Gratipay $1 Hijacking user session by forcing the use of invalid HTTPs Certificate on images.gratipay.com
Uber - Cross-site Scripting (XSS) autocomplete generation in https://www.uber.com/
HackerOne $1,500 External programs revealing info
HackerOne $500 Websites opened from reports can change url of report page
Shopify $500 Bypassed password authentication before enabling OTP verification
New Relic - Stored XSS through Angular Expression Sandbox Escape
HackerOne - External links should use rel="noopener" or use the redirect service
HackerOne $500 Disclosure of private programs that have an "external" page on HackerOne
General Motors - Angular Expression Injection in the my.gmc.com Search Page
Vimeo - Missing rate limit on private videos password
Shopify $500 Stored XSS via "Free Shipping" option (Discounts)
Imgur $100 XSS via React element spoofing
HackerOne $500 CSV Injection via the CSV export feature
Veris - Captcha Bypass enable login bruteforce
Zomato - Authentication Bypassing and Sensitive Information Disclosure on Verify Email Address in Registration Flow
Shopify $1,500 Shopify GitHub Login and Password exposed all private source code might be available.
Veris - Wordpress Pingback DDoS Attacks in domain: veris.in
Trello $768 Using WebSocket I can always access organization data even if I am removed
Veris - Stored XSS in Access Rules
Veris - Complete Profile URL is not Random and not expiring
Gratipay - csrf_token cookie don't have the flag "HttpOnly"
Gratipay $1 auto-logout after 20 minutes
Gratipay $1 Cookie Does Not Contain The "secure" Attribute
Gratipay - Vulnerable to clickjacking
Veris - Not Using Secure Flag Option on Cookies Could Lead to a Man in the Middle Session Highjacking
HackerOne - Sending emails (via HackerOne) impersonating other users
Gratipay $1 suppress version in Server header on gratipay.com or grtp.co
Veris - Complete or Edit Another User's Profile
Veris - Insecure Direct 'org-visitor-log' References
Veris - Insecure Direct 'org-invite-log' References
Dropbox - Possible SQL injection can cause denial of service attack
New Relic - Synthetics Xss
Informatica - [marketplace.informatica.com] Open Redirect
HackerOne $500 SECURITY: Referencing previous Reports attachment_IDs on new Reports via Draft_Sync DELETES Attachments
HackerOne - Unauthorized Team members viewing
Veris - Security Vulnerability - SMTP protection not used
New Relic - Host Header Injection / Cache Poisoning
Veris - Insecure Direct Member Disclosure
Veris - User enumeration via error message
New Relic - Normal user can set "Job title" of other users by Direct Object Reference
HackerOne $500 Mediation link can be accepted by other users
Mail.Ru - Обход basic авторизации [qpt.mail.ru]
Veris - Creating multiple user with the same link which is sent to email after registeration
LocalTapiola $500 CSRF allows attacker to delete item from customer's "Postilaatikko"
HackerOne - Possible XSS
Veris - Server and PHP version Disclosed in Response Header
New Relic - All the active session should destroy when user change his password
New Relic - Open redirection on login
HackerOne - Email Address Leak
New Relic - no email confirmation on signup
New Relic - newrelic.com vulnerable to clickjacking !
Shopify $500 XSS on hardware.shopify.com
New Relic - Emails and alert policies can be altered by malicious users.
New Relic - CSRF- delete all empty server policy
Mail.Ru - Reflected XSS на games.mail.ru
New Relic - CSRF - Delete all empty application policy
New Relic - No Rate Limitation on Promo Code
New Relic - Vulnerable Link Leaks the User Names
New Relic - https://rpm.newrelic.com/login vulnerable to host header attack
New Relic - https://rpm.newrelic.com/.htaccess file is world readable
HackerOne $1,000 Edit Auto Response Messages
Zomato - Persistent XSS on Reservation / Booking Page
Mail.Ru $200 bgplay.mail.ru
Xero - Default.aspx exposing full path and other info on wip.origin-community.xero.com
Shopify $500 Stored XSS in https://checkout.shopify.com/
Uber - Active Email Hyperlink Sent on riders.uber.com
New Relic - Server Side Browsing - localhost open port enumeration
Imgur $5,000 Local file read in image editor
Xero - stored xss issue in folder name on go.xero.com/Docs/Folders
Xero - Open-redirect on login.xero.com
Mapbox $200 Mapbox API Access Token with No Scope Can Read Styles
Ubiquiti Networks $1,300 Shell Injection via Web Management Console (dl-fw.cgi)
Vimeo $100 Private, embeddable videos leaks data through Facebook & Open Graph
Xero - Additonal stored XSS in Add note/Expected payment Date
PHP $1,000 Buffer overflow in HTTP url parsing functions
Badoo $850 Account Takeover
Xero - Vulnerability : XSS Vulnerability
LocalTapiola $400 CRLF injection in https://verkkopalvelu.lahitapiola.fi/
Badoo $427 Broken Authentication on Badoo
Bime $150 Subdomain takeover due to unclaimed Amazon S3 bucket on a2.bime.io
Coinbase - Inaccurate Payment receipt
ownCloud - doc.owncloud.org has missing PHP handler
Veris - Multiple Stored XSS on Sanbox.veris.in through Veris Frontdesk Android App
General Motors - Content Spoof in opel.es.wpsegment2.gm.com
Zomato - NexTable: Credentials exposure
General Motors - XSS Vulnerability in developer.gm.com
General Motors - Reflected Cross Site Script in m.chevrolet.com.wpsegment5.gm.com
General Motors - Reflected Cross Site Script in imtportal.gm.com
Veris - Multiple Stored XSS
Veris - Critical IDOR - Make Rule for Any Group & Any Venue remotely
Veris - Critical IDOR - Get Rules of any organization remotely
Veris - Critical IDOR - Can select any Parent while creating new Venue
Veris - Critical IDOR - Get venue data of any organization remotely
Veris - Critical IDOR - Get Authentication Details of any Terminal/Gatekeeper
Veris - Critical IDOR - Set anyone's Terminal Data remotely
Veris - Critical IDOR - Get anyone's Terminal Data remotely
Veris - Critical IDOR - Delete any terminal/gatekeeper of any organization remotely
Bime $250 SSRF issue
Veris - Missing Server Side Validation of CSRF Middleware Token in Change Password Request
Veris - Critical IDOR - Delete any rule of any organization remotely
Veris - Critical IDOR - Delete any venue of any organization remotely
Veris - Critical IDOR - Delete any group of any organization remotely
Veris - Critical - Insecure Direct Object Reference - Deleting any member of any organization remotely
Gratipay $1 don't serve hidden files from Nginx
OpenSSL - b2i_PVK_bio heap corruption
Pornhub $250 Public Facing Barracuda Login
OpenSSL $500 BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797)
Pornhub $2,500 Unprotected Memcache Installation running
Pornhub $50 HTTP Track/Trace Method Enabled
LeaseWeb - Found clickjacking vulnerability
ownCloud - DROWN Attack
Badoo - Password modification without knowing actual password & httpOnly bypass
LeaseWeb - Server version is disclosure in http://leasewebnoc.com/
Coinbase - An adversary can overwhelm the resources by automating Forgot password/Sign Up requests
Twitter $1,120 DOMXSS in Tweetdeck
Veris - Password(s) can be found via login process.
Veris - www.veris.in DOM based XSS
Mail.Ru $150 By pass admin panel [conference.mail.ru]
Mail.Ru $150 By pass admin panel [seminars.mail.ru]
HackerOne - Race Conditions Exist When Accepting Invitations
Ubiquiti Networks $1,500 Read-Only user can execute arbitraty shell commands on AirOS
Udemy $150 Session Takeover vulnerability
Shopify $500 xss in the all widgets of shopifyapps.com
Uber $500 Open Redirection on Uber.com
HackerOne $500 User with Read-Only permissions can edit the Internal comment Activities on Bug Reports After Revoke the team access permissions
Twitter $280 Sub-Domain Takeover
InVision $500 CRITICAL Stored XSS in https://projects.invisionapp.com
Udemy $150 Able to view others' gifts on /gift/share URL, giftId is predictable, and easy to manipulate
New Relic - CSRF - Regenerate all admin api keys
Coinbase $500 Misconfiguration in 2 factor allows sensitive data expose
New Relic - Reflected XSS on Signup Page
Cakebet - Sender policy framework (SPF) records evaluation return (Too many DNS lookups) error
Twitter $2,520 Tweet Deck XSS- Persistent- Group DM name
HackerOne $500 Distinguish EP+Private vs Private programs in HackerOne
Veris - Stored XSS
Veris - Password reset link is not Expiring
Algolia $1,000 API Key added for one Indices works for all other indices too.
OpenSSL $500 CVE-2016-0799 memory issues in BIO_*printf functions
ThisData - Login CSRF using Google OAuth
HackerOne - User with Read-Only permissions can edit the SwagAwarded Activities on Bug Reports
HackerOne $500 User with Read-Only permissions can manually public disclosure the report
Shopify $500 File name and folder enumeration.
HackerOne - Abusing HOF rankings in limited circumstances
HackerOne - Denial of Service any Report
Coinbase $200 XSSI (Cross Site Script Inclusion)
HackerOne $500 CSV Injection at the CSV export feature
KIWI.KI GmbH - Subdomain takeover : URGENT
Mail.Ru - Утечка информации через JSONP (XXSI)
Shopify - Injection via CSV Export feature in Admin Orders
QIWI $150 Content Spoofing in mango.qiwi.com
Gratipay - X-Content-Type Header Missing For aspen.io
GitLab - Markdown based stored XSS (IE only)
VK.com $100 Дорк
Mail.Ru $500 Admin panel access restrictions bypass [poll.mail.ru/admin/]
LeaseWeb - MISSING SPF RECORDS & MISSING DKIM POLICY
Gratipay $1 limit number of images in statement
LeaseWeb - Apache version disclosed on developer.leaseweb.com
LeaseWeb - Directory Listening
Zendesk $50 Stored XSS via Angular Expression injection on developer.zendesk.com
Gratipay $1 strengthen Diffie-Hellman (DH) key exchange parameters in grtp.co
Shopify $500 XSS in Draft Orders in Timeline i SHOPIFY Admin Site!
LeaseWeb - PHP and Web Server version disclosed on leasewebnoc.com
Gratipay $1 stop serving grtp.co over HTTP
Gratipay $10 DMARC is misconfigured for grtp.co
Gratipay - Login csrf.
Uber $3,000 Reflected XSS on Uber.com careers
Gratipay $10 Prevent content spoofing on /~username/emails/verify.html
Mail.Ru - Stored XSS на street-combats.mail.ru
Gratipay $2 SPF/DKIM/DMARC for aspen.io
Mail.Ru $250 SSRF на element.mail.ru
Gratipay $2 SPF/DKIM/DMARC for grtp.co
Gratipay $1 limit HTTP methods on other domains
Gratipay $10 Email Forgery through Mandrillapp SPF
Uber $250 Multiple Vulnerabilities (Including SQLi) in love.uber.com
Informatica - [informatica.com] Blind SQL Injection
Uber $3,000 XSS @ love.uber.com
Gratipay $10 No Valid SPF Records.
HackerOne $500 Increase number of bugs by sending duplicate of your own valid report
Zopim $100 Chat History CSV Export Excel Injection Vulnerability
Paragon Initiative Enterprises - Spf
Legal Robot $20 SSL Issue on legalrobot.com
HackerOne $500 Private Program Disclosure in /:handle/settings/allow_report_submission.json endpoint
Gratipay - UDP port 5060 (SIP) Open
VK.com $200 vk.com/login.php
Algolia - PHP version disclosed on blog.algolia.com
Gratipay - server calendar and server status available to public
Gratipay - proxy port 7000 and shell port 514 not filtered
Legal Robot $20 SPF Issue
Legal Robot $120 Remote Code Execution (upload)
Mail.Ru $600 VERY DANGEROUS XSS STORED inside emails
Gratipay - Markdown parsing issue enables insertion of malicious tags
Mail.Ru $150 [3k.mail.ru] SQL Injection
Ubiquiti Networks $1,000 Auth bypass on directory.corp.ubnt.com
General Motors - E-mail Spoof in media.gm.com
Slack $100 an xss issue in https://hunter22.slack.com/help/requests/793043
General Motors - Content Spoof in webcaps.ecomm.gm.com
Gratipay $1 The POODLE attack (SSLv3 supported) for https://grtp.co/
Gratipay - nginx SPDY heap buffer overflow for https://grtp.co/
New Relic - open redirection at login
WePay $150 2-step Verification bypass
Python $1,000 Type confusion in partial.setstate, partial_repr, partial_call leads to memory corruption, reliable control flow hijack
ownCloud - owncloud.com: Persistent XSS In Account Profile
New Relic - Potential Subdomain Takeover - http://storefront.newrelic.com/
Sucuri $500 Manipulating of Sucuri.net (List Subscription) Emails (HTML/Script Injection)
HackerOne - Null byte injection
New Relic - Unauthorized Access
General Motors - Reflected Cross Site Script in www.gmcar.gm.com
Paragon Initiative Enterprises - file full path discloser.
HackerOne $500 Private Program Disclosure in /:handle/reports/draft.json endpoint
HackerOne $5,000 Private program activity timeline information disclosure
Shopify $500 XSS on hardware.shopify.com
Imgur $1,000 SSRF / Local file enumeration / DoS due to improper handling of certain file formats by ffmpeg
New Relic - [download.newrelic.com] Access to private directories
New Relic - [login.newrelic.com] XSS via return_to
Imgur $800 SSRF and local file read in video to gif converter
Legal Robot $20 Rate limiting on Email confirmation link
Legal Robot - Rate limiting on password reset links
Imgur $2,000 SSRF in https://imgur.com/vidgif/url
New Relic - SUBDOMAIN TAKEOVER(FIXED)
Zomato - Two XSS vulns in widget parameters (all_collections.php and o2.php)
Paragon Initiative Enterprises - Email Spoof
Urban Dictionary - Cross-Site Scripting Vulnerability in urbandictionary.com
Zomato - XSS via modified Zomato widget (res_search_widget.php)
Paragon Initiative Enterprises - Missing SPF for paragonie.com
Paragon Initiative Enterprises $50 Full Path Disclosure
Paragon Initiative Enterprises - CSRF AT SUBSCRIBE TO LIST
Paragon Initiative Enterprises - Missing SPF for paragonie.com
Paragon Initiative Enterprises - Blind SQL INJ
Paragon Initiative Enterprises - Missing SPF
Mail.Ru $300 [orsotenslimselfie.lady.mail.ru] SQL Injection
Gratipay $10 prevent content spoofing on /search
Gratipay $5 SPF DNS Record
Paragon Initiative Enterprises - SSL certificate public key less than 2048 bit
Paragon Initiative Enterprises - Missing SPF records for paragonie.com
Zomato - XSS and CSRF in Zomato Contact form
Paragon Initiative Enterprises - DNSsec not configured
Paragon Initiative Enterprises - Email Authentication bypass Vulnerability
Paragon Initiative Enterprises - Email spoofing
Keybase $50 Content spoofing due to the improper behavior of the not-found meesage
Paragon Initiative Enterprises - Information Disclosure in Error Page
Paragon Initiative Enterprises - Missing SPF for https://paragonie.com/
Uber - Unauthorized file (invoice) download
HackerOne $500 Putting link inside link in markdown
Zomato - Weak Password Policy
Keybase $350 Race conditions can be used to bypass invitation limit
Zomato - Persistent input validation mail encoding vulnerability in the "just followed you" email notification.
New Relic - Basic Authorization over HTTP
New Relic - Html injection in monitor name textbox
New Relic - Unsafe HTML in reset password email and Account verification in email is missing in Sign up
New Relic - A Signup page does not properly validate the authenticity token at the server side.
New Relic - A Log in page does not properly validate the authenticity token at the server side
New Relic - No validation on account names
Keybase $250 Remote Server Restart Lead to Denial of Service by only one Request.
Zomato - Several XSS affecting Zomato.com and developers.zomato.com
Mapbox $200 Content Spoofing and Local Redirect in Mapbox Studio
VK.com $2,500 Внедрение внешних сущностей в функционале импорта пользователей YouTrack
Shopify $500 CSRF on https://shopify.com/plus
Zomato - Remote File Upload Vulnerability in business-blog.zomato.com
Mail.Ru - [touch.lady.mail.ru] CRLF Injection
Twitter $2,520 Bypassing Digits web authentication's host validation with HPP
Zomato - Cross Site Scripting - type Patameter
Snapchat $1,000 Subdomain takeover in http://support.scan.me pointing to Zendesk (a Snapchat acquisition)
Zomato - Twitter Disconnect CSRF
Keybase $250 Remote Server Restart Lead to Denial of Server by only one Request.
