Public HackerOne bug reports.

Show Bounties Only

Team Bounty Title
Legal Robot - design issue exists on login page
Legal Robot - Coding error !
TTS Bug Bounty - {REDACTED} subdomain takeover.
Legal Robot - Insufficient Security Configurability-Weak Registration Implementation-Allows Disposable Email Addresses
Legal Robot - I cant login to my account
TTS Bug Bounty - Email Spoofing - SPF record set to Neutral
TTS Bug Bounty - Email Spoofing - SPF record set to Neutral
Legal Robot - Improper error message
Legal Robot - Email Length Verification
TTS Bug Bounty - vulnerable to Sweet32 attack
TTS Bug Bounty - Subdomain take-over of {REDACTED}
Legal Robot - Name can't be numbers or email
Gratipay - Reflected XSS -
HackerOne - IDOR on HackerOne Feedback Review
Gratipay - Gratipay rails secret token (secret_key_base) publicly exposed in GitHub
Legal Robot - Password Restriction On Change
Legal Robot - UX: JS error on Password Safety link
Gratipay - xss
Unikrn $200 HTML injection in email in
Legal Robot - Information disclosure
Rockstar Games $500 dom based xss in (Fix bypass)
Legal Robot - Special characters are not filtered out on profile fields
Legal Robot - Change password session fixed
Legal Robot - Weak Cryptography for Passwords
Legal Robot $20 No length limit in invite_code can cause server degradation
Legal Robot $20 CSP script-src includes "unsafe-inline"
Legal Robot $20 Improper validation of parameters while creating issues
Legal Robot $100 Update any profile
Legal Robot - Invalid Email Verification
Legal Robot $20 first name and last name restrictions bypass
Legal Robot $20 TabNabbing issue (due to taget=_blank)
Legal Robot - Tampering the mail id on chatbox
Legal Robot $20 Incorrect error message
Legal Robot $20 Incorrect email content when disabling 2FA
Legal Robot $20 Lengthy manual entry of 2FA secret
Trello $128 A CRLF injection into the redirect URL of can be used to cause a denial of service when later redirected to
Udemy - No password length restriction
ownCloud - open redirect
Quora $500 [Quora Android] Possible to steal arbitrary files from mobile device
WordPress - Clickjacking -
Snapchat $5,000 RCE/LFI on test Jenkins instance due to improper authentication flow
Gratipay - Sub domain take over in
Ruby - Open aws s3 bucket s3://rubyci
Udemy - CSRF Token
Legal Robot $40 Code injection
Khan Academy - Weak Bithdate Validation Implemented on Sign Up
WakaTime - Impersonation of Wakatime user using Invitation functionality.
ownCloud - This is not the security issue.
Legal Robot $20 User enumeration from failed login error message
Udemy - Violation of secure design principle
Udemy - Weak Password
Legal Robot - Mixed Content over HTTPS
Brave Software $200 URL Spoof / Brave Shield Bypass
Khan Academy - Password Functionality not working correctly
Legal Robot $20 Change password logic inversion
Legal Robot $20 Profile fields validation bypass
arxius - No Email Verification and No email sent on Forget Pasword
Phabricator - Credential gets exposed
Legal Robot - LUCKY13 (CVE-2013-0169) effects
WakaTime - Failure to check password history
Legal Robot - Create Api Key is not working
Legal Robot $20 Profile shows incorrect account creation date
Legal Robot - Password Reset page Session Fixation
Legal Robot - Lack of input validation in e-mail & user name, job title, company name field
Legal Robot - SSL : breach compression attack (CVE-2013-3587) effects
Coinbase - Device confirmation Flaw
Rockstar Games $500 dom based xss in
Bitvise $100 The POODLE attack (SSLv3 supported)
Unikrn $50 Escaping images directory in S3 bucket when saving new avatar, using Path Traversal in filename
Boozt Fashion AB $60 Password reset token issue
Legal Robot $20 [Cross-domain Referer leakage] Password reset token leakage via referer
Automattic $225 XSS Vulnerability in WooCommerce Product Vendors plugin
Rockstar Games $600 CSRF Vulnerability allows attackers to steal SocialClub private token.
Dropbox - Missing URL sanitization in comments can be leveraged for phishing
Phabricator - Hyper Link Injection In email and Space Characters Allowed at Password Field.
Tor - [Android] Possible to force list of bridges
Legal Robot $20 Token leakage by referrer header & analytics
Zomato $500 Restaurant payment information leakage
Unikrn $40 Flash CSRF: Update Ad Frequency %: []
Frans Visits Vegas - Frans Visits Vegas Announcement
Zomato $100 Length extension attack leading to HTML injection
Legal Robot $20 No notification on change password feature
Legal Robot $20 Meta characters are not filtered into full name on profile page
Legal Robot $20 Pages don't render in old browsers like IE11
Legal Robot $60 Missing Issuer parameter on TOTP 2FA
Moneybird $50 Stored XSS at Moneybird
Legal Robot - Subdomain misconfiguration []
Legal Robot $20 [New Feature] Password history check
TTS Bug Bounty $150 The Federalsit session cookie (federalist.sid) is not properly invalidated - backdoor access to the account is possible
ExpressionEngine - Potential code injection in fun delete_directory
Legal Robot $20 User enumeration
Cuvva - CSRF on allows to attacker to send multiple SMS to download the app without visiting the cuvva
ExpressionEngine - Image lib - unescaped file path
Legal Robot $20 Password complexity ignores empty spaces
Legal Robot $60 Users with 2FA can have multiple sessions
Legal Robot $20 Account profile shows encryption recovery box for all users
Legal Robot $60 Enhancement: email confirmation for 2FA recovery
Legal Robot $20 Intercom chat session information persists after logout
Legal Robot $60 2FA Error Handling on Google Authenticator
Legal Robot - 2FA user enumeration via login
Legal Robot $90 2FA user enumeration via password reset
Legal Robot $40 Password complexity not evenly enforced
Legal Robot $90 Missing link to 2FA recovery code
Legal Robot $90 Missing link to TOTP manual enroll option
Legal Robot $60 Non-functional 2FA recovery codes
TTS Bug Bounty $150 Race condition on the Federalist API endpoints can lead to the Denial of Service attack
Zomato $50 Posting to Twitter CSRF on php/post_twitter_authenticate.php
Trello - Unpatched ( Unviladate File Upload to XSS on trello-attachment Bucket
Grabtaxi Holdings Pte Ltd $1,000 Git repository found
Twitter $10,080 XXE on in SXMP Processor
Coinbase $100 Information disclosure same issue #176002
Grabtaxi Holdings Pte Ltd $200 [] DOM XSS at /assets/bower_components/lodash/perf/
concrete5 - Stored XSS vulnerability in RSS Feeds Description field
Gratipay - SQL TEST
HackerOne $1,500 Reading redacted data via hackbot's answers
concrete5 - Stored XSS in Name field in User Groups/Group Details form
concrete5 - Stored XSS in Private Messages 'Reply' allows to execute malicious JavaScript against any user while replying to the message which contains payload
Grabtaxi Holdings Pte Ltd $200 Dom based xss affecting all pages from
WakaTime - Session Duplication due to Broken Access Control
Zomato $250 Bypass OTP verification when placing Order
Moneybird - Moneybird customers invoices leak in cacheable urls $100 Узнать название частной группы и ее аватарку по видеоролику.
ICQ - Apache Server-Status Detected
Zomato $500 [█████████] Hardcoded credentials in Android App
Twitter $420 Open Redirect
WakaTime - by pass rate limit exceed
Pornhub - Private videos can be added to our playlists
Snapchat $250 [] Bypassing quantity limit in orders
Coinbase $100 Captcha Bypass in Coinbase SignUp Form
Rockstar Games $500 Reflected XSS via Double Encoding
WakaTime - [Privilege Escalation] Authenticated users can manipulate others fullname without their knowledge [Team Vector]
Zomato $300 SQL Injection, exploitable in boolean mode
WakaTime - Running 2 accounts with a single email
Mixmax - Public calendar link can be invisible
WakaTime - Password Policy Issue
TTS Bug Bounty $350 [IDOR] The authenticated user can restart website build or view build logs on any another Federalist account
TTS Bug Bounty $300 The user, who was deleted from Github Organization, still can access all functions of federalist, in case he didn't do logout
Gratipay - self cross site scripting
WakaTime - Blocking users to sign up on the site
WakaTime - No rate limit on creating private leaderboards.
Weblate - []-Missing SPF Record
WakaTime - Sensitive Cookie Without 'HttpOnly' Flag
Zomato $1,000 Login to any account with the emailaddress
WakaTime - JSON CSRF on POST Heartbeats API
WakaTime - Bypassing Access control, changing owner's name in a private leaderboard
WakaTime - Lack of Password Confirmation When Changing Email
WakaTime - Missing Account Deletion Notification
WakaTime - Two email addresses can access the same account
WakaTime - Missing filteration of meta characters in all full name field on
Mapbox - null pointer dereference and segfault in tile-count-merge
TTS Bug Bounty $300 Double Stored Cross-Site scripting in the admin panel
WakaTime - No rate limiting for confirmation email, can spam anyone with confirmation emails
WakaTime - Session not expired on logout
WakaTime - No notificatoin sent on email after account deletion.
WakaTime - Clickjacking on authorized page
WakaTime - No redirect uri for Twitter Oath resulting in token leak
WakaTime - Login page password - guessing attack
shopify-scripts $800 Use after free in mruby-mpdecimal
WakaTime - Session Not Expired On Logout
Paragon Initiative Enterprises - [Critical] billion dollars issue
WakaTime - No rate limit when creating new goals []
WakaTime - Logout CSRF
WakaTime - website CSP "script-src" includes "unsafe-inline"
WakaTime - Unsafe Inline and Eval CSP Usage
Mail.Ru - Open Redirect on []
WakaTime - UI Redressing on Embedded Charts
WakaTime - Add arbitrary content to Password Reset Email
WakaTime - Forgot password link doesn't expire after used, only after some hours
WakaTime - IDOR create accounts and verify them with original account email
WakaTime - Password token validation in
WakaTime - Password reset links should expire after being used, instead of at specific time
WakaTime - [Privilege Escalation] Authenticated users can manipulate others fullname without their knowledge
WakaTime - Email Spoofing Via /api/v1/users/reset_password
WakaTime - Mailgun misconfiguration
Apache httpd (IBB) $1,500 Apache HTTP Request Parsing Whitespace Defects CVE-2016-8743
WakaTime - [] Leaking password reset token via referrer
WakaTime - Missing SPF Flags
Weblate - Password token validation in Weblate Bypass #2
arxius - Missing Rate Limit for Password Reset Verification - Vulnerable to brute force
Gratipay - SSl Weak Ciphers
Shopify $500 IDOR [] - User with ONLY Manage apps permission is able to get shops info and staff names from inside the shop
Weblate - Password token validation in Weblate Bypass
Weblate - Error Message When Changing Username
Weblate - Improper validation of unicode characters #3
Weblate - No Rate Limitation on Regenerate Api Key
Weblate - Previous password could set as new password
Weblate - Improper validation of unicode characters still not fixed #2
Weblate - The username of an account can be ..
Weblate - Reset password more than once with a reset link
arxius - Disclose of phpmyadmin
arxius - another local file disclosure via ffmpeg
Mixmax - SSRF via webhook
RubyGems $1,000 Installing a crafted gem package may create or overwrite files CVE-2017-0901
Mixmax - Improper parsing of input could lead to future XSS vulnerabilities in Sequences
arxius - Open redirects protection bypass
Airbnb - Call back number not verified
RubyGems - No limit of summary length allows Denail of Service CVE-2017-0900
Weblate - No filteration of null characters in name field
Rockstar Games $1,000 XSS in
arxius - Local File Disclosure via ffmpeg
Gratipay - Possible User Session Hijack using Invalid HTTPS certificate on domain
Quora - Possibility of DOS Through logging System $100 Нет маркера на добавление песни в плейлист пользователя
shopify-scripts $800 Null pointer dereference with send/method_missing
Maximum $50 Open redirect on
Pornhub $500 Stored XSS in the any user profile using website link
Weblate - Improper validation of unicode characters
Gratipay - Possible user session hijack by invalid HTTPS certificate on domain
Weblate - Persistence of Third Party Association.
Apache httpd (IBB) $1,500 ap_find_token() Buffer Overread CVE-2017-7668
Weblate - Full Name Overwrite on Third party login
Weblate - Improper validation of unicode characters still not fixed
Starbucks $2,000 Possible subdomain takeover at
Gratipay - CSP Policy Bypass and javascript execution Still Not Fixed
Rockstar Games $500 flash injection in
Python (IBB) $500 Unsafe arithmetic in PyString_DecodeEscape
Pornhub $750 nickname field is vulnerable on xss
Gratipay - CSP Policy Bypass and javascript execution
Shopify $500 Stored XSS in *
Zomato - xss found in zomato
Gratipay - Email Spoofing
Yelp - Firefly's verify_access_token() function does a byte-by-byte comparison of HMAC values. - heap-buffer-overflow (READ of size 1) in cpptoml::parser::consume_whitespace()
Mixmax - Design issue with webhook (several) notifications on
Maximum $350 Open Redirect & Information Disclosure [] - HTTP - Basic Authentication on - Session Cookie without HttpOnly and secure flag set
Bumble - CSRF bug
Algolia - Text injection on
Mixmax - Stored XSS in Templates>Enahance>Social Badges
Algolia - SAUCE Access_key and User_name leaked in Travis CI build logs
Parrot Sec - XSS on
Parrot Sec - vulnerable to MITM
Weblate - Open redirect while disconnecting Email
Mail.Ru $100 BruteForce Any [] Account Credentials.
Mixmax - Stored XSS templates -> 'call for action' feature
Nextcloud - CVE-2015-5477 BIND9 TKEY Vulnerability + Exploit (Denial of Service)
Shopify - SQL Exception thrown during product import
Automattic $800 SSRF and local file disclosure in via FFmpeg HLS processing
Snapchat $500 CRLF Injection at
HackerOne - Invitation tokens leak to Google Analytics
Mixmax - no string size restriction on team name
Mixmax - [] Stored XSS on Adding new enhancement.
Coinbase - X-Frame-Options
ExpressionEngine - Open redirects protection bypass
Cuvva - Session cookie without secure flag on
Mixmax - Email Leakage in staging environment
Mixmax - Blind SSRF due to img tag injection in career form
Starbucks - Unable to register in starbucks app
Mixmax - Missing restriction on string size of contact field e.U. $20 Cross-site Scripting (XSS) in /updates-pro/archive/
Mixmax - [] Stored XSS on in contact names.
ToyTalk $200 Host Header Injection and Cache Poisoning
Mixmax - Privilege escalation-User who does not have access is able to add notes to the contact
Cuvva - Sensitive Support Mail Disclosure
Mixmax - CRLF Injection on
Mixmax - Clickjacking on
Mixmax - Security Vulnerability - SMTP protection not used
Perl (IBB) $500 heap-buffer-overflow (READ of size 61) in Perl_re_intuit_start()
Mixmax - Subdomain takeover (
Mixmax - Possible Subdomain Takeover
Mixmax - Attacker can trick other into logging in as themselves
Mixmax - mailbomb through invite feature on chrome addon
Weblate - API Does Not Apply Access Controls to Translations
Cuvva - Missing rate-limits at endpoints
Starbucks - Full Api Access and Run All Functions via Starbucks App
Weblate - Uploaded XLF files result in External Entity Execution
Cuvva - IDOR spam anyone's cellphone number through Cuvva app link
Rockstar Games $250 Control characters incorrectly handled on Crew Status Update
Keybase $500 Universal Cross-Site Scripting in Keybase Chrome extension
Cuvva - Missing Rate limiting on
U.S. Dept Of Defense - Remote Code Execution (RCE) vulnerability in a DoD website
Ubiquiti Networks - CRLF Injection on CVE-2017-5868
Weblate - Improper Cookie expiration | Cookies Expiration Set to Future
Cuvva - Subdomain take over and
Shopify $5,000 XSS on $shop$ and via whitelist bypass in SVG icon for sales channel applications
Perl (IBB) $500 heap-buffer-overflow (READ of size 11) in Perl 5.25.x
U.S. Dept Of Defense - Remote Code Execution (RCE) in a DoD website
Cuvva - Verification code for Underwriter dashboard can be brute-forced
ThisData - Insecure Cache-Control Leading to API key Retrieval
Coinbase - Open redirect on sign in
Cuvva - Your two domain login email address are disclosed in
OLX - OLX is vulnerable to clickjaking
Cuvva - Clickjacking vulnerability in
U.S. Dept Of Defense - Remote Code Execution (RCE) vulnerability in multiple DoD websites
Gratipay - Gratipay Website CSP "script-scr" includes "unsafe-inline"
Cuvva - CRLF Injection [] CVE-2017-5868
Snapchat $15,000 Open prod Jenkins instance
Rockstar Games $1,000 Stored XSS in profile activity feed messages
Cuvva - is vulnerable to Clickjacking attacks due to missing X-Frame-Options
Rockstar Games $1,000 Stored XSS in snapmatic comments
Cuvva - Missing rate limit on
Cuvva - website CSP "script-src" includes "unsafe-inline"
Gratipay - CSP "script-src" includes "unsafe-inline" in
Cuvva - RC4 cipher suit in use in
Weblate - CSP "script-src" includes "unsafe-inline" in and
Shopify $3,000 XSS on any Shopify shop via abuse of the HTML5 structured clone algorithm in postMessage listener on "/:id/digital_wallets/dialog"
Uber - Session not expired When logout []
U.S. Dept Of Defense - Arbitary file download vulnerability on a DoD website
Weblate - CSRF bypass ( Delate Source Translation From dictionaries ) in
Zomato - CSRF To Like/Unlike Photos
Cuvva - vulnerable to sweet32
U.S. Dept Of Defense - Arbitary file download vulnerability on a DoD website $100 CSRF на сброс ключа трансляции.
Cuvva - Reflected XSS on Branch domain
Cuvva - No rate limiting at POST /2/2017-05-22/send_identifier_token
Weblate - Weblate |Security Misconfiguration| Method Enumeration Possible on domain
Weblate - Weblate- Banner Grabbing-Ngnix Server version
WordPress - Vulnerable to clickjacking
Legal Robot $20 Domain takeover (
Coinbase - CSRF bug on password change
WordPress $275 DOM Based XSS In
Coinbase - Csrf bug on signup session
Trello - api flaw
concrete5 - Stored XSS in Headline TextControl element in Express forms [ concrete5 8.1.0 ]
WordPress - [] Reflected XSS via AngularJS Template Injection
WordPress $275 Stored self-XSS in checkout
Mail.Ru $150 XSS в портальной навигации
Weblate - Option method enabled
Zomato - Reflected XSS in Zomato Mobile - category parameter
Paragon Initiative Enterprises - Full directory path listing
Weblate - Takeover of an account via reset password options after removing the account
concrete5 - Stored XSS in Pages SEO dialog Name field (concrete5 8.1.0)
Weblate - Password token validation in
Trello - XML entity expansion using svg file
Weblate - Password Restriction
Weblate - No notificatoin sent on email after account deletion.
Weblate - Adding Email lacks Password validation
Weblate - Rate Limit Issue on
Weblate - Missing restriction on string size
Weblate - Self-XSS can be achieved in the editor link using filter bypass
Zomato - Amazon S3 bucket misconfiguration (share)
Weblate - Information Disclosure on
Nextcloud - Email Spoofing Vulnerability from nextcloud.
Weblate - Captcha bypass at registration
Weblate - Old password can be new password
Weblate - Captcha Bypass at Email Reset can lead to Spamming users.
Weblate - Login CSRF : Login Authentication Flaw
Weblate - No Rate Limiting at /contact
Weblate - Improper validation of unicode characters
Weblate - Design Flaw in session management of password reset
Weblate - Csrf in watch-unwatch projects
U.S. Dept Of Defense - Limited code execution vulnerability on a DoD website
PortSwigger Web Security - Misconfiguration: Missing Custom Error Page (CWE-12 & CWE-756)
HackerOne $10,000 WannaCrypt “Killswitch”
Quora - self xss in
Mail.Ru $500 Xss в
Pornhub $250 Partial disclosure of Private Videos through data-mediabook attribute information leak
Discourse $256 Any authenticated user can download full list of users, including email
Discourse $64 SSRF in upload IMG through URL
Teradici - Weak Password Policy on
Paragon Initiative Enterprises $50 Directory Disclose,Email Disclose Zendmail vulnerability
Maximum $50 Cross-site Scripting (XSS) on []
Trello $256 Cross-Site Scripting on Trello's iPhone App
Instacart $150 Reverse Tab-nabbing at
Instacart $100 XSS at in
shopify-scripts $100 Heap Overflow in fiber_switch triggered from Fiber.transfer
Dashlane $100 [] Test Panel Disclosure
Teradici - Weak password requirement on
U.S. Dept Of Defense - Cross-site scripting (XSS) vulnerability on a DoD website
U.S. Dept Of Defense - SQL Injection vulnerability in a DoD website
Maximum $300 IDOR in editing courses
Shopify - API Webhooks Fire And Are Unlisted After Permissions Removed
Mail.Ru $500 Xss в
Harvest $300 [] Reflected XSS in Error Message via URL parameters
Nextcloud - Nextcloud Server Remote Command Execution
Ubiquiti Networks $100 HTML Injection on $1,000 local file disclosure via FFmpeg hls processing
Paragon Initiative Enterprises - Broken Authentication & Session Management - Failure to Invalidate Session on all other browsers at Password change
concrete5 - Password Reset link hijacking via Host Header Poisoning
Gratipay - Unauthorized access to the slack channel via
Mail.Ru - IDOR in leading to Information Disclosure
Mixmax - CSRF
Paragon Initiative Enterprises - no session logout after changing the password in
Paragon Initiative Enterprises - Full Path Disclousure on
Paragon Initiative Enterprises - There is an vulnerability in where an attacker can users directory
Shopify $2,000 Reflected XSS in <any> through theme preview
U.S. Dept Of Defense - Information disclosure vulnerability on a DoD website
HackerOne $500 HackerOne reports escalation to JIRA is CSRF vulnerable
Shopify - Open Redirect in shopify app URL
RubyGems $500 Escape sequence injection in "summary" field CVE-2017-0899
Paragon Initiative Enterprises - Improper validation of Email
U.S. Dept Of Defense - Remote code execution (RCE) in multiple DoD websites
Paragon Initiative Enterprises - directory information disclose
U.S. Dept Of Defense - SQL Injection vulnerability in a DoD website
Paragon Initiative Enterprises $50 Cross-site-Scripting
shopify-scripts $200 OP_SCALL in LHS of a OP_ASGN resulting in arbitrary memory write
HackerOne $1,000 Changing Victim's JIRA Integration Settings Through Multiple Bugs
YouPorn - I am because bug
Nextcloud - I am because bug
Paragon Initiative Enterprises - I am because bug
Nextcloud - Wordpress Vulnerable to Potential Unauthorized Password Reset
U.S. Dept Of Defense - Cross-site scripting (XSS) vulnerability on a DoD website
Weblate - Missing filteration of meta characters in full name field on registration page
Dashlane $350 Throttling Bypass -
HackerOne - website CSP "script-src" includes "unsafe-inline"
Dashlane $300 Extract Billing admin email address using random team id
Weblate - Facebook share URL should be HTTPS
HackerOne - Insecure SHA1withRSA in and
Weblate - 7BO: Binary Option Robot URL should be HTTPS
Weblate - Account Takeover using Third party Auth CSRF
Weblate - ClickJacking on Debug
Weblate - Incorrect HTTPS Certificate
Mapbox $300 Node modules path disclosure due to lack of error handling
Weblate - full path disclosure at
Uber $2,000 phone number exposure for riders/drivers given email/uuid
Weblate - CSRF to Connect third party Account
Nextcloud - Missing Rate Limiting protection leading to mass triggering of e-mails
Dropbox - SSL Key Certificate expires
Weblate - Weak password policy
Weblate - Rate Limit Bypass on login Page
Weblate - session id missing secure flag - Hosted Website
Weblate - Invalidate session after password reset - hosted website
Weblate - Bypassing captcha in registration on Hosted site
Weblate - Open redirect while disconnecting authenticated account
Weblate - CSV Injection with the CVS export feature - Glossary
Weblate - Email verification over an unencrypted channel
WordPress - Lack of Password Confirmation when Changing Password and Email
GitLab - Missing/Breach of Internal Security Boundary - Access to Job Queue Results in Remote Code Execution
Weblate - Email spoofing at
Nextcloud - Cross Site Scripting
Shopify - ShopifyAPI is vulnerable to timing attacks.
ownCloud - password reset email spamming
Weblate - Running 2 accounts with a single email
Weblate - Specify maximal length in translation
Weblate - HttpOnly Flag not set
Weblate - CSV export filter bypass leads to formula injection.