Ruby on Rails - Remote code execution using render :inline
Zomato - Subdomain Takeover
Zomato - CSRF AT INVITING PEOPLE THOUGH PHONE NUMBER
Zomato - CSRF AT SELECTING ZAMATO HANDLE
Ruby on Rails - Regarding [CVE-2016-0752] Possible Information Leak Vulnerability in Action View
Paragon Initiative Enterprises - Cross-domain AJAX request
Mail.Ru - [api.login.icq.net] Reflected XSS
Mail.Ru - [api.login.icq.net] Open Redirect
OpenSSL $2,500 OpenSSL Key Recovery Attack on DH small subgroups (CVE-2016-0701)
ownCloud - No Any Kind of Protection on Delete account
Paragon Initiative Enterprises $50 Open-redirect on paragonie.com
HackerOne $500 Multiple issues with Markdown and URL parsing
withinsecurity $250 WordPress Failure Notice page will generate arbitrary hyperlinks
HackerOne $500 Unintended HTML inclusion as a result of https://hackerone.com/reports/110578
Gratipay - grtp.co is vulnerable to http-vuln-cve2011-3192
Mail.Ru $300 [afisha.mail.ru] SQL Injection
Coinbase $1,000 Session Issue Maybe Can lead to huge loss [CRITICAL]
Binary.com $250 Full takeover of some binary.com sub domains
ownCloud - owncloud.help: Text Injection
Mail.Ru - Logical Vulnerability : REDIRECTING on pw.mail.ru by Parameter Spoofing
Bime $100 The JDBC driver used by the Vertica connector allows to create files on the backends
Bime $1,000 SSRF in the Connector Designer (REST and Elastic Search)
Bime $750 XXE in the Connector Designer
Udemy - Stored XSS
General Motors - XSS on gmchat.gm.com
General Motors - Full Path Disclosure on gmchat.gm.com
HackerOne $500 Interstitial redirect bypass / open redirect in https://hackerone.com/zendesk_session
Mail.Ru $150 [allods.my.com] SSRF / XSPA
Zendesk $100 [CRITICAL] HTML injection issue leading to account take over
HackerOne - Report title and issue information prepopulated
withinsecurity $250 Error Page Text Injection #106350
Khan Academy - XSS vulnerability in "/coach/roster/" ( create your first class)
Imgur $50 Big Bug in SSL : breach compression attack (CVE-2013-3587) affect imgur.com
HackerOne - attack in not an authorized user
Shopify $500 Full access to Amazon S3 bucket containing AWS CloudTrail logs
Mail.Ru - [3k.mail.ru] Content Spoofing
Automattic $75 XSS at wordpress.com
Shopify $500 www.shopify.com XSS via third-party script
Trello $1,152 DOM based XSS via Wistia embedding
VK.com $100 Checking whether user liked the media or not even when you are blocked
Vimeo $100 Legacy API exposes private video titles
Automattic $75 XSS at www.woothemes.com
Pornhub $1,500 [ssrf] libav vulnerable during conversion of uploaded videos
ownCloud - The csrf token remains same after user logs in
Shopify $500 Attach Pinterest account - no State/CSRF parameter in Oauth Call back
Shopify $500 Twitter Disconnect CSRF
HackerOne $500 CSV Injection via the CSV export feature
Binary.com - XSS
withinsecurity $250 Content Spoofing OR Text Injection in https://withinsecurity.com
Gratipay $15 Sub Domian Take over
Automattic $250 Internal GET SSRF via CSRF with Press This scan feature
ownCloud $250 Information Exposure Through Directory Listing CVE-2016-1499
HackerOne $500 HTML injection can lead to data theft
Twitter $5,040 Bypassing Digits bridge origin validation
Perl $1,000 Perl 5.22 VDir::MapPathA/W Out-of-bounds Reads and Buffer Over-reads
Phabricator $300 Extended policy checks are buggy
Udemy $25 CSRF in Udemy.com
Binary.com - HTML injection via 'underlying' parameter
Coinbase $200 Direct URL access to completed reports
Coinbase - The 'Create a New Account' action is vulnerable to CSRF
Ubiquiti Networks $500 Subdomain Takeover in http://assets.goubiquiti.com/
HackerOne $500 User with Read-Only permissions can request/approve public disclosure
General Motors - refelected Xss on https://gmid.gm.com/gmid/jsp/GMIDInitialLogin.jsp
HackerOne - Requesting unknown file type returns Ruby object w/ address
General Motors - gmmovinparts.com SQLi via forgot_password.jsp
Mail.Ru - Multiple vulnerabilities in mail.ru subdomains
General Motors - XSS in GM
Mail.Ru $150 [parapa.mail.ru] SQL Injection
PHP $1,000 Use After Free in sortWithSortKeys()
Gratipay - Directory Listing on grtp.co
Gratipay $5 HTTP trace method is enabled
HackerOne - Signals get affected once reports closed as self
Ruby on Rails - Validation bypass for Active Record and Active Model
ownCloud - Mixed Active Scripting Issue on stats.owncloud.org
Gratipay - Harden resend throttling
ownCloud - otrs.owncloud.com: Reflected Cross-Site Scripting
Twitter $2,520 Bypassing callback_url validation on Digits
ownCloud $350 Exploiting unauthenticated encryption mode
HackerOne - HackerOne is still prone to Internet Explorer UXSS
Ubiquiti Networks $150 Reflected File Download in community.ubnt.com/restapi/
VK.com $500 API: Bug in method auth.signup , дающий возможность бесконечно звонить
ownCloud - [https://test1.owncloud.com/owncloud6/] Guessable password used for admin user
Mail.Ru $150 [cfire.mail.ru] Time Based SQL Injection
Mail.Ru - XSS at forum :
Mail.Ru $500 reflected in xss
HackerOne $500 Team Member(s) associated with a Group have Read-only permission (Post internal comments) can post comment to all the participants
WePay $100 Unauthenticated Stored XSS in API Panel
Automattic $50 Possible Timing Side-Channel in XMLRPC Verification
GlassWire $100 GlassWireSetup.exe subject to EXE planting attack
Imgur $150 XSS in imgur mobile 3
Imgur $150 XSS in imgur mobile
Shopify $500 Stored XSS in /admin/orders
Informatica - [rev-app.informatica.com] - XXE via SAML
VK.com $100 Добавление в меню сообщества без ведома пользователя (нажатия пользователем)
Informatica - [marketplace.informatica.com] - XXE
Informatica - [marketplace.informatica.com] - XXE
Zendesk $500 Stored XSS in comments
Informatica - [now.informatica.com] Reflective XSS
Shopify $500 Strored Cross Site Scripting
PHP $1,000 Format string vulnerability in zend_throw_or_error()
Shopify $500 HTTP-Response-Splitting on v.shopify.com
Maximum $20 Application error message
CloudFlare - Clickjacking : https://partners.cloudflare.com/
Coinbase $100 Race condition allowing user to review app multiple times
withinsecurity $250 text injection can be used in phishing 404 page should not include attacker text
Algolia $100 text injection can be used in phishing 404 page should not include attacker text
Coinbase - Potential for Double Spend via Sign Message Utility
HackerOne $500 Improve signals in reputation
Shopify $500 Reflective XSS on wholesale.shopify.com
HackerOne $500 Team Member(s) associated with a Custom Group Created with 'Program Managment' only permissions can Comments on Bug Reports
ownCloud - owncloud.com: Parameter pollution in social sharing buttons
Shopify $500 "Remember me" token generated when "Remember me" box unchecked
ownCloud - XXE at host vpn.owncloud.com
GlassWire $100 DLL Hijacking Vulnerability in GlassWireSetup.exe
HackerOne $500 Parameter pollution in social sharing buttons
HackerOne $500 Know whether private program for company exist or not
Informatica - XXE in upload file feature
Informatica - [app.informaticaondemand.com] XXE
LeaseWeb $100 DOM Based XSS in Checkout
Shopify $500 many xss in widgets.shopifyapps.com
Phabricator - libphutil: removing bytes from a PhutilRope does not work as intended
Pornhub $50 [crossdomain.xml] Dangerous Flash Cross-Domain Policy
Pornhub $250 PornIQ Reflected Cross-Site Scripting
Imgur $150 risk of having secure=false in a crossdomain.xml
Informatica - [rev-app.informatica.com] - XXE
Instacart $100 Cookie-Based Injection
Shopify - [livechat.shopify.com] Cookie bomb at customer chats
Square Open Source $2,000 Unsafe usage of Ruby string interpolation enabling command injection in git-fastclone
ownCloud - directory listing in https://demo.owncloud.org/doc/
Shopify $500 CSRF in Connecting Pinterest Account
Instacart $100 Cross-Site Scripting Reflected On Main Domain
Zopim $100 [status.zopim.com] Open Redirect
Coinbase - XXE in OAuth2 Applications gallery profile App logo
Automattic $75 XSS on codex.wordpress.org
Coinbase $200 HTML injection in apps user review
QIWI $200 [rubm.qiwi.com] Yui charts.swf XSS
Square Open Source $2,000 git-fastclone allows arbitrary command execution through usage of ext remote URLs in submodules
Shopify $1,000 shopifyapps.com XSS on sales channels via currency formatting
Slack $1,000 Trick make all fixed open redirect links vulnerable again
Python $500 tokenizer crash when processing undecodable source code
Python $1,000 PyFloat_FromString & PyNumber_Long Buffer Over-reads
PHP - Improved fix for bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow) CVE-2015-4643
PHP $500 Memory Corruption in phar_parse_tarfile when entry filename starts with null CVE-2015-4021
PHP $500 invalid pointer free() in phar_tar_process_metadata() CVE-2015-3307
Python $500 use after free in load_newobj_ex
Python $500 array.fromstring Use After Free
Python $1,000 bytearray.find Buffer Over-read
Python $500 hotshot pack_string Heap Buffer Overflow
Python $500 audioop.adpcm2lin Buffer Over-read
Python $500 audioop.lin2adpcm Buffer Over-read
PHP $500 Files extracted from archive may be placed outside of destination directory CVE-2015-6833
PHP $1,500 Multiple Use After Free Vulnerabilites in unserialize() CVE-2015-6831
PHP $1,000 Arbitrary code execution in str_ireplace function CVE-2015-6527
PHP $1,000 Dangling pointer in the unserialization of ArrayObject items CVE-2015-6832
PHP $500 curl_setopt_array() type confusion
The Internet $1,000 libcurl duphandle read out of bounds CVE-2014-3707
PHP $500 heap buffer overflow in enchant_broker_request_dict() CVE-2014-9705
PHP $500 Integer overflow in unserialize() (32-bits only) CVE-2014-3669
PHP $500 AddressSanitizer reports a global buffer overflow in mkgmtime() function CVE-2014-3668
PHP $1,500 SOAP serialize_function_call() type confusion / RCE CVE-2015-6836
PHP $500 zend_throw_or_error() format string vulnerability
PHP $1,000 Uninitialized pointer in phar_make_dirstream CVE-2015-7804
PHP $1,000 Buffer over-read in exif_read_data with TIFF IFD tag
PHP $500 Null pointer deref (segfault) in spl_autoload via ob_start
PHP $500 null pointer deref (segfault) in zend_eval_const_expr
PHP $500 Mem out-of-bounds write (segfault) in ZEND_ASSIGN_DIV_SPEC_CV_UNUSED_HANDLER
Python $1,000 Python deque.index() uninitialized memory
Python $500 Python scan_eol() Buffer Over-read
Python $500 time_strftime() Buffer Over-read
Python $500 Python xmlparse_setattro() Type Confusion
PHP $500 Use after free vulnerability in unserialize() with GMP
PHP $500 Use After Free Vulnerability in session deserializer CVE-2015-6835
PHP $1,000 Use After Free Vulnerability in unserialize() CVE-2015-6834
PHP $1,000 Use After Free Vulnerability in unserialize() with SplObjectStorage CVE-2015-6834
PHP $1,000 Use After Free Vulnerability in unserialize() with SplDoublyLinkedList CVE-2015-6834
Python $500 Python 3.3 - 3.5 product_setstate() Out-of-bounds Read
Ruby $1,500 Request Hijacking Vulnerability In RubyGems 2.4.6 And Earlier CVE-2015-3900
Python $500 Integer overflow in _Unpickler_Read
Apache httpd $500 mod_lua: Crash in websockets PING handling CVE-2015-0228
PHP $500 Null pointer dereference in phar_get_fp_offset() CVE-2015-7803
Khan Academy - Escaping the iframe via exceptions
HackerOne $2,500 CSRF possible when SOP Bypass/UXSS is available
Shopify $500 Open Redirect at *.myshopify.com/account/login?checkout_url=
CERT/CC - manipulate the Practical HTTP Host header
Urban Dictionary - URGENT - Subdomain Takeover in support.urbandictionary.com pointing to Zendesk
Shopify $500 [CSRF] Install premium themes
Imgur - Attack User Privacy Settings - X-Frame-Options missing on m.imgur.com/user/username/settings
Algolia $100 Stored XSS in name selection
ok.ru $500 Обход защиты от csrf-ок в m.ok.ru
withinsecurity $250 content injection
ok.ru $500 Same-Origin Policy Bypass #2
ok.ru $500 Same-Origin Policy bypass on main domain - ok.ru
Zendesk $500 [CRITICAL] CSRF leading to account take over
Sucuri $250 XSS Vuln in Sucuri Security - Auditing, Malware Scanner
Binary.com $75 Cookie bug
Imgur - Login to any user account using other facebook app access token
Shopify $500 Open redirect using theme install
Ubiquiti Networks $200 account.ubnt.com CSRF
Shopify $500 XSS in creating tweets
Maximum $20 RC4 cipher suites detected
Maximum $10 SSL certificate invalid date
Maximum $40 RC4 cipher suites detected
Automattic $75 Remove anyone's pic gravtar
Pornhub $250 Reflected Cross-Site Scripting on French subdomain
Twitter $140 Subdomain Expired
InVision $300 Stored Cross-Site Scripting on █████████ (with small user interaction)
Uber $500 Drivers can change profile picture
Shopify - Cookie securing your "Opening soon" store is not secured against XSS
Shopify $500 An administrator without any permission is able to get order notifications using his APNS Token.
Twitter $560 xss in link items (mopub.com)
Yelp $1,500 Access to internal CMS containing private Data
Imgur $5,500 Imgur dev environments facing the Internet
Twitter $560 URGENT : NICHE.co Account Take Over Vulnerability
Coinbase $5,000 Stored-XSS in https://www.coinbase.com/
Twitter $560 Add tweet to collection CSRF
Mail.Ru - Reflected XSS on hi-tech.mail.ru
Shopify - CSV Excel Macro Injection Vulnerability in export list of current users - app.shopify.com
Slack - Executing scripts on slack-files.com using SVG
Pornhub $250 Cross Site Scripting - On Mouse Over, Blog page
Pornhub $250 [xss, pornhub.com] /user/[username], multiple parameters
HackerOne $1,000 Pre-generation of 2FA secret/backup codes seems like an unnecessary risk
Mail.Ru - [tz.mail.ru] XSS в функционале авторизации
QIWI $100 Open Redirect in meeting.qiwi.com
Coinbase $500 Transactions visible on Unconfirmed devices
Algolia $200 User with limited access to Index configuration can rename the Index
drchrono $100 Request Accepts without X-CSRFToken [ Header - Cookie ]
HackerOne $500 Limited CSRF bypass.
HackerOne - profile cover can also load external URL's
Mail.Ru - [w1.dwar.ru] Core Dump
drchrono $100 CSRF Add Album On onpatient.com
Boozt Fashion AB $100 Reflected XSS on www.boozt.com
Badoo $153 Open redirect helps to steal Facebook access_token
Uber $1,000 Mass Assignment Vulnerability in partners.uber.com
Shopify $500 deleted staff member can add his amazon marketplace web services account to the store.