Weblate - Specify maximal length in new comment
Weblate - No Password Length Restriction leads to Denial of Service
Weblate - Setting a password with a single character
Weblate - Access to completion page without performing any action
Nextcloud - information disclose
Weblate - X-XSS-Protection not enabled
Weblate - Open redirect in Signing in via Social Sites
Weblate - No Rate Limitting at Change Password
Weblate - Self XSS at translation page through Editor Link at
Weblate - is vulnerable to SWEET32 Vulnerability
Weblate - []Account Takeover
Weblate - Content Spoofing
Weblate - Null Password - Setting a new password doesn't check for empty spaces
Weblate - Notify user about password change $100 Посмотреть видеоролики, которые пользователь когда-либо скидывал в ЛС.
Weblate - Abuse of Api that causes spamming users and possible DOS due to missing rate limit
Weblate - Missing DMARC on
Weblate - Abuse of Api that causes spamming users and possible DOS due to missing rate limit on contact form
Weblate - User Enumeration when adding email to account
Weblate - Spamming any user from Reset Password Function
Weblate - Existing sessions valid after removing third party auth
Weblate - Weak e-mail change functionality could lead to account takeover
Weblate - Content Spoofing in error message
Weblate - Missing restriction on string size of Full Name at
Weblate - Open SMTP port can let anyone send email from
Weblate - Improper access control when an added email address is deleted from authentication
Weblate - Content Spoofing
Weblate - Login using disconnected google account i.e login using old email id
Weblate - X-XSS-Protection not enabled
Weblate - Clickjacking
Weblate - Directory Listing
Weblate - You can simply just use passwords that simply are as 123456
Weblate - CSRF - Changing the full name / adding a secondary email identity of an account via a GET request
Weblate - Improper Password Reset Policy on
Weblate - Insecure Account Removal
Weblate - Web server is vulnerable to Beast Attack
Weblate - CSRF : Lock and Unlock Translation
Weblate - CSV Injection with the CSV export feature
Weblate - Already Registered Email Disclosure
Weblate - Activation tokens are not expiring
Weblate - No BruteForce Protection
Weblate - CSRF : Reset API
Weblate - [] Stored Self-XSS via Editor Link in Profile
Weblate - Logout CSRF
Weblate - No expiration of session ID after Password change
Weblate - Open Redirect via "next" parameter in third-party authentication
Weblate - Registration captcha bypass
Uber $8,500 SAML Authentication Bypass on
Phabricator $300 IRC-Bot exposes information
Nextcloud - Stored XSS in Gallery application (NC-SA-2017-010) CVE-2017-0893
Nextcloud - Content (Text) Injection at
Nextcloud - Clickjacking In
Mapbox $500 Open Aws Amazon S3 Buckets
Nextcloud - Possible SSRF in email server settings(SMTP mode)
Nextcloud - The email API to test email-server settings is unlimited and can be used as a email bomb
Pornhub - XSS on
Pornhub $350 Mixed Reflected-Stored XSS on (without user interaction) in the playlist playing section
shopify-scripts $800 heap-use-after-free in mrb_vm_exec - vm.c:1247
ICQ $1,000 Дубликат: (доступ к аккаунту, через сброс пароля)
WordPress $150 Stored but [SELF] XSS in
shopify-scripts $100 heap use after free in fiber_switch
Homebrew - Stack Trace on
Homebrew - [] Full Path Disclosure
OWOX, Inc. - Broken Authentication & Session Management (Login Bypass) at
Nextcloud - The email API to reset password is unlimited and can be used as a email bomb
Homebrew - Sensitive information disclosure via response headers on
Nextcloud - Content Spoofing/Text Injection in
WordPress $387.50 Reflected XSS at via "s=" parameter
The Internet $500 Mercurial can be tricked into granting authorized users access to the Python debugger CVE-2017-9462
Homebrew - Server version disclosure on []
Phabricator - The special code in editor has no Authority control and can lead to Information Disclosure
Phabricator - The mailbox verification API interface is unlimited and can be used as a mailbox bomb
Trello $128 Malicious file can be hidden as Card Attachment or Card Cover image
Homebrew - Host header Injection
WordPress $275 XSS in the search bar of
YouPorn $250 DOM-based XSS on (main page)
Homebrew - [] Jenkins in Debug Mode with Stack Traces Enabled
OpenSSL (IBB) $500 Excessive allocation of memory in dtls1_preprocess_fragment() (CVE-2016-6308) CVE-2016-6308
OpenSSL (IBB) $500 Excessive allocation of memory in tls_get_message_header() (CVE-2016-6307) CVE-2016-6307
OpenSSL (IBB) $500 Certificate message OOB reads (CVE-2016-6306) CVE-2016-6306
OpenSSL (IBB) $500 OOB read in TS_OBJ_print_bio() (CVE-2016-2180) CVE-2016-2180
OpenSSL (IBB) $500 OOB write in BN_bn2dec() (CVE-2016-2182) CVE-2016-2182
OpenSSL (IBB) $500 Malformed SHA512 ticket DoS (CVE-2016-6302) CVE-2016-6302
OpenSSL (IBB) $500 OOB write in MDC2_Update() (CVE-2016-6303) CVE-2016-6303 $300 Blind SQL Injection
WordPress - Administrator(s) Information disclosure via JSON on
shopify-scripts $800 Null pointer dereferences in kh_copy_mt
Brave Software - homograph-attack (unicode vuln)
concrete5 - Stored XSS in RSS Feeds Title (Concrete5 v8.1.0)
GlobaLeaks - Information Disclosure
Twitter $560 HTTP 401 response injection on "" through "image_src" parameter
concrete5 - Stored XSS in Express Objects - Concrete5 v8.1.0
Nextcloud - GIT Detected
Starbucks - Java Deserialization RCE via JBoss on
LibSass - heap-use-after-free in Sass::SharedPtr::incRefCount()
LibSass - null pointer dereference in Sass::Eval::operator()(Sass::Map*)
shopify-scripts $800 heap-buffer-overflow (read outside of buffer) in mrb_vm_exec()
Nextcloud - CSRF token validation is missing
Nextcloud - file is readable
Phabricator - Autoclose can close any task regardless of policies/spaces
Open-Xchange $200 Critical : View/Edit access to private appointments of calendar folder by read only user (Vertical privilege escalation)
Open-Xchange $200 Unauthorized access to attachments details of Private Calendar appointments (Access control issue)
Mavenlink $50 Tabnabbing via Window.Opener @Mavenlink
Ubiquiti Networks $100 Expired SSL certificate
Algolia $200 [GitHub Extension] Unsanitised HTML leading to XSS on
HackerOne $750 Race condition leads to duplicate payouts
Skyliner - Password reset Token not expiring
Ubiquiti Networks - 200 http code in 403 forbidden directories on main domain
HackerOne $500 Subdomain takeover #4 at
shopify-scripts $100 mirb only: stack-buffer-overflow (OOB write) in main()
Maximum $25 XSS
U.S. Dept Of Defense - Reflected XSS on a DoD website $100 отдаёт в ответ HTML авторизированную страницу
Dovecot $600 Dovecot authentication is vulnerable to timing attacks.
Gratipay - Transferring incorrect data to the endpoint with correct Content-Type leads to local paths disclosure through the error message
Mail.Ru - Open Redirection at
Gratipay - POODLE SSLv3.0
Mail.Ru - Open Redirect
shopify-scripts $100 Invalid Pointer reference in L_RESCUE
Harvest $400 Client can redirect payment, causing payment discrepancy between Harvest and PayPal
Uber $5,000 Authentication bypass on via subdomain takeover of
Harvest - Login bypass on travel.██████████ aka "Harvest Spring Summit 2017"
Twitter $280 [██████████] .htpasswd disclosure
Open-Xchange $200 Resend invitation to members by Read only user(Privilege Escalation) $2,000 Возможность взлома любого пользователя, не использующего двухфакторной аутентификации, через получения кода восстановления на чужой номер.
Ubiquiti Networks $150 XSS
Ubiquiti Networks $500 [] Insecure CORS, Stealing Cookies
Nextcloud - Share tokens for public calendars disclosed (NC-SA-2017-011) CVE-2017-0894
GitLab - Stored XSS on Files overview by abusing git submodule URL
shopify-scripts $100 SIGABRT in sym_validate_len - symbol.c:44
Adobe - Parameter tampering can result in product price manipulation
Nextcloud - Design Issues on ( ███ ) Lead to show ( IPS of Users )
HackerOne - Example HackerOne security@ forward domain is not registered
Coinbase $100 []Content Injection
shopify-scripts $800 Invalid pointer dereference in OP_ENTER
shopify-scripts $800 SIGSEGV in array_copy - array.c:71
Twitter $560 [Gnip Blogs] Reflected XSS via "plupload.flash.swf" component vulnerable to SOME
Ruby - RCE (Remote Code Execution) Vulnerability on Ruby
Phabricator - An unsafe design practice in the Passphrase may result in Secret being accidentally changed.
Kaspersky Lab $400 In App purchase Hack
Automattic $500 An Automattic employee's GitHub personal access token exposed in Travis CI build logs
shopify-scripts $800 Null pointer dereference in OP_ENTER
Starbucks $500 Stored XSS in comments on*
Nextcloud - Directory Listing In Subdomain Of
U.S. Dept Of Defense - Reflected XSS vulnerability on a DoD website
RubyGems $1,000 Request Hijacking Vulnerability in RubyGems 2.6.11 and earlier CVE-2017-0902
Shopify $1,000 XSS in $shop$ via twine template injection in "Shopify.API.Modal.input" method when using a malicious app
U.S. Dept Of Defense - Information disclosure vulnerability on a DoD website
Shopify $800 XSS in $shop$ via "Button Objects" in malicious app
shopify-scripts $800 kh_put_iv SEGFAULT - mruby 1.2.0
Maximum $300 Possible to view and takeover other user's education and courses @
Maximum $150 Possible to unsubscribe from activities using CSRF @
Udemy - sweet32
Starbucks - [] Open Redirect and abuse of
ownCloud - CVE-2015-5477 BIND9 TKEY Vulnerability + Exploit (Denial of Service)
HackerOne $1,000 Subdomain takeover #3 at
U.S. Dept Of Defense - Reflected XSS in a DoD Website
shopify-scripts $100 SIGSEGV in mrb_vm_exec
shopify-scripts $800 SIGSEGV in mrb_str_inum
HackerOne - CRLF injection in
Mail.Ru $750 Stored XSS in (payload affect multiple users)
Dropbox - CSV Injection with the CVS export feature
shopify-scripts $800 Heap Buffer Overflow in mrb_hash_keys
OpenSSL (IBB) $2,500 OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
Nextcloud $450 Reflected XSS in error pages (NC-SA-2017-008) CVE-2017-0891
Pornhub $250 Reflected XSS in login redirection module
Phabricator $750 Phabricator is vulnerable to padding oracle attacks and chosen-ciphertext attacks.
shopify-scripts $800 SIGABRT - in free
shopify-scripts $800 heap use-after-free in mrb_vm_exec()
U.S. Dept Of Defense - SQL Injection vulnerability in a DoD website
shopify-scripts $800 Crash in ary_concat()
Pornhub - Reflected XSS on - /export/GetPreview
GitLab - Unfiltered `class` attribute in markdown code
Shopify $500 Full access at an internal service of Shopify
Pornhub $500 Blind Stored XSS against Pornhub employees using Amateur Model Program
Uber - deleting payment profile during active trip puts account into arrears but active trip is temporarily “free”
shopify-scripts $800 Null pointer dereferences in mrb_get_args
Legal Robot - Big XSS vulnerability!
Urban Dictionary - Session replay vulnerability in
GitLab - CSV injection in via issues export feature.
Udemy - CSRF Token Design Flaw
GitLab - [Repository Import] Open Redirect via "continue[to]" parameter
shopify-scripts $800 SIGABRT in mrb_debug_info_append_file
shopify-scripts $800 Null pointer dereference in mrb_class
shopify-scripts $300 Garbage collector crash
HackerOne $2,000 A HackerOne employee's GitHub personal access token exposed in Travis CI build logs
shopify-scripts $800 SIGSEGV in mrb_class
ownCloud $150 HTML Injection in Owncloud
GitLab - [Subgroups] Unprivileged User Can Disclose Private Group Names
Twitter $2,520 CSRF on Periscope Web OAuth authorization endpoint
Nextcloud - Server version/OS type disclosure via HTTP Response Header $200 Подмена SSL-сертификата для любой группы в секции Управление группой->Работа с API неавторизированным пользователем.
Ubiquiti Networks $6,000 Ability to log in as any user without authentication if █████████ is empty
Brave Software $100 [iOS] URL can be replaceState by blob URL in iOS Brave
shopify-scripts $800 SIGSEGV in mrb_vm_exec
HackerOne $500 Report invitation links not restricted to any existing user
Rockstar Games $350 Profile bio at rockstar is accepting control characters
shopify-scripts $800 Null pointer dereference in ary_concat
Mail.Ru - Reflected XSS on
CloudFlare - Cloudflare based XSS for IE11
Shopify $500 Stored passive XSS at scheduled posts (
shopify-scripts $100 SIGABRT - mirb - Double Free
Rockstar Games $350 Login form on non-HTTPS page
Airbnb - Nginx Version Disclosure
Mail.Ru - Stored XSS
Gratipay - Content-Length restriction bypass to heap overflow in
Blockchain - HTTP Header Injection/HTTP_Response_Splitting
Trello $768 Rate limiting of incorrect Two Factor Authentication codes not enforced
Nextcloud - Content spoofing due to the improper behavior of the 403 page
shopify-scripts $800 Null pointer dereferences in ary_concat
Yelp $100 Clickjacking Vulnerability found on Yelp
Shopify $1,500 Stored XSS in [shop][id]
GitLab - Open redirect
Discourse $512 Admin Command Injection via username in user_archive ExportCsvFile
BrickFTP $600 File access controls incorrectly enforced for files shared via QuickLink - Unshared files can be accessed
shopify-scripts $800 SIGABRT - mirb and mruby
Shopify - Setting Arbitrary Cookie at
Phabricator $600 Differential "Show Raw File" feature exposes generated files to unauthorised users
Legal Robot $60 Token leakage by referrer
Nextcloud - Update php-saml library to 2.10.5
shopify-scripts $800 SIGSEGV - mrb_obj_value
U.S. Dept Of Defense - Remote Command Execution on a DoD website
Legal Robot - Password Policy Bypass
Discourse $512 Arbitrary Local-File Read from Admin - Restore From Backup due to Symlinks
Trello - Phone verification code fails to expire and can be used multiple times also in different accounts to verify same cellphone number on
Trello - Email authentication token fails to expire and can be used multiple times for same Email address on
Nextcloud - Content Spoofing/Text Injection in
Nextcloud - SSRF at
shopify-scripts $800 Use-after-free leading to an invalid pointer dereference
shopify-scripts $100 SIGSEGV in str_buf_cat
U.S. Dept Of Defense - Blind SQLi vulnerability in a DoD Website
Nextcloud $250 DOM XSS vulnerability in search dialogue (NC-SA-2017-007) CVE-2017-0890
Starbucks - Reflected XSS in /searchasyoutype/v1/search?x-api-key=
Legal Robot $40 Password reset form ignores email field
GitLab - is vulnerable to reverse tabnabbing via AsciiDoc links. (#3)
U.S. Dept Of Defense - Remote Code Execution (RCE) in a DoD website
Nextcloud - Invalid request may lead content spoofing for phishing
U.S. Dept Of Defense - Remote code execution vulnerability on a DoD website
shopify-scripts $800 SIGABRT in only mirb
Nextcloud - Content spoofing due to the improper behavior of the 403 page
HackerOne $750 IE 11 Self-XSS on Jira Integration Preview Base Link
Imgur $5,000 RCE by command line argument injection to `gm convert` in `/edit/process?a=crop`
GitLab - is vulnerable to reverse tabnabbing. (#2)
Trello - Exporting JSON of other Boards
shopify-scripts $800 SIGSEGV - kh_get_n2s - in /src/symbol.c:37
Ubiquiti Networks - XSS via SVG file
shopify-scripts $100 sprintf gem - format string combined attack
shopify-scripts $800 Null pointer dereference in mrb_class
shopify-scripts $800 SIGSEGV - mrb_yield_with_class
Algolia $100 An “algobot”-s GitHub access token was leaked
U.S. Dept Of Defense - Remote Code Execution (RCE) in a DoD website
Starbucks - Unable to register in starbucks IN app
Moneybird $50 Stored Cross Site Scripting in Customer Name
Shopify $500 Stealing users' facebook access tokens -
Rockstar Games $150 Source Code Disclosure (CGI)
U.S. Dept Of Defense - Remote Code Execution (RCE) in a DoD website
Nextcloud -; allows open redirect
Nextcloud - Version 4.7.2 of wordpress is vulnerable
Gratipay $1 Inadequate/dangerous jQuery behavior $200 Написать от имени любого пользователя на его стене, если он перейдет по ссылке.
GitLab - is vulnerable to reverse tabnabbing.
shopify-scripts $800 Null pointer dereference in 'get_file'
Rockstar Games $350 Control Character Injection In Messages
LocalTapiola $100 XSS on 3rd party service Localtapiola is using
Rockstar Games $300 use of unsafe host header leads to open redirect
shopify-scripts $800 Null pointer dereferences from mrb_vm_exec
Slack $850 Bypass to postMessage origin validation via FTP
Rockstar Games $150 Full path Disclosure in
U.S. Dept Of Defense - Information disclosure vulnerability on a DoD website
shopify-scripts $800 mrb_vm_exec - null ptr dereference
Mail.Ru - Open Redirect
Rockstar Games $150 SSLv3 POODLE Vulnerability
shopify-scripts $800 Invalid Pointer Reference from OP_RESCUE
HackerOne $500 Transitioning a Private Program to Public Does Not Clear Previously Private Updates to Hackers
Ubiquiti Networks - Subdomain takeover on due to non-used CloudFront DNS entry
shopify-scripts $800 SIGSEGV - mark_context_stack
HackerOne $100 javascript: and mailto: links are allowed in JIRA integration settings
Gratipay - URL Given leading to end users ending up in malicious sites
shopify-scripts $800 Heap buffer overflow in mruby value_move
Starbucks $250 DOM XSS on via "pr_zip_location" parameter - Content Spoofing on
shopify-scripts $800 Heap buffer overflow with long array assignment
LocalTapiola $264 HTML Injection in email from
Ruby $500 public report - Reproducible - Writable RubyCi Amazon s3 bucket[207053]
Ruby $500 Open S3 Bucket WriteAble To Any Aws User
HackerOne $1,000 Subdomain takeover #2 at
Twitter $7,560 [URGENT] Opportunity to publish tweets on any twitters account
Brave Software - Address bar spoofing in Brave browser via. window close warnings
BrickFTP $100 CSRF @ configuration
Udemy $50 Subdomain Takeover at $100 Обход: "Аудиозапись недоступна для прослушивания в Вашем регионе."
Ubiquiti Networks $100 Reflected cross-site scripting (XSS) vulnerability in allows attackers to inject arbitrary web script via p parameter.
ownCloud - Outdated Jenkins server hosted at
U.S. Dept Of Defense - Cross-site scripting (XSS) vulnerability on a DoD website
shopify-scripts $800 Null pointer dereference in mark_context_stack
U.S. Dept Of Defense - Remote file inclusion vulnerability on a DoD website
Lyst $100 Site configured improperly at subdomain of
HackerOne - Able to create basic user account via Google login on HackerOne Drupal CMS
shopify-scripts $100 Memory corrouption in mrb_gc_mark
LocalTapiola $200 Brute force unsubscription on /webApp/unsub_sb (
LocalTapiola $50 /icons/README is still available on
Perl (IBB) $1,000 read outside of buffer (heap buffer overflow) in S_regmatch - regexec.c:6057
Pornhub $50 stored XSS in widget stylesheet
U.S. Dept Of Defense - Reflected XSS vulnerability in a DoD website
shopify-scripts $800 Heap use-after-free in mrb_vm_exec
Ubiquiti Networks $1,000 sqli
Shopify $500 Subdomain takeover on
Khan Academy - No Security check at changing password and at adding mobile number which leads to account takeover and spam
Khan Academy - SSL/TLS Vulnerability at
Dovecot - SSL Certification Expired And TLS Vulnerability
Lyst $100 Mixed Active content issue on
shopify-scripts $100 Controlled address leak due to type confusion - ASLR bypass
HackerOne $750 Information leakage via CSV when content is valid JavaScript
U.S. Dept Of Defense - Potentially sensitive information disclosure on a DoD website
Slack $3,000 Stealing xoxs-tokens using weak postMessage / call-popup redirect to current team domain
U.S. Dept Of Defense - Insecure Direct Object Reference (IDOR) vulnerability in a DoD website
Ruby $500 Writable RubyCi Amazon s3 bucket
HackerOne $1,500 Stealing contact form data on using Marketo Forms XSS with postMessage frame-jumping and jQuery-JSONP
ownCloud - HTML injection in Desktop Client
Uber $2,500 SQL injection in 3rd party software Anomali
Robinhood $100 Open Redirect located at
YouPorn $100 XSS via login cookie
OLX - Subdomain Takeover ( ,,
PortSwigger Web Security - Email Spoofing
Starbucks $750 Persistent CSRF in /GiftCert-AddToBasket prevents purchases on eCommerce sites
shopify-scripts $800 Heap Buffer Overflow while processing OP_SEND
Imgur $2,500 Remote Code Execution on
OLX - Reflected XSS in
shopify-scripts $800 mruby heap use-after-free
OWOX, Inc. - Subdomain takeover in many subdomains
Boozt Fashion AB - Application code is not obfuscated -- OWASP M9 (2016)
LocalTapiola $50 show control page if you insert ' at
shopify-scripts $100 Interger overflow in str_substr leading to read/write out of bound memory
shopify-scripts $800 Use After Free in mrb_vm_exec
OLX - Combined attacks leading to stealing user's account
shopify-scripts $800 Heap Buffer overflow in mrb_ary_unshift
GitLab - [Textile] XSS in project README files
GitLab - [reStructuredText] XSS in project README files
shopify-scripts $100 SIGABRT - method_missing - mark_context_stack
Nextcloud - Missing SPF Flags on
Zopim $50 express config leaking stacktrace
Informatica - []- Subdomain missconfiguration
Uber $1,500 pam-ussh may be tricked into using another logged in user's ssh-agent
shopify-scripts $800 A crash when an exception is caught in a caller and the receiver returned from `ensure`
shopify-scripts $100 segafult in mruby's sprintf - mrb_str_format
WordPress $350 Infrastructure - Photon - SSRF
shopify-scripts $800 Heap buffer oveflow with many arguments
Rockstar Games $1,400 <- Critical IDOR vulnerability in socialclub allow to insert and delete comments as another user and it discloses sensitive information ->
LocalTapiola $315 High server resource usage on captcha (
Brave Software - Clickjacking or URL Masking
Ubiquiti Networks - Weak credentials for
YouPorn - [Android API] SQL injection ( errortoken.json )
shopify-scripts $1,000 Segmentation fault while printing backtrace
YouPorn $250 Reflected XSS in Meta Tag
YouPorn $2,500 Time Based SQL-inject in post-parametr login[username] [domain -]
Informatica - Stored XSS via Discussion Title and Send as Email attribute in [] $100 Open Redirect in <customer>
Ubiquiti Networks $150 AirFibre products vulnerable to HTTP Header injection
Phabricator - Restricted file access when it exists in old versions of task or wiki document
Phabricator - Enumerating emails through "Forgot Password" form
U.S. Dept Of Defense - Remote code execution vulnerability on a DoD website
shopify-scripts $800 forgot to add the patch
Nextcloud $183 Calendar and addressbook names disclosed (NC-SA-2017-012) CVE-2017-0895
WordPress $350 Wordpress 4.7.2 - Two XSS in Media Upload when file too large.
shopify-scripts $100 SIGSEGV - mrb_vm_exec - line:1312
Gratipay - HTTP trace method is enabled on
Ubiquiti Networks - Content Spoofing or Text Injection in (403 forbidden page injection) and Nginx version disclosure via response header
Gratipay - Content length restriction bypass can lead to DOS by reading large files on
Gratipay - HTTP trace method is enabled on
U.S. Dept Of Defense - Bypass file access control vulnerability on a DoD website
Algolia $100 Reflected XSS
Brave Software - Brave payments remembers history even after clearing all browser data.
U.S. Dept Of Defense - Cross-site scripting (XSS) on a DoD website
YouPorn $150 Find whether a video has been favourited or not, for any user [via YouPorn Mobile API]
Informatica - []- Stored XSS on Image title and Edit Property
Pornhub $1,500 Wordpress Content injection
Pornhub - Debug.log file Exposed to Public \Full Path Disclosure\
Zomato - Unauthorised Access to Anyone's User Account
OLX - is using a very vulnerable version of WordPress and contains directory listing
Twitter $7,560 Vine all registered user Private/sensitive information disclosure .[ Ip address/phone no/email and many other informations ]
U.S. Dept Of Defense - Cross-site request forgery (CSRF) vulnerability in a DoD website
WebSummit - found a vulnerability in your website
ExpressionEngine - Type Juggling -> PHP Object Injection -> SQL Injection Chain
HackerOne $1,000 Subdomain takeover at $400 Missing Server Side Rate Limiting can Lead to VK Account Take over
Mapbox $750 Public access to objects in AWS S3 bucket
arxius - XSS in content type header when uploading file.
U.S. Dept Of Defense - Remote command execution (RCE) vulnerability on a DoD website
U.S. Dept Of Defense - SQL injection vulnerability on a DoD website
shopify-scripts $800 Denial of service (segfault) due to null pointer dereference in mrb_vm_exec
shopify-scripts $800 Denial of service (segfault) due to null pointer dereference in mrb_obj_instance_eval
Pornhub $250 XSS Vulnerability at URL endpoint
Pornhub $250 [xss], /redeem?code= URL endpoint
Phabricator $300 User with only Viewing Privilege can send message to Room
U.S. Dept Of Defense - Stored XSS vulnerability on a DoD website
shopify-scripts $100 Null pointer dereference in mrb_random_initialize
Coinbase - Requestor Email Disclosure via Email Notification
Instacart $100 Login with Google Not Authenticated on iOS App
Ubiquiti Networks $600 Wordpress directories/files visible to internet
Mail.Ru - Disclosure of information on
YouPorn $1,000 Account hijack via deleted PH account
shopify-scripts $800 SIGSEGV - vm.c - line:1214
shopify-scripts $100 Segmentfault at mrb_vm_exec
shopify-scripts $2,000 Recursion causing uninitialized memory reads leading to a segfault
Coinbase - Information disclosue in Android Application
Automattic $250 cloudup Subdomain Takeover That resolves to ( CNAME )
LocalTapiola $400 Single user DOS on selectedLanguage -cookie (
Ubiquiti Networks $150 Can upload files without authentication on AirFibre 3.2
Zomato - is vulnerable to SSL POODLE
U.S. Dept Of Defense - SQL Injection vulnerability in a DoD website
Nextcloud - Wordpress 4.7.1
OpenSSL (IBB) $1,000 CVE-2017-3730: Bad (EC)DHE parameters cause a client crash
LocalTapiola $100 Enumeration in unsubscribe -function of /omatalousuk (
Twitter $5,040 Attacker can get vine repost user all informations even Ip address and location .
Informatica - []- Broken Authentication
LocalTapiola $150 Reflected XSS on iltakoulu_varkaus (
PHP (IBB) $500 Out of bounds memory read in unserialize() CVE-2016-10161
Algolia $100 [] DOM Based XSS github-btn.html
shopify-scripts $100 heap-use-after-free /home/operac/testafl/mruby/mrubylast/mruby/src/gc.c
LocalTapiola $1,350 SQL Injection /webApp/cancel_iltakoulu regId parameter (
Nextcloud - Email Spoofing
Ubiquiti Networks $100 [] DOM Based XSS nuttyapp github-btn.html
Boozt Fashion AB - Email spoofing at
GitLab - [RDoc] XSS in project README files
LocalTapiola $50 CSRF bypass + XSS on
U.S. Dept Of Defense - SQL injection vulnerability on a DoD website
Dovecot - Information About Your System(Sensitive Directories)
Alvosec $3 Alvocrypt uses a cryptographically insecure PRNG.
Slack $1,000 Access of Android protected components via embedded intent
Pushwoosh - Clickjacking
shopify-scripts $100 Incorrect code generation with redo inside NODE_RESCUE.
Zomato - MailPoet Newsletters <= 2.7.2 - Authenticated Reflected Cross-Site Scripting (XSS)
Zomato - XSS in flashmediaelement.swf (
LocalTapiola $1,350 SQL Injection on /webApp/lapsuudenturva (
LocalTapiola $350 Sql injection on /webApp/sijoituswebinaari (
LocalTapiola $350 SQL Injection on /webApp/viivanalle (
U.S. Dept Of Defense - Information disclosure vulnerability on a DoD website
Boozt Fashion AB - Bypass email validity in newsletter field
Informatica - [] Search XSS
Harvest $250 Persistent XSS on ForecastApp
HackerOne $500 Google Analytics could be used as CSP bypass for data exfiltration on
shopify-scripts $800 Aborted - proc.c - line:143
Nextcloud - Missing Rate Limit for Current Password field in
U.S. Dept Of Defense - Privilege Escalation on a DoD Website
Nextcloud - is vulnerable to SWEET32 attack
Legal Robot - SWEET32 TLS attack
Nextcloud - Group admin can remove user from all his groups via API
Brave Software - No user confirmation when an auto-updated extension gets more permissions - HTML Injection possible due to bad filter
Nextcloud - Drone Nextcloud
New Relic - SSRF in exposes entire internal network
Nextcloud - HTTP-Basic Authentication on
Twitter $560 Clickjacking on Chrome
Starbucks - Lack of Controls Allowing for Card and PIN Enumeration Leading to Fraud
Starbucks - csrf
shopify-scripts $100 SIGABRT - mrb_realloc_simple - gc.c - line:201
Starbucks - Time-based Blind SQLi on
U.S. Dept Of Defense - Reflected XSS vulnerability on a DoD website
QIWI $150 [XSS/] Pay SubDomain Hard-Use XSS
QIWI $250 [XSS/] 3DSecure XSS
New Relic - Restricted User can view multiple account details including customer_root_account_id, payment method, date of first payment, etc.
Nextcloud - Disclosure of administrators via JSON on Wordpress
Ubiquiti Networks $2,000 [EdgeSwitch] Web GUI command injection as root with Privilege-1 and Privilege-15 users
shopify-scripts $100 Crash in print_backtrace
Discourse $256 Stored XSS in posts because of absence of oembed variables values escaping
U.S. Dept Of Defense - Misconfigured user account settings on DoD website
Discourse $256 Stored XSS in topics because of whitelisted_generic engine vulnerability
Nextcloud - WordPress <= 4.6.1 Stored XSS Via Theme File
Nextcloud - User Information Disclosure via REST API
ownCloud - User Information Disclosure via REST API
U.S. Dept Of Defense - SQL Injection vulnerability in a DoD website
shopify-scripts $800 Null pointer dereference in mrb_str_modify
shopify-scripts $800 Still heap overflow in mrb_ary_splice
shopify-scripts $100 SIGSEGV - mrb_obj_extend - line:413
shopify-scripts $800 SIGSEGV - mrb_vm_exec - line:1681
Starbucks - is reachable via ip address thus possible to link any doamin to Starbucks.
Discourse $256 XSS in topics because of bandcamp preview engine vulnerability $300 SSRF через Share-ботов
Rockstar Games $650 [IMP] - Blind XSS in the admin panel for reviewing comments
FormAssembly - is vulnerable to padding-oracle attacks.
OLX - Server Version Of
Rockstar Games $500 Ability to post comments to a crew even after getting kicked out
YouPorn $1,000 IDOR - Access to private video thumbnails even if video requires password authentication
U.S. Dept Of Defense - Information disclosure vulnerability on a DoD website
FormAssembly - XSS on username when register to proffesional account
ownCloud - bug reporting template encourages users to paste config file with passwords $100 Возможность смотреть видео рекомендации любого пользователя вконтакте
Nextcloud - bug reporting template encourages users to paste config file with passwords
Starbucks $375 Open redirect / Reflected XSS payload in root that affects all your sites (store.starbucks.* / shop.starbucks.* /
CodeIgniter - Vulnerable Javascript library
shopify-scripts $800 Heap Buffer overflow in mrb_funcall_with_block
Mail.Ru - CSRF Send a message at
HackerOne $2,000 Disclose any user's private email through API
Slack $200 dom xss in
shopify-scripts $800 Segmentation fault on program counter
U.S. Dept Of Defense - Information disclosure vulnerability on a DoD website
Shopify $500 - CSRF token leakage through Google Analytics
U.S. Dept Of Defense - Local file inclusion vulnerability on a DoD website
shopify-scripts - Clearing , Shifting and Pop Value from Frozen Array
shopify-scripts $800 SIGSEGV - mrb_vm_exec - vm.c in line:1272
shopify-scripts $800 SIGSEGV in mrb_vm_exec
HackerOne - Report redaction doesn't apply to report title update activities
U.S. Dept Of Defense - Blind SQLi in a DoD Website
Snapchat $250 RTLO char allowed in chat
Instacart $100 XSS in
PHP (IBB) $500 Use of uninitialized memory in unserialize() CVE-2017-5340
Mail.Ru - Излишние права при авторизации через интерфейс
shopify-scripts $100 Segmentation fault - mrb_gc_mark
U.S. Dept Of Defense - Information disclosure vulnerability on a DoD website
U.S. Dept Of Defense - Information disclosure vulnerability on a DoD website
U.S. Dept Of Defense - Information disclosure vulnerability on a DoD website
U.S. Dept Of Defense - Exposed Access Control Data Backup Files on DoD Website
U.S. Dept Of Defense - HTML Injection/Load Images vulnerability on a DoD website
Slack $100 Subdomain takeover on
GlobaLeaks - No valid SPF records on
Starbucks $250 SAP Server - default credentials enabled
Shopify $1,000 CSRF in all API endpoints when authenticated using HTTP Authentication
GitLab - Users with guest access can post notes to private merge requests, issues, and snippets
GitLab - User with guest access can access private merge requests
GitLab - Every user can delete public deploy keys
GitLab - Users can download old project exports due to unclaimed namespace
U.S. Dept Of Defense - SQL injection vulnerability in a DoD website
Open-Xchange $250 Set Cookie Via SVG
Envoy - Primary Cloning of Envoy web application resulting confidential information disclosure
shopify-scripts $800 Heap overflow due to off-by-one when expanding stack
shopify-scripts $200 Heap use-after-free during range creation
shopify-scripts - Deleting Key-value pair from Frozen HASH or Clearing a Frozen HASH
Shopify $500 Authentication Bypass on monitoring server
LocalTapiola $100 OpenSSL Padding Oracle Attack (CVE-2016-2107) on
GlobaLeaks - GlobaLeaks is vulnerable to timing attacks.
Nextcloud - Review remote code execution in SwiftMailer
Starbucks - Exposed Unencrypted Telnet Endpoint
Yelp $100 Able to download arbitrary PHP files at
Skyport Systems $25 Nginx version disclosure via forbidden page
Starbucks - Brute Force Attack against PIN on Card History Page Could Lead to Card Information Discovery / Fraud
U.S. Dept Of Defense - Password reset vulnerability on a DoD website
U.S. Dept Of Defense - Reflected XSS on a DoD website
LocalTapiola $400 Reflected XSS and Open Redirect (
Apache httpd (IBB) - DoS vulnerability in mod_auth_digest CVE-2016-2161
U.S. Dept Of Defense - SQL injection vulnerability on a DoD website
U.S. Dept Of Defense - Misconfigured password reset vulnerability on a DoD website
Trello - The contact page is vulnerable to self-XSS via upload file name
shopify-scripts $800 SIGABRT - mrb_default_allocf - Способ узнать имя человека удаленной страницы 2
Dovecot - Directory listing
shopify-scripts $800 SIGSEGV - kh_resize_iv - Null Deref
shopify-scripts $200 Double free of filename after codegen error
Gratipay - Session Fixation At Logout /Session Misconfiguration
shopify-scripts $800 attempting double-free using the mruby compiler `mrbc`
U.S. Dept Of Defense - Reflected XSS on a DoD website
Starbucks - Create New User Whilst Logged On
Zendesk $2,000 a stored xss in web widget chat
U.S. Dept Of Defense - SQL injection vulnerability on a DoD website - Способ узнать имя человека удаленной страницы
shopify-scripts $800 Use After Free in str_replace
shopify-scripts $800 Null pointer dereference in mrb_str_prepend
shopify-scripts $800 mrb_str_modify try to write to memory not marked for writing
shopify-scripts $800 SIGSEGV - mrb_check_intern_str() - NullPointer
WebSummit $20 Subdomain Takeover at
CloudFlare - [] Open Redirect
Gratipay - User Enumeration
U.S. Dept Of Defense - Server-side include injection vulnerability in a DoD website
OWOX, Inc. - Stored XSS at
shopify-scripts $1,000 Memory disclosure in timegm
Mapbox $1,000 Mapbox Android SDK uses Broadcast Receiver instead of Local Broadcast Manager
Nextcloud - Reflected XSS in U2F plugin by shipping the example endpoints
U.S. Dept Of Defense - XSS vulnerability on a DoD website
Starbucks - [] CRLF Injection, XSS
shopify-scripts $800 SIGSEGV Null Pointer mrb_str_concat()
shopify-scripts $100 heap-buffer-overflow on mruby
YouPorn $1,000 Account takeover via Pornhub Oauth
LocalTapiola $150 Creating arbitrary cookies values /cs/CookieServer (
Discourse $128 Users can bookmark other user's messages
shopify-scripts $800 kh_get_n2s() stack overrun
U.S. Dept Of Defense - Server side information disclosure
U.S. Dept Of Defense - Remote code execution vulnerability on a DoD website
shopify-scripts $800 SIGABRT, SIGSEGV mspace_free() and mrb_default_allocf()
shopify-scripts $800 SIGSEGV on mrb_vm_exec() Null Deref
Harvest $300 Unauthorised read Access to Expense Receipt of any user in the company(Vertical Privilege escalation)
Mail.Ru - [] Open Redirect
Mail.Ru - [] Open Redirect
shopify-scripts $800 Heap Overflow in mrb_arb_splice
shopify-scripts $100 mrb_vformat() heap overflow could lead to code execution
OLX - is vulnerable to POODLE attack
shopify-scripts $100 Integer Overflow in mrb_ary_set
Discourse $256 XSS vulnerability on Audio and Video parsers
Shopify $1,000 Stored XSS in blog comments through Shopify API
Coinbase - Information disclosure in coinbase android app
Shopify $500 XSS on postal codes
Badoo $280 CSRF Attack on ( account and erasing imported contacts
Ruby $500 Buffer underflow in sprintf
U.S. Dept Of Defense - SQL Injection vulnerability in a DoD website
U.S. Dept Of Defense - SQL Injection vulnerability in a DoD website
U.S. Dept Of Defense - Default credentials on a DoD website
shopify-scripts $800 SIGSEGV mrb_obj_freeze() Manipulating Register RAX and RSI
Nextcloud $300 Limitation of app specific password scope can be bypassed (NC-SA-2017-009) CVE-2017-0892
shopify-scripts $800 SIGSEGV on mruby mrb_get_args()
Discourse $256 XSS Vulnerability on Image link parser
U.S. Dept Of Defense - HTML injection vulnerability on a DoD website
Discourse $256 DOM Based XSS in Discourse Search
Twitter - Remote Unrestricted file Creation/Deletion and Possible RCE.
U.S. Dept Of Defense - Cross-site request forgery (CSRF) vulnerability on a DoD website
U.S. Dept Of Defense - Server side information disclosure on a DoD website
shopify-scripts $1,000 Incorrect code generation when result of NODE_NEGATE is not used
Pornhub $1,000 XSS vulnerability using GIF tags
Legal Robot $20 Password complexity requirements not enforced
U.S. Dept Of Defense - Cross-site request forgery vulnerability on a DoD website
LocalTapiola $1,350 SQL Injection on /webApp/sijoitustalousuk email-parameter + potential lack of CSRF Token (
U.S. Dept Of Defense - DOM Based XSS on a DoD website
U.S. Dept Of Defense - DOM Based XSS on an Army website
LocalTapiola $450 Reflected XSS and Open Redirect in several parameters (
U.S. Dept Of Defense - Reflected cross-site scripting (XSS) vulnerability on a DoD website
Twitter $1,680 CRLF and XSS stored on
OLX - Reflected XSS in []
shopify-scripts $100 Invalid memory access in `mrb_str_format`
Twitter $140 Sub Domain Takeover at
U.S. Dept Of Defense - File upload vulnerability on a DoD website
PortSwigger Web Security - HTTP OPTION Method is Enabled on
Uber $2,500 Authorization issue in Google G Suite allows DoS through HTTP redirect
Starbucks - Creation of Google G Suite Account on Behalf of starbucks.
LocalTapiola $1,350 SQL Injection in lapsuudenturva (
LocalTapiola $50 Reflected XSS on sankarikoulutus (
Gratipay - Content type incorrectly stated
Shopify $500 XSS on manually entering Postal codes
PHP (IBB) $500 Invalid parameter in memcpy function trough openssl_pbkdf2
Nextcloud - Stored XSS on new Calling plugin (spreed)
PHP (IBB) $500 imagefilltoborder stackoverflow on truecolor images
Starbucks $250 Reflected XSS on (Locale-Change)
LocalTapiola $1,350 SQL Injection in sijoitustalous_peruutus (
U.S. Dept Of Defense - Reflected XSS on a DoD website
Gratipay - Gratipay uses the random module's cryptographically insecure PRNG.