Algolia $100 an xss issue
Shopify $500 [CSRF] Activate PayPal Express Checkout
QIWI $3,137 XML External Entity (XXE) in qiwi.com + waf bypass
Mail.Ru - [gitmm.corp.mail.ru] Auth Bypass, Information Disclosure
Mail.Ru - [otus.p.mail.ru] CRLF Injection
Mail.Ru - [otus.p.mail.ru] Full Path Disclosure
Mapbox $1,000 XSS in L.mapbox.shareControl in mapbox.js
Slack $100 RC4 cipher suites detected on status.slack.com
Mail.Ru - [opensource.mail.ru] Debug Mode
Shopify $1,000 S3 Buckets open to the world thanks to 'Authenticated Users' ACL
ownCloud - RCE in ci.owncloud.com / ci.owncloud.org
Shopify $500 Apps can access 'channels' beta api
Binary.com $50 Email Verification Link can be Used as Password Reset Link!
Twitter $280 Urgent : Disclosure of all the apps with hash ID in mopub through API request (Authentication bypass)
QIWI $200 XSS Reflected in test.qiwi.ru
Shopify $1,500 'Limited' RCE in certain places where Liquid is accepted
Binary.com $300 login to any user's cashier account and full account information disclosure
Shopify - Non-owner user can remove online store channel and re-add it.
itBit Exchange $100 No password length restriction denial of service
Algolia $100 Stored XSS on https://www.algolia.com/realtime-search-demo/*
HackerOne $2,500 Cross-domain AJAX request
Imgur $150 XSS m.imgur.com
Slack $100 Reflected Self-XSS in Slack
Twitter $1,120 File Upload XSS in image uploading of App in mopub
Slack $200 File upload XSS (Java applet) on http://slackatwork.com/
Binary.com - User Enumeration : Due to rate limiting on registration
Shopify $500 List of devices is accessible regardless of the account limitations
Twitter $280 Following a User After Favoriting Actually Follows Another User (related to #95243)
Shopify $500 SVG parser loads external resources on image upload
Shopify $500 Staff members with no permission can access to the files, uploaded by the administrator
Mail.Ru $300 Potential SSRF in sales.mail.ru
HackerOne - Hackerone impersonation
Mail.Ru - [allods.my.com] Full Path Disclosure
Mail.Ru - [allods.my.com] Full SQL Disclosure
ok.ru $250 Multiple critical vulnerabilities in Odnoklassniki Android application
HackerOne $1,000 HTTP header injection in info.hackerone.com allows setting cookies for hackerone.com
HackerOne $2,500 Send AJAX request to external domain
Twitter $1,120 Can see private tweets via keyword searches on tweetdeck
Shopify $500 An administrator without the 'Settings' permission is able to see payment gateways
Shopify $500 A 'Full access' administrator is able to see the shop owners user details
Shopify $500 Staff members with no permission to access domains can access them.
Keybase $50 Un-handled exception leads to Information Disclosure
itBit Exchange - email not required to be unique
Badoo $310 crossdomain.xml too permissive on eu1.badoo.com, us1.badoo.com, etc.
Snapchat $1,500 Password Reset - query param overrides postdata
Mail.Ru - [it.mail.ru] Open Redirect
Shopify $500 Missing of csrf protection
Imgur $50 Persistent XSS in https://p.imgur.com/albumview.gif and http://p.imgur.com/imageview.gif / post statistics
Mail.Ru - Reflected XSS.
Slack $500 Stored XSS in Slack (weird, trial and error)
withinsecurity - DDOS using xmlrpc.php
Vimeo $250 XSS on player.vimeo.com without user interaction and vimeo.com with user interaction
withinsecurity - Uses unsafe-inline without nonce
Shopify - Domain takoever - https://sellocdn.com
Binary.com $75 Http Response Splitting - Validate link
itBit Exchange $50 user-agent Content spoofing
Mail.Ru - [allods.mail.ru] Reflected XSS
Mail.Ru $300 [api.allodsteam.com] Authentication Data
Udemy - Reflected XSS and/or malicious redirection via JWPlayer 6 configuration modification
Binary.com $50 Cross Site Scripting
Shopify $500 Privilege escalation and circumvention of permission to limited access user
Imgur $250 Persistent XSS in image title
Twitter $280 CSRF on cards API
Twitter $5,040 IDOR- Activate Mopub on different organizations- steal api token- Fabric.io
Shopify $500 Unauthorized access to any Store Admin's First & Last name
Twitter $280 Following a User Actually Follows Another User
Twitter $280 XSS in the "Poll" Feature on Twitter.com
Mail.Ru - Reflected XSS.
InVision - X-Frame-Options Header Not Set
Shopify $500 Reflected XSS in cart at hardware.shopify.com
Coinbase - Balance Manipulation - BUG
Shopify $4,000 Paid account can review\download any invoice of any other shop
Whisper $30 SMS Invite Form Abuse
Whisper $30 Host Header Injection/Redirection
Ruby on Rails - http_basic_authenticate_with is suseptible to timing attacks.
Mail.Ru - Reflective Xss on news.mail.ru and admin.news.mail.ru
Shopify $500 Some S3 Buckets are world readable (and one is world writeable)
HackerOne - Minimum bounty of a private program is visible for users that were removed from the program
Zopim $1,000 Cross-site Scripting in all Zopim
Shopify $1,500 Arbitrary read on s3://shopify-delivery-app-storage/files
Shopify $2,500 Unauthorized access to all collections, products, pages from other stores
Shopify $500 Bypassing password requirement during deletion of accout
FanFootage - XSS by image file name
Shopify $2,000 Arbitrary write on s3://shopify-delivery-app-storage/files
Shopify $500 Missing authorization check on dashboard overviews
Shopify $500 get users information without full access
Adobe - Reflected XSS via. search
Shopify $1,000 Unauthenticated access to details of hidden products in any shop via title emuneration
Shopify $500 First & Last Name Disclosure of any Shopify Store Admin
Gratipay - SPF Protection not used, I can hijack your email server
Imgur - Csrf near report abuse meme
WePay $100 Subdomain Takeover in http://staging.wepay.com/ pointing to Fastly
VK.com $100 Способ узнать имя человека и ВУЗ удаленной страницы
Shopify $2,000 unauthorized access to all collections name
Keybase - xss
Coinbase $100 SPF records not found
HackerOne - HackerOne Private Programs users disclosure and de-anonymous-ize
ownCloud - apps.owncloud.com: Referer protection Bypassed
Shopify - The POS Firmware is leaking the root Password which can be used for unauthorized access to the device.
HackerOne - Content spoofing on invitations page
Shopify $500 Accessing Payments page and adding payment methods with limited access accounts
Badoo $456 Tokens from services like Facebook can be stolen
Shopify $2,500 unauthorized access to all customers first and last name
Automattic $75 CSV Injection in polldaddy.com
Trello $128 CSV Injection
Shopify $500 customers password hash leak!!!!
Uber $100 Issue with Password reset functionality
ownCloud - Self-XSS in mails sent by hello@owncloud.com
Trello $256 Normal User can add new users to group
Imgur $1,600 Server Side Request Forgery In Video to GIF Functionality
Imgur $50 Crossdomain.xml settings on api.imgur.com too open
Automattic $50 WooCommerce: Support Ticket indirect object reference
Imgur $50 Reflected Flash XSS using swfupload.swf with an epileptic reloading to bypass the button-event
Imgur - Content Sniffing not enabled
Imgur $50 "Sign me out everywhere" does not work for desktop sessions
Imgur - Open Url redirection on login with facebook
ownCloud - owncloud.com: WP Super Cache plugin is outdated
IRCCloud $500 Inadequate input validation on API endpoint leading to self denial of service and increased system load.
Shopify - Passwords Returned in Later Responses.
Gratipay - change bank account numbers
Gratipay - implement a cross-domain policy for Adobe products
Zendesk $50 Content Spoofing
Mail.Ru - [ling.go.mail.ru] Server-Status opened for all users
Shopify $1,000 change Login Services settings without owner access
Shopify $1,000 create staff member without owner access
Shopify $500 Privilege escalation vulnerability
ownCloud - No email verification during registration
ownCloud - [s3.owncloud.com] Web Server HTTP Trace/Track Method Support
Ruby on Rails - Nested attributes reject_if proc can be circumvented by providing "_destroy" parameter
Zaption - CSV Excel Macro Injection in Export Response
HackerOne - Minor Bug: Public un-compiled CSS with original sass, versioning, source map, comments, etc.
ownCloud - Apache documentation
Coinbase $100 User email enumuration using Gmail
Zopim $100 CSV Excel Macro Injection Vulnerability in export chat logs
Twitter $280 Tweetdeck (twitter owned app) not revoked
VK.com $500 CSRF в получении резервных токенов+framing , приводящие к компроментации 2fa
Zendesk $100 CSV Excel Macro Injection Vulnerability in export customer tickets
Mail.Ru - Reflected XSS на https://aw.mail.ru/news/
Zendesk $100 Cross-site Scripting https://www.zendesk.com/product/pricing/
Slack $100 Self-XSS in posts by formatting text as code
BitHunt - No rate limit or captcha to identify humans
ownCloud - owncloud.com: CVE-2015-5477 BIND9 TKEY Vulnerability + Exploit (Denial of Service)
Mail.Ru - Vulnerability :- "XSS vulnerability"
ownCloud - Apache Range Header Denial of Service Attack (Confirmed PoC)
Mail.Ru $500 XSS: https://light.mail.ru/compose, https://m.mail.ru/compose/[id]/reply при ответе на специальным образом сформированное письмо
Twitter $2,520 Multiple DOMXSS on Amplify Web Player
Vimeo $200 XSS when using captions/subtitles on video player based on Flash (requires user interaction)
Phabricator $300 Information leakage through Graphviz blocks
Vimeo $100 XSS on vimeo.com | "Search within these results" feature (requires user interaction)
Vimeo - XSS on mobile version of vimeo.com where the button "Follow" appears
Vimeo $1,500 XSS on vimeo.com/home after other user follows you
ownCloud - Webview Vulnerablity [OwnCloudAndroid Application]
Mail.Ru - [support.my.com] Internet Explorer XSS
Mail.Ru - [rabota.mail.ru] Open Redirect
ownCloud - gallery_plus: Content Spoofing
Udemy $100 XSS Vulnerability
Vimeo $200 Stored XSS on vimeo.com and player.vimeo.com
Coinbase $100 OAUTH pemission set as true= lead to authorize malicious application
Gratipay - Mail spaming
ownCloud $25 Full Path Disclosure CVE-2016-1501
Shopify $500 www.shopify.com XSS on blog pages via sharing buttons
Twitter $2,520 XSS on OAuth authorize/authenticate endpoint
Keybase $500 [keybase.io] Open Redirect
Anghami $100 [CRITICAL] Login To Any Account Linked With Google+ With Email Only
Anghami $300 [https://www.anghami.com/updatemailinfo/] Sql Injection
Mail.Ru - xss на нескольких форумах игр от mail.ru (Cross-Site Scripting)
HackerOne - Weak HSTS age in support hackerone site
Phabricator $450 Multiple so called 'type juggling' attacks. Most notably PhabricatorUser::validateCSRFToken() is 'bypassable' in certain cases.
Romit $250 IDOR on remoing Share
Vimeo $100 Reflected XSS on vimeo.com/musicstore
ownCloud - apps.owncloud.com: Potential XSS
ownCloud - apps.owncloud.com: CSRF change privacy settings
ownCloud - Password appears in user name field
ownCloud - apps.owncloud.com: Mixed Active Scripting Issue
ownCloud - apps.owncloud.com: Edit Question didn't check ACLs
Vimeo $500 Stored XSS on player.vimeo.com
Mail.Ru $150 XSS at af.attachmail.ru
InVision $400 Deleting a Project for which the user is not owner but a normal member
Shopify $500 XSS https://www.shopify.com/signup
ownCloud $25 Full Path Disclosure CVE-2016-1501
Phabricator - Dashboard panel embedded onto itself causes a denial of service
ownCloud - Config
Gratipay - Stored XSS On Statement
Zopim $100 [API ISSUE] agents can Create agents even after they are disabled !
ownCloud - owncloud.com: Outdated plugins contains public exploits
ownCloud - Lack of HSTS on https://apps.owncloud.com
ownCloud - CSRF in apps.owncloud.com
ownCloud - apps.owncloud.com: Malicious file upload leads to remote code execution
ownCloud - owncloud.com: Account Compromise Through CSRF
ownCloud - apps.owncloud.com: Stored XSS in profile page
Gratipay - DKIM records not present, Email Hijacking is possible
ownCloud - demo.owncloud.org: HTTP compression is enabled potentially leading to BREACH attack
ownCloud - daily.owncloud.com: Information disclosure
ownCloud - *.owncloud.com / *.owncloud.org: Using not strong enough SSL ciphers
ownCloud - test1.owncloud.com: Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability
Ruby on Rails - DoS Attack in Controller Lookup Code
InVision $100 Content Spoofing - Signout Warning Page
ownCloud - s2.owncloud.com: SSL Session cookie without secure flag set
ownCloud - s2.owncloud.com: Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability
ownCloud - demo.owncloud.org: Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability
ownCloud - apps.owncloud.com: SSL Server Allows Anonymous Authentication Vulnerability (SMTP)
ownCloud - apps.owncloud.com: Path Disclosure
ownCloud - apps.owncloud.com: SSL Session cookie without secure flag set
ownCloud - apps.owncloud.com: Session Cookie in URL can be captured by hackers
Khan Academy - Html injection on khanacademy
Mail.Ru - [riot.mail.ru] Reflected XSS in debug-mode
ownCloud - owncloud.com: PermError SPF Permanent Error: Too many DNS lookups
Mail.Ru - [start.icq.com] Reflected XSS via Cookies
Pornhub $100 [reflected xss, pornhub.com] /blog, any
ownCloud - apps.owncloud.com: Multiple reflected XSS by insecure URL generation (IE only)
ownCloud - apps.owncloud.com: XSS via referrer
ownCloud - owncloud.com: Cross Site Tracing
ownCloud - owncloud.com: Content Sniffing not disabled
ownCloud - owncloud.com: Allowed an attacker to force a user to change profile details. (XCSRF)
ownCloud - owncloud.com: DOM Based XSS
Pornhub $50 Cross Site Scripting – Album Page
Zendesk $500 Stored XSS in comments
Hired $420 Stored XSS in Company Name
Shopify $500 Self XSS in chat.
Automattic $100 XSS in WordPress
Gratipay $1 Possible SQL injection on "Jump to twitter"
Shopify $500 XSS https://delivery.shopifyapps.com/ (Digital Downloads App in myshopify.com)
Ruby on Rails - [Rails42] We can inject HTML tags when server is using strip_tags method
Ruby on Rails $2,000 Potential XSS on sanitize/Rails::Html::WhiteListSanitizer
InVision $100 Reflective XSS in projects.invisionapp.com
Informatica - [now.informatica.com] Reflective Xss
HackerOne $500 Internal bounty and swag details disclosed as part of JSON response
HackerOne $500 Private Program and bounty details disclosed as part of JSON search response
Gratipay - Authentication errors in server side validaton of E-MAIL
Urban Dictionary - Reflective Xss Vulnerability
HackerOne $500 Number of invited researchers disclosed as part of JSON search response
Coinbase - Runtime manipulation iOS app breaking the PIN
VK.com $500 Внедрение произвольного javascript-сценария в функционале просмотра изображений мобильной версии сайта
Gratipay - [gratipay.com] CRLF Injection
QIWI $500 Открытый доступ к корпоративным данным.
Slack $1,000 OSX slack:// protocol handler javascript injection
Flox $25 Content spoofing through Referel header
ok.ru $300 Доступ к чужим групповым беседам.
ok.ru $150 Critical : Access to group videos where videos are restricted for all users(Broken authentication )
Udemy $50 information disclosure
Flox - Email spoofing configuration missing
ok.ru $200 Доступ к чужим приватным фотографиям (3) через обложку видео
Mail.Ru $150 Time-Based Blind SQL Injection Attacks
ok.ru $500 (URGENT!) Покупка OK дешевле, чем он стоит
Mail.Ru $150 Cross site scripting
ok.ru $200 Stored XSS в имени песни (2) на платёжном гейте.
ok.ru $100 Покупка=>скачка песен, которые не предназначены для продажи
ok.ru $150 Покупка песни дешевле, чем она стоит.
ok.ru $150 xss in group
Keybase - Sensitive server-side/application information disclosure
ok.ru - Cross site scripting On api Calculator API requests
ok.ru $100 cross siite scripting in the blog
ok.ru $500 SSRF/XSPA в форме загрузки видео по URL
Shopify $1,000 TCP Source Port Pass Firewall
ok.ru $100 http://217.20.144.201 privilege escalation in apache tomcat SessionEample-script
MapLogin - Account creation code bypass
Keybase $100 Full path disclosure at https://keybase.io/_/api/1.0/invitation_request.json
WordPoints $25 Weak Cryptographic Hash
Mavenlink $25 Open/Unvalidated Redirect Issue
Keybase $250 Content Sniffing not disabled
Romit $250 GA code not verified on the server side allows sending Verification Documents on behalf of another user
Keybase $250 No rate limiting for sensitive actions (like "forgot password") enables user enumeration
Keybase $500 Stealing CSRF Tokens
Keybase $500 SMTP protection not used
Keybase - NO SPF RECORDS
Zaption - Cheating at gallery rating
Zaption $25 Open redirect filter bypass
Zaption $25 Using GET method for account login with CSRF token leaking to external sites Via Referer.