GoCD - Reflected XSS vector
Informatica - [] Profile stored XSS
U.S. Dept Of Defense - Reflected XSS on a DoD website
QIWI $100 [] .bash_history
Gratipay - Cookie HttpOnly Flag Not Set
LocalTapiola $400 Open Redirect bypass and cookie leakage on
shopify-scripts $1,000 Segfault when passing invalid values to `values_at`
Informatica - [] XSS on "isJTN"
Informatica - [] The login form XSS via the referer value
Gratipay - Certificate signed using SHA-1
U.S. Dept Of Defense - Time Based SQL Injection vulnerability on a DoD website
Informatica - [] DOM based XSS in the bindBreadCrumb function
Quora $150 [Android] XSS via start ContentActivity
Quora $300 [] 429 Too Many Requests Error-Page XSS
HackerOne $500 Websites opened from reports can change url of report page
shopify-scripts - Segmentation fault due to invalid memory access in codegen when using break with the 127th argument a constant
U.S. Dept Of Defense - Server Side Request Forgery (SSRF) vulnerability in a DoD website
shopify-scripts $10,000 Certain inputs cause tight C-level recursion leading to process stack overflow
Twitter - GNIP subdomain take over
U.S. Dept Of Defense - Information disclosure vulnerability on a DoD website
U.S. Dept Of Defense - Information disclosure on a DoD website
Shopify $500 Unauthenticated Stored XSS on <any> via checkout page
Urban Dictionary - Text injection on Auth problem at
U.S. Dept Of Defense - SQL injection vulnerability on a DoD website
U.S. Dept Of Defense - Reflected XSS on a DoD website
Pornhub $5,000 Unsecured DB instance
U.S. Dept Of Defense - QuickTime Promotion on a DoD website
U.S. Dept Of Defense - SQL injection vulnerability on a DoD website
Legal Robot - S3 ACL misconfiguration
Starbucks $500 Persistent XSS in
U.S. Dept Of Defense - Time Based SQL Injection vulnerability on a DoD website
U.S. Dept Of Defense - XXE on DoD web server
HackerOne $10,000 Information Disclosure in /skills call
Robinhood - httponly flag not set + csrftoken in url
U.S. Dept Of Defense - Reflected XSS in a Navy website
Pornhub $750 Unsecured Kibana/Elasticsearch instance
shopify-scripts $10,000 Buffer overflow in mrb_time_asctime
shopify-scripts $8,000 Segmentation fault due to bad memory access in kh_get_mt
U.S. Dept Of Defense - Remote code execution on an Army website
OLX - Multiple vulnerabilities in
Shopify - Redirect in adding advance cash on delivery app
Nextcloud - BruteForce in to Admin Account
Nextcloud - Login Hints on Admin Panel
Starbucks $150 Dom Based Xss DIV.innerHTML parameters store.starbucks*
U.S. Dept Of Defense - Personal information disclosure on a DoD website
Nextcloud - Wordpress Version Disclosure Bug On Nextcloud
U.S. Dept Of Defense - Violation of secure design principles on a DoD website
Brave Software - Command Execution because of extension handling
LocalTapiola - /icons/README available on
U.S. Dept Of Defense - Open redirect vulnerability in a DoD website
U.S. Dept Of Defense - XSS vulnerability on an Army website
U.S. Dept Of Defense - Reflected XSS vulnerability on a DoD website
U.S. Dept Of Defense - Persistent XSS vulnerability on a DoD website
Twitter $280 Vine - overwrite account associated with email via android application
U.S. Dept Of Defense - Authentication bypass vulnerability on a DoD website
Mail.Ru - [] /.svn/entries
shopify-scripts - Null pointer dereference due to bug in codegen with negation of floats
shopify-scripts $10,000 Null pointer derefence due to bug in codegen with negation without using value
Nextcloud - Files Drop: WebDAV endpoint is leaking existence of resources
Trello - SVG Uploads / Attachments can be viewed by anyone that knows the URL
Slack $500 Store XSS
ownCloud - Stored xss
shopify-scripts $10,000 Invalid handling of zero-length heredoc identifiers leads to infinite loop in the sandbox
U.S. Dept Of Defense - Arbitrary Script Injection (Mail) in a DoD Website
Dovecot - Web Browser XSS Protection Not Enabled
PortSwigger Web Security - JSBeautifier BApp: Race condition leads to memory disclosure
Pushwoosh - Publicy accessible IDRAC instance at
U.S. Dept Of Defense - Open Redirect in a DoD website
PortSwigger Web Security - Order-phishing via Payment ID URL
Starbucks $2,000 Subdomain takeover on due to non-used AWS S3 DNS record
shopify-scripts $10,000 Crash: Overwriting NoMethodError with a builtin class crashes/corrupts memory
Pornhub $150 Stored XSS on the
OWOX, Inc. - Access to Grafana Dashboard
Starbucks $100 Stored XSS in Adress Book (
U.S. Dept Of Defense - Information disclosure vulnerability on a DoD website
Shopify $500 Stored XSS at 'Buy Button' page
U.S. Dept Of Defense - Cross-Site Scripting (XSS) on a DoD website
OWOX, Inc. - Subdomain Takeover on OWOX.RU
Phabricator $300 Fetching binaries (for software installation) over HTTP without verification (RCE as ROOT by MITM)
U.S. Dept Of Defense - Arbitary file download vulnerability on a DoD website
U.S. Dept Of Defense - Information disclosure on a DoD website
U.S. Dept Of Defense - DNS Misconfiguration
U.S. Dept Of Defense - Cross-site scripting (XSS) vulnerability on a DoD website
U.S. Dept Of Defense - Information disclosure vulnerability in a DoD website
U.S. Dept Of Defense - Information disclosure vulnerability on a DoD website
Pornhub $1,500 IDOR - disclosure of private videos - /api_android_v3/getUserVideos
HackerOne $12,500 Internal attachments can be exported via "Export as .zip" feature
GitLab - State filter in IssuableFinder allows attacker to delete all issues and merge requests CVE-2016-9469
U.S. Dept Of Defense - Information leakage on a Department of Defense website
U.S. Dept Of Defense - SQL Injection vulnerability on a DoD website
shopify-scripts $1,000 Crash: A call to leads to a crash when inspecting the resulting object
Ian Dunn $25 constant cache_page_secret in regolith
Ian Dunn $50 unchecked unserialize usages in audit-trail-extension/audit-trail-extension.php
Ian Dunn $25 unchecked unserialize usage in WordPress-Functionality-Plugin-Skeleton/functionality-plugin-skeleton.php
shopify-scripts $1,000 Invalid memory write caused by incorrect upper bound in array_copy
Twitter $560 Twitter for android is exposing user's location to any installed android app
Gratipay - Secure Pages Include Mixed Content
Gratipay $1 Incomplete or No Cache-control and Pragma HTTP Header Set
Shopify $500 XSS in in widget
shopify-scripts $8,000 Crash: mrb_any_to_s can't handle NilClass, Symbol and Fixnum
shopify-scripts $10,000 Crash: Initialize Decimal with itself triggers an assertion
shopify-scripts - Null pointer dereference in mrb_str_concat
shopify-scripts $1,000 Null pointer dereference regression in parse.y
shopify-scripts $18,000 Type confusion in wrap_decimal leading to memory corruption
shopify-scripts $20,000 Type confusion in mrb_exc_set leading to memory corruption
U.S. Dept Of Defense - Insecure direct object reference vulnerability on a DoD website
U.S. Dept Of Defense - Stored cross site scripting (XSS) vulnerability on a DoD website
OWOX, Inc. - Subdomain Takeover on
OWOX, Inc. - invalid URL parsing with and '@'
shopify-scripts $8,000 Crash: calling Proc::initialize_copy with a Proc instance where initialize never ran leads to a crash
U.S. Dept Of Defense - XSS on a DoD website
U.S. Dept Of Defense - Reflected XSS on a DoD website
shopify-scripts $1,000 Read after free in mrb_vm_exec with OP_ARYCAT reading R(B)
shopify-scripts $8,000 Denial of service due to invalid memory access in mrb_ary_concat
Slack $1,000 Eavesdropping on private Slack calls
shopify-scripts $8,000 mruby-time: Crash host with uninitialized Time obj
U.S. Dept Of Defense - Unrestricted File Upload
U.S. Dept Of Defense - Cross-site scripting vulnerability on a DoD website
U.S. Dept Of Defense - Information disclosure vulnerability on a DoD website
U.S. Dept Of Defense - Cross-site scripting (XSS) vulnerability on a DoD website
LocalTapiola $50 Disclosure of IBM Websphere page
U.S. Dept Of Defense - Reflected XSS on a Department of Defense website
U.S. Dept Of Defense - RCE on a Department of Defense website
U.S. Dept Of Defense - Reflected XSS on a DoD website
U.S. Dept Of Defense - Reflected XSS on an Army website
U.S. Dept Of Defense - Reflected XSS vulnerability on a DoD website
U.S. Dept Of Defense - Information disclosure on a DoD website
Pushwoosh - Read Application Name , Subscribers Count
U.S. Dept Of Defense - Reflected cross-site scripting vulnerability on a DoD website
U.S. Dept Of Defense - Local File Inclusion vulnerability on an Army system allows downloading local files
U.S. Dept Of Defense - Stored cross-site scripting (XSS) on a DoD website
U.S. Dept Of Defense - Unrestricted File Download / Path Traversal
U.S. Dept Of Defense - Reflected XSS on a Navy website
U.S. Dept Of Defense - Reflected XSS on a DoD website
U.S. Dept Of Defense - Reflected XSS on a Department of Defense website
U.S. Dept Of Defense - Reflective XSS vulnerability on a DoD website
U.S. Dept Of Defense - Reflected XSS on a DoD website
U.S. Dept Of Defense - Reflected XSS vulnerability on a DoD website
LocalTapiola $450 XSS and open redirect in
shopify-scripts - Invalid memory access while freeing memory, caused by invalid type passed to mrb_ary_unshift
shopify-scripts - Null pointer dereference in ary_concat
Pornhub $520 Race Condition Vulnerability On
WordPress $350 [Buddypress] Arbitrary File Deletion through bp_avatar_set
LocalTapiola $100 SMTP configuration vulnerability
shopify-scripts $8,000 Segmentation fault when a Ruby method is invoked by a C method via Object#send
shopify-scripts $8,000 Null target_class DoS
shopify-scripts $10,000 Segfault and/or potential unwanted (byte)code execution with "break" and "||=" inside a loop $500 Возможность провести DoS атаку от имени сервера
OWOX, Inc. - Direct IP Access
Pushwoosh - Nginx version disclosure via response header
shopify-scripts $8,000 SIGSEGV on mruby's mark_tbl() (Invalid memory access)
shopify-scripts $8,000 SIGSEGV on mruby mrb_str_modify() (Invalid memory access)
OWOX, Inc. - ClickJacking
Boozt Fashion AB $200 Email link poisoning / Host header attack
Pushwoosh - Administrator Access To Management Console
OWOX, Inc. - Subdomain Takeover on
Brave Software - links the user may download can be a malicious files
Pushwoosh - Bypass the resend limit in Send Invites
GitLab - CSRF Token Bypass in Account Deletion
shopify-scripts $10,000 Broken handling of maximum number of method call arguments leads to segfault
Badoo $140 Email Spoofing
HackerOne $10,000 Partial disclosure of report activity through new "Export as .zip" feature
shopify-scripts $10,000 Null pointer dereference due to TOCTTOU bug in mrb_time_initialize
Pushwoosh - Password Forgot/Password Reset Request Bug
LocalTapiola $60 Option method enabled (
Pushwoosh - Unsecured Grafana instance
Python (IBB) $500 Type confusion in FutureIter_throw() which may potentially lead to an arbitrary code execution
PortSwigger Web Security $350 XSS in IE11 on via Flash
Pornhub $200 Reflected cross-site scripting (XSS) vulnerability in allows attackers to inject arbitrary web script or HTML.
Udemy $300 Completed Compromise & Source Code Disclosure via Exposed Jenkins Dashboard at
Pushwoosh - Spam Some one using (user.saveInvite) system
Pushwoosh - Nginx server version disclosure
Pushwoosh - Reflected Xss on
shopify-scripts $8,000 SIGSEV on mrb_ary_splice
Pushwoosh - htaccess file is accesible
Pushwoosh - Spoof Email with Hyperlink Injection via Invites functionality
Imgur $250 Stored xss in ALBUM DESCRIPTION
Mail.Ru - [] CRLF Injection / Open Redirect
shopify-scripts $10,000 Range constructor type confusion DoS
shopify-scripts $20,000 TOCTTOU bug in mrb_str_setbyte leading the memory corruption
shopify-scripts $18,000 Struct type confusion RCE
shopify-scripts $10,000 SIGSEGV when invalid argument on remove_method
shopify-scripts $20,000 DoS: type confusion in mrb_no_method_error
Udemy $200 Jenkins
LocalTapiola $150 Multiple Reflected XSS /webApp/lahti (
shopify-scripts $10,000 Segfault in mruby, mruby_engine and the parent MRI Ruby due to null pointer dereference
LocalTapiola $350 SQL Injection /webApp/sijoitustalous_peruutus locId parameter ( $1,500 Stored XSS в личных сообщениях
Informatica - [] Persistent XSS through document title
LocalTapiola $264 HTML Injection in email /webApp/lahti (
LocalTapiola $350 SQL Injection /webApp/oma_conf ctx parameter (
LocalTapiola $60 Poodle attack SSLv3 Support (
Twitter $1,120 [IDOR][] Opportunity to change any comment at the forum
shopify-scripts $8,000 Undefined method_missing null pointer dereference
shopify-scripts $10,000 Range#initialize_copy null pointer dereference
shopify-scripts $10,000 NULL pointer dereference when parsing ternary operators
Ubiquiti Networks $500 Subdomain Takeover (
LocalTapiola $100 Error Page Content Spoofing or Text Injection (
shopify-scripts $20,000 Use after free vulnerability in mruby Array#to_h causing DOS possible RCE
shopify-scripts $2,000 Memory disclosure in mruby String#lines method
Paragon Initiative Enterprises - Not using Binary::safe* functions for substr/strlen function
shopify-scripts $8,000 Denial of Service in mruby due to null pointer dereference
Paragon Initiative Enterprises - Missing rel=noopener noreferrer in target=_blank links (Phishing attack)
Paragon Initiative Enterprises - Using plain git protocol (vulnerable to MITM)
Paragon Initiative Enterprises - Missing GIT tag/commit verification in Docker
Paragon Initiative Enterprises - Incorrect detection of onion URLs
Coinbase $100 Window.opener bug at
Brave Software - Remote Stack Overflow Vulnerability (DoS)
shopify-scripts $10,000 Exception cause SIGABRT
Legal Robot $40 Password reset access control
shopify-scripts $8,000 ruby DoS
Legal Robot $40 Missing restriction on string size in profile fields
Yelp $300 X.509 certificate validation fails on international vanity domains $300 SSRF (open) - via GET request
Boozt Fashion AB - Cookie Misconfiguration
Paragon Initiative Enterprises - Subdomain Takeover
Zomato - takeover a lot of accounts
Trello $2,048 Stealing power up private tokens (trello, twitter, github...)
Zopim $100 Android SDK - CREATE_REQUEST broascast is unprotected
Open-Xchange $500 Reflected Cross-Site Scripting due to vulnerable Flash component (Flashmediaelement.swf)
Paragon Initiative Enterprises - BAD Code !
Open-Xchange $100 Selecting encryption for email with drive attachment overrides the drive email password
Paragon Initiative Enterprises - DMARC Not found for URGENT
General Motors - Flash XSS on Buick_RotatingMasthead_JellyBeanSlider.swf
LocalTapiola $100 Suspicious browser fingerprinting(?) scripts on redirector
LocalTapiola $1,560 SQL Injection on /webApp/omatalousuk (
Blockchain - username enumeration
Blockchain $100 Information disclosure at
Open-Xchange $666 Tab nabbing via window.opener
Open-Xchange $300 Stored XSS in Template Documents
Blockchain $400 Reflected XSS on $1,000 Новый 2FA Bypass
LocalTapiola $400 Open Redirect (
Brave Software - Denial of service(POP UP Recursion) on Brave browser
Blockchain $50 server version dislosure
Ubiquiti Networks $500 Stored XSS in
Brave Software - Information disclosure of website
Imgur $5,000 Unauthenticated Docker registry
Nextcloud $50 Content Spoofing in "files" app CVE-2017-0888
Paragon Initiative Enterprises - [Airship CMS] Local File Inclusion - RST Parser
Legal Robot - The websocket traffic is not secure enough
Yelp $500 CSRF on signup endpoint (
Badoo $280 Leave inaccessible messaging system with a message (
Informatica - [] Sql injection
Revive Adserver - Reflected XSS on Zones > Invocation Code
Badoo $260 Arbitrary modification value "session" (Cookie) in
New Relic - Potential sub-domain hijacking
Instacart $100 Access private list metadata
Uber $1,000 ability to retrieve a user's phone-number/email for a given inviteCode
RubyGems - Possible Subdomain Takeover at pointing to Fastly
OLX - CSRF in delete advertisement on
InVision $300 CORS Man-in-the-Middle account compromise
HackerOne - Limited Open redirection using SSO-SAML
Shopify $1,500 Misconfiguration in Two Factor Authorisation
Informatica - [] Reflected Cross Site Scripting and Open Redirect
Mail.Ru - [] XSS Request-URI
Mail.Ru - [] Cross-Site Request Forgery (Add-Item)
Twitter $280 SSRF in
GitLab - Read files on application server, leads to RCE CVE-2016-9086
Informatica - [] Sql injection Oracle
QIWI $300 Раскрытие баланса на //
Harvest $250 Stored XSS in Restoring Archived Tasks
Nextcloud - xss on due to outdated version
Starbucks $375 CSRF exploit | Adding/Editing comment of wishlist items ( - Wishlist-Comments)
Starbucks $150 CSRF vulnerability in saving payment card on (COBilling -AddCreditCard)
Badoo $140 Unvalidated redirect on
OLX - Reflective XSS at
LocalTapiola $588 Lahitapiola´s customer names send to 3rd party
Starbucks $375 Reflected XSS by exploiting CSRF vulnerability on wishlist comment module. (wishlist-comments)
New Relic - Open Redirect
HackerOne - Information disclosure via policy update notifications after removal from program
Starbucks $250 CSRF: add item to victim's cart automatically ( - updatecart)
Nextcloud - Content spoofing due to the improper behavior of the 403 page in Private Server
OLX - Reflective XSS at
LocalTapiola $750 Email Server Compromised at
Brave Software - invalid homepage URL causes 'uncaught typeerror' or blank state
Mindoktor $2,000 XSS at endpoint in flash cookie
Mindoktor $300 Storing sensitive information on cookie post-registration
Coinbase $200 Authentication Issue
Brave Software $50 [ios] Address bar spoofing in Brave for iOS
Harvest $100 Editing a project (LIMITED)
Twitter $2,520 Cross-site scripting (reflected)
Ian Dunn - No CAPTCHA ia exist in pages
itBit Exchange $1,000 Round error issue -> produce money for free
Brave Software - DOS in browser using window.print() function
Brave Software $100 Denial of service attack(window object) on brave browser
Brave Software - [iOS] URI Obfuscation in iOS application
Shopify $500 race condition in adding team members
Revive Adserver - Weak Forgot Password implementation
Brave Software - JavaScript URL Issues in the latest version of Brave Browser
Brave Software - Javascript confirm() crashes Brave on PC
Brave Software $50 Denial of service attack on Brave Browser.
Coinbase $100 Information disclosure of user by email using buy widget
Brave Software $100 Access to local file system using javascript
Brave Software $200 [iOS/Android] Address Bar Spoofing Vulnerability
OLX - Reflected XSS in
Brave Software $100 Address Bar Spoofing - Already resolved - Retroactive report
OpenSSL (IBB) - Remote client memory corruption in ssl_add_clienthello_tlsext()
OLX - Directory Listing of all the resource files of
Brave Software - Status Bar Obfuscation
Brave Software $150 URI Obfuscation
Shopify $2,000 Able to Login deactivated staff account in shopify app mobile
Twitter $140 Full Path Disclosure at
OLX - Reflected XSS at
Trello $256 Can run arbitrary script on
Brave Software $50 [website] Script injection in newsletter signup
Brave Software - Subdomain Takeover of
Brave Software - Brave: Admin Panel Access
Brave Software $50 2 Directory Listing on &
PHP (IBB) $500 memcpy negative parameter _bc_new_num_ex
PHP (IBB) $500 memcpy negative size parameter in php_resolve_path
PHP (IBB) $500 Write out-of-bounds at number_format
Brave Software $100 Homograph attack
OpenSSL (IBB) - Double-free in X509 parsing
Shopify $500 [] Invalidated redirection
DigitalSellz - Public profile is vulnerable to stored XSS / Facebook Token can be stolen
Python (IBB) $1,000 chain.__setstate__ Type Confusion
Nextcloud - URI scheme bypass in mail app lead to HTML content spoof and opener control
Uber $1,000 Subdomain takeover on due to non-existent distribution on Cloudfront
Slack $700 Information Disclosure on
WePay $200 Enumeration of registered email addresses using bruteforce search on userIds
GitLab - Mailgun misconfiguration leads to email snooping and postmaster@-access on
Veris - Reflected Cross site scripting
Nextcloud - Dav sharing permissions issue
Sucuri $500 Administrator Access to grafana instance with default credentials
Yelp $500 Requesting Show CheckIn Alert for Non Friend User
Harvest $150 Linking Invoice to uninvited project.
Trello $128 XSS on
Twitter $1,260 View liked twits of private account via
Badoo $140 No rate-limit in SERVER_SECURITY_CHECK
BrickFTP $250 Existence of Folder path by guessing the path through response
Nextcloud $250 Filename enumeration && DoS
Twitter $560 Circumventing the Twitter account lockout process [ACCOUNT TAKEOVER]
Harvest $300 Cookie Injection at ''
HackerOne - Possible CSRF during external programs
HackerOne - Researcher gets email updates on a private program after he/she quits that program.
Trello $128 Full Sub Domain Takeover at
Zopim $150 Full Sub Domain Takeover at
Slack $500 CSRF in github integration
Gratipay - CSRF csrftoken in cookies
PHP (IBB) $1,000 Buffer overflow in HTTP parse_hostinfo(), parse_userinfo() and parse_scheme() $100 web.xml configuration file disclosure
Instacart $150 Full access to any list
Boozt Fashion AB $400 Git available containing passwords.
Nextcloud - Bad content-type in response header when getting document can lead to html injection
Romit $513 [CRITICAL]-Taking over entire subdomain of
Nextcloud - Bypassing quota limit CVE-2017-0887
Uber $10,000 password reset token leaking allowed for ATO of an Uber account
Revive Adserver - Stored XSS on Admin Access Page - Email field
Algolia - Possilbe Sub Domain takever at
WebSummit - Full Sub Domain Takeover at
RubyGems - Login credentials transmitted in cleartext on
RubyGems - Password Reset emails missing TLS leads account takeover
Legal Robot $40 Bypass 8 chars password complexity with 6 chars only due to insecure password reset functionaliy
HackerOne - Obtain the username & the uid of the one doing the S3 sync on Hackerone
Snapchat $250 Bypassing "You've requested your data the maximum number of times today." + "Please Verify an email address with snapchat to continue"
Rockstar Games $500 DOM based reflected XSS in through cross domain ajax request
Shopify $500 password less login token expiration issue
General Motors - Flash XSS on homepage fliptilescroller
General Motors - Flash XSS on global nav
Starbucks $750 out of date disqus shortname usage in the web app source code
WebSummit - WebSummit - Open Redirect
Shopify $500 Add signature to transactions without any permission
Udemy $50 Content Spoofing in udemy
Udemy - Udemy s3 storage can be used by an attacker personal website because of missing CSRF Token
WebSummit $40 Subdomain take over signup.websummit
itBit Exchange - Open Redirect in - False Positive
Udemy - Critical : Malware and XSS file can be uploaded and executed on udemy
Ian Dunn - All Plugins - Direct file access to plugin files Vulnerability
Ian Dunn - Google Authenticator0.6 - PHP Version Dosclosure
Ian Dunn - Google Authenticator - Cross Site Scripting
LocalTapiola $50 Reflected XSS in LTContactFormReceiver (/cs/Satellite)
Automattic $100 Follow Button XSS
Python (IBB) $1,500 LZMADecompressor.decompress Use After Free
PHP (IBB) $500 Heap overflow caused by type confusion vulnerability in merge_param()
Trello - Unvalidated/Open Redirect allowing attackers to implement phishing attack
Legal Robot $20 Information Disclosure on rate limit defense mechanism
Ubiquiti Networks $500 Authentication bypass on via subdomain takeover of
Trello - Subdomain Take over & username enemuration
Snapchat - Subdomain takeover of
OLX - Name, email, phone and more disclosure on user ID (API)
CodeIgniter - Link sanitation bypass in xss_clean()
InVision $150 CRITICAL Any █████ of any screen can be removed by anyone!
Nextcloud - Content spoofing in
OWOX, Inc. - HTTP Response Splitting(CRLF injection) in
HackerOne - (HackerOne SSO-SAML) Login CSRF, Open Redirect, and Self-XSS Possible Exploitation
Legal Robot $20 Near-duplicate accounts allowed with ignored email mutations
ownCloud - Accessable Htaccess
Algolia $100 No rate limit for Referral Program
Zendesk - Missing function level access controls allowing attacker to abuse file access controls. Multiple vulnerabilities
OLX - Full path disclosure vulnerability at
Maximum $75 Facebook and twitter page claimed of [important]
LocalTapiola $18,000 Oracle Webcenter Sites administrative and hi-privilege access available directly from the internet (/cs/Satellite)
Boozt Fashion AB - ADB Backup is enabled within AndroidManifest
Informatica - [] Stored XSS
HackerOne $500 Bypass rate limiting on /users/password (possibly site-wide rate limit bypass?)