Zaption $50 XSS - Gallery Search Listing
Gratipay - Self XSS Protection not used , I can trick users to insert JavaScript
Gratipay - weak ssl cipher suites
Zopim - Security Missconfiguration in Autologin
Zendesk $200 Stored Cross site scripting In developer.zendesk.com
Romit $250 No rate limit which leads to "Users information Disclosure" including verfification documents etc.
Envoy - Stored XSS
Envoy - XSS in "Guest Pre-Registration" page after registration
HackerOne $500 Accessing title of the report of which you are marked as duplicate
QIWI $100 Session Cookie without HttpOnly and secure flag set
Envoy - Stored XSS in /settings/ipad Page
Mapbox $500 Disclosure of map information
DigitalSellz - The product/status method CSRF
DigitalSellz - The email updates issues
Zendesk $50 Error stack trace enabled
DigitalSellz - Own downloading link isn't properly checked in the email template
Romit $250 Potential for financial loss, negative Values for "Buy fee" and "Sell Fee"
Ubiquiti Networks $500 Yet another Buffer Overflow in PHP of the AirMax Products
Ubiquiti Networks $500 Other Buffer Overflow in PHP of the AirMax Products
Udemy $150 Extremely high Course rating values could be set in order to make really high Average rating of the course. Negative values could be set to.
Shopify $3,000 Attention! Remote Code Execution at http://wpt.ec2.shopify.com/
Shopify $500 Reflected XSS in chat
Ubiquiti Networks $250 Buffer Overflow in PHP of the AirMax Products
Ubiquiti Networks $18,000 Arbritrary file Upload on AirMax
Python $1,000 Integer overflow in _json_encode_unicode leads to crash
Python $500 Integer overflow in _pickle.c
Python $1,000 Python: imageop Unsafe Arithmetic
PHP $500 PHP yaml_parse/yaml_parse_file/yaml_parse_url Unsafe Deserialization
PHP $1,500 PHP yaml_parse/yaml_parse_file/yaml_parse_url Double Free
PHP $500 str_repeat() sign mismatch based memory corruption
Python $500 Multiple type confusions in unicode error handlers
Python $500 Use after free in get_filter
Python $1,500 Multiple use after free bugs in json encoding
Python $1,500 Multiple use after free bugs in heapq module
Python $1,500 Multiple use after free bugs in element module
Python $500 Tokenizer crash when processing undecodable source code
PHP $500 php_stream_url_wrap_http_ex() type-confusion vulnerability
PHP $500 Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER
PHP $500 Type Confusion Vulnerability in SoapClient
PHP $1,500 Use after free vulnerability in unserialize() with DateInterval
The Internet $3,000 libcurl: URL request injection CVE-2014-8150
OpenSSL $2,500 Malformed ECParameters causes infinite loop CVE-2015-1788
PHP $1,500 Integer overflow in ftp_genlist() resulting in heap overflow CVE-2015-4022
PHP $1,500 ZIP Integer Overflow leads to writing past heap boundary CVE-2015-2331
PHP $1,000 Buffer Over-read in unserialize when parsing Phar CVE-2015-2783
PHP $1,000 Buffer Over flow when parsing tar/zip/phar in phar_set_inode CVE-2015-3329
OpenSSL $500 X509_to_X509_REQ NULL pointer deref CVE-2015-0288
PHP $1,500 Use After Free Vulnerability in unserialize() CVE-2015-2787
PHP $500 out of bounds read crashes php-cgi CVE-2014-9427
Shopify - Body injection in mailto link while commenting shop blog
Shopify - Prevent Shop Admin From Seeing his Installed Apps / Install Persistent Unremovable App
HackerOne $500 CSV Injection with the CVS export feature
VK.com $300 Уязвимость Создание фотографий без ведома пользователей
Pornhub $5,000 Unauthenticated access to Content Management System - www1.pornhubpremium.com
ThisData - Xss via Dropbox
Shopify $500 XSS at Bulk editing ProductVariants
Pornhub $2,500 Multiple endpoints are vulnerable to XML External Entity injection (XXE)
Pornhub $10,000 Publicly exposed SVN repository, ht.pornhub.com
Hired $250 URGENT - Subdomain Takeover on be.hired.com. due to unclaimed domain pointing to Heroku.com
Shopify $500 XSS in Myshopify Admin Site in DISCOUNTS
VK.com $250 Отвязываем Twitter от любого профиля вк ! + несколько багов по дизайну
Airbnb - authenticity_token is not random across page loads
HackerOne - Redirection Page throwing error instead of redirecting to site
Automattic $100 Verification code issues for Two-Step Authentication
VK.com $100 Issue in the implementation of captcha and race condition
Shopify $1,000 Bypass access restrictions from API
InVision $150 Enumeration and Guessable Email (OWASP-AT-002)T hrough Login Form
Shopify $500 SSRF via 'Insert Image' feature of Products/Collections/Frontpage
Mail.Ru $160 [my.mail.ru] CRLF Injection
Shopify $500 SSRF via 'Add Image from URL' feature
VK.com $200 Уязвимость получения всех номеров телефонов вк (по совместительству логинов профилей)
Shopify $500 Expire User Sessions in Admin Site does not expire user session in Shopify Application in IOS
Mail.Ru $200 Possible xWork classLoader RCE: shared.mail.ru
Shopify $500 XSS at Bulk editing products
Shopify $500 XSS at importing Product List
Slack - Link vulnerability leads to phishing attacks
Sandbox Escape $3,000 Microsoft Internet Explorer ActiveX Broker Allows EPM Bypass
Marktplaats - Multiple Apache 2.2.22 Vulnerabilities (XSS/ Code Exec/ DoS)
Marktplaats - Content Spoofing - http://aanbieding.marktplaats.nl/wp-admin/admin-ajax.php
Legal Robot $20 - Guessing registered users in legalrobot.com
LibSass - type confusion in Sass::ParserState::ParserState(Sass::ParserState const&) CVE-2015-4459
Marktplaats - Secret Password reset key disclosed to third party site via referer in header
Mail.Ru - [tanks.mail.ru] Internet Explorer XSS via Request-URI
Mail.Ru - [mrgs.mail.ru] Internet Explorer XSS via Request-URI
Shopify $500 [www.*.myshopify.com] CRLF Injection
Legal Robot $20 No valid SPF record
Envoy - [dashboard.signwithenvoy.com] Open Redirect
HackerOne $500 mailto: link injection on https://hackerone.com/directory
Mail.Ru $250 [s.mail.ru] CRLF Injection
VK.com $200 Уязвимость в Указание мест на фото + фича + хакинг
Coinbase - Two-factor authentication (via SMS)
HackerOne $500 Invitation is not properly cancelled while inviting to bug reports.
VK.com $500 XSS at http://vk.com on IE using flash files
VK.com $400 Уязвимость приватных записей пользователя (личных)
Mail.Ru - help2.m.smailru.net: XSS
Coinbase $5,000 OAuth authorization page vulnerable to clickjacking
concrete5 - No CSRF protection when creating new community points actions, and related stored XSS
Mail.Ru $150 Activities are not Protected and able to crash app using other app (Can Malware or third parry app).
VK.com $100 Не достаточная проверка логина скайп
VK.com - XSS on added name album on videos.
Mapbox $1,000 Stored Cross-Site Scripting in Map Share Page
Legal Robot $20 CSRF
Coinbase $5,000 Big Bug with Vault which i have already reported: Case #606962
Mail.Ru $250 HTML Injection на e.mail.ru
VK.com $500 API: Bug in method auth.validatePhone
Legal Robot $40 Registration bypass using OAuth logical bug
Shopify - Header Misconfiguration - PHP API
VK.com $100 Able to intercept app Traffic after choosing up the Secured Connection using SSL (HTTPS)
MapLogin - Bypass verification of email while creating account(No rate limiting enable for verification code)
Legal Robot $20 Missing security headers, possible clickjacking
MapLogin - Not Completed Accounts Take Over (Urgent bug)
Legal Robot $20 missing SPF for legalrobot.com
concrete5 - No csrf protection on index.php/ccm/system/user/add_group, index.php/ccm/system/user/remove_group
Shopify $1,000 Privilege Escalation - A `MEMBER` with no ACCESS to `ORDERS` can still access the orders by using `Order Printer APP`
Romit $50 Cross site scripting
HackerOne $100 Potential denial of service in hackerone.com/<program>/reward_settings
HackerOne $500 Logic error with notifications: user that has left team continues to receive notifications and can not 'clean' this area on account
Mavenlink $100 XSS in https://app.mavenlink.com/workspaces/
HackerOne $500 External URL page bypass
Ruby on Rails - Changeable model ids on vanilla update can lead to severely bad side-effects
Mail.Ru - https://voip.agent.mail.ru/phpinfo.php
Shopify $500 Bulk Discount App in myshopify.com exposes http://bulkdiscounts.shopifyapps.com vulnerable to XSS
HackerOne - Email Notification should be get while changing Paypal Email
Udemy $150 Multiple sub domain are vulnerable because of leaking full path
Mail.Ru $150 http://tp-dev1.tp.smailru.net/
Mail.Ru $200 tt-mac.i.mail.ru: Quagga 0.99.23.1 (Router) : Default password and default enable password
Shopify $500 XSS in myshopify.com Admin site in TAX Overrides
Udemy $100 XSS on https://www.udemy.com/asset/export.html
jsDelivr - Pretty Photo Dom XSS
Udemy $100 Ability to add pishing links in discusion ," Bypassing uneductional Links add "
concrete5 - Multiple XSS Vulnerabilities in Concrete5 5.7.3.1
Sandbox Escape $3,000 Internet Explorer Enhanced Protected Mode sandbox escape via a broker vulnerability
Udemy $150 leak receipt of another user
Udemy $100 xss on autoserch
Slack $100 Bypass of the SSRF protection (Slack commands, Phabricator integration)
Mail.Ru $400 http://fitter1.i.mail.ru/browser/ торчит Graphite в мир
HackerOne - Logical Issue (Boosting Reputation points)
Mail.Ru $400 store-agent.mail.ru: stacked blind injection
HackerOne $500 Content Spoofing - External Link Warning Page
Udemy - Misconfigured SPF Record Flag
Mobile Vikings - XSS Vulnerability on all pages
Udemy $150 teach.udemy.com log poison vulnerability through wordpress debug.log being publically available
Udemy $150 xss profile
concrete5 - Local File Inclusion Vulnerability in Concrete5 version 5.7.3.1
concrete5 - SQL Injection Vulnerability in Concrete5 version 5.7.3.1
concrete5 - Sendmail Remote Code Execution Vulnerability in Concrete5 version 5.7.3.1
concrete5 - Multiple Stored Cross Site Scripting Vulnerabilities in Concrete5 version 5.7.3.1
concrete5 - Multiple Reflected Cross Site Scripting Vulnerabilities in Concrete5 version 5.7.3.1
concrete5 - Multiple Cross Site Request Forgery Vulnerabilities in Concrete5 version 5.7.3.1
HackerOne $500 Reopen Disable Accounts/ Hidden Access After Disable
drchrono $100 Accessing all appointments vulnerability
drchrono $150 Create and Update patients vulnerability
HackerOne $500 Fake URL + Additional vectors for homograph attack
HackerOne $500 Homograph attack
HackerOne - Homograph Attack
HackerOne $500 Making any Report Failed to load
Dropbox $512 XSS in dropbox main domain
Dropbox $216 Race condition when redeeming coupon codes
Shopify $500 Stored XSS in the Shopify Discussion Forums
Mail.Ru - Flash XSS on img.mail.ru
OkCupid - An XSS bug was fixed due to my report, but I didn't submit it through the h1
Shopify $500 SSL cookie without secure flag set
Shopify $500 Content Spoofing
HackerOne $500 Homograph attack
Whisper $50 Insecure Local Data Storage : Application stores data using a binary sqlite database
Romit $50 HTML injection in email sent by romit.io
Coinbase $100 ByPassing the email Validation Email on Sign up process in mobile apps
HackerOne - Missing spf flags for hackerone.com
Romit $50 Server responds with the server error logs on account creation
Vimeo $500 API: missing invalidation of OAuth2 Authorization Code during access revocation causes authorization bypass
Shopify $500 amazon aws s3 bucket content is public :- http://shopify.com.s3.amazonaws.com/
Shopify $500 XSS in experts.shopify.com
Twitter $280 DOM based cookie bomb
WordPoints - Rank Creation function not validating user inputs.
HackerOne $500 Open-redirect on hackerone.com
Shopify - comment out causes information disclosure
Shopify $4,000 Notification request disclose private information about other myshopify accounts
Dropbox $512 SSRF vulnerablity in app webhooks
Dropbox - XSS in version history of an HTML file in a shared folder
Shopify - Multiple issues on Checkout Process
Whisper $30 Missing DMARC record
Shopify $500 XSS on ecommerce.shopify.com
Shopify - XSS on support.shopify.com
HackerOne $1,000 SPF whitelist of mandrill leads to email forgery
Shopify $500 Invitation issue
Shopify - XSS - URL Redirects
Shopify $500 Payment gateway status transferred to Shopify without authentication
Shopify $1,000 Shop admin can change external login services
Shopify $1,000 IDOR expire other user sessions
Dropbox Acquisitions $216 Get email ID of any user on hackpad.com
Vimeo - May cause account take over (Via invitation page)
Coin.Space - SMTP protection not used
Twitter - Privecy Issue : view "Protected users" followers and following
Shopify $2,000 Shopify android client all API request's response leakage, including access_token, cookie, response header, response body content
Shopify $500 CSRF token fixation in facebook store app that can lead to adding attacker to victim acc
Shopify $1,000 [persistent cross-site scripting] customers can target admins
Coinbase - iframes considered harmful
Shopify $500 Force 500 Internal Server Error on any shop (for one user)
Twitter $280 Fabric.io: Ex-admin of an organization can delete team members
Shopify - Lack of SSL Pinning on POS Application ( iOS )
Shopify $500 Open Redirect after login at http://ecommerce.shopify.com
Shopify $500 Authentication Failed Mobile version
Shopify $500 Open redirection in OAuth
Twitter - Privacy Issue on protected tweets
drchrono $700 XML Parser Bug: XXE over which leads to RCE
Faceless - Bypass Setup by External Activity Invoke
PHP $3,000 Use after free vulnerability in unserialize()
PHP $2,500 SoapClient's __call() type confusion through unserialize()
PHP $2,500 Use after free vulnerability in unserialize() with DateTimeZone
PHP $2,500 Free called on unitialized pointer in exif.c
OpenSSL $3,000 Segmentation fault for invalid PSS parameters
Python $9,000 Multiple Python integer overflows
Factlink - Frameset Proxy Problem
Shopify $500 Missing spf flags for myshopify.com
Coinbase $1,000 Sandboxed iframes don't show confirmation screen
Mail.Ru $500 e.mail.ru stored XSS in agent via sticker (smile)
Snapchat $100 Captcha Bypass in Snapchat's Geofilter Submission Process
Snapchat $100 Vulnerable to JavaScript injection. (WXS) (Javascript injection)!
Slack $100 Logout any user of same team
Mapbox $1,000 Persistent cross-site scripting (XSS) in map attribution
Shopify $500 Xss in website's link
HackerOne - Reflected Filename Download
Twitter $420 Insecure Direct Object Reference - access to other user/group DM's
Twitter $2,800 HTTP Response Splitting (CRLF injection) due to headers overflow
Mapbox $1,000 Stored xss in editor
Dropbox Acquisitions $216 XSS in https://hackpad.com/
Twitter $1,400 XSS in twitter.com/safety/unsafe_link_warning
Phabricator $300 SSRF vulnerability (access to metadata server on EC2 and OpenStack)
Coinbase $100 Blacklist bypass on Callback URLs
Vimeo $250 [URGENT ISSUE] Add or Delete the videos in watch later list of any user .
OkCupid - XSS on Send A Message Option
Phabricator $300 XSS with Time-of-Day Format
Vimeo $250 Share your channel to any user on vimeo without following him
Vimeo $250 Invite any user to your group without even following him
Twitter $420 Insecure direct object reference - have access to deleted DM's
itBit Exchange $200 secretKey for OTP , is getting leaked in response of a delete request !
itBit Exchange $200 confirmation bypass of 2FA devices while they are deleting
Ubiquiti Networks $500 UniFi v3.2.10 Cross-Site Request Forgeries / Referer-Check Bypass
HackerOne - "learn more here", reward email - domain expired.
Dropbox Acquisitions - unknow files Upload in profile photo
Vimeo $150 Insecure Direct Object References that allows to read any comment (even if it should be private)
Vimeo $500 Insecure Direct Object References in https://vimeo.com/forums
Twitter $3,500 HTTP Response Splitting (CRLF injection) in report_story
HackerOne $500 Open redirect in "Language change".
Caviar $500 Remotely modifying courier Account Details
Vimeo $250 Post in private groups after getting removed
Flash $2,000 Flash Cross Domain Policy Bypass by Using File Upload and Redirection - only in Chrome
IRCCloud - Email verification links still valid after changing it 2x
itBit Exchange - ITBit Vulnerable to SSLSTrip
Mail.Ru - XSS in touch.sports.mail.ru
Mail.Ru - XSS in ad.mail.ru
Mail.Ru - XSS in realty.mail.ru
Vimeo $250 A user can enhance their videos with paid tracks without buying the track
Whisper $10 CVE-2014-0224 openssl ccs vulnerability
Whisper $100 Bypass pin(4 digit passcode on your android app)
Vimeo $500 A user can post comments on other user's private videos
Vimeo $250 A user can add videos to other user's private groups
concrete5 - Stored XSS in Image Alt. Text
concrete5 - Stored XSS in Message to Display When No Pages Listed.
concrete5 - Stored XSS in Bio/Quote
Vimeo $250 A user can edit comments even after video comments are disabled
Twitter $560 open redirect sends authenticity_token to any website or (ip address)
Ubiquiti Networks $500 CSRF in login form would led to account takeover
concrete5 - Stored XSS In Company URL
HackerOne - Reflected File Download attack allows attacker to 'upload' executables to hackerone.com domain
concrete5 - Stored XSS in testimonial Company
concrete5 - Stored XSS in Testimonial Position
concrete5 - Stored XSS in Testimonial name
concrete5 - Stored Xss in Feature Paragraph
concrete5 - Stored XSS in Feature tile
concrete5 - Stored XSS in title of date navigation
concrete5 - Stored XSS in Title of the topic List
concrete5 - Stored XSS in Contact Form
concrete5 - Stored XSS on Search Title
concrete5 - Stored XSS on Title of Page List in edit page list
concrete5 - Stored XSS on Blog's page Tile
Phabricator - Server Side Request Forgery in macro creation
concrete5 - Self Xss on File Replace
Adobe - Adobe XSS
Adobe - Open redirect and reflected xss in http://youthvoices.adobe.com/community?return_url=[payload her]
Adobe - files.acrobat.com stored XSS via send file
The Internet $7,500 FREAK: Factoring RSA_EXPORT Keys to Impersonate TLS Servers
Adobe - Reflected Cross Site Scripting - 'puser' Parameter in login page
Twitter $1,400 XSS in original referrer after follow
Square - Invitation threshold
Romit $50 The csrf token remains same after user logs in
Ruby on Rails $1,000 rails-ujs will send CSRF tokens to other origins
Twitter $560 Twitter Ads Campaign information disclosure through admin without any authentication.
Twitter $1,400 Open Redirect leak of authenticity_token lead to full account take over.
Vimeo - URGENT - Subdomain Takeover on status.vimeo.com due to unclaimed domain pointing to statuspage.io
HackerOne $5,000 Improperly validated fields allows injection of arbitrary HTML via spoofed React objects
HackerOne - Auto Approval of Invitation to join Team as a Team member
Vimeo $250 Vimeo + & Vimeo PRO Unautorised Tax bypass
Airbnb - SSL Issues
Airbnb - Vulnerability type xss uncovered in airbnb.es
Airbnb - Generating Unlimited Free Travel Gift Invites | IDOR
Twitter - Cross site Port Scanning bug in twitter developers console
Mail.Ru $300 RCE через JDWP
Dropbox - Create N Accounts In Dropbox Irrespective Of Domain
HackerOne - Substantially weakened authenticity verification when using 'Remember me for a week'
Airbnb - I Can Delete Any Airbnb Users Symbol!
Vimeo - Bypassing Email verification
Yelp $500 Information disclosure - emails disclosed in response > staging.seatme.us
Mail.Ru $150 scfbp.tng.mail.ru: Heartbleed
Mail.Ru $150 HDFS NameNode Public disclosure: http://185.5.139.33:50070/dfshealth.jsp
Todoist $25 Remotely removing credit cards from business accounts!
Todoist $25 Taking over a Business Account Admin
Twitter $1,400 Redirect URL in /intent/ functionality is not properly escaped
HackerOne $500 Team member invitations to sandboxed teams are not invalidated consistently (v2)
HackerOne - Restrict any user from logging into his account.
The Internet $5,000 Bad Write in TTF font parsing (win32k.sys)
Coinbase $100 open authentication bug
Slack $200 Team admin can add billing contacts
Dropbox Acquisitions $729 Privilege Escalation at invite feature @hackpad.com
Twitter $140 Reporting user's profile by using another people's ID
Mail.Ru - Full Path Disclosure
The Internet $3,000 Heap overflow in H. Spencer’s regex library on 32 bit systems
Romit $50 Email Enumeration (POC)
QIWI $200 [ishop.qiwi.com] XSS + Misconfiguration
Mail.Ru $600 Same Origin Policy bypass
HackerOne $2,000 CSP Bypass: Click handler for links with data-method="post" can cause authenticity_token to be sent off domain
Mobile Vikings - Approve topup method by sender of this method
Mobile Vikings - Enum phone numbers thru /en/sims/topup/add/
Mobile Vikings - Username and sim id enum
Mobile Vikings - CSRF token from another valid user session accepted
Mobile Vikings - Stored xss in user name (2) affected another user.
Mobile Vikings - Stored xss in user name
Mobile Vikings - Reflected xss in user name thru cookie
Mail.Ru - XSS Vulnerability in cfire.mail.ru/screen/1/
Ruby on Rails - JSON keys are not properly escaped
Informatica - XSS in Search Communities Function
Flash $7,500 Use After Free in Flash MessageChannel.send can cause arbitrary code execution
Flash $10,000 Use after free during the StageVideoAvailabilityEvent can result in arbitrary code execution
Flash $10,000 Race condition in workers may cause an exploitable double free by abusing bytearray.compress()
InVision $200 Javascript Injection
itBit Exchange $50 Leakage of sensitive wallet tokens to third party sites
Flash $2,000 Adobe Flash Player Out-of-Bound Access Vulnerability
Vimeo $250 Red October 1511493148.cloud.vimeo.com
HackerOne - Markdown code block sequence makes report unreadable
HackerOne $5,000 Markdown parsing issue enables insertion of malicious tags and event handlers
Twitter $560 Twitter Card - Parent Window Redirection
Slack $100 Team admin can change unauthorized team setting (allow_message_deletion)
Slack $200 Team admin can change unauthorized team setting (require_at_for_mention)
Romit - CSRF token leakage
Romit $50 Frictionless Transferring of Wallet Ownership
Square - Redirecting a victim elsewhere through shopseen 0auth
Twitter $1,260 Problem with OAuth
HackerOne $500 Team member invitations to sandboxed teams are not invalidated consistently
HackerOne $500 Insecure Direct Object Reference vulnerability
Nearby Live - Group Invite not properly authenticated
Whisper $10 Error stack trace
Whisper $25 Directory index and information disclosure
HackerOne - In markdown, parsing things like @danlec and #46072 after links is unsafe
Vimeo - Can message users without the proper authorization
Vimeo - Brute force on "vimeo" cookie
HackerOne $5,000 Vulnerability with the way \ escaped characters in <http://danlec.com> style links are rendered
Ruby on Rails - Explicit, dynamic render path: Dir. Trav + RCE
Vimeo $250 CRITICAL vulnerability - Insecure Direct Object Reference - Unauthorized access to `Videos` of Channel whose privacy is set to `Private`.
Zaption - [zaption.com] Open Redirect
Trello $128 [blog.trello.com] CRLF Injection
Trello $64 [trello.com] Open Redirect
Vimeo $100 XSS on Vimeo
Vimeo - CSRF bypass
itBit Exchange $150 Stored xss in bank name withdraw
Vimeo $100 ftp upload of video allows naming that is not sanitized as the manual naming
Mobile Vikings - Number, username and name disclosure
Mobile Vikings - Stored XSS in Direct debit name
Vimeo - Full account takeover via Add a New Email to account without email verified and without password confirmation.
Informatica - [community.informatica.com] - CSRF in Private Messages allows to move user's messages to Trash
Square - HTTP Header revealing server information.
itBit Exchange $50 weird bug ! ( missing validation on new email verfication )
HackerOne $500 Improper way of validating a program
itBit Exchange $200 Unsecure data in "device" response - OTP
Vimeo $100 Vimeo Search - XSS Vulnerability [http://vimeo.com/search]
Dropbox - Unvalidated Redirects and Stored XSS
Twitter $140 Insecure Data Storage in Vine Android App
Mobile Vikings - Insecure crossdomain.xml
itBit Exchange $50 Email Length Verification
Twitter - URGENT - SUBDOMAIN TAKEOVER ON TWITTER ACQ.
itBit Exchange $500 Notification Emails: IP + Content-Spoofing
Ruby on Rails $500 RCE due to Web Console IP Whitelist bypass in Rails 4.0 and 4.1
Vimeo $1,000 XSS on any site that includes the moogaloop flash player | deprecated embed code
Twitter $140 Flaw in login with twitter to steal Oauth tokens
Vimeo - unvalid open authentication with facebook
Twitter - Path disclosure in platform0.twitter.com
HackerOne - Add text to the title of the page "Thanks"
Mail.Ru - http://217.69.136.200/?p=2&c=Fetcher%20cluster&h=fetcher1.mail.ru
Mail.Ru $150 Heartbleed: my.com (185.30.178.33) port 1433
Vimeo - Application XSS filter function Bypass may allow Multiple stored XSS
Vimeo - Poodle bleed vulnerability in cloud sub domain
Vimeo - Open Redirection Security Filter bypassed
Vimeo $1,000 Make API calls on behalf of another user (CSRF protection bypass)
Vimeo - USER PRIVACY VIOLATED (PRIVATE DATA GETTING TRANSFER OVER INSECURE CHANNEL )
Mail.Ru $150 Hadoop Node available to public
Vimeo $100 CRITICAL full source code/config disclosure for Cameo
Vimeo - Serious Vulnerability Found
Twitter $420 twitter android app Fragment Injection
Vimeo $1,000 abusing Thumbnails(https://vimeo.com/upload/select_thumb) to see a private video
Vimeo - No Limitation on Following allows user to follow people automatically!
Vimeo - Securing "Reset password" pages from bots
Vimeo $250 Ability to Download Music Tracks Without Paying (Missing permission check on`/musicstore/download`)
Vimeo - profile photo update bypass
Mail.Ru $100 Раскрытие номера мобильного телефона при двухфакторной аутентификации
Mail.Ru - 3k.mail.ru: XSS
Vimeo $100 player.vimeo.com - Reflected XSS Vulnerability
Vimeo $1,000 Adding profile picture to anyone on Vimeo
Vimeo $260 Buying ondemand videos that 0.1 and sometimes for free
Python $1,000 PyUnicode_FromFormatV crasher
Ruby on Rails $1,000 Arbitrary file existence disclosure in Action Pack CVE-2014-7829
OkCupid - Stored XSS in popup messages window
HackerOne - HTTPS is not enforced for objects stored by HackerOne on Amazon S3
Dropbox - WP User Enumeration is possible at https://blog.dropbox.com
Vimeo - Misconfigured crossdomain.xml - vimeo.com
Twitter $1,120 Fabric.io - an app admin can delete team members from other user apps
Twitter $1,400 fabric.io - app member can make himself an admin
Ruby on Rails - Denial of Service in Action Pack Exception Handling
Nearby Live - Web Server information disclosure.
Ruby on Rails - Data-Tags and the New HTML Sanitizer Subverts CSRF protection
Vimeo $100 APIs for channels allow HTML entities that may cause XSS issue
Vimeo $5,000 Vimeo.com Insecure Direct Object References Reset Password
Vimeo $100 Vimeo.com - reflected xss vulnerability
Vimeo $100 Vimeo.com - Reflected XSS Vulnerability
Informatica - [careers.informatica.com] Cross Site Script Vulnerability on informatica
Twitter - Account Deleted without any confirmation
Uber $500 XSS on partners.uber.com
Twitter - No rate limiting on creating lists
concrete5 - Stored XSS in adding fileset
Flash $1,000 chrome allows POST requests with custom headers using flash + 307 redirect
Twitter $420 URGENT - Subdomain Takeover on users.tweetdeck.com , the same issue of report #32825
Romit $250 stored xss in transaction
Nearby Live - Gain access to any user's email address
Mail.Ru - /surveys/2auth: DOM-based XSS
Mail.Ru - GET /surveys/2auth: XSS
Twitter $1,400 HTML/XSS rendered in Android App of Crashlytics through fabric.io
Romit $250 Stored XSS in api key of operator wallet
Romit $100 Error stack trace
Twitter $140 POODLE Bug: 199.16.156.44, 199.16.156.108, mx4.twitter.com
HackerOne - Reflected File Download
Twitter $280 Open redirection in fabric.io
Mail.Ru $100 No bruteforce protection leads to enumeration of emails in http://e.mail.ru/
Phabricator $500 Phabricator Phame Blog Skins Local File Inclusion
Mail.Ru - [odnoklassniki.ru] XSS via Host
Dropbox - [monitor.sjc.dropbox.com] CRLF Injection
Informatica - Missing SPF for informatica.com
WePay - Broken Authentication – Session Token bug
C2FO - [admin.c2fo.com] Open Redirect
Vimeo $500 [vimeopro.com] CRLF Injection
HackerOne - URL Crashing browser. {Tested on firefox, Chrome and Safari}
Phabricator $300 Phabricator Diffusion application allows unauthorized users to delete mirrors
concrete5 - stored XSS in concrete5 5.7.2.1
concrete5 - SQL injection in conc/index.php/ccm/system/search/users/submit
Square $500 Delayed, fraudulent transactions possible with encrypted Square Reader devices due to lack of server-side verification of device transaction counter
Mail.Ru $250 [connect.mail.ru] Memory Disclosure / IE XSS
HackerOne $500 Issue with password change
HackerOne $500 Breaking Bugs as team member
Openfolio $100 xss in /browse/contacts/
Python $6,500 Misc Python bugs (Memory Corruption & Use After Free)
QIWI $150 [qiwi.com] Open Redirect
QIWI $100 Stored xss in agent.qiwi.com
Greenhouse.io $1,000 Subdomain Takeover using blog.greenhouse.io pointing to Hubspot
Eobot - Multiple information disclosure
Twitter - Abuse of "Remember Me" functionality.
OkCupid - Rosetta flash vulnerability in clientstats AJAX script
Sucuri - Form contained inside page loaded over SSL submits its contents to another page over HTTP
Eobot $10 XSS in www.eobot.com(IE9 only)
Sucuri $250 Open Redirect in unmask.sucuri.net
InVision $150 CSRF Token in cookies!
Twitter - Homograph attack.
Eobot - OPTIONS METHOD ENABLED
Twitter $1,400 [Stored XSS] vine.co - profile page
Twitter - Notifications can mark as read by CSRF
Coinbase $100 New Device Confirmation, token is valid until not used.