RubyGems - Invalid username updating
DigitalSellz - Access to Amazon S3 bucket
New Relic - Stored Xss in
Revive Adserver - Reflected XSS in Step 2 of the Installation
Trello $128 SSRF in account webhook (through API)
Mail.Ru $300 Time-based sql-injection на
DigitalSellz - AWS Signature Disclosure in allows access to S3
Slack $400 Email information leakage for certain addresses
Shopify $500 Open redirect in bulk edit
Imgur $100 Stored XSS in albums on
Skyliner - DNSSEC misconfiguration
Nextcloud $750 Bypass permissions
OLX - Stored XSS in buy topup OLX Gold Credits
Zomato - CORS Misconfiguration on
Twitter $2,100 Twitter iOS fails to validate server certificate and sends oauth token
Coinbase $100 Information leakage on
IRCCloud $50 Exposed, outdated nginx server (v1.4.6) potentially vulnerable to heap-based buffer overflow & RCE
Snapchat $250 Incoming email hijacking on
Uber $500 Users can falsely declare their own Uber account info on the monthly billing application
Paragon Initiative Enterprises - Not clearing hex-decoded variable after usage in Authentication
Coinbase - coinbase Email leak while sending and requesting
Boozt Fashion AB - Http header injection
Instacart - User Information sent to client through websockets
SecNews - DOM based XSS in search functionality
New Relic - SSO Authentication Bypass
concrete5 - Content Spoofing possible in
Nextcloud - Unauthenticated Stored xss
Zomato - [CRITICAL] Complete source code disclosure via exposed Jenkins Dashboard
Shopify $500 Deleted Post and Administrative Function Access in eCommerce Forum
HackerOne - Ability to enumerate private programs using SAML
Boozt Fashion AB $80 Make victim buy in attacker's account without any idea -
Boozt Fashion AB - Broken Authentication and Session Management(Session Fixation)
Python $1,000 msilib.OpenDatabase Type Confusion
Boozt Fashion AB - Host header poisoning leads to account password reset links hijacking
Pornhub $750 Unsecured Grafana instance
Pornhub $750 Disclosure of private photos/albums -
Yelp $200 Bybass The Closing of the account and logged again to your account
Nextcloud - Android - Possible to intercept broadcasts about uploaded files
New Relic - Session Hijacking
Legal Robot - content spoofing
Eobot $12 No password length restriction
Boozt Fashion AB $120 XSS $1,050 Второй способ обхода 2FA
OLX - XSS and Open Redirect on
Shopify $500 XSS in SHOPIFY: Unsanitized Supplier Name can lead to XSS in Transfers Timeline
Legal Robot - Server version disclosure
Twitter $560 leaking Digits OAuth authorization to third party websites
Shopify $500 Unsanitized Location Name in POS Channel can lead to XSS in Orders Timeline
Boozt Fashion AB $80 Instance of Apache Vulnerable to Several Issues
Boozt Fashion AB $120 Potential Subdomain Takeover Possible
Boozt Fashion AB - Android app does not use SSL for login
Yelp $100 Self-XSS via location cookie city field when getting suggestions for a new location
WebSummit - Reflected xss on
Boozt Fashion AB $250 xss in Theme
Keybase $100 Denial of Service through set_preference.json
Ruby $200 Arbitrary heap overread in strscan on 32 bit Ruby, patch included
OpenSSL $500 SSLv2 doesn't block disabled ciphers (CVE-2015-3197)
OpenSSL $2,500 Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)
Nextcloud - Privilege escalation - Normal user can somehow make admin to delete shared folders
Yelp $500 Verification of E-Mail address possible on and
Legal Robot - CSRF Issue
Envoy - Abuse of API can Lead to DoS
Boozt Fashion AB $60 PHP info page disclosure on
Boozt Fashion AB - No csrf protection on logout
Boozt Fashion AB - User Enumeration.
Harvest $500 Invoices can be added to any retainers - even closs-platform
OLX - Bypassing Phone Verification For Posting AD On OLX
Slack $500 Rate-limit bypass
Mindoktor $500 Vulnerable Mobile Phone configuration
Nextcloud $500 Reflected XSS in Gallery App CVE-2016-9466
Legal Robot - clickjacking at
Harvest $250 XSS on expenses attachments
Shopify - Subdomain Takeover in pointing to Fastly
Open-Xchange $300 OX (Guard): Stored Cross-Site Scripting via Email Attachment
Mapbox - target="_blank" Vulnerability Resulting in Critical Phishing Vector
Instacart $50 Seemingly sensitive information at /api/v2/zones
Python $1,000 urllib HTTP header injection CVE-2016-5699
Shopify $500 Access to Splunk via endpoint
Shopify $500 Open redirect allows changing iframe content in *<id>/editor
LocalTapiola $400 Open redirection protection bypass (/cs/Satellite)
Algolia $100 Hyperlink Injection in Friend Invitation Emails
LocalTapiola $400 SQL Injection on `/cs/Satellite` path
Legal Robot $60 Validation bypass on user profile
Ian Dunn $50 CSV Injection in Camptix
Twitter $5,040 [] See someone else pics
LocalTapiola $100 Oracle WebCenter Sites Support Tools available and Information disclosure (/cs/Satellite)
LocalTapiola $50 Reflected XSS in (/cs/Satellite) using Oracle WebCenter -page
Harvest $150 CSRF bypass on Submit Time sheet for Approval
Nextcloud - Reflected Self-XSS Vulnerability in the Comment section of Files (Different-payloads)
Harvest $150 Project Manager can approve pending reports(Access control Issue)
Phabricator - link reset problem
Unikrn $400 Urgent: Server side template injection via Smarty template allows for RCE
QIWI $150 [] Information Disclosure
QIWI $150 [] UI Redressing via Request-URI
Legal Robot $20 Possible content spoofing due to missing error page
Mail.Ru - Reflected XSS @
Nextcloud $100 Reflected Self-XSS Vulnerability in the Comment section of Files Information
Gratipay - Username Restriction is not applied for reserved folders
Slack $2,500 Snooping into messages via email service
Gratipay - Username can be used to trick the victim on the name of
Legal Robot - Click Jacking
Legal Robot $20 unsecured assets $1,000 Обход 2ух-шаговой авторизации / 2FA Bypass
Nextcloud - Slow Http attack on nextcloud(DOS)
Gratipay - Lack of CSRF token validation at server side
Gratipay - Insecure Transportation Security Protocol Supported (TLS 1.0)
Instacart - [Critical] Subdomain Takeover
Legal Robot - UI Redressing ( ClickJacking ) Issue on Information submit form
Legal Robot - News Feed Detected
Dropbox - XSS in OAuth Redirect Url
Legal Robot - 2 vulns
Legal Robot $20 Legal | Application is Missing CSP(Content Security Policy) Header
Legal Robot - Clickjacking: X-Frame-Options header missing
Legal Robot - Amazon Bucket Accessible (
New Relic - Java RMI (Remote Code Execution)
Skyliner - Email Spoofing
Legal Robot - Email spoofing-fake mail from your mail domain server
Legal Robot $20 CORS (Cross-Origin Resource Sharing)
Legal Robot $20 Information Disclosure in AWS S3 Bucket
Legal Robot - Email spoofing possible via Legal Robot domain
Legal Robot $120 User Information leak allows user to bypass email verification.
Legal Robot $120 User Information sent to client through websockets
Nextcloud - Wordpress: Directory Traversal / Denial of Serivce
Nextcloud - Expired SSL certificate
Nextcloud - \OCA\DAV\CardDAV\ImageExportPlugin allows serving arbitrary data with user-defined or empty mimetype CVE-2016-9465
Instacart $100 WordPress Authentication Denial of Service
Dropbox $1,458 Subtile Code Injection Vulnerability in Dropbox for Windows
Khan Academy - OPEN URL REDIRECT through PNG files
New Relic - Cookie Misconfiguration
Paragon Initiative Enterprises - Email Spoofing With Your Website's Email
HackerOne - Users contents on AWS is cacheable
Skyliner - [ /] Open Redirect
Nextcloud - Information Disclosure of .htaccess file in Private Server/Subdomain
Uber $100 Stealing users password (Limited Scenario)
Slack $750 Code Injection in Slack's Windows Desktop Client leads to Privilege Escalation
Instacart $150 Fetch private list metadata and any user's personal name
Uber $5,000 Changing paymentProfileUuid when booking a trip allows free rides
Gratipay - x-xss protection header is not set in response header
OLX - XSS and HTML Injection
GitLab - Boards leak private label names and desciptions
Gratipay - Cross Site Scripting In Profile Statement
Shopify $500 Open Redirect possible in
Gratipay - Usernames ending in .json are not restricted
Certly - Non secure requests at not upgrading to https
Nextcloud - Password Reset Link issue
Gratipay - Reset Link Issue
Trello - Security code not getting invalidate on requesting New
Harvest $500 Possible to steal any protected files on Android
Airbnb - ████ discloses valid Airbnb SSO login names via Google Search Results
Gratipay - XSS Via Method injection
Ian Dunn - Potentially vulnerable version of Apache software in and default files on
Bime $150 Subdomain takeover at due to unclaimed Amazon S3 bucket
Mail.Ru - [] CSRF Bypassed - Changing anyone's 'User Info'
Nextcloud - Content Injection -
Instacart $50 READ .svg files by changing .svg into .png extension
Nextcloud - Content Injection -
Ian Dunn - bypass to csv injection
Harvest $150 Extracting private info of estimates.
Ian Dunn $100 Bypass fix in report.
Ian Dunn $50 Bypassing CSV injection using new line charcter
Coinbase $300 window.opener is leaking to external domains upon redirect on Safari
Ian Dunn - stored SELF xss on Basic Google Maps Placemarks Settings plugin
Instacart - API OAuth Public Key disclosure in mobile app
Instacart $150 Brute force login and bypass locked account restrictions via iOS app
Shopify $500 [] Open Redirect
Mail.Ru - [] XSS, SSI Injection
GitLab - XSS On meta tags in profile page
Ian Dunn - Send emails to all users using Camptix
HackerOne - Ability to monitor reports' submission in real time
Snapchat $400 [] Stored XSS via an incorrect avatar property value
Instacart $150 Issues with uploading list images
Shopify $500 Open CouchDB on
HackerOne $500 Information leakage of private program
Shopify $500 Open redirect using checkout_url
HackerOne $500 Requesting Mediation possible on reports that are too old for mediation
QIWI $950 [] Oauth захват аккаунта
LocalTapiola $3,000 Blind Stored XSS Against Lahitapiola Employees - Session and Information leakage
bitaccess - Missing Rate limiting for sensitive actions (like "forgot password") and reCaptcha error.
OLX - full path disclosure vulnerability at*
Slack $1,000 Stored XSS(Cross Site Scripting) In Slack App Name
Harvest $150 Unauthorized read access to Invoices by PM (Access control Issues)
Harvest $150 Unauthorized access to all the actions of invoices by PM (Access control Issues)
Harvest $100 PM can delete payment of any invoice in company (Access control Issue)
Harvest $100 Record payment for any invoice by PM (Access control Issue)
Harvest $100 PM can delete the company logo image (Vertical Privilege Escalation )
Starbucks $150 Improper Validation on Cancel Link Redirect
Khan Academy - The web app's forgot password page is vulnerable to text injection/content spoofing
OLX - Full Account Takeover
HackerOne $1,000 Hacker.One Subdomain Takeover
Harvest $250 PM with can Set up email for invoices and estimates (Access control Issue)
OLX - [Critical] Delete any account $75 Cross site scripting
Informatica - [] Expensive DOMXSS
Instacart $100 Hyperlink Injection in Friend Invitation Emails
Moneybird - Webhook allows sending payload using insecure HTTP protocol
Instacart - Reflected File Download on recipe list search
Ubiquiti Networks $150 [] DOM based XSS at form.html
Gratipay - Host Header poisoning on
Mapbox $750 Blind XSS in
Shopify $1,000 (BYPASS) Open redirect and XSS in
Uber - Attacker could setup reminder remotely using brute force
GitLab - Ability to access all user authentication tokens, leads to RCE
Certly - Business logic Failure - Browser cache management and logout vulnerability in Certly
Trello $1,024 File access using image tragick
HackerOne $500 Non-secure requests are not automatically upgraded to HTTPS
Instacart $250 shopper login_code's can be brute forced
Twitter $560 redirects to vulnerable
Shopify $500 Access to Splunk at
Trello - XSS and Open-Redirect via SVG
Instacart $100 Image Upload Path Disclosure
Instacart $150 Host Header Injection/Redirection in:
Instacart $50 Server side request forgery on image upload for lists
Instacart $75 Missing rel=noreferrer tag allows link in list to change url of currently open tab
Instacart $200 Race Condition in Redeeming Coupons
Instacart $100 Cross-Site Request Forgery (CSRF)
Veris - Internal server error 500 at
Instacart $150 Stored XSS
Instacart $50 CSRF To change Email Notification Settings
OLX - these are my old reports and still i have not receive any good replys, these all are Cross Site Scripting(XSS) issues: POC1:
Shopify $500 (FULL PATH DISCLOSURE) Unknown MySQL server host ''
OLX - XSS on Meta Tag at
HackerOne $500 Disclosure of external users invited to a specific report
Gratipay - Cookie:HttpOnly Flag not set
Gratipay - nginx version disclosure on
Gratipay - Host Header Injection/Redirection Attack
New Relic - All Active user sessions should be destroyed when user change his password!
Nextcloud - XSS on IOS app via HTML rendering
SecNews $300 Querying private posts and changing post meta
New Relic - CSRF vulnerability that allows an attacker to purge plugin metric data
New Relic - Login CSRF vulnerability
Veris - bug
Gratipay $1 Avoid "resend verification email" confusion
Ubiquiti Networks $500 IDOR Causing Deletion of any account
Uber $10,000 Reading Emails in Uber Subdomains
Algolia $400 Unauthorized team members can leak information and see all API calls through /1/admin/* endpoints, even after they have been removed.
Nextcloud - Directory listening enabled in:
Nextcloud - Content spoofing due to default Apache Error Page
Algolia $100 Stored XSS from Display Settings triggered on Save and viewing realtime search demo
Algolia $100 Stored xss
Algolia $100 Stored XSS triggered by json key during UI generation
Open-Xchange $1,000 OX (Guard): Stored Cross-Site Scripting via Incoming Email
Phabricator - Error page Text Injection.
Zomato - Visibility Robots.txt file
Uber - XSS At ""
Trello - Verification Code Reused For activating 2FA
Slack $500 CSRF - Add optional two factor mobile number
Coinbase - Create Multiple Account Using Similar X-CSRF token
Shopify $500 Staff member can delete Private Apps
Nextcloud - Arbitrary File Upload in Logo & Log in image Theming setting.
Uber - Content injection on 404 error page at
ownCloud $100 Arbitrary Code Injection in ownCloud’s Windows Client
Uber - User Enumeration and Information Disclosure
Algolia - [] XSS
arxius - No SPF/DKIM/DMARC Record for
Shopify $500 (BYPASS) Open Redirect after login at
Nextcloud - Content spoofing due to default Apache Error Page
OLX - Unauthorised access to user accounts.
Twitter $1,120 Stealing User emails by clickjacking
Gratipay $1 Content Spoofing/Text Injection
New Relic - Leaking license key in source code
Nextcloud $50 More content spoofing through dir param in the files app
Uber $3,000 Missing authorization checks leading to the exposure of administrator accounts
Nextcloud - Bookmarks: Delete all existing bookmarks of a user
Snapchat $3,000 Subdomain takeover on
Shopify $500 Delete/modify your own comment after limited access(IDOR)
Harvest $150 Opportunity to set arbitrary cookies
Moneybird $50 [Stored Cross-Site-Scripting] When search about Incoming ( Manual Jurnal )
Shopify $1,000 Unauthorized access to Zookeeper on
ownCloud - [] IE, Edge XSS via Request-URI
ownCloud - [] CRLF Injection
New Relic - Cache purge requests are not authenticated
ownCloud - [] CRLF Injection
Uber $500 Blind OOB XXE At ""
Nextcloud $100 IDOR - Disable sharing CVE-2016-9464
Nextcloud - xss for admin of
Twitter $1,120 csp bypass + xss
Shopify - Redirect url after login is not validated
New Relic - [] Scanning local network via notification channel
Ian Dunn - [Not just a server configuration issue] Full Path Disclosure
Rockstar Games $500 Reflected XSS via #tags= while using a callback in newswire
Ian Dunn - CSRF in changing settings of Basic Google Maps Placemarks
Nextcloud - [Nextcloud 9.0.53] Content Spoofing in 'trustDomain' parameter
Mail.Ru - [] system accounts enumeration
Uber - Can add employee in without add payment method
Uber - Text Only Content Spoofing on Community Page
Starbucks - Java Deserialization RCE via JBoss JMXInvokerServlet/EJBInvokerServlet on
Ian Dunn $50 Multiple XSS in Camptix Event Ticketing Plugin
New Relic - Session Management Flaw
Harvest $500 Project Disclosure of all Harvest Instances
Nextcloud - Content spoofing in
Gratipay - [] Cross Site Tracing
Harvest $1,000 Leak of all project names and all user names , even across applications
Harvest $350 Users enumeration is possible through cycling through recurring[client_id] argument value.
Harvest $350 Stored XSS on invoice, executing on any subdomain
Harvest $250 CSRF token fixation in Sign in with Google
Harvest $1,000 S3 bucket takeover due to
Harvest $100 Cross-Site Request Forgery (CSRF)
Nextcloud - Information disclosure
Gratipay - Username .. (double dot) should be restricted or handled carefully
Dashlane $100 Missing Access Control(IDOR) To Know LinkedAccounts
New Relic - XSS in a site
PHP $500 NULL Pointer Dereference in exif_process_user_comment
PHP $1,000 Out of bound read in exif_process_IFD_in_MAKERNOTE
Coursera - Broken authentication and session management flaw
OLX - Stored XSS on contact name
Uber $5,000 Stored XSS on via admin account compromise
concrete5 - CSRF Full Account Takeover
Rockstar Games $750 CSRF in 'set.php' via age causes stored XSS on 'get.php' -'
Algolia $100 No Rate Limit In Inviting Similar Contact Multiple Times
Nextcloud - The application uses basic authentication.
Gratipay - User Supplied links on profile page is not validated and redirected via gratipay.
Gratipay - The contribution save option seem to be vulnerable to CSRF
GoCD - X-Content-Type-Options header missing at Auth Login
GoCD - Directory Listening
OLX - XSS on Home page via auto save search text
Ian Dunn - User enumeration in wp-admin
Ian Dunn $375 CSV Injection at Camptix Event Ticketing
ownCloud $50 ownCloud DLL Hijacking Vulnerability
Uber $2,000 [IODR] Get business trip via organization id
Uber $3,000 Get organization info base on uuid
Slack $500 Creating Post on a restricted channel
OLX - xss
Gratipay - don't leak Server version for
Gratipay - don't allow directory browsing on
OLX - Reflected XSS at
Paragon Initiative Enterprises - Content-type sniffing leads to stored XSS in CMS Airship on Internet Explorer
Gratipay - This is a test report
OLX - Manipulating Job Vacancy alert subscription emails (HTML Injection / Script Injection)
Automattic $300 [bbPress] Stored XSS in any forum post.
Dropbox $729 SSRF allows access to internal services like Ganglia
Shopify $1,500 Stealing livechat token and using it to chat as the user - user information disclosure
QIWI $200 Xss on billing
OLX - cross-site scripting in get request
Gratipay - prevent null bytes in email field
OLX - Reflected Cross Site scripting Attack (XSS)
OLX - XSS @ *
OLX - Arbitrary File Reading
OLX - Reflected XSS in
OLX - stored XSS in - ogloszenie TITLE element - moderator acc can be hacked
OLX - SQLi in Payment Request
OLX - Updating and Deleting any Ads on OLX Philippines
OLX - CSRF in account configuration leads to complete account compromise
OLX - XSS @ *
Uber $1,000 is vulnerable to 'SOME' XSS attack via plupload.flash.swf
Shopify $500 takeover
Twitter $420 Html Injection and Possible XSS in
Uber $4,000 SQL Injection on
IRCCloud $500 Cross Site Scripting(XSS) on IRCCloud Badges Page (using Parameter Pollution)
Ian Dunn - Brute force on wp-login
Ian Dunn - SSL certificate public key less than 2048 bit
Paragon Initiative Enterprises - Full Path Disclosure by removing CSRF token
Bime $1,000 Attacker can access graphic representation of every query
Bime $1,000 Urgent: attacker can access every data source on Bime
Nextcloud $50 Content (Text) Injection at NextCloud Server 9.0.52 - via http://custom_nextcloud_url/remote.php/dav/files/ CVE-2016-9468
Gratipay - don't leak Server version for
Uber $2,250 Subdomain takeover of, and
GitLab - Insecure 2FA/authentication implementation creates a brute force vulnerability
WordPress $1,337 CSRF to add admin [wordpress]
Legal Robot $40 AWS S3 website can't serve security headers, may allow clickjacking
Whisper $100 Stored XSS in
Uber - Server version disclosure
Paragon Initiative Enterprises - Site support SNI But Browser can't
HackerOne - Reward Money Leakage
Paragon Initiative Enterprises - ssl info shown
CodeIgniter - Web Server Disclosure
Ubiquiti Networks $185 Reflected Xss in AirMax [Nanostation Loco M2]
ExpressionEngine - Arbitrary SQL query execution and reflected XSS in the "SQL Query Form"
ExpressionEngine - Filename and directory enumeration
ExpressionEngine - Full path + some back-end code disclosure
Algolia $100 Stored xss
Paragon Initiative Enterprises - [URGENT] Password reset emails are sent in clear-text (without encryption)
Paragon Initiative Enterprises - Issue with password reset functionality [Minor]
Slack $500 a stored xss issue in
Maximum $20 Application error message
Coinbase - Content Injection error page
Paragon Initiative Enterprises - Session Management Issue CMS Airship
Paragon Initiative Enterprises - User enumeration via Password reset page [Minor]
Paragon Initiative Enterprises - Airship doesn't reject weak passwords
Nextcloud - [Thirdparty] Stored XSS in chat module - nextcloud server 9.0.51 installed in ubuntu 14.0.4 LTS
Paragon Initiative Enterprises - Full path disclosure when CSRF validation failed
Phabricator $600 HTML in Diffusion not escaped in certain circumstances
Paragon Initiative Enterprises $50 Stored XSS using SVG
Slack $500 "a stored xss issue in share post menu"
Maximum $20 Microsoft IIS tilde directory enumeration
Legal Robot $100 Subdomain takeover at due to non-used domain in
Paragon Initiative Enterprises - Nginx Version Disclosure On Forbidden Page
Pornhub $1,500 [idor] Unauthorized Read access to all the private posts(Including Photos,Videos,Gifs)
Paragon Initiative Enterprises - Email spoofing in
Paragon Initiative Enterprises $25 Stored XSS in comments
Paragon Initiative Enterprises $50 Stored Cross-Site-Scripting in CMS Airship's authors profiles
Dropbox - XSS, Unvalidated redirects & phishing website hosting on dropbox servers
Keybase $350 Register multiple users using one invitation (race condition)
Coinbase - No authorization required in iOS device web-application
Coinbase - No authorization required in Windows phone web-application
HackerOne - Possible CSRF during joining report as participant $100 Паблики: Модератор паблика может удалять добавленные редакторами материалы с таймером на публикацию.
Instacart - CSRF with redeem coupon request
concrete5 - Full Page Caching Stored XSS Vulnerability
Uber $1,000 Wordpress Vulnerabilities in and domains
Mail.Ru - Cross Site Request Forgery (CSRF)
ownCloud - SMB User Authentication Bypass and Persistence CVE-2016-9463
Trello - Sending Unlimited Mails To Anybody With Easy Social Share Buttons Plugin
Slack $1,500 Source code leakage through GIT web access at host ''
HackerOne $500 Know undisclosed Bounty Amount when Bounty Statistics are enabled.
Veris - Email spoofing in
Badoo $140 Change contents of the careers iframe in
Mail.Ru - Back Refresh Attack after registration and successful logout
Moneybird $25 Logging out any user
leetfiles - [] MSIE, Edge XSS via Request-URI
Coinbase $100 Application error message
concrete5 - Local File Inclusion path bypass
Slack $100 Generate new Test token
FantasyTote - Session doesn't expired after login
Slack $100 User can start call in a channel of an unpaid account
The Internet $500 ntpd: read_mru_list() does inadequate incoming packet checks CVE-2016-7434
FantasyTote - Weak HSTS age
FantasyTote - Betting more than max amount
FantasyTote - Urgent Fix Balance Limit bypass
FantasyTote - Bypass logout
FantasyTote - Insecure password change mechanism may lead to full account takeover
Informatica - [] Reflected Cross Site Scripting to XSS Shell Possible
FantasyTote - Stored number of clicks in the Deposits button
FantasyTote - No email verification required when we change email from settings
Informatica - [] Tomcat Example Scripts Exposed Unauthenticated
Dropbox - Can make any number of dropbox accounts with one email
Zomato - Clickjacking login page of - DOM XSS в /activation.php?act=activate_mobile
Maximum $20 The POODLE attack (SSLv3 supported)
Maximum $20 RC4 cipher suites detected
New Relic - SSRF/XSPA
Uber - uses an invalid SSL certificate
HackerOne $500 Race Conditions in Popular reports feature.