QIWI - Metadata in hosted files is disclosing Usernames, Printers, paths, admin guides. emails
ThisData - Missing SPF header on revert.io
QIWI $1,000 [send.qiwi.ru] Soap-based XXE vulnerability /soapserver/
Openfolio - Options Method Enabled
QIWI $100 [qiwi.com] /oauth/confirm.action XSS
Flash $2,000 Adobe Flash Player MP4 Use-After-Free Vulnerability
Apache httpd $500 mod_proxy_fcgi buffer overflow CVE-2014-3583
HackerOne $500 Logic Issue with Reputation: Boost Reputation Points
Phabricator - Content injection
QIWI $250 CRLF Injection [ishop.qiwi.com]
Twitter - Headers Missing
Factlink - File name/folder enumeration.
QIWI - Code for registration of qiwi account is not coming even after a long interval of time for Indian mobile number
QIWI $200 [send.qiwi.ru] XSS at auth?login=
QIWI $200 [static.qiwi.com] XSS proxy.html
Twitter $140 getting emails of users/removing them from victims account [using typical attack]
HackerOne $500 Gain reputation by creating a duplicate of an existing report
PHP $2,500 Locale::parseLocale Double Free
Ian Dunn - XSS in Tagregator plugin
Block.io - Bypassed or command injection
Mail.Ru - Нежелательная информация
Eobot - IDOR on https://www.eobot.com/paypal
Twitter $280 XSS via Fabrico Account Name
Mail.Ru $500 Ошибка фильтрации
Block.io - Various Low level Vulnerabilities
Mail.Ru - Flash XSS на old.corp.mail.ru
Block.io $150 SMPT Protection not used, I can hijack your email server.
Twitter $420 Bad extended ascii handling in HTTP 301 redirects of t.co
Twitter - Options Method Enabled
Twitter - Option Method Enabled on web server
HackerOne $500 File Name Enumeration
Twitter - BROKEN AUTHENTICATION IN MOBILE VERIFICATION
InVision - Password reset tokens is valid after changing the password by logging in the account
Uzbey - test
Twitter - Flaw in valid password policy.
Uzbey - Test
Uzbey - Test
Twitter $1,400 DOM Cross-Site Scripting ( XSS )
InVision $300 Backup of wordpress configuration file found. Leaking database users/passwords
Slack $500 a stored xss in slack integration https://onerror.slack.com/services/import
HackerOne - Enumeration/Guess of Private (Invited) Programs
WP API - MD5 used for Key-Auth signatures
Twitter $1,680 URGENT - Subdomain Takeover on media.vine.co due to unclaimed domain pointing to AWS
99designs - Source Code Disclosure (PHP)
Mail.Ru $200 OpenSSL HeartBleed (CVE-2014-0160)
Twitter $280 XSS in fabric.io
HackerOne - Content Spoofing via reports
The Internet $3,000 Drupal 7 pre auth sql injection and remote code execution
Twitter $140 Singup Page HTML Injection Vulnerability
Mail.Ru - Авторизуюсь от имени любого пользователя parapa.mail.ru
RelateIQ $500 PoodleBleed
Flash $5,000 Adobe Flash Player Out-of-Bound Read/Write Vulnerability
HackerOne $1,000 Ability to see common response titles of other teams (limited)
Localize - files likes of README.md is public
Twitter - Creating Unauthorized Audience Lists
Bookfresh - Reflected XSS on www.bookfresh.com/index.html?view=upload_form
concrete5 - Weak random number generator used in concrete/authentication/concrete/controller.php
WP API $50 Cryptographic Side Channel in OAuth Library
joola.io - Timing Attack Side-Channel on API Token Verification
joola.io - Weak Random Number Generator for Auth Tokens
Twitter $420 Unauthorized Tweeting on behalf of Account Owners
Khan Academy - Sql injection And XSS
Twitter $560 Improper Verification of email address while saving Account Settings
RelateIQ $250 Relateiq SSLv3 deprecated protocol vulnerability.
Localize - PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
Bookfresh - Missing Function Level Access Control in /cindex.php/widget/customize/
Flash $2,000 Adobe Flash Player MP4 Use-After-Free Vulnerability
Coinbase $100 New Device confirmation tokens are not properly validated.
99designs - CSRF to connect attacker's twitter account to logged in victims account
concrete5 - Stored XSS in concrete5 5.7.0.4.
Square $250 CSRF on adding a calendar event
Square $500 square google calendar integration CSRF,https://squareup.com/appointments/business/settings(state parameter not checking properly)
Mail.Ru - Выполнение кода PHP через FastCGI
Square $500 CSRF on adding clients
The Internet $20,000 GNU Bourne-Again Shell (Bash) 'Shellshock' Vulnerability
Twitter $280 Profile Pic padding (Length-hiding) fails due to use of GZIP
HackerOne $500 homograph attack. IDNs displayed in unicode in bug reports and on external link warning page
IRCCloud $300 Unvalidated Channel names causes IRC Command Injection
Square $250 Privilege Escalation
WePay $350 Horizontal Privilege Escalation
Twitter $1,120 XSS platform.twitter.com | video-js metadata
HackerOne $500 No email verification on username change
Twitter $1,120 XSS platform.twitter.com
Sucuri $250 Usage of HTTP for exporting graph data as images
Square $250 Redirect while opening link in new tabs
Coinbase $100 Credit Card Validation Issue
Twitter - Twitter Flight SSL 2.0 deprecated protocol vulnerability.
HackerOne - "early preview" programs disclosure
HackerOne $500 Redirect FILTER bypass in report/comment
Mail.Ru $500 touch.mail.ru XSS via message id
Phabricator - Content Spoofing through URL
IRCCloud - Weak password policy
Mavenlink - Email field filtering problem.
Twitter $420 iOS App can establish Facetime calls without user's permission
Ruby on Rails $1,500 Active Record SQL Injection Vulnerability Affecting PostgreSQL CVE-2014-3483
Ruby on Rails $1,500 Active Record SQL Injection Vulnerability Affecting PostgreSQL CVE-2014-3482
PHP $2,500 SPL ArrayObject/SPLObjectStorage Unserialization Type Confusion Vulnerabilities CVE-2014-3515
Twitter $1,400 Cross site scripting on ads.twitter.com
HackerOne $500 Window Opener Property Bug
Twitter $1,400 Stored xss
Square $2,000 malicious file upload
Flash $1,000 Flash Local Sandbox Bypass CVE-2014-0554
GlassWire - Clickjacking: X-Frame-Options header missing
Phabricator - Content spoofing
Twitter $1,400 ads.twitter.com xss
Square $400 Reflected XSS in widget script thru cookie
Twitter $2,800 Delete Credit Cards from any Twitter Account in ads.twitter.com [New Vulnerability]
Square $1,000 Reflected XSS in connect.square.com
Square $750 Editing Client Details of other People
Twitter $140 Missing Rate Limiting on https://twitter.com/account/complete
The Internet $3,000 open redirect in rfc6749
Mail.Ru $1,337 XSS via .eml file
WePay $350 Critical : Account removing using CSRF attack
Square - XSS on bookfresh
Twitter $140 Full path disclosure at ads.twitter.com
Slack - HTTP Strict Transport Policy not enabled on newly made accounts
Phabricator - Password Policy issue
Square $2,000 CRITICAL Account takeover via AngularJS template injection in connect.squareup.com
Django $1,000 CSRF protection bypass on any Django powered site via Google Analytics
Square $500 XSS in Client Past Activity
ExpressionEngine - Stored Cross-Site Scripting Vulnerability in /admin.php?/cp/admin_system/general_configuration
HackerOne - Notification of previous signed out user leakage.
Mavenlink - DNS load balancing not enabled
WePay - CSRF (Make email primary) may lead to account compromise
CloudFlare - Apache mod_negotiation filename bruteforcing
Square $250 Open Redirect [FreshBook]
Square $500 XSS [BookFresh]
HackerOne $100 Change Any username and profile link in hackerone
Greenhouse.io - [greenhouse.io] CRLF Injection / Insecure nginx configuration
CloudFlare - User can request for password reset link without giving his website, eventhough he have it
Greenhouse.io - SMTP protection not used (please read carefully )
Phabricator $400 Open redirection on secure.phabricator.com
Twitter - HTML form without CSRF protection at http://try.crashlytics.com/enterprise/
Greenhouse.io - openssh-server Forced Command Handling Information Disclosure Vulnerability on blog.greenhouse.io
Factor.io - Reflected XSS - factor.io
Mail.Ru - Не уверен, что этому место на периметре: 94.100.180.95, 94.100.180.96, 94.100.180.97, 94.100.180.98
concrete5 - broken authentication
Twitter - User's DM won't deleted after logout from Twitter for iOS (com.atebits.xxx.application-state)
Mail.Ru $150 money.mail.ru: Странное поведение SMS
Secret - Broken Authentication and Session Management
Mail.Ru - Version Disclosure (NginX)
HackerOne $500 Redirect while opening links in new tabs
Phabricator $300 Forgot Password Issue
Square - CSRF login
Square $1,500 Blind SQL injection in www.bookfresh.com
Uzbey - SQL Injection
Uzbey - XSS in 3rd party plugin (not affecting Uzbey's users)
Phabricator - Password Reset Links Not Expiring
Twitter - Broken authentication and invalidated email address leads to account takeover
Automattic - Open Redirect in WordPress Feed Statistics {Affected All Versions}
Slack $200 Content Spoofing all Integrations in https://team.slack.com/services/new/
Twitter - Password reset link not validated.
Yahoo! - caesary.yahoo.net Blind Sql Injection
IRCCloud - Bruteforce protection not enabled on the login page https://www.irccloud.com/
Slack $100 Content spoofing at Stripe Integrations
Mavenlink $50 privilege escalation
Mavenlink - Cookies are not cleared from Server side on Logout
Mavenlink $200 Flash XSS on swfupload.swf showing at app.mavenlink.com
Mavenlink $50 Clickjacking
HackerOne - Account Hijacking (Only rare case scenario)
Mavenlink $100 Login CSRF
Phabricator - Back - Refresh - Attack To Obtain User Credentials
Coinbase $1,000 Invoice Details activate JS that filled in
The Internet $3,000 rsync hash collisions may allow an attacker to corrupt or modify files
Apache httpd $500 moderate: mod_deflate denial of service CVE-2014-0118
Mail.Ru $150 cloud.mail.ru: File upload XSS using Content-Type header
Python $1,500 integer overflow in 'buffer' type allows reading memory
WePay - oauth redirect uri validation bug leads to open redirect and account compromise
Mail.Ru $1,000 e.mail.ru: File upload "Chapito" circus
Mail.Ru - files.mail.ru: HTTP Header Injection
Mail.Ru $100 m.agent.mail.ru: Подделываем j2me app-descriptor
DigitalSellz - USER Account is not being deleted after user "Delete Account" from DASHBOARD
DigitalSellz - Verbose SQL error messages
ExpressionEngine - Cross Site Scripting (Stored)
HackerOne - No option to logout concurrent sessions
Twitter - password sent over HTTP
Automattic - Missing HSTS header in https://app.simplenote.com
Automattic - Missing HSTS header in https://public-api.wordpress.com
RelateIQ $100 Cross-site Scripting in mailing (username)
Envoy - Authentication Bypass
Coin.co - Host header is not Validated resulting in Redirect
Envoy - Delete visitor from IPAD with fullname which contains JS results XSS
HackerOne - Session Hijacking attack (Different Scenario)
Envoy - Too much sensitive information in GET https://signwithenvoy.com/device_config/preview_badge
Envoy - Stored XSS on adding locations
Envoy - Stored XSS on sign_up page
Uzbey - Missing "size check" on files to upload could make memory leaks.
Uzbey - IFXSS (image filename XSS) by creating a new Photo Gallery
Localize - PHP PDOException and Full Path Disclosure
Mail.Ru - target.mail.ru: XSS через Referer
Mail.Ru - target.mail.ru: XSS
Secret - ClientId gives away platform (iOS/Android) from which a secret was posted.
Mail.Ru $3,000 Possibility to attach any mobile number to any email
Sandbox Escape $5,000 .NET Type Traversal Vulnerability CVE-2014-0257
Sandbox Escape - OSX ATS memory corruption may lead to App Sandbox bypass CVE-2014-1262
Sandbox Escape - OSX ATS arbitrary free issue may lead to App Sandbox bypass CVE-2014-1255
HackerOne - Email changing
WePay $100 Unauthorized Access via Join Email Link
Factlink - XSS 01 on staging.fct.li
DC Compendium $25 Multiple Full Path Disclosure (FPD) Vulnerability on Dccompendium.com domain
RelateIQ $190 Resubmitted with POC #18685 Password reset CSRF
Phabricator $1,000 XSS in editor by any user
WePay $150 CSRF on email address operations. Also performing unintended operations.
Automattic - Top 10 2013-A2-Broken Authentication and Session Management - wordpress.com
WePay $500 Session Fixation
jsDelivr - HSTS Policy not enabled on cdn.jsdelivr.net
DC Compendium $50 Backend source code disclosure on 404 pages
jsDelivr - Using nmap revealing sensitive information
jsDelivr - XSS
jsDelivr - Directory Traversal at http://staging.jsdelivr.net/
DC Compendium $25 source code disclosure
Yahoo! $250 Yahoo! Reflected XSS
DC Compendium $25 XSS on Home page
DC Compendium $25 Error page Cross-site scripting
DC Compendium - Forward Secrecy is disable
DC Compendium - Login CSRF
DC Compendium $25 Clickjacking: X-Frame-Options header missing
HackerOne $100 Denial of Service
Faceless - Tap Jacking Attack on Button Tags
The Internet $6,000 LZ4 Core CVE-2014-4611
Factlink - Click-Jacking due to missing X-frame header
Uzbey - Mass invitation send
IRCCloud $500 Reflected XSS in Pastebin-view
Uzbey - Information Disclosure (phpinfo())
HackerOne - Account takeover
Yahoo! $50 Default /docs folder of PHPBB3 installation on gamesnet.yahoo.com
Uzbey - Price Manipulation
Phabricator $300 Broken Authentication and Session Management
Uzbey - Flash Content-Type Sniffing Vulnerability
HackerOne $100 Category- Broken Authentication and Session Management (leads to account compromise if some conditions are met)
Mail.Ru - tp-demo1.corp.mail.ru: SVN наружу торчит
Uzbey - Email Flooding Vuln
Uzbey - Clickjacking at https://staging.uzbey.com/
Uzbey - HTML Form Without CSRF Protection Vulnerability
Uzbey - Breach Attack Vulnerability
Uzbey - Cross site scripting in type parameter
Uzbey - CMS Information Disclosure
Uzbey - email field doesn't filtered against XSS
Uzbey - Language version disclosure in response header
Uzbey - All Active user sessions should be destroyed when user change his password!
Uzbey - Cross-site scripting vulnerability detected
Uzbey - Missing HSTS (Strict Transport Security)
Uzbey - Album image XSS
Uzbey - SQL injection, time zoom script, tile ID
Uzbey - SQL injection, tile ID
Coin.co - Found clickjacking vulnerability
Slack $100 Password Policy issue (Weak Protect)
HackerOne - Cache leads to Privacy leaks
Mail.Ru - my.mail.ru: HTTP Header Injection
Mail.Ru $400 e.mail.ru: SMS spam with custom content
Slack $100 Open Redirect login account
Coinbase - 2FA settings allowed to be changed with no delay/freeze on funds
RelateIQ $250 SSRF (Portscan) via Register Function (Custom Server)
RelateIQ $200 Failed Certificate Validation On Custom Server (Register)
Automattic - User Enumeration and Guessable User Account Attack on WORDPRESS
Mail.Ru - Cross Site Scripting
Yahoo! $200 Yahoo Sports Fantasy Golf (Join Public Group)
Phabricator $300 Abusing daemon logs for Privilege escalation under certain scenarios
Coin.co - Facilitation of XSS attacks through supporting the HTTP TRACE method (cross-site tracing)
The Internet $5,000 Multiple issues in looking-glass software (aka from web to BGP injections)
Phabricator $600 Abusing VCS control on phabricator
Coin.co - Wordpress readme.html / X-Powered-By-Header (low crit)
Coin.co - Report: Wordpress Bug!‏‏‏
Coin.co - Directory Listing
Coin.co - OPTIONS method is enabled
Coin.co - Information disclosure : Web Server Version Details
Coin.co - Coin.co Admin interface accessible externally
Localize - PHP PDOException and Full Path Disclosure
Mavenlink $50 Non Validation of session after password reset
Mail.Ru - Раскрытие полного серверного пути
HackerOne $100 Session not invalidated after password reset
Automattic - Process of changing email address and password does not asks old Password.
Mail.Ru $150 SQL Injection on 11x11.mail.ru
Localize - Bug on registration as new Translator user
Mail.Ru - Reflected XSS
Mail.Ru - Перечисление каталогов за счёт уязвимости в IIS
FanFootage - Cookie fixation
FanFootage - Same user name and uuid for multiple user names
FanFootage - Reporting Bugs
Factlink - Criptographic Issue: Strisct Transport Security with not good max age..(TOO SHORT!)
Mail.Ru - [corp.mail.ru] CRLF Injection / Insecure nginx configuration
FanFootage - Session Token is not Verified while changing Account Setting's which Result In account Takeover
FanFootage - NO CSRF token found on user details update
Coinbase $1,000 Leaking CSRF token over HTTP resulting in CSRF protection bypass
Flash $3,000 Flash Sandbox Bypass CVE-2014-0535
Twitter - XSS ON MOPUB.COM
Mail.Ru - Flash XSS in http://go.mail.ru
Yahoo! - Open Redirect via Request-URI
Mail.Ru - Flash XSS in http://lingvo.mail.ru
Twitter - Cookie not marked as secure.
Mavenlink $100 Password reset token not expiring
Twitter - XSS vulnerability in video player page
Twitter - Captcha bypass with extension at http://www.mopub.com/about/contact/
Twitter - [mobile.twitter.com / twitter.com] CSRF protection bypass
Automattic - Serving Transitions From: HTTP Protocol (not secure)
WePay - Typical form vulnerable to csrf attack
Factlink - Anonymous Proxy and IP leak
WePay - CSRF & Nonce Token Weak Implementation
WePay $300 Open Redirect
WePay - Sensitive settings need Re authentication
Mavenlink $50 Clickjacking at https://www.mavenlink.com/ main website
Mavenlink $50 Login password guessing attack
WePay $100 Session fixation in wepay.com
Mavenlink - The web application https://mavenlink.com discloses version details of the underlying Platform / Server
Mavenlink - Clickjacking & CSRF attack can be done at https://app.mavenlink.com/login
Mail.Ru - Flash XSS - http://hi-tech.mail.ru/
Factlink - Password reset link doesn't expire.
Automattic - genericons.com - DOM based XSS.
Automattic - http://jetpack.me/ Self XSS
InVision - Sensitive information in cookies
Yahoo! - Multiple vulnerabilities
Twitter - uclfinal.twitter.com and euro2012.twitter.com are vulnerable to CRIME attack
Twitter - Token remains alive ever after logging out!
Slack $300 SSRF on https://whitehataudit.slack.com/account/photo
Slack - Remote file Inclusion - RFI in upload
Mail.Ru - XSS in "About Video"
Mail.Ru $300 connect.mail.ru: SSRF
Automattic $250 privilege escalation
Automattic - information disclosure
Twitter - CSRF in crashlytics.com
Automattic - XSS on gravatar
HackerOne $100 Potential denial of service in hackerone.com/teams/new
Automattic - xss in simperium.com
Automattic - logout csrf app.simplenote.com/logout
Automattic - xss in app.simplenote.com
Factlink - Meta characters not filtered on signup
Factlink - Proxy service crash DoS
Factlink - X/Csrf token problem
IRCCloud - Missing Character Restriction
IRCCloud - Password type input with auto-complete enabled
Factlink - Session not expired on logout
Factlink - Sign up CSRF
Factlink - Password Complexity very low.
Factlink - Missing SPF for factlink.com and Staging.factlink.com
Factlink - Leaking of password reset token through referer
Factlink - Login CSRF using Twitter oauth
Factlink - Url Redirection
Factlink - HTML5 cross-origin resource sharing
Factlink - Click jacking
Khan Academy - Unchecking hidden parameter is vulnerable to XSS-attack
Mail.Ru $1,000 https://217.69.135.63/rb/: money.mail.ru sources disclosure
Sandbox Escape $10,000 Linux PI futex self-requeue bug CVE-2014-3153
Mail.Ru - touch.afisha.mail.ru: XSS
Khan Academy - CRLF Injection
Mail.Ru - files.mail.ru: XSS
Mail.Ru - api.video.mail.ru: XSS
IRCCloud $100 Host Header Injection - irccloud.com
Khan Academy - Suffix of url-path is vulnerable to XSS-attack
Localize - full path disclosure from false language
Mail.Ru - (m.mail.ru) Password type input with auto-complete enabled
Mail.Ru $500 auth.mail.ru: XSS in login form
Secret - secret app for iOS and android is sending some info over HTTP
Urban Dictionary - Open URL Redirection
Urban Dictionary - Open Redirection
Mail.Ru - Reflected XSS connect.mail.ru (IE6-IE8)
Localize - missing sender policy framework (SPF)
HackerOne - Improper filtering of classes used in codeblocks in Markdown
Mail.Ru - Reflected XSS in User-Agent
Mail.Ru - Раскрытие путей сервера за счёт неопределённого индекса в сценарии /home/berserk-online.com/public_html/forum/Themes/berserker/Profile.template.php
HackerOne - Spamming any user from Reset Password Function
Yahoo! $100 Testing for user enumeration (OWASP‐AT‐002) - https://gh.bouncer.login.yahoo.com
Yahoo! $50 Authorization issue on creative.yahoo.com
Faceless - Account hijacking possible through ADB backup feature
joola.io - X-Content-Type-Options header missing
Mail.Ru $500 XSS in a file or folder name
Mail.Ru $700 XXE and SSRF on webmaster.mail.ru
Secret - Content Sniffing not disabled
Flash $7,500 Adobe Flash Player FileReference Use-after-Free Vulnerability CVE-2014-0538
ReddAPI - Content Sniffing not disabled
ReddAPI - Browser cross-site scripting filter misconfiguration
ReddAPI - Strict Transport Security Misconfiguration
Kadira - API keys being cached
Respondly - XSS in the input
InVision - Multiple Upload Vulnerability !File Upload + File Inclusion (Access Not Forbidden)
Kadira - Undeletable File
Kadira - MISSING SPF (Sender Policy Framework) for meteorapm.com
Python $1,500 Python vulnerability: reading arbitrary process memory CVE-2014-4616
joola.io - Login password guessing attack
Yahoo! - http://us.rd.yahoo.com/
CloudFlare - CSRF and No password requirement in this URL Billing Info
Yahoo! - TESTING FOR REFLECTED CROSS SITE SCRIPTING (OWASP‐DV‐001)
joola.io - SSH Port Wide Open
joola.io - HTTP Strict Transport Security (HSTS) Policy Not Enabled
Mail.Ru $150 Stored XSS on http://cards.mail.ru
Mail.Ru $300 Stored XSS on http://top.mail.ru
Mail.Ru $250 SQL injection update.mail.ru
CloudFlare - Password reset threshold not set
Musopen - Port 22 Open/Banner visible on musopen.org
Ian Dunn - Path Disclosure Vulnerability
Coinbase - Simultaneous Session Logon : Improper Session Management
Hubdia - Subscribe User bug
Musopen - USERNAME Related Issue!
Yahoo! $250 Infrastructure and Application Admin Interfaces (OWASP‐CM‐007)
Mail.Ru $400 XSS in https://e.mail.ru/cgi-bin/lstatic (Limited use)
4chan - Login panel brute force attack
Meteor - Open Url Reditection After authentication
4chan - XSS in settings
CloudFlare - Bug Report
Mail.Ru - Content Spoofing vulnerability in Mail.ru mobile
Yahoo! - Authentication Bypass due to Session Mismanagement
CloudFlare - User's data leak
Coinbase $100 CSRF in function "Set as primary" on accounts page
99designs $400 report a reflected XSS
99designs - Reflected XSS in 99designs.com
Yahoo! - Yahoo! Messenger v11.5.0.228 emoticons.xml shortcut Value Handling Stack-Based Buffer Overflow
99designs - Insecure transition from HTTP to HTTPS in form post
99designs - Server leaks version number
Localize - XSS in Team Only Area
Coinbase $100 CSRF on "Set as primary" option on the accounts page
Coinbase $1,000 Bypassing 2FA for BTC transfers
Mail.Ru $150 SQL inj
C2FO - All Active user sessions should be destroyed when user change his password!
The Internet $3,000 Bypassing Same Origin Policy With JSONP APIs and Flash
Slack $500 Stored XSS in slack.com (integrations)
RelateIQ - Old Sessions remain valid after the password change.
Mail.Ru - Persistent XSS in afisha.mail.ru
HackerOne - Flooding mailbox of user
Mail.Ru $150 SQL
Mail.Ru $150 SQL inj
Mail.Ru - Login without SSL-Protection
HackerOne $100 All Active user sessions should be deleted when user change his password!
Mail.Ru $200 Time based sql injection
Mail.Ru $200 SQL injection [дырка в движке форума]
OkCupid - XSS Vulnerability Found!
CloudFlare - Threat control information leak
Slack $500 Stored XSS Found
Localize - Full Path Disclosure (FPD) in www.localize.im
StopTheHacker - Reflected cross site scripting in login page
Yahoo! - Loadbalancer + URI XSS #3
CloudFlare - Security issue with your "bag" script
Automattic - https://polldaddy.com storage.swf XSS
Ian Dunn - PHP and Wordpress version disclosure
Ian Dunn - Multiple Path Disclosure
HackerOne $100 Anti-MIME-Sniffing header X-Content-Type-Options header has not been set.
Respondly - OAuth Bug
Ian Dunn $25 Xss in CampTix Event Ticketing
Ian Dunn $25 Stored XSS in all fields in Basic Google Maps Placemarks Settings
Mail.Ru $250 Home page reflected XSS
Localize - Full Path Disclosure (FPD) in www.localize.im
StopTheHacker - XSS 1
StopTheHacker - XSS Reflected - https://www.stopthehacker.com/
Respondly - Full Path Disclosure
Mail.Ru - Unproper usage of Mobile Number that will lead to Information Disclosure
Localize - Atttacker can send "Invitation Request" to a Project that is not even created yet!
Mail.Ru - No CSRF token used in Phone Verification POST
CloudFlare - Cookie missing the Secure flag
CloudFlare - Flash-based XSS in cdnjs.cloudflare.com subdomain
Localize - Criptographic Issue: Strisct Transport Security with not good max age..(TOO SHORT!)
Respondly - No Bruteforce Protection
CloudFlare - System Status Update CSRF
CloudFlare - XSS - http://js.cloudflare.com
CloudFlare - Apache Multiviews are enabled
StopTheHacker - XSS in Stopthehacker support
CloudFlare - csrf on password change functionality
Mail.Ru $150 localStorage не чистится после выхода
StopTheHacker - CSRF - Disabling orders at https://panel.stopthehacker.com/manage/disable-order/order/ID
CloudFlare - http://cdnjs.cloudflare.com/ Cross-site scripting 2
CloudFlare - Content spoofing /CSRF at https://www.cloudflare.com/ajax/modal-dialog.html
Mail.Ru - Admin panel of http://tp-test1.corp.mail.ru/ is acccessible publicly
CloudFlare - jplayer.swf Cross-site scripting
StopTheHacker - Information Disclosure (FPD) - stopthehacker.com
CloudFlare - CSRF in Cloudflare login
Respondly - Deleting team members
Mail.Ru $150 Clickjacking
Mail.Ru - Reflected XSS
Mail.Ru - Clicjacking on Login panel
Mail.Ru - Xss On http://my.mail.ru/
Mail.Ru - rs.mail.ru - Flash Based XSS
Yahoo! $300 information disclosure (LOAD BALANCER + URI XSS)
Yahoo! $500 https://caldav.calendar.yahoo.com/ - XSS (STORED)
OkCupid - Reflected XSS on www.okcupid.com/signup
Localize - Projects Watch or Notifications Settings Change Via CSRF
Respondly - Allowed method disclosure
Localize - No Wildcard DNS
Localize - Private Project Access Request Invitation Sent Via CSRF
Localize - Private Project Access Request Accpeted Via CSRF
Localize - Group Deletion Via CSRF
Localize - Group Creation Via CSRF
Localize - OPTIONS Method Enabled
Localize - Deleting groups in any project without permission
Localize - Making groups in any project without permission
Localize - infinite number of new project creation!
Localize - Full Path Disclosure / Info Disclosure in Importing XML Section!
Localize - Full Path Disclosure / Info Disclosure in Creating New Group
Localize - Full Path Disclosure (FPD) in www.localize.io
HackerOne $100 Password Reset Bug
Localize - Numerous open ports/services
Minr.es - readable .htaccess
Localize - X-Content-Type-Options header missing
Localize - Apache Documentation
Respondly - X-Content-Type-Options header missing
Localize - Possible sensitive files
Localize - Login page password-guessing attack
Localize - Full Path Disclosure (2)
Respondly - XSS via Email Link
Localize - XSS in password
Localize - Full Path Disclosure
Respondly - HTTP Strict transport security policy not enabled
Localize - Sensitive file
Localize - CSRF in adding phrase.
Localize - Password type input with auto-complete enabled
Localize - User credentials are sent in clear text
Respondly - DNS Misconfiguration
Respondly - x-frame options-sameorigin warning
Localize - A Serious Bug on SIGNUP Process!
Secret - Login CSRF in Secret.ly
HackerOne $150 Issue with remember_user_token
Localize - Information Disclosure (Directory Structure)
HackerOne - Arbitrary file uploads to Amazon WS.
Respondly - Clickjacking - changing role
Localize - Apache2 /icons/ folder accessible
Localize - Assigning a non-existing role to user causes exception when opening project page
Respondly - XSS via Email
Respondly - Find, private notes Cross-site scripting.
Localize - No Cross-Site Request Forgery protection at multiple locations
Localize - Uninitialized variable error message leaks information
Localize - Server header - information disclosure
Respondly - Import emails from Gmail are activate XSS
Localize - Business logic Failure - Browser cache management and logout vulnerability.
Localize - Path Disclosure (Info Disclosure) in http://www.localize.io
Respondly - OAuth open redirect
Respondly - Persistent Cross-site scripting vulnerability settings.
Localize - HTML/Javascript possible in "Discussion" section of reviews
Localize - Full path disclosure
Localize - XSS in Localize.io
Localize - Unexpected array leaks information about the system
Localize - XSS in invite approval
Localize - XSS in main page (invitation)
Localize - Password Policy
Localize - XSS in main page
Localize - XSS & HTML injection
Localize - Stored XSS
Localize - Change user settings through CSRF
Localize - No BruteForce Protection
Localize - XSS in Groups
Localize - Sign-up Form CSRF
Localize - HTML Form Without CSRF protection
Localize - ClickJacking
Automattic - HTML form without CSRF protection
Automattic - Session Cookie without Secure flag set
Yahoo! $250 readble .htaccess + Source Code Disclosure (+ .SVN repository)
Flash $2,000 Security bypass could lead to information disclosure
Yahoo! $2,500 Local File Include on marketing-dam.yahoo.com
Yahoo! - clickjacking on leaving group(flick)
concrete5 - FULL PATH DISCLOSUR
Yahoo! - ads.yahoo.com Unvalidate open url redirection
Automattic - Session Cookie without Secure flag set
Minr.es - OPTIONS method enabled on webserver
Yahoo! $400 invite1.us2.msg.vip.bf1.yahoo.com/ - CSRF/email disclosure
Automattic - Simplenote Silverlight cross-domain policy misconfiguration
IRCCloud $100 Login CSRF can be bypassed (Similar approach to previous one).
IRCCloud - Log Out Cross site Request Forgery
Minr.es - Session Cookie without Secure flag set
Minr.es - Clickjacking: X-Frame-Options header missing
IRCCloud $1,000 Dangerous Persistent xss
IRCCloud - Unwanted Spamming Using CSRF [LOGGED IN USER]
Coinbase $100 2 factor authentication design flaw
IRCCloud $100 Host Header is not validated resulting in Open Redirect
IRCCloud - CSRF - Creating accounts
The Internet $7,500 TLS Triple Handshake Attack
Faceless - Bruteforce attack in login panel
Yahoo! $500 XSS in https://hk.user.auctions.yahoo.com
Yahoo! $250 Bypass of the Clickjacking protection on Flickr using data URL in iframes
IRCCloud - Login page password-guessing attack(Brute-force attack-High).