Uber - Authentication Issue for easter egg on
Uber - Command Injection, Information
LocalTapiola $150 Mixed Active Scripting Issue on
Pornhub $500 RCE Possible Via Video Manager Export using @ character in Video Title
Informatica - [] Unauthenticated Apache Tomcat 8 Installation
Nextcloud - No Rate Limiting on login
Ruby - Ruby:HTTP Header injection in 'net/http'
Uber - Server version disclosure:
New Relic - Html injection in monitor name textbox
Nextcloud - Deny access to + folders
Nextcloud - Log pollution can lead to HTML Injection.
PHP $1,000 ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize
PHP $1,000 Use After Free Vulnerability in PHP's GC algorithm and unserialize
Trello - Report bug on jetpack plugin
Nextcloud - REG: Content provider information leakage
Instacart - Authentication Bypass in Updating Personal Information
Nextcloud - Email ID Disclosure.
Nextcloud - WordPress Vulnerabilities: User Enumeration, Vulnerable Akismet Plugin, XML-RPC Interface available
Nextcloud $100 Read-only share recipient can restore old versions of file
Nextcloud $250 Uploading files to a folder where invited user don't have any EDIT privilege
Nextcloud - Password reset link remains valid after email change
Uber - Error Message on 404 page
Nextcloud - Content Injection in subdomain
Nextcloud - Content injection in subdomain
Nextcloud - Content Spoofing/Text Injection -
Nextcloud - Content Injection 404 page
Nextcloud - Business/Functional logic bypass: Remove admins from admin group.
Nextcloud - help.nextcloud Email Address/Username enumeration
Nextcloud - Bypass firewall protection
Nextcloud - Bruteforcing
Nextcloud - Bruteforce attack is possible on
Zomato - CSS
Algolia $100 2-factor authentication bypass
Slack - Unauthenticated Access to some old file thumbnails
Nextcloud - No captcha on newsletter.nextcloudcom leaves vulnerable to email spammers
Nextcloud - Avatar image upload and bypass real image verification
Nextcloud - Directory listening and Information Disclosure
Nextcloud - Lost Password CSRF
Nextcloud - Directory Listing On & Practical Attacks on PGP (Pretty Good Privacy)
Nextcloud - Server side request forgery (SSRF) on nextcloud implementation.
Nextcloud - Vulnerable Javascript library
Nextcloud - Directory listening for 'wp-includes' forders
Nextcloud - failure to invalidate session on password change
Vimeo $600 Downloading password protected / restricted videos
Nextcloud $50 Nextcloud server software: Content Spoofing
Nextcloud - No rate limiting on password protected shared file link
Nextcloud - Mail Bombing ( No Rate Limiting On Sending Emails On Contact us Page)
Nextcloud $350 Share owner has no possibility to list all existing derived shares
Nextcloud - Session Management Issue
Nextcloud - Known DoS condition (null pointer deref) in Nginx running
Nextcloud - No permission set on Activities [Android App]
Nextcloud - Enumeration of subscribed users and unauthenticated email unsubscriptions on
Nextcloud - Response Header injection using redirect_uri together with PHP that utilizes Header Folding according to RFC1945 and Internet Explorer 11
Nextcloud - Content Injection
Nextcloud - Content Spoofing
Nextcloud $750 Stored XSS on Share-popup of a directory's Gallery-view
Nextcloud - Content Injection Custom 404 Error
Veris - Registeration Link "Jacking&Redirecting"
Paragon Initiative Enterprises - Session Management
Uber - Self-XSS in Partners Profile
Uber $7,000 xss in
Paragon Initiative Enterprises - Full path disclosure vulnerability on
Zomato - Stored Cross site scripting
Ubiquiti Networks $1,000 Subdomain takeover on due to non-used CloudFront DNS entry
Gratipay - set Expires header
Uber $1,500 Bulk UUID enumeration via invite codes
Ubiquiti Networks $150 [] CRLF Injection
Ian Dunn $50 Stored XSS from ticket messages in admin table in SupportFlow
Ian Dunn $50 Stored XSS in SupportFlow Ticket Subject
Uber - Bruteforce INVITE codes easy way
Uber - Email Address Enumeration
Python $1,000 CVE-2016-0772 - python: smtplib StartTLS stripping attack
Sucuri $250 [] CRLF Injection
Sucuri $250 SSRF in
Mail.Ru $150 [] Time-Based SQL Injection
Uber $750 Brute-Forcing invite codes in
bitaccess $200 EXTREMELY URGENT: Missing control of bitcoin amount when selling bitcoin allows a user to withdraw any amount of money, unrestricted.
New Relic - Open redirection bypass .
Ruby - Heap corruption in string.c tr_trans() due to undersized buffer
Ruby - Heap corruption in DateTime.strftime() on 32 bit for certain format strings
Ruby $500 StringIO strio_getline() can divulge arbitrary memory
WebSummit - Time Based SQL injection in url parameter
Uber - Newsroom.uber HTML form without CSRF protection
HackerOne $500 All information is not removed from published reports
SecNews - Text injection on error page.
SecNews - Content spoofing due to the improper behavior of the not-found message
Instacart $100 Authorization Bypass in Delivery Chat Logs
The Internet $7,500 Insufficient shell characters filtering leads to (potentially remote) code execution (CVE-2016-3714)
Slack $500 File upload over private IM channel
Uber $10,000 Change any Uber user's password through /rt/users/passwordless-signup - Account Takeover (critical)
Uber - Email Enumeration Vulnerability
Badoo $280 Получение оригинала скрытого изображения
Phabricator - Full path disclosure
Coinbase - Transaction Pending Via Ip Change
Shopify $3,000 Authentication Bypass on Icinga monitoring server
Shopify $1,500 Potentially Sensitive Information on GitHub
Informatica - [] XSS on
Veris - Unauthenticated CSRF(User can input any value for CSRF Token)
Zomato - XSS on
Uber - Password Reset Does Not Confirm the Existence of an Email Address
Mail.Ru $250 for Android Content Provider Vulnerability
Zomato - Unvalidated redirect on user profile website
Mapbox $500 XSS on because of open redirect at /core/oauth/auth
Mapbox $500 XSS on
Gratipay $40 upgrade Aspen on to pick up CR injection fix
Uber - Header Injection
drchrono $50 Information Disclosure
Python $500 Heap corruption via Python 2.7.11 IOBase readline()
Uber $750 xss vulnerability in
drchrono $50 Bug Report
Moneybird $50 [STORED XSS] in debtor reports of ,,invoices''
WePay $250 Invited users can modify and/or remove account owner
Shopify $500 Fetching external resources through svg images
LocalTapiola $100 DOM XSS bypassing in Regional Office -selector
Urban Dictionary - Infinite Upvoting/Downvoting: Lockout Bypass, Plus: Exposed API Documentation
Pornhub $10,000 [RCE] Unserialize to XXE - file disclosure on
Twitter $560 Information Disclosure through .DS_Store in ██████████
Pushwoosh - Cross-Site Scripting Stored On Rich Media
Mail.Ru $150 [] SQL Injection
OpenSSL $500 CVE-2016-2177 Undefined pointer arithmetic in SSL code
Pornhub $1,500 (Pornhub & Youporn & Brazzers ANDROID APP) : Upload Malicious APK / Overrite Existing APK / Android BackOffice Access
Zomato - Bypass OTP verification when placing Order
Trello - XSS in Jetpack plugin $1,500 XSS в upload.php
drchrono $50 User with no permissions can create, edit, delete favorite prescriptions /erx/
Slack $200 [Screenhero] Subdomain takeover
Ubiquiti Networks $125 Stored XSS in
General Motors - IE search XSS
Pornhub $20,000 [phpobject in cookie] Remote shell/command execution
Pornhub $1,000 Private Photo Disclosure - /user/stream_photo_attach?load=album&id= endpoint
drchrono $50 Bypassing Password Reset
drchrono - XSS in Blog
GlassWire $25 Bypass GlassWire's monitoring of Hosts file
New Relic - SSRF on permitting access to sensitive data
Bime - Bime Unable to load Data Sources
HackerOne $500 Able to remove the admin access of my program
drchrono $50 User with no permissions can access full wdcalendar feed
Pornhub - Reflected XSS by way of jQuery function
drchrono $50 Stored XSS via AngularJS Injection
Ubiquiti Networks $260 Open Redirect in [Controller Finder]
drchrono $50 [CRITICAL] CSRF leading to account take over
Uber - Uber is Flooding my Mobile with SMS Daily like a cron JOB
Mail.Ru $150 Code source discloure & ability to get database information "SQL injection" in []
New Relic - Blind SSRF on
Zendesk $100 XSS in
drchrono $100 Angular injection in the profile name of onpatient
Nginx - Module ngx_http_auth_basic_module is broken and allowing all password after specific length
drchrono $50 Template stored XSS
drchrono $50 - Information Disclosure and Windows Host Exposed
drchrono $50 Ngnix Server version disclosure
Starbucks $4,000 Parameter Manipulation allowed for editing the shipping address for other user’s subscriptions.
Pushwoosh - Stored XSS in Filters
Starbucks $6,000 Parameter Manipulation allowed for viewing of other user’s orders
drchrono $50 Bypass password complexity requirements on passsword reset page
drchrono $100 Security Issue : CSRF Token Design Flaw
Mail.Ru $150 [] SQL Injection
Mail.Ru - [] CRLF Injection
Uber - XSS in
Mail.Ru - Insecure cookies without httpOnly flag set
Coinbase - Cookie not secure
HackerOne - Denial of service in report view.
Mail.Ru $100 [] HTML injection в письмах от
Starbucks $375 Reflected XSS via utm_source parameter
Mail.Ru $160 [] /uploadphoto Insecure Direct Object References
Slack $500 Open Redirect on
Gratipay $10 configure a redirect URI for Facebook OAuth $50 CJ vulnerability in subdomain
Gratipay - don't store CSRF tokens in cookies
New Relic - Session takeover
New Relic - No CSRF validation on Account Monitors in Synthetics Block
Trello $128 XSS in Jetpack Plugin
Zomato - XSS onmouseover
New Relic - JIRA account misconfig causes internal info leak
Phabricator - No authentication required to add an email address.
LocalTapiola $100 Exploiting Secure Shell (SSH) on
Uber - DOM based XSS on
Phabricator $300 Passphrase credential lock bypass
Dovecot - Outdated Apache Server in is vulnerable to various attack.
Dovecot - Apache version disclosure
New Relic - Privilege Escalation In Moniter
Informatica - [] Unauthenticated emails and HTML injection in email messages
Ubiquiti Networks $2,750 Read-Only user can execute arbitraty shell commands on AirOS - Missing proper error message.
Automattic $500 WordPress core stored XSS via attachment file name
Badoo $280 Ability to collect users' ids that have visited a specific web page with malicious code
New Relic - Improper Session Management
Dropbox - Lack of account link warning enables dropbox hijacking
LocalTapiola $300 Persistent XSS at using spoofed React element and React v.0.13.3
Uber - Phone Number Enumeration
Uber $7,000 OneLogin authentication bypass on WordPress sites via XMLRPC
New Relic - Missing rate limit on password
Pornhub $750 [idor] Profile Admin can pin any other user's post on his stream wall
LocalTapiola $100 Remote Code Execution in NovaStor NovaBACKUP DataCenter backup software (Hiback)
Veris - Text injection can be used in phishing 404 page and should not include attacker text
Pornhub $1,000 SSRF & XSS (W3 Total Cache)
Gratipay - don't expose path of Python
Uber - Self-XSS on
Dovecot - DIrectory Listing Found
Mail.Ru - [] CRLF Injection
LocalTapiola $300 Abusing and Hacking the SMTP Server
Zomato - Instagram OAuth2 Implementation Leaks Access Token; Allows for Cross-Site Script Inclusion (XSSI)
Zomato - Reflected Cross-Site Scripting in
WP API $100 Missing access control exposing detailed information on all users
Pornhub $1,000 [IDOR] Deleting other users comment
Pornhub $150 Same-Origin Method Execution bug in plupload.flash.swf on /insights
OpenSSL $1,000 Bleichenbacher oracle in SSLv2 (CVE-2016-0704)
OpenSSL $2,500 Divide-and-conquer session key recovery in SSLv2 (CVE-2016-0703)
Pornhub $5,000 Weak user aunthentication on mobile application - I just broken userKey secret password
Pornhub $1,500 [stored xss,] stream post function
Pornhub $250 XSS Reflected incategories*p
Pornhub $250 XSS ReflectedGET /*embed_player*?
StopTheHacker - Wordpress flashmediaelement.swf XSS on
Mail.Ru $150 SQL Injection
Pornhub $1,500 [IDOR] post to anyone even if their stream is restricted to friends only
Veris - Reflected XSS in domain
Zomato - Reflected XSS on - Part 2
Zomato - Reflected XSS on - Part I
Pornhub $100 CSV Macro injection in Video Manager (CEMI)
Veris - Stored XSS on 'Badges' page
Square Open Source - Cache poisoning for okhttp
Pornhub - vulnerabilitie
Ruby - SMTP command injection
HackerOne - Inadequate access controls in "Vote" functionality???
Vimeo $600 All Vimeo Private videos disclosure via Authorization Bypass
LocalTapiola $100 Amazon Bucket Accessible (
New Relic - New Relic - Session Hijacking
Twitter - List of a ton of internal twitter servers available on GitHub
Sucuri $500 CRLF/HTTP header injection
Dovecot - nginx server vulnerable
Dropbox - Dropbox apps Server side request forgery
ThisData - Host Header Poisoning in
Uber - Clickjacking in
Veris - [Stored XSS] $500 Xss in
Veris - [XSS]
Mail.Ru - AXFR на работает
Vimeo - XSS in Subtitles of Vimeo Flash Player and Hubnut
Udemy - Csrf on creating course
OpenSSL $2,500 Padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
Ubiquiti Networks $1,000 Source code disclosure on
Uber $8,000 [CRITICAL] -- Complete Account Takeover
Gratipay $1 don't leak server version of in error pages
Moneybird $50 Reflected XSS in Backend search
Uber - Compromising Atlassian Confluence ( via WordPress (
Vimeo $750 CSRF on Vimeo via cross site flashing leading to info disclosure and private videos go public
GitLab - Persistent XSS on public wiki pages
Mapbox $400 Denial of service in account statistics endpoint
Uber $10,000 OneLogin authentication bypass on WordPress sites
Moneybird $100 Employees with Any Permissions Can Create App with Full Permissions and Perform any API Action
OpenSSL $500 EBCDIC overread (CVE-2016-2176)
OpenSSL $500 EVP_EncryptUpdate overflow (CVE-2016-2106)
OpenSSL $500 EVP_EncodeUpdate overflow (CVE-2016-2105)
Uber - Missing authentication on Notification setting .
Romit $50 Session Fixation
Moneybird $25 information disclose
Shopify $500 View all deleted comments and rating of any app .
Dropbox Acquisitions - Session hacking
Udemy - Showing Up Source Code
Dovecot - Cross-Site Scripting Vulnerability in
Uber $5,000 Multiple vulnerabilities in a WordPress plugin at
Paragon Initiative Enterprises - Email Authentication Bypass
LocalTapiola $400 Possibly big authorization problem in Lähitapiola´s varainhoito
Mapbox $1,000 Reflected cross-site scripting (XSS) on
LocalTapiola $100 HTTP status code manipluation & java stack trace
LocalTapiola $5,000 Blind Stored XSS Against Lahitapiola Employees - Session and Information leakage
PHP $1,500 Integer overflow in ZipArchive::getFrom*
HackerOne $2,500 RCE in profile picture upload
OpenSSL - Potential double free in EVP_DigestInit_ex
Paragon Initiative Enterprises - The Anti-CSRF Library fails to restrict token to a particular IP address when being behind a reverse-proxy/WAF
OpenSSL $500 ASN.1 BIO excessive memory allocation (CVE-2016-2109)
Mail.Ru $250 XSS с помощью специально сформированного файла.
Shopify $500 staff memeber can install apps even if have limitied access
Automattic $1,337 WordPress SOME bug in plupload.flash.swf leading to RCE
Automattic $1,337 WordPress Flash XSS in *flashmediaelement.swf*
Uber - Uber for Business Allows Administrators to Change Uber Driver Ratings Due to Failure to Authenticate `fast-rating` Endpoint
Zendesk $250 XSS In /zuora/ functionality
LocalTapiola - Source Code Disclosure on out of scope domain
LocalTapiola $100 Content Spoofing or Text Injection (404 error page injection)
Algolia $500 RCE on
GitLab - Private snippets in public / internal projects leaked though GitLab API
GitLab - Confidential issues leaked in public projects when attached to milestone
GitLab - Attacker can post notes on private MR, snippets, and issues
GitLab - Attacker can delete (and read) private project webhooks
ownCloud - PHP info page disclosure
Uber - Defect-Security | Driver-Broken Authentication | Able to update the Subscription Setting anonymously
QIWI - SSL Certificate on will expire soon.
Uber - Stored self-XSS at
Uber $2,000 Reflected XSS via Livefyre Media Wall in
New Relic - rails directory traversal vuln
General Motors - Reflected XSS and something more Store XSS too
Automattic $75 XSS on
concrete5 - ProBlog 2.6.6 CSRF Exploit
Moneybird $25 Content Spoofing In Moneybird
Veris - XSS in Asset name
GitLab - GFM renderer leaks external issue tracker URL of private project
Badoo - AWS S3 Bucket hotornot-images permissions allow for listing and removing files
Uber - Information Disclosure on
Legal Robot - No DMARC Record in
HackerOne - Manipulate report timeline activity by using null byte.
New Relic - Cache-Control Misconfiguration Leads to Sensitive Information Leakage
GitLab - Labels created in private projects are leaked
New Relic - Stored Cross-Site Scripting via Angular Template Injection
Udemy $50 Stored XSS at Udemy
New Relic - Open redirection
Slack $1,000 Stored XSS on using new Markdown editor of posts inside the Editing mode and using javascript-URIs
HackerOne - Reputation Manipulation (Theoretical)
Zendesk $500 [HIGH RISK] CSRF could potentially delete a zendesk subdomain.
Moneybird $50 Open Redirect vulnerability in
bitaccess - Missing SPF for
Uber - CrashPlan Backup is Vulnerable Allowing to a DoS Attack Against Uber's Backups to ``````
New Relic - Login Open Redirect
Zendesk $100 AWS S3 bucket writable for authenticated aws user
Udemy - AWS S3 bucket writable for authenticated aws user
Gratipay - PHP 5.4.45 is Outdated and Full of Preformance Interupting Arbitrary Code Execution Bugs
Uber $7,500 Stored XSS in
CloudFlare - Reflected XSS on
GitLab - Privilege escalation to access all private groups and repositories
Twitter $840 [Critical] - Steal OAuth Tokens
Coinbase $100 User's legal name could be changed despite front end controls being disabled
Uber - XSS via password recovering
Automattic $75 Akismet Several CSRF vulnerabilities
ownCloud $150 Open Redirector via (apps/files_pdfviewer) for un-authenticated users.
Gratipay $1 bring up to A grade on SSLLabs
Gratipay - Submit a non valid syntax email
Uber - XSS in uber oauth
Gratipay - Possible Blind SQL injection | Language choice in presentation
Moneybird $50 Stored XSS in Financial Account executing in Bank tab
Moneybird $100 Malicious File Upload
Paragon Initiative Enterprises - Vunerability : spf
ownCloud - XSS via Referrer
Vimeo - Error page Text Injection.
Ubiquiti Networks $275 Reflected XSS in
Trello - Error Page Text Injection.
New Relic - Sensitive information contained with New Relic APM iOS application
Moneybird $150 XXE issue
Moneybird $25 Stored XSS thru SVG upload
Uber - Unsubscribe any user from receiving email
bitaccess $50 BYASSING OTP Verification
Badoo - Badoo and Hotornot User Disclosure
Uber - Requested and received edit access to Google form
Moneybird $50 CSV Injection with the CSV export feature
Trello $128 Cross site scripting in
Uber - and are susceptible to iframes
HackerOne - Missing Certificate Authority Authorization rule
Xero - Insecure Payment System Integration
Slack $2,000 Authentication bypass leads to sensitive data exposure (token+secret)
APITest.IO - beta version reveals paths, environment variables and partially files contents
Zendesk $50 Stored XSS on [your_zendesk] in Facebook Channel
APITest.IO - Login Via FB Leads To Create A New Account Instead Of Loging In
Dropbox - No Rate Limiting while sending the feedback under Dropbox Help Centre
Python $500 Python 2.7 strop.replace Integer Overflow
GitLab - Persistent XSS on public project page
Uber - reopen #128853 (Information disclosure at
APITest.IO - Clickjacking: X-Frame-Options header missing
ownCloud - Cross site scripting in
Twitter $700 xss in DM group name in twitter
Twitter $700 niche s3 buckets are readable/writeable/deleteable by authorized AWS users
Veris - Stored XSS in member book
Gratipay - After removing app from facebook app session not expiring.
New Relic - APT repository is signed using weak digest (SHA-1)
Automattic $75 CPU utilization 99% on visiting wordpress site url & open redirect found
Uber - Disclosure of ways to the site root
LocalTapiola $300 The PdfServlet-functionality used by the "Tee vakuutustodistus" allows injection of custom PDF-content via CSRF-attack
LocalTapiola $400 Cookie-based client-side denial-of-service to all of the Lähitapiola domains
Gratipay - prevent %2f spoofed URLs in profile statement
Uber - User credentials are not strong on
Gratipay $10 Send email asynchronously
Uber - Information disclosure at
Algolia $100 No rate-limit in Two factor Authentication leads to bypass using bruteforce attack
Gratipay - text injection in website title
Ubiquiti Networks $1,500 Read-Only user can execute arbitraty shell commands on AirOS
Uber - Enumerating userIDs with phone numbers
APITest.IO - SSRF on testing endpoint
New Relic - Clickjacking on authenticated pages which is inscope for New Relic
ownCloud - X-XSS-Protection not enabled
Trello $1,536 Payments informations are sent to the webhook when a team changes its visibility
OpenSSL $1,000 BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
Gratipay $10 fix bug in username restriction
Snapchat $1,000 Administrator access to a Django Administration Panel on * via bruteforced credentials
InVision $400 CRITICAL : Delete Boards Admin's ( or any other user ) comment. ( IDOR )
HackerOne $2,500 AWS S3 bucket writeable for authenticated aws users
GitLab - Bypassing password authentication of users that have 2FA enabled
GitLab - Attacker can extract list of private project's project members
Gratipay - Getting Error Message and in use python version 2.7 is exposed.
Gratipay - An adversary can harvest email address for spamming.