IRCCloud $500 Persistent Cross Site Scripting within the IRCCloud Pastebin
IRCCloud - CSRF to Account Take Over Bug
IRCCloud - DNS Misconfiguration
IRCCloud - User Account Creation CSRF
IRCCloud $100 iOS application does not destroy session upon logout.
IRCCloud $100 Bug in iOS application which could lead to unauthorised access.
IRCCloud - "SESSION" Cookie without HttpOnly flag set
IRCCloud $100 Missing X-Content-Type-Options
IRCCloud - Session cookie can be leaked over an unencrypted HTTP connection
IRCCloud $500 Full account takeover using CSRF and password reset
IRCCloud $500 Session Token is not Verified while changing Account Setting's which Result In account Takeover
IRCCloud - HTML Form without CSRF protection
IRCCloud $100 Leaking Referrer in Reset Password Link
IRCCloud $100 Bruteforcing irccloud login
IRCCloud $100 Unsecure cookies, cookie flag secure not set
IRCCloud $100 Sign up CSRF
IRCCloud $100 Login CSRF
concrete5 - XSS on [/concrete/concrete/elements/dashboard/sitemap.php]
concrete5 - Cross-Site Scripting in getMarketplacePurchaseFrame
Faceless - Blocking yourself
C2FO - The server supports only older protocols for HTTPS connections
Yahoo! $2,000 Open Proxy, http://www.smushit.com/ysmush.it/, 4/09/14, #SpringClean
Yahoo! $200 CSRF Token is missing on DELETE message option on http://baseball.fantasysports.yahoo.com/b1/127146/messages
Yahoo! $400 CSRF Token missing on http://baseball.fantasysports.yahoo.com/b1/127146/messages
ReddAPI - No Captcha or rate limit on Login Page
InVision - TLS Renegotiation and Denial of Service Attacks on InVision.
Yahoo! $3,000 REMOTE CODE EXECUTION/LOCAL FILE INCLUSION/XSPA/SSRF, view-source:http://sb*.geo.sp1.yahoo.com/, 4/6/14, #SpringClean
Yahoo! $500 Comment Spoofing at http://suggestions.yahoo.com/detail/?prop=directory&fid=97721
OpenSSL - TLS heartbeat read overrun CVE-2014-0160
Khan Academy - XSS at http://smarthistory.khanacademy.org
ReddAPI - Login page password-guessing attack
OkCupid - okcupid.com vulnerable to Heartbleed attack
Khan Academy - Open Redirection in SmartHistory KhanAcademy
HackerOne - (lack of) smtp transport layer security
ReddAPI - Session Fixation Found
C2FO - c2fo.com is releasing sensitive Information about Database Configuration.
Khan Academy - Weak Ciphers Enabled
concrete5 - https://concrete5.org ::: HeartBleed Attack (CVE-2014-0160)
Khan Academy - Persistent class XSS [the fuck]
Khan Academy - https://www.khanacademy.org/coach/reports/activity XSS
Python $1,500 Integer overflow in strop.expandtabs
Flash $2,000 Same Origin Security Bypass Vulnerability CVE-2014-0503
Khan Academy - CSRF - Adding/Removing items to cart - shop.khanacademy.org
Khan Academy - User guessing/enumeration at sw.khanacademy.org
Khan Academy - Lighttpd version disclosure / directory listing
Khan Academy - Possible clickjacking at shop.khanacademy.org
Khan Academy - Stored XSS {dangerous?} https://www.khanacademy.org/coach/roster/?listId=allStudents
Khan Academy - Full Path Disclosure on [smarthistory.khanacademy.org]
Khan Academy - https://www.khanacademy.org/login open-redirect
RelateIQ $100 Wildcard DNS in website
Khan Academy - Dom based XSS https://www.khanacademy.org/
HackerOne $150 creating titleless and non-closable bugs
Khan Academy - http://smarthistory.khanacademy.org/search-results.html XSS
Yahoo! $1,000 Header injection on rmaitrack.ads.vip.bf1.yahoo.com
Yahoo! $250 Cross-origin issue on rmaiauth.ads.vip.bf1.yahoo.com
Yahoo! $300 reflected XSS, http://extprodweb11.cc.gq1.yahoo.com/, 4/8/14, #SpringClean
Yahoo! $500 Significant Information Disclosure/Load balancer access, http://extprodweb11.cc.gq1.yahoo.com/, 4/8/14, #SpringClean
InVision $200 captcha missing
Slack - open redirect in https://slack.com
Slack $500 Facebook Takeover using Slack using 302 from files.slack.com with access_token
Slack $300 Stored XSS in Slack.com
Yahoo! - Information Disclosure, groups.yahoo.com,6-april-2014, #SpringClean
HackerOne $100 Marking notifications as read CSRF bug
Coinbase $1,000 Multiple Issues related to registering applications
The Internet $500 Uncontrolled Resource Consumption with XMPP-Layer Compression
Coinbase $100 Coinbase Android Security Vulnerabilities
C2FO - Password reset token leakage through referrer at https://app.c2fo.com/password/reset/
C2FO - User guessing/enumeration at https://app.c2fo.com/api/password-reset
Lookout - Clickjacking at https://jira.corp.lookout.com
C2FO - OPTIONS Method Enabled
Slack - TLS1/SSLv3 Renegotiation Vulnerability
Lookout - DOM-XSS Vulnerability
MS-DOS - एमएस डॉस प्राणघाती है।
MS-DOS - Injecting Distrust and Disbelief in Addicted Gamers
MS-DOS - History Disclosure of MS-Dos
MS-DOS - Permanent Denial of Service
MS-DOS - Arbitrary command execution in MS-DOS
MS-DOS - Bug in Source Code Files(v1.1)
Yahoo! $100 XSS in Yahoo! Web Analytics
MS-DOS - Hack administrator password even if you are a guest
MS-DOS - Please contact me @sehacure otherwise i am going to disclose in Full disclosure mailing list :p
OkCupid - Xss high issue in www.okcupid.com main domain in users signup page
MS-DOS - CRITICAL BUG!
Coinbase $1,000 Coinbase Android Application - Bitcoin Wallet Leaks OAuth Response Code
Yahoo! - Out of date version
Coinbase - IFRAME loaded from External Domains
Coinbase - Cookie missing the HttpOnly flag
Coinbase - User Enumeration, Information Disclosure and Lack of Rate Limitation on API
Coinbase - Improper Validation of the Referrer header leading to Open URL Redirection
Coinbase - Information Disclosure That shows the webroot of CoinBase Server
concrete5 - page_controls_menu_js can reveal collection version of page
concrete5 - CONCRETE5 - path disclosure.
concrete5 - XSS IN member List (Because of City Textbox)
Yahoo! $800 From Unrestricted File Upload to Remote Command Execution
concrete5 - XSS in private message
concrete5 - dashboard/pages/types [Unknown column 'Array' in 'where clause'] disclosure.
concrete5 - /index.php/dashboard/sitemap/explore/ Cross-site scripting
concrete5 - Bypass auth.email-domains
concrete5 - HttpOnly flag not set for cookie on concrete5.org
concrete5 - XSS in Theme Preview Tools File
Nginx $3,000 SPDY heap buffer overflow CVE-2014-0133
Nginx $3,000 SPDY memory corruption CVE-2014-0088
Slack $500 Duplicate of #4550
Yahoo! - Open redirect on tw.money.yahoo.com
Slack $500 Stored XSS in Slackbot Direct Messages
Slack - Open Redirect in Slack
Yahoo! - Open URL Redirection
Yahoo! $500 Server Side Request Forgery
RelateIQ $100 TRACE disclosure attack may be possible
Yahoo! - Almost all the subdomains are infected.
Yahoo! - Stored Cross Site Scripting Vulnerability in Yahoo Mail
MoneyStream - Here is another XSS i got for you
OkCupid - XSS in okcupid.com by hamid
Yahoo! $250 XSS Vulnerability (my.yahoo.com)
OkCupid - Server leaks version number
OkCupid - DOM based XSS in changing email address
HackerOne - javascript: and mailto: links are allowed on users' profiles
Phabricator $300 Persistent XSS: Editor link
OkCupid - Security issue in OkCupid
HackerOne - Accepting Invalid characters on email address
HackerOne $100 Securing sensitive pages from SearchBots
Phabricator $400 OAuth Stealing Attack (New)
HackerOne - Adding an user email address to the list before confirming.
Phabricator $300 Control character allowed in username
Slack - User impersonation is possible with incoming webhooks
HackerOne - Criptographic Issue: Strisct Transport Security with not good max age..(TOO SHORT!)
Phabricator $450 OAuth access_token stealing in Phabricator
Yahoo! - Clickjacking at surveylink.yahoo.com
Yahoo! - Authentication bypass at fast.corp.yahoo.com
InVision - Found a Clickjacking in blog.invisionapp.com.
Slack $500 flash content type sniff vulnerability in api.slack.com
RelateIQ $100 Captcha Bypass With Extension
RelateIQ - RelateIQ GWT based application visible to unauthenticated users
OkCupid - XSS in "Questions" search module
Ruby on Rails $1,500 Directory traversal attack in view resolver CVE-2014-0130
Phabricator $300 UnAuthorized Editorial Publishing to Blogs
OkCupid - XSS in 404 page of cdn.okccdn.com
HackerOne $100 Control Characters Not Stripped From Username on Signup
OkCupid - XSS - okcupid.com
OkCupid - Stored XSS on your site..
OkCupid - Stored Cross-site scripting vulnerability in okcupid
Yahoo! $1,000 SQL Injection ON HK.Promotion
OkCupid - XSS In Profle
OkCupid - XSS on [okcupid.com]
OkCupid - Login destination open redirection
OkCupid - http://www.helloquizzy.com/quizzy/createlist Cross-site scripting vulnerability
Slack - Content Spoofing
OkCupid - Direct XSS vulnerabilities (persistent) in http://www.okcupid.com/profile
Slack - Deleting Teams implemenation
OkCupid - https://www.okcupid.com/hidden-users CSRF vulnerability.
OkCupid - Instagram Authentication - No Request Token
OkCupid - Users can easily be tricked into changing/disabling privacy and notification settings
OkCupid - http://www2.okcupid.com/profile Cross-site scripting
Slack - Stored XSS
Phabricator - CSRF token valid even after the session logout of a particular user
Slack $500 Reflected Xss
Slack - Email enumeration
Slack - Data exports stored on S3 can be scraped easily
RelateIQ $100 HTML injection in "Invite Collaborators"
Slack - Open redirect vulnerability
Slack - State parameter missing on google OAuth
Slack $500 Stored XSS in Channel Chat
Slack - Stored XSS on this link https://sehacure.slack.com/help/requests/
Slack - CSRF on add comment section
Slack - csrf
Slack $100 CSRF vulnerability on https://sehacure.slack.com/account/settings
Slack $500 Stored XSS in username.slack.com
Slack $200 URL redirection flaw
Slack $200 Stored XSS in www.slack-files.com
Yahoo! $100 http://conf.member.yahoo.com configuration file disclosure
Yahoo! - Yahoo mail login page bruteforce protection bypass
HackerOne $500 Weird Bug - Ability to see partial of other user's notification
Slack - Session Fixation disclosing email address
Slack $100 Slack OAuth2 "redirect_uri" Bypass
Slack $100 Broken Authentication (including Slack OAuth bugs)
Slack $150 Reflective XSS can be triggered in IE
RelateIQ $100 Cross Site Scripting (XSS) - app.relateiq.com
HackerOne - Hackerone Email Addresses Enumeration
RelateIQ $100 XSRF token problem
RelateIQ $100 Value of JSESSIONID and XSRF token parameter in cookie remains same before and after login
RelateIQ - open redirect
Yahoo! - Yahoo open redirect using ad
Sandbox Escape $5,000 Win32k Window Handle Vulnerability (EoP) CVE-2014-0262
Yahoo! - Reflected XSS in mail.yahoo.com
Phabricator $500 Bypass auth.email-domains (2)
Phabricator $300 Login CSRF using Twitter OAuth
Phabricator $1,000 Bypass auth.email-domains
HackerOne $100 CSS leaks SCSS debug info
HackerOne - harvesting attack on user registration
Flash $10,000 Flash double free vulnerability leads to code execution CVE-2014-0502
Yahoo! $1,500 XSS on Every sports.yahoo.com page
Flash $2,000 Flash local-with-fileaccess Sandbox Bypass CVE-2014-0508
Yahoo! $1,276 HK.Yahoo.Net Remote Command Execution
Yahoo! - Insufficient validation of redirect URL on login page allows hijacking user name and password
Flash $2,000 Handling of jar: URIs bypasses AllowScriptAccess=never CVE-2014-0491
Flash $10,000 Flash type confusion vulnerability leads to code execution CVE-2013-5331
Yahoo! - In Fantasy Sports iOS app, signup page is requested over HTTP
Yahoo! $1,390 Local file inclusion
Yahoo! - A csrf vulnerability which add and remove a favorite team from a user account.
Yahoo! - XSS Reflected - Yahoo Travel
Yahoo! $3,705 SQLi on http://sports.yahoo.com/nfl/draft
Yahoo! $750 Flickr: Invitations disclosure (resend feature)
HackerOne $100 DNS Misconfiguration
Secret - Strict Transport Security on secret.ly
Yahoo! $800 HTML Injection on flickr screename using IOS App
Yahoo! - URL Redirection
Secret - SSL Not Enforced
Factlink - Proxy discloses internal web servers
Yahoo! - Yahoo YQL Injection?
Yahoo! - HTML Code Injection
PHP $1,500 PHP Heap Overflow Vulnerability in imagecrop() CVE-2013-7226
Yahoo! - Vulnerability found, XSS (Cross site Scripting)
Yahoo! - ClickJacking on http://au.launch.yahoo.com
Yahoo! - Authentication Bypass in Yahoo Groups
Yahoo! - clickjacking
Yahoo! $800 XSS in my yahoo
Yahoo! $2,500 Security.allowDomain("*") in SWFs on img.autos.yahoo.com allows data theft from Yahoo Mail (and others)
HackerOne - LinkedIN URL should be HTTPS
Yahoo! - Directory Traversal
Yahoo! - Information Disclosure
Yahoo! - Bypass of anti-SSRF defenses in YahooCacheSystem (affecting at least YQL and Pipes)
Yahoo! - XSS using yql and developers console proxy
Sandbox Escape $3,000 Linux 3.4+: arbitrary write with CONFIG_X86_X32 CVE-2014-0038
Yahoo! $1,960 Store XSS Flicker main page
Yahoo! - Java Applet Execution On Y! Messenger
Yahoo! $2,173.75 Cross-site scripting on the main page of flickr by tagging a user.
Yahoo! $677.50 XSS Yahoo Messenger Via Calendar.Yahoo.Com
HackerOne $100 Autocomplete enabled in Paypal preferences
Phabricator $300 Improperly implemented password recovery link functionality
Phabricator $300 Log in a user to another account
HackerOne - Enumeration of users
HackerOne $100 A password reset page does not properly validate the authenticity token at the server side.
HackerOne $100 Information disclosure (reset password token) and changing the user's password
HackerOne $100 Improper session management
HackerOne $150 Switching the user to the attacker's account
HackerOne $500 Upload profile photo from URL
HackerOne $250 Email spoofing
HackerOne $100 CSRF login
HackerOne $150 Logical issues with account settings
PHP $4,000 PHP openssl_x509_parse() Memory Corruption Vulnerability CVE-2013-6420
The Internet $7,500 TLS Virtual Host Confusion
The Internet $1,500 OpenSSH: Memory corruption in AES-GCM support CVE-2013-4548
Ruby $1,500 Ruby: Heap Overflow in Floating Point Parsing CVE-2013-4164
HackerOne $100 DNS Cache Poisoning
HackerOne $100 Flawed account creation process allows registration of usernames corresponding to existing file names
HackerOne $500 PNG compression DoS
HackerOne $250 GIF flooding
HackerOne $500 Pixel flood attack
HackerOne $100 Session not expired on logout
HackerOne - Privilege escalation..., or not?!
HackerOne $250 CSP not consistently applied
HackerOne $500 RTL override symbol not stripped from file names
HackerOne $100 Session Management
HackerOne $100 Broken Authentication and session management OWASP A2
HackerOne $100 Real impersonation
HackerOne - Flawed account creation process allows registration of usernames corresponding to existing file names
HackerOne - Report title autocompletion
HackerOne $500 Missing SPF for hackerone.com
HackerOne - Login page password-guessing attack