Gratipay $1 Limit email address length
Uber $5,000 Stored XSS on admin panel / Stream WordPress plugin
Uber $250 Easy spam with USE My PHONE Feature
HackerOne - Deleted name still present via mouseover functionality for user accounts
HackerOne $1,500 Web Authentication Endpoint Credentials Brute-Force Vulnerability
HackerOne - DOS Report FILE html inside <code> in markdown
New Relic - Password disclosure during signup process
New Relic - Open redirection bypass
Badoo $852 [CRITICAL] Full account takeover using CSRF
Uber - Session Impersonation in
HackerOne $500 New hacktivity view discloses report IDs of non-public reports
ownCloud - Reflected XSS in
HackerOne $500 New hacktivity view discloses report IDs of non-public reports
PHP $1,000 php_snmp_error() Format String Vulnerability
New Relic - - monitor creation to other accounts
New Relic - Mobile Authentication Endpoint Credentials Brute-Force Vulnerability
HackerOne - HackerOne Important Emails Notification are sent in clear-text
Coursera - XSS in
Uber $5,000 Information regarding trips from other users
Uber $5,000 Possibility to get private email using UUID
Twitter $280 XSS using javascript:alert(8007)
Uber $3,000 Possible to View Driver Waybill via Driver UUID
Uber - Use Partner/Driver App Without Being Activated
LocalTapiola $100 DOM XSS by choosing regional company
New Relic - CSV Injection in sub_accounts.csv
New Relic - Old CAPTCHA offers no protection
New Relic - User enumeration possible from log-in timing difference
Uber - Brute Forcing rider-view Endpoint Allows for Counting Number of Active Uber Drivers
Uber $3,000 Stored XSS in Due to Injection of Javascript:alert(0)
Badoo - Insecure Direct Object Reference on
Uber - It is possible to re-rate a driver after a very long time
Uber - Pixel flood attack in
Coinbase $1,000 Sending payments via QR code does not require confirmation
Uber - Disclosure of ip addresses in local network of uber
Shopify $500 XSS on
Uber - SMS Flood with Update Profile
Uber - Changing Driver Passwords With Only an Authenticated Session (no password, no email)
Coinbase $500 Email leak in transcations in Android app
Uber - Uploading Plain Text to Through the Driver Document Upload Page
Uber - Uber password reset link EMAIL FLOOD
Uber - Privilege escalation to allow non activated users to login and use uber partner ios app
Trello $1,024 If a team is public, the web socket receives data about the Team visible boards
Uber - text injection in
LocalTapiola $1,000 Posting modified information in 'Investment section' will cause unintended information change in
Uber $500 CBC "cut and paste" attack may cause Open Redirect(even XSS)
Uber $750 XSS In Due to Mime Sniffing in IE
Uber $1,000 CSV Injection in
Uber $2,000 Stored XSS in WordPress admin panel
Uber - Cross-site Scripting (XSS)
Gratipay $10 prevent content spoofing on /~username/emails/verify.html
Uber - CRLF Injection in
Uber $10,000 may RCE by Flask Jinja2 Template Injection
Uber $3,000 SQL injection in Wordpress Plugin Huge IT Video Gallery at
Veris - XSS on multiple fields
Uber $3,000 Reflected XSS via Unvalidated / Open Redirect in
Zomato - Reflected XSS on Zomato API
Uber - Session retention is present which reveals the customer info
Uber - Brute Force Amplification Attack
Uber - CSRF on may lead to server-side compromise
Uber $5,000 Possibility to brute force invite codes in
Uber - Stored Cross Site Scripting [SELF] in
Uber $3,000 Dom Based Xss
Uber $500 Estimation of a Lower Bound on Number of Uber Drivers via Enumeration
New Relic - Too many included lookups
PHP - Null pointer deref (segfault) in stream_context_get_default
Mapbox $1,000 XSS (cross-site scripting) on
Uber $3,000 Avoiding Surge Pricing
Uber - Create account in uber without signup form
Uber $2,000 Bypassing Uber Partner's 3 Cancel Limit
Uber $3,000 Lack of rate limiting on leads to enumeration of promotion codes and estimation of a lower bound on the number of Uber drivers
Uber $3,000 SQLi in
Uber - XSS on
Uber - HTML Escaping Error in the 404 Page on
Uber $1,500 Lack of CNAME/A Record Trimming Pointing Uber Domains to Insecure Non-Uber AWS Instances/Sites
Uber $3,000 XSS in
Uber - LIsting of
Uber - Self-XSS Vulnerability on Password Reset Form
Uber $3,000 Reflected XSS on via Angular template injection
Uber $500 Open Redirect in
Gratipay $1 Hijacking user session by forcing the use of invalid HTTPs Certificate on
Uber - Cross-site Scripting (XSS) autocomplete generation in
HackerOne $1,500 External programs revealing info
HackerOne $500 Websites opened from reports can change url of report page
Shopify $500 Bypassed password authentication before enabling OTP verification
New Relic - Stored XSS through Angular Expression Sandbox Escape
HackerOne - External links should use rel="noopener" or use the redirect service
HackerOne $500 Disclosure of private programs that have an "external" page on HackerOne
General Motors - Angular Expression Injection in the Search Page
Vimeo - Missing rate limit on private videos password
Shopify $500 Stored XSS via "Free Shipping" option (Discounts)
Imgur $100 XSS via React element spoofing
HackerOne $500 CSV Injection via the CSV export feature
Veris - Captcha Bypass enable login bruteforce
Zomato - Authentication Bypassing and Sensitive Information Disclosure on Verify Email Address in Registration Flow
Shopify $1,500 Shopify GitHub Login and Password exposed all private source code might be available.
Veris - Wordpress Pingback DDoS Attacks in domain:
Trello $768 Using WebSocket I can always access organization data even if I am removed
Veris - Stored XSS in Access Rules
Veris - Complete Profile URL is not Random and not expiring
Gratipay - csrf_token cookie don't have the flag "HttpOnly"
Gratipay $1 auto-logout after 20 minutes
Gratipay $1 Cookie Does Not Contain The "secure" Attribute
Gratipay - Vulnerable to clickjacking
Veris - Not Using Secure Flag Option on Cookies Could Lead to a Man in the Middle Session Highjacking
HackerOne - Sending emails (via HackerOne) impersonating other users
Gratipay $1 suppress version in Server header on or
Veris - Complete or Edit Another User's Profile
Veris - Insecure Direct 'org-visitor-log' References
Veris - Insecure Direct 'org-invite-log' References
Dropbox - Possible SQL injection can cause denial of service attack
New Relic - Synthetics Xss
Informatica - [] Open Redirect
HackerOne $500 SECURITY: Referencing previous Reports attachment_IDs on new Reports via Draft_Sync DELETES Attachments
HackerOne - Unauthorized Team members viewing
Veris - Security Vulnerability - SMTP protection not used
New Relic - Host Header Injection / Cache Poisoning
Veris - Insecure Direct Member Disclosure
Veris - User enumeration via error message
New Relic - Normal user can set "Job title" of other users by Direct Object Reference
HackerOne $500 Mediation link can be accepted by other users
Mail.Ru - Обход basic авторизации []
Veris - Creating multiple user with the same link which is sent to email after registeration
LocalTapiola $500 CSRF allows attacker to delete item from customer's "Postilaatikko"
HackerOne - Possible XSS
Veris - Server and PHP version Disclosed in Response Header
New Relic - All the active session should destroy when user change his password
New Relic - Open redirection on login
HackerOne - Email Address Leak
New Relic - no email confirmation on signup
New Relic - vulnerable to clickjacking !
Shopify $500 XSS on
New Relic - Emails and alert policies can be altered by malicious users.
New Relic - CSRF- delete all empty server policy
Mail.Ru - Reflected XSS на
New Relic - CSRF - Delete all empty application policy
New Relic - No Rate Limitation on Promo Code
New Relic - Vulnerable Link Leaks the User Names
New Relic - vulnerable to host header attack
New Relic - file is world readable
HackerOne $1,000 Edit Auto Response Messages
Zomato - Persistent XSS on Reservation / Booking Page
Mail.Ru $200
Xero - Default.aspx exposing full path and other info on
Shopify $500 Stored XSS in
Uber - Active Email Hyperlink Sent on
New Relic - Server Side Browsing - localhost open port enumeration
Imgur $5,000 Local file read in image editor
Xero - stored xss issue in folder name on
Xero - Open-redirect on
Mapbox $200 Mapbox API Access Token with No Scope Can Read Styles
Ubiquiti Networks $1,300 Shell Injection via Web Management Console (dl-fw.cgi)
Vimeo $100 Private, embeddable videos leaks data through Facebook & Open Graph
Xero - Additonal stored XSS in Add note/Expected payment Date
PHP $1,000 Buffer overflow in HTTP url parsing functions
Badoo $850 Account Takeover
Xero - Vulnerability : XSS Vulnerability
LocalTapiola $400 CRLF injection in
Badoo $427 Broken Authentication on Badoo
Bime $150 Subdomain takeover due to unclaimed Amazon S3 bucket on
Coinbase - Inaccurate Payment receipt
ownCloud - has missing PHP handler
Veris - Multiple Stored XSS on through Veris Frontdesk Android App
General Motors - Content Spoof in
Zomato - NexTable: Credentials exposure
General Motors - XSS Vulnerability in
General Motors - Reflected Cross Site Script in
General Motors - Reflected Cross Site Script in
Veris - Multiple Stored XSS
Veris - Critical IDOR - Make Rule for Any Group & Any Venue remotely
Veris - Critical IDOR - Get Rules of any organization remotely
Veris - Critical IDOR - Can select any Parent while creating new Venue
Veris - Critical IDOR - Get venue data of any organization remotely
Veris - Critical IDOR - Get Authentication Details of any Terminal/Gatekeeper
Veris - Critical IDOR - Set anyone's Terminal Data remotely
Veris - Critical IDOR - Get anyone's Terminal Data remotely
Veris - Critical IDOR - Delete any terminal/gatekeeper of any organization remotely
Bime $250 SSRF issue
Veris - Missing Server Side Validation of CSRF Middleware Token in Change Password Request
Veris - Critical IDOR - Delete any rule of any organization remotely
Veris - Critical IDOR - Delete any venue of any organization remotely
Veris - Critical IDOR - Delete any group of any organization remotely
Veris - Critical - Insecure Direct Object Reference - Deleting any member of any organization remotely
Gratipay $1 don't serve hidden files from Nginx
OpenSSL - b2i_PVK_bio heap corruption
Pornhub $250 Public Facing Barracuda Login
OpenSSL $500 BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797)
Pornhub $2,500 Unprotected Memcache Installation running
Pornhub $50 HTTP Track/Trace Method Enabled
LeaseWeb - Found clickjacking vulnerability
ownCloud - DROWN Attack
Badoo - Password modification without knowing actual password & httpOnly bypass
LeaseWeb - Server version is disclosure in
Coinbase - An adversary can overwhelm the resources by automating Forgot password/Sign Up requests
Twitter $1,120 DOMXSS in Tweetdeck
Veris - Password(s) can be found via login process.
Veris - DOM based XSS
Mail.Ru $150 By pass admin panel []
Mail.Ru $150 By pass admin panel []
HackerOne - Race Conditions Exist When Accepting Invitations
Ubiquiti Networks $1,500 Read-Only user can execute arbitraty shell commands on AirOS
Udemy $150 Session Takeover vulnerability
Shopify $500 xss in the all widgets of
Uber $500 Open Redirection on
HackerOne $500 User with Read-Only permissions can edit the Internal comment Activities on Bug Reports After Revoke the team access permissions
Twitter $280 Sub-Domain Takeover
InVision $500 CRITICAL Stored XSS in
Udemy $150 Able to view others' gifts on /gift/share URL, giftId is predictable, and easy to manipulate
New Relic - CSRF - Regenerate all admin api keys
Coinbase $500 Misconfiguration in 2 factor allows sensitive data expose
New Relic - Reflected XSS on Signup Page
Cakebet - Sender policy framework (SPF) records evaluation return (Too many DNS lookups) error
Twitter $2,520 Tweet Deck XSS- Persistent- Group DM name
HackerOne $500 Distinguish EP+Private vs Private programs in HackerOne
Veris - Stored XSS
Veris - Password reset link is not Expiring
Algolia $1,000 API Key added for one Indices works for all other indices too.
OpenSSL $500 CVE-2016-0799 memory issues in BIO_*printf functions
ThisData - Login CSRF using Google OAuth
HackerOne - User with Read-Only permissions can edit the SwagAwarded Activities on Bug Reports
HackerOne $500 User with Read-Only permissions can manually public disclosure the report
Shopify $500 File name and folder enumeration.
HackerOne - Abusing HOF rankings in limited circumstances
HackerOne - Denial of Service any Report
Coinbase $200 XSSI (Cross Site Script Inclusion)
HackerOne $500 CSV Injection at the CSV export feature
KIWI.KI GmbH - Subdomain takeover : URGENT
Mail.Ru - Утечка информации через JSONP (XXSI)
Shopify - Injection via CSV Export feature in Admin Orders
QIWI $150 Content Spoofing in
Gratipay - X-Content-Type Header Missing For
GitLab - Markdown based stored XSS (IE only) $100 Дорк
Mail.Ru $500 Admin panel access restrictions bypass []
Gratipay $1 limit number of images in statement
LeaseWeb - Apache version disclosed on
LeaseWeb - Directory Listening
Zendesk $50 Stored XSS via Angular Expression injection on
Gratipay $1 strengthen Diffie-Hellman (DH) key exchange parameters in
Shopify $500 XSS in Draft Orders in Timeline i SHOPIFY Admin Site!
LeaseWeb - PHP and Web Server version disclosed on
Gratipay $1 stop serving over HTTP
Gratipay $10 DMARC is misconfigured for
Gratipay - Login csrf.
Uber $3,000 Reflected XSS on careers
Gratipay $10 Prevent content spoofing on /~username/emails/verify.html
Mail.Ru - Stored XSS на
Gratipay $2 SPF/DKIM/DMARC for
Mail.Ru $250 SSRF на
Gratipay $2 SPF/DKIM/DMARC for
Gratipay $1 limit HTTP methods on other domains
Gratipay $10 Email Forgery through Mandrillapp SPF
Uber $250 Multiple Vulnerabilities (Including SQLi) in
Informatica - [] Blind SQL Injection
Uber $3,000 XSS @
Gratipay $10 No Valid SPF Records.
HackerOne $500 Increase number of bugs by sending duplicate of your own valid report
Zopim $100 Chat History CSV Export Excel Injection Vulnerability
Paragon Initiative Enterprises - Spf
Legal Robot $20 SSL Issue on
HackerOne $500 Private Program Disclosure in /:handle/settings/allow_report_submission.json endpoint
Gratipay - UDP port 5060 (SIP) Open $200
Algolia - PHP version disclosed on
Gratipay - server calendar and server status available to public
Gratipay - proxy port 7000 and shell port 514 not filtered
Legal Robot $20 SPF Issue
Legal Robot $120 Remote Code Execution (upload)
Mail.Ru $600 VERY DANGEROUS XSS STORED inside emails
Gratipay - Markdown parsing issue enables insertion of malicious tags
Mail.Ru $150 [] SQL Injection
Ubiquiti Networks $1,000 Auth bypass on
General Motors - E-mail Spoof in
Slack $100 an xss issue in
General Motors - Content Spoof in
Gratipay $1 The POODLE attack (SSLv3 supported) for
Gratipay - nginx SPDY heap buffer overflow for
New Relic - open redirection at login
WePay $150 2-step Verification bypass
Python $1,000 Type confusion in partial.setstate, partial_repr, partial_call leads to memory corruption, reliable control flow hijack
ownCloud - Persistent XSS In Account Profile
New Relic - Potential Subdomain Takeover -
Sucuri $500 Manipulating of (List Subscription) Emails (HTML/Script Injection)
HackerOne - Null byte injection
New Relic - Unauthorized Access
General Motors - Reflected Cross Site Script in
Paragon Initiative Enterprises - file full path discloser.
HackerOne $500 Private Program Disclosure in /:handle/reports/draft.json endpoint
HackerOne $5,000 Private program activity timeline information disclosure
Shopify $500 XSS on
Imgur $1,000 SSRF / Local file enumeration / DoS due to improper handling of certain file formats by ffmpeg
New Relic - [] Access to private directories
New Relic - [] XSS via return_to
Imgur $800 SSRF and local file read in video to gif converter
Legal Robot $20 Rate limiting on Email confirmation link
Legal Robot - Rate limiting on password reset links
Imgur $2,000 SSRF in
Zomato - Two XSS vulns in widget parameters (all_collections.php and o2.php)
Paragon Initiative Enterprises - Email Spoof
Urban Dictionary - Cross-Site Scripting Vulnerability in
Zomato - XSS via modified Zomato widget (res_search_widget.php)
Paragon Initiative Enterprises - Missing SPF for
Paragon Initiative Enterprises $50 Full Path Disclosure
Paragon Initiative Enterprises - CSRF AT SUBSCRIBE TO LIST
Paragon Initiative Enterprises - Missing SPF for
Paragon Initiative Enterprises - Blind SQL INJ
Paragon Initiative Enterprises - Missing SPF
Mail.Ru $300 [] SQL Injection
Gratipay $10 prevent content spoofing on /search
Gratipay $5 SPF DNS Record
Paragon Initiative Enterprises - SSL certificate public key less than 2048 bit
Paragon Initiative Enterprises - Missing SPF records for
Zomato - XSS and CSRF in Zomato Contact form
Paragon Initiative Enterprises - DNSsec not configured
Paragon Initiative Enterprises - Email Authentication bypass Vulnerability
Paragon Initiative Enterprises - Email spoofing
Keybase $50 Content spoofing due to the improper behavior of the not-found meesage
Paragon Initiative Enterprises - Information Disclosure in Error Page
Paragon Initiative Enterprises - Missing SPF for
Uber - Unauthorized file (invoice) download
HackerOne $500 Putting link inside link in markdown
Zomato - Weak Password Policy
Keybase $350 Race conditions can be used to bypass invitation limit
Zomato - Persistent input validation mail encoding vulnerability in the "just followed you" email notification.
New Relic - Basic Authorization over HTTP
New Relic - Html injection in monitor name textbox
New Relic - Unsafe HTML in reset password email and Account verification in email is missing in Sign up
New Relic - A Signup page does not properly validate the authenticity token at the server side.
New Relic - A Log in page does not properly validate the authenticity token at the server side
New Relic - No validation on account names
Keybase $250 Remote Server Restart Lead to Denial of Service by only one Request.
Zomato - Several XSS affecting and
Mapbox $200 Content Spoofing and Local Redirect in Mapbox Studio $2,500 Внедрение внешних сущностей в функционале импорта пользователей YouTrack
Shopify $500 CSRF on
Zomato - Remote File Upload Vulnerability in
Mail.Ru - [] CRLF Injection
Twitter $2,520 Bypassing Digits web authentication's host validation with HPP
Zomato - Cross Site Scripting - type Patameter
Snapchat $1,000 Subdomain takeover in pointing to Zendesk (a Snapchat acquisition)
Zomato - Twitter Disconnect CSRF
Keybase $250 Remote Server Restart Lead to Denial of Server by only one Request.
Ruby on Rails - Remote code execution using render :inline
Zomato - Subdomain Takeover
Ruby on Rails - Regarding [CVE-2016-0752] Possible Information Leak Vulnerability in Action View
Paragon Initiative Enterprises - Cross-domain AJAX request
Mail.Ru - [] Reflected XSS
Mail.Ru - [] Open Redirect
OpenSSL $2,500 OpenSSL Key Recovery Attack on DH small subgroups (CVE-2016-0701)
ownCloud - No Any Kind of Protection on Delete account
Paragon Initiative Enterprises $50 Open-redirect on
HackerOne $500 Multiple issues with Markdown and URL parsing
withinsecurity $250 WordPress Failure Notice page will generate arbitrary hyperlinks
HackerOne $500 Unintended HTML inclusion as a result of
Gratipay - is vulnerable to http-vuln-cve2011-3192
Mail.Ru $300 [] SQL Injection
Coinbase $1,000 Session Issue Maybe Can lead to huge loss [CRITICAL] $250 Full takeover of some sub domains
ownCloud - Text Injection
Mail.Ru - Logical Vulnerability : REDIRECTING on by Parameter Spoofing
Bime $100 The JDBC driver used by the Vertica connector allows to create files on the backends
Bime $1,000 SSRF in the Connector Designer (REST and Elastic Search)
Bime $750 XXE in the Connector Designer
Udemy - Stored XSS
General Motors - XSS on
General Motors - Full Path Disclosure on
HackerOne $500 Interstitial redirect bypass / open redirect in
Mail.Ru $150 [] SSRF / XSPA
Zendesk $100 [CRITICAL] HTML injection issue leading to account take over
HackerOne - Report title and issue information prepopulated
withinsecurity $250 Error Page Text Injection #106350
Khan Academy - XSS vulnerability in "/coach/roster/" ( create your first class)
Imgur $50 Big Bug in SSL : breach compression attack (CVE-2013-3587) affect
HackerOne - attack in not an authorized user
Shopify $500 Full access to Amazon S3 bucket containing AWS CloudTrail logs
Mail.Ru - [] Content Spoofing
Automattic $75 XSS at
Shopify $500 XSS via third-party script
Trello $1,152 DOM based XSS via Wistia embedding $100 Checking whether user liked the media or not even when you are blocked
Vimeo $100 Legacy API exposes private video titles
Automattic $75 XSS at
Pornhub $1,500 [ssrf] libav vulnerable during conversion of uploaded videos
ownCloud - The csrf token remains same after user logs in
Shopify $500 Attach Pinterest account - no State/CSRF parameter in Oauth Call back
Shopify $500 Twitter Disconnect CSRF
HackerOne $500 CSV Injection via the CSV export feature - XSS
withinsecurity $250 Content Spoofing OR Text Injection in
Gratipay $15 Sub Domian Take over
Automattic $250 Internal GET SSRF via CSRF with Press This scan feature
ownCloud $250 Information Exposure Through Directory Listing CVE-2016-1499
HackerOne $500 HTML injection can lead to data theft
Twitter $5,040 Bypassing Digits bridge origin validation
Perl $1,000 Perl 5.22 VDir::MapPathA/W Out-of-bounds Reads and Buffer Over-reads
Phabricator $300 Extended policy checks are buggy
Udemy $25 CSRF in - HTML injection via 'underlying' parameter
Coinbase $200 Direct URL access to completed reports
Coinbase - The 'Create a New Account' action is vulnerable to CSRF
Ubiquiti Networks $500 Subdomain Takeover in
HackerOne $500 User with Read-Only permissions can request/approve public disclosure
General Motors - refelected Xss on
HackerOne - Requesting unknown file type returns Ruby object w/ address
General Motors - SQLi via forgot_password.jsp
Mail.Ru - Multiple vulnerabilities in subdomains
General Motors - XSS in GM
Mail.Ru $150 [] SQL Injection
PHP $1,000 Use After Free in sortWithSortKeys()
Gratipay - Directory Listing on
Gratipay $5 HTTP trace method is enabled
HackerOne - Signals get affected once reports closed as self
Ruby on Rails - Validation bypass for Active Record and Active Model
ownCloud - Mixed Active Scripting Issue on
Gratipay - Harden resend throttling
ownCloud - Reflected Cross-Site Scripting
Twitter $2,520 Bypassing callback_url validation on Digits
ownCloud $350 Exploiting unauthenticated encryption mode
HackerOne - HackerOne is still prone to Internet Explorer UXSS
Ubiquiti Networks $150 Reflected File Download in $500 API: Bug in method auth.signup , дающий возможность бесконечно звонить
ownCloud - [] Guessable password used for admin user
Mail.Ru $150 [] Time Based SQL Injection
Mail.Ru - XSS at forum :
Mail.Ru $500 reflected in xss
HackerOne $500 Team Member(s) associated with a Group have Read-only permission (Post internal comments) can post comment to all the participants
WePay $100 Unauthenticated Stored XSS in API Panel
Automattic $50 Possible Timing Side-Channel in XMLRPC Verification
GlassWire $100 GlassWireSetup.exe subject to EXE planting attack
Imgur $150 XSS in imgur mobile 3
Imgur $150 XSS in imgur mobile
Shopify $500 Stored XSS in /admin/orders
Informatica - [] - XXE via SAML $100 Добавление в меню сообщества без ведома пользователя (нажатия пользователем)
Informatica - [] - XXE
Informatica - [] - XXE
Zendesk $500 Stored XSS in comments
Informatica - [] Reflective XSS
Shopify $500 Strored Cross Site Scripting
PHP $1,000 Format string vulnerability in zend_throw_or_error()
Shopify $500 HTTP-Response-Splitting on
Maximum $20 Application error message
CloudFlare - Clickjacking :
Coinbase $100 Race condition allowing user to review app multiple times
withinsecurity $250 text injection can be used in phishing 404 page should not include attacker text
Algolia $100 text injection can be used in phishing 404 page should not include attacker text
Coinbase - Potential for Double Spend via Sign Message Utility
HackerOne $500 Improve signals in reputation
Shopify $500 Reflective XSS on
HackerOne $500 Team Member(s) associated with a Custom Group Created with 'Program Managment' only permissions can Comments on Bug Reports
ownCloud - Parameter pollution in social sharing buttons
Shopify $500 "Remember me" token generated when "Remember me" box unchecked
ownCloud - XXE at host
GlassWire $100 DLL Hijacking Vulnerability in GlassWireSetup.exe
HackerOne $500 Parameter pollution in social sharing buttons
HackerOne $500 Know whether private program for company exist or not
Informatica - XXE in upload file feature
Informatica - [] XXE
LeaseWeb $100 DOM Based XSS in Checkout
Shopify $500 many xss in
Phabricator - libphutil: removing bytes from a PhutilRope does not work as intended
Pornhub $50 [crossdomain.xml] Dangerous Flash Cross-Domain Policy
Pornhub $250 PornIQ Reflected Cross-Site Scripting
Imgur $150 risk of having secure=false in a crossdomain.xml
Informatica - [] - XXE
Instacart $100 Cookie-Based Injection
Shopify - [] Cookie bomb at customer chats
Square Open Source $2,000 Unsafe usage of Ruby string interpolation enabling command injection in git-fastclone
ownCloud - directory listing in
Shopify $500 CSRF in Connecting Pinterest Account
Instacart $100 Cross-Site Scripting Reflected On Main Domain
Zopim $100 [] Open Redirect
Coinbase - XXE in OAuth2 Applications gallery profile App logo
Automattic $75 XSS on
Coinbase $200 HTML injection in apps user review
QIWI $200 [] Yui charts.swf XSS
Square Open Source $2,000 git-fastclone allows arbitrary command execution through usage of ext remote URLs in submodules
Shopify $1,000 XSS on sales channels via currency formatting
Slack $1,000 Trick make all fixed open redirect links vulnerable again
Python $500 tokenizer crash when processing undecodable source code
Python $1,000 PyFloat_FromString & PyNumber_Long Buffer Over-reads
PHP - Improved fix for bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow) CVE-2015-4643
PHP $500 Memory Corruption in phar_parse_tarfile when entry filename starts with null CVE-2015-4021
PHP $500 invalid pointer free() in phar_tar_process_metadata() CVE-2015-3307
Python $500 use after free in load_newobj_ex
Python $500 array.fromstring Use After Free
Python $1,000 bytearray.find Buffer Over-read
Python $500 hotshot pack_string Heap Buffer Overflow
Python $500 audioop.adpcm2lin Buffer Over-read
Python $500 audioop.lin2adpcm Buffer Over-read
PHP $500 Files extracted from archive may be placed outside of destination directory CVE-2015-6833
PHP $1,500 Multiple Use After Free Vulnerabilites in unserialize() CVE-2015-6831
PHP $1,000 Arbitrary code execution in str_ireplace function CVE-2015-6527
PHP $1,000 Dangling pointer in the unserialization of ArrayObject items CVE-2015-6832
PHP $500 curl_setopt_array() type confusion
The Internet $1,000 libcurl duphandle read out of bounds CVE-2014-3707
PHP $500 heap buffer overflow in enchant_broker_request_dict() CVE-2014-9705
PHP $500 Integer overflow in unserialize() (32-bits only) CVE-2014-3669
PHP $500 AddressSanitizer reports a global buffer overflow in mkgmtime() function CVE-2014-3668
PHP $1,500 SOAP serialize_function_call() type confusion / RCE CVE-2015-6836
PHP $500 zend_throw_or_error() format string vulnerability
PHP $1,000 Uninitialized pointer in phar_make_dirstream CVE-2015-7804
PHP $1,000 Buffer over-read in exif_read_data with TIFF IFD tag
PHP $500 Null pointer deref (segfault) in spl_autoload via ob_start
PHP $500 null pointer deref (segfault) in zend_eval_const_expr
PHP $500 Mem out-of-bounds write (segfault) in ZEND_ASSIGN_DIV_SPEC_CV_UNUSED_HANDLER
Python $1,000 Python deque.index() uninitialized memory
Python $500 Python scan_eol() Buffer Over-read
Python $500 time_strftime() Buffer Over-read
Python $500 Python xmlparse_setattro() Type Confusion
PHP $500 Use after free vulnerability in unserialize() with GMP
PHP $500 Use After Free Vulnerability in session deserializer CVE-2015-6835
PHP $1,000 Use After Free Vulnerability in unserialize() CVE-2015-6834
PHP $1,000 Use After Free Vulnerability in unserialize() with SplObjectStorage CVE-2015-6834
PHP $1,000 Use After Free Vulnerability in unserialize() with SplDoublyLinkedList CVE-2015-6834
Python $500 Python 3.3 - 3.5 product_setstate() Out-of-bounds Read
Ruby $1,500 Request Hijacking Vulnerability In RubyGems 2.4.6 And Earlier CVE-2015-3900
Python $500 Integer overflow in _Unpickler_Read
Apache httpd $500 mod_lua: Crash in websockets PING handling CVE-2015-0228
PHP $500 Null pointer dereference in phar_get_fp_offset() CVE-2015-7803
Khan Academy - Escaping the iframe via exceptions
HackerOne $2,500 CSRF possible when SOP Bypass/UXSS is available
Shopify $500 Open Redirect at *
CERT/CC - manipulate the Practical HTTP Host header
Urban Dictionary - URGENT - Subdomain Takeover in pointing to Zendesk
Shopify $500 [CSRF] Install premium themes
Imgur - Attack User Privacy Settings - X-Frame-Options missing on
Algolia $100 Stored XSS in name selection $500 Обход защиты от csrf-ок в
withinsecurity $250 content injection $500 Same-Origin Policy Bypass #2 $500 Same-Origin Policy bypass on main domain -
Zendesk $500 [CRITICAL] CSRF leading to account take over
Sucuri $250 XSS Vuln in Sucuri Security - Auditing, Malware Scanner $75 Cookie bug
Imgur - Login to any user account using other facebook app access token
Shopify $500 Open redirect using theme install
Ubiquiti Networks $200 CSRF
Shopify $500 XSS in creating tweets
Maximum $20 RC4 cipher suites detected
Maximum $10 SSL certificate invalid date
Maximum $40 RC4 cipher suites detected
Automattic $75 Remove anyone's pic gravtar
Pornhub $250 Reflected Cross-Site Scripting on French subdomain
Twitter $140 Subdomain Expired
InVision $300 Stored Cross-Site Scripting on █████████ (with small user interaction)
Uber $500 Drivers can change profile picture
Shopify - Cookie securing your "Opening soon" store is not secured against XSS
Shopify $500 An administrator without any permission is able to get order notifications using his APNS Token.
Twitter $560 xss in link items (
Yelp $1,500 Access to internal CMS containing private Data
Imgur $5,500 Imgur dev environments facing the Internet
Twitter $560 URGENT : Account Take Over Vulnerability
Coinbase $5,000 Stored-XSS in
Twitter $560 Add tweet to collection CSRF
Mail.Ru - Reflected XSS on
Shopify - CSV Excel Macro Injection Vulnerability in export list of current users -
Slack - Executing scripts on using SVG
Pornhub $250 Cross Site Scripting - On Mouse Over, Blog page
Pornhub $250 [xss,] /user/[username], multiple parameters
HackerOne $1,000 Pre-generation of 2FA secret/backup codes seems like an unnecessary risk
Mail.Ru - [] XSS в функционале авторизации
QIWI $100 Open Redirect in
Coinbase $500 Transactions visible on Unconfirmed devices
Algolia $200 User with limited access to Index configuration can rename the Index
drchrono $100 Request Accepts without X-CSRFToken [ Header - Cookie ]
HackerOne $500 Limited CSRF bypass.
HackerOne - profile cover can also load external URL's
Mail.Ru - [] Core Dump
drchrono $100 CSRF Add Album On
Boozt Fashion AB $100 Reflected XSS on
Badoo $153 Open redirect helps to steal Facebook access_token
Uber $1,000 Mass Assignment Vulnerability in
Shopify $500 deleted staff member can add his amazon marketplace web services account to the store.
Algolia $100 an xss issue
Shopify $500 [CSRF] Activate PayPal Express Checkout
QIWI $3,137 XML External Entity (XXE) in + waf bypass
Mail.Ru - [] Auth Bypass, Information Disclosure
Mail.Ru - [] CRLF Injection
Mail.Ru - [] Full Path Disclosure
Mapbox $1,000 XSS in L.mapbox.shareControl in mapbox.js
Slack $100 RC4 cipher suites detected on
Mail.Ru - [] Debug Mode
Shopify $1,000 S3 Buckets open to the world thanks to 'Authenticated Users' ACL
ownCloud - RCE in /
Shopify $500 Apps can access 'channels' beta api $50 Email Verification Link can be Used as Password Reset Link!
Twitter $280 Urgent : Disclosure of all the apps with hash ID in mopub through API request (Authentication bypass)
QIWI $200 XSS Reflected in
Shopify $1,500 'Limited' RCE in certain places where Liquid is accepted $300 login to any user's cashier account and full account information disclosure
Shopify - Non-owner user can remove online store channel and re-add it.
itBit Exchange $100 No password length restriction denial of service
Algolia $100 Stored XSS on*
HackerOne $2,500 Cross-domain AJAX request
Imgur $150 XSS
Slack $100 Reflected Self-XSS in Slack
Twitter $1,120 File Upload XSS in image uploading of App in mopub
Slack $200 File upload XSS (Java applet) on - User Enumeration : Due to rate limiting on registration
Shopify $500 List of devices is accessible regardless of the account limitations
Twitter $280 Following a User After Favoriting Actually Follows Another User (related to #95243)
Shopify $500 SVG parser loads external resources on image upload
Shopify $500 Staff members with no permission can access to the files, uploaded by the administrator
Mail.Ru $300 Potential SSRF in
HackerOne - Hackerone impersonation
Mail.Ru - [] Full Path Disclosure
Mail.Ru - [] Full SQL Disclosure $250 Multiple critical vulnerabilities in Odnoklassniki Android application
HackerOne $1,000 HTTP header injection in allows setting cookies for
HackerOne $2,500 Send AJAX request to external domain
Twitter $1,120 Can see private tweets via keyword searches on tweetdeck
Shopify $500 An administrator without the 'Settings' permission is able to see payment gateways
Shopify $500 A 'Full access' administrator is able to see the shop owners user details
Shopify $500 Staff members with no permission to access domains can access them.
Keybase $50 Un-handled exception leads to Information Disclosure
itBit Exchange - email not required to be unique
Badoo $310 crossdomain.xml too permissive on,, etc.
Snapchat $1,500 Password Reset - query param overrides postdata
Mail.Ru - [] Open Redirect
Shopify $500 Missing of csrf protection
Imgur $50 Persistent XSS in and / post statistics
Mail.Ru - Reflected XSS.
Slack $500 Stored XSS in Slack (weird, trial and error)
withinsecurity - DDOS using xmlrpc.php
Vimeo $250 XSS on without user interaction and with user interaction
withinsecurity - Uses unsafe-inline without nonce
Shopify - Domain takoever - $75 Http Response Splitting - Validate link
itBit Exchange $50 user-agent Content spoofing
Mail.Ru - [] Reflected XSS
Mail.Ru $300 [] Authentication Data
Udemy - Reflected XSS and/or malicious redirection via JWPlayer 6 configuration modification $50 Cross Site Scripting
Shopify $500 Privilege escalation and circumvention of permission to limited access user
Imgur $250 Persistent XSS in image title
Twitter $280 CSRF on cards API
Twitter $5,040 IDOR- Activate Mopub on different organizations- steal api token-
Shopify $500 Unauthorized access to any Store Admin's First & Last name
Twitter $280 Following a User Actually Follows Another User
Twitter $280 XSS in the "Poll" Feature on
Mail.Ru - Reflected XSS.
InVision - X-Frame-Options Header Not Set
Shopify $500 Reflected XSS in cart at
Coinbase - Balance Manipulation - BUG
Shopify $4,000 Paid account can review\download any invoice of any other shop
Whisper $30 SMS Invite Form Abuse
Whisper $30 Host Header Injection/Redirection
Ruby on Rails - http_basic_authenticate_with is suseptible to timing attacks.
Mail.Ru - Reflective Xss on and
Shopify $500 Some S3 Buckets are world readable (and one is world writeable)
HackerOne - Minimum bounty of a private program is visible for users that were removed from the program
Zopim $1,000 Cross-site Scripting in all Zopim
Shopify $1,500 Arbitrary read on s3://shopify-delivery-app-storage/files
Shopify $2,500 Unauthorized access to all collections, products, pages from other stores
Shopify $500 Bypassing password requirement during deletion of accout
FanFootage - XSS by image file name
Shopify $2,000 Arbitrary write on s3://shopify-delivery-app-storage/files
Shopify $500 Missing authorization check on dashboard overviews
Shopify $500 get users information without full access
Adobe - Reflected XSS via. search
Shopify $1,000 Unauthenticated access to details of hidden products in any shop via title emuneration
Shopify $500 First & Last Name Disclosure of any Shopify Store Admin
Gratipay - SPF Protection not used, I can hijack your email server
Imgur - Csrf near report abuse meme
WePay $100 Subdomain Takeover in pointing to Fastly $100 Способ узнать имя человека и ВУЗ удаленной страницы
Shopify $2,000 unauthorized access to all collections name
Keybase - xss
Coinbase $100 SPF records not found
HackerOne - HackerOne Private Programs users disclosure and de-anonymous-ize
ownCloud - Referer protection Bypassed
Shopify - The POS Firmware is leaking the root Password which can be used for unauthorized access to the device.
HackerOne - Content spoofing on invitations page
Shopify $500 Accessing Payments page and adding payment methods with limited access accounts
Badoo $456 Tokens from services like Facebook can be stolen
Shopify $2,500 unauthorized access to all customers first and last name
Automattic $75 CSV Injection in
Trello $128 CSV Injection
Shopify $500 customers password hash leak!!!!
Uber $100 Issue with Password reset functionality
ownCloud - Self-XSS in mails sent by
Trello $256 Normal User can add new users to group
Imgur $1,600 Server Side Request Forgery In Video to GIF Functionality
Imgur $50 Crossdomain.xml settings on too open
Automattic $50 WooCommerce: Support Ticket indirect object reference
Imgur $50 Reflected Flash XSS using swfupload.swf with an epileptic reloading to bypass the button-event
Imgur - Content Sniffing not enabled
Imgur $50 "Sign me out everywhere" does not work for desktop sessions
Imgur - Open Url redirection on login with facebook
ownCloud - WP Super Cache plugin is outdated
IRCCloud $500 Inadequate input validation on API endpoint leading to self denial of service and increased system load.
Shopify - Passwords Returned in Later Responses.
Gratipay - change bank account numbers
Gratipay - implement a cross-domain policy for Adobe products
Zendesk $50 Content Spoofing
Mail.Ru - [] Server-Status opened for all users
Shopify $1,000 change Login Services settings without owner access
Shopify $1,000 create staff member without owner access
Shopify $500 Privilege escalation vulnerability
ownCloud - No email verification during registration
ownCloud - [] Web Server HTTP Trace/Track Method Support
Ruby on Rails - Nested attributes reject_if proc can be circumvented by providing "_destroy" parameter
Zaption - CSV Excel Macro Injection in Export Response
HackerOne - Minor Bug: Public un-compiled CSS with original sass, versioning, source map, comments, etc.
ownCloud - Apache documentation
Coinbase $100 User email enumuration using Gmail
Zopim $100 CSV Excel Macro Injection Vulnerability in export chat logs
Twitter $280 Tweetdeck (twitter owned app) not revoked $500 CSRF в получении резервных токенов+framing , приводящие к компроментации 2fa
Zendesk $100 CSV Excel Macro Injection Vulnerability in export customer tickets
Mail.Ru - Reflected XSS на
Zendesk $100 Cross-site Scripting
Slack $100 Self-XSS in posts by formatting text as code
BitHunt - No rate limit or captcha to identify humans
ownCloud - CVE-2015-5477 BIND9 TKEY Vulnerability + Exploit (Denial of Service)
Mail.Ru - Vulnerability :- "XSS vulnerability"
ownCloud - Apache Range Header Denial of Service Attack (Confirmed PoC)
Mail.Ru $500 XSS:,[id]/reply при ответе на специальным образом сформированное письмо
Twitter $2,520 Multiple DOMXSS on Amplify Web Player
Vimeo $200 XSS when using captions/subtitles on video player based on Flash (requires user interaction)
Phabricator $300 Information leakage through Graphviz blocks
Vimeo $100 XSS on | "Search within these results" feature (requires user interaction)
Vimeo - XSS on mobile version of where the button "Follow" appears
Vimeo $1,500 XSS on after other user follows you
ownCloud - Webview Vulnerablity [OwnCloudAndroid Application]
Mail.Ru - [] Internet Explorer XSS
Mail.Ru - [] Open Redirect
ownCloud - gallery_plus: Content Spoofing
Udemy $100 XSS Vulnerability
Vimeo $200 Stored XSS on and
Coinbase $100 OAUTH pemission set as true= lead to authorize malicious application
Gratipay - Mail spaming
ownCloud $25 Full Path Disclosure CVE-2016-1501
Shopify $500 XSS on blog pages via sharing buttons
Twitter $2,520 XSS on OAuth authorize/authenticate endpoint
Keybase $500 [] Open Redirect
Anghami $100 [CRITICAL] Login To Any Account Linked With Google+ With Email Only
Anghami $300 [] Sql Injection
Mail.Ru - xss на нескольких форумах игр от (Cross-Site Scripting)
HackerOne - Weak HSTS age in support hackerone site
Phabricator $450 Multiple so called 'type juggling' attacks. Most notably PhabricatorUser::validateCSRFToken() is 'bypassable' in certain cases.
Romit $250 IDOR on remoing Share
Vimeo $100 Reflected XSS on
ownCloud - Potential XSS
ownCloud - CSRF change privacy settings
ownCloud - Password appears in user name field
ownCloud - Mixed Active Scripting Issue
ownCloud - Edit Question didn't check ACLs
Vimeo $500 Stored XSS on
Mail.Ru $150 XSS at
InVision $400 Deleting a Project for which the user is not owner but a normal member
Shopify $500 XSS
ownCloud $25 Full Path Disclosure CVE-2016-1501
Phabricator - Dashboard panel embedded onto itself causes a denial of service
ownCloud - Config
Gratipay - Stored XSS On Statement
Zopim $100 [API ISSUE] agents can Create agents even after they are disabled !
ownCloud - Outdated plugins contains public exploits
ownCloud - Lack of HSTS on
ownCloud - CSRF in
ownCloud - Malicious file upload leads to remote code execution
ownCloud - Account Compromise Through CSRF
ownCloud - Stored XSS in profile page
Gratipay - DKIM records not present, Email Hijacking is possible
ownCloud - HTTP compression is enabled potentially leading to BREACH attack
ownCloud - Information disclosure
ownCloud - * / * Using not strong enough SSL ciphers
ownCloud - Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability
Ruby on Rails - DoS Attack in Controller Lookup Code
InVision $100 Content Spoofing - Signout Warning Page
ownCloud - SSL Session cookie without secure flag set
ownCloud - Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability
ownCloud - Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability
ownCloud - SSL Server Allows Anonymous Authentication Vulnerability (SMTP)
ownCloud - Path Disclosure
ownCloud - SSL Session cookie without secure flag set
ownCloud - Session Cookie in URL can be captured by hackers
Khan Academy - Html injection on khanacademy
Mail.Ru - [] Reflected XSS in debug-mode
ownCloud - PermError SPF Permanent Error: Too many DNS lookups
Mail.Ru - [] Reflected XSS via Cookies
Pornhub $100 [reflected xss,] /blog, any
ownCloud - Multiple reflected XSS by insecure URL generation (IE only)
ownCloud - XSS via referrer
ownCloud - Cross Site Tracing
ownCloud - Content Sniffing not disabled
ownCloud - Allowed an attacker to force a user to change profile details. (XCSRF)
ownCloud - DOM Based XSS
Pornhub $50 Cross Site Scripting – Album Page
Zendesk $500 Stored XSS in comments
Hired $420 Stored XSS in Company Name
Shopify $500 Self XSS in chat.
Automattic $100 XSS in WordPress
Gratipay $1 Possible SQL injection on "Jump to twitter"
Shopify $500 XSS (Digital Downloads App in
Ruby on Rails - [Rails42] We can inject HTML tags when server is using strip_tags method
Ruby on Rails $2,000 Potential XSS on sanitize/Rails::Html::WhiteListSanitizer
InVision $100 Reflective XSS in
Informatica - [] Reflective Xss
HackerOne $500 Internal bounty and swag details disclosed as part of JSON response
HackerOne $500 Private Program and bounty details disclosed as part of JSON search response
Gratipay - Authentication errors in server side validaton of E-MAIL
Urban Dictionary - Reflective Xss Vulnerability
HackerOne $500 Number of invited researchers disclosed as part of JSON search response
Coinbase - Runtime manipulation iOS app breaking the PIN $500 Внедрение произвольного javascript-сценария в функционале просмотра изображений мобильной версии сайта
Gratipay - [] CRLF Injection
QIWI $500 Открытый доступ к корпоративным данным.
Slack $1,000 OSX slack:// protocol handler javascript injection
Flox $25 Content spoofing through Referel header $300 Доступ к чужим групповым беседам. $150 Critical : Access to group videos where videos are restricted for all users(Broken authentication )
Udemy $50 information disclosure
Flox - Email spoofing configuration missing $200 Доступ к чужим приватным фотографиям (3) через обложку видео
Mail.Ru $150 Time-Based Blind SQL Injection Attacks $500 (URGENT!) Покупка OK дешевле, чем он стоит
Mail.Ru $150 Cross site scripting $200 Stored XSS в имени песни (2) на платёжном гейте. $100 Покупка=>скачка песен, которые не предназначены для продажи $150 Покупка песни дешевле, чем она стоит. $150 xss in group
Keybase - Sensitive server-side/application information disclosure - Cross site scripting On api Calculator API requests $100 cross siite scripting in the blog $500 SSRF/XSPA в форме загрузки видео по URL
Shopify $1,000 TCP Source Port Pass Firewall $100 privilege escalation in apache tomcat SessionEample-script
MapLogin - Account creation code bypass
Keybase $100 Full path disclosure at
WordPoints $25 Weak Cryptographic Hash
Mavenlink $25 Open/Unvalidated Redirect Issue
Keybase $250 Content Sniffing not disabled
Romit $250 GA code not verified on the server side allows sending Verification Documents on behalf of another user
Keybase $250 No rate limiting for sensitive actions (like "forgot password") enables user enumeration
Keybase $500 Stealing CSRF Tokens
Keybase $500 SMTP protection not used
Zaption - Cheating at gallery rating
Zaption $25 Open redirect filter bypass
Zaption $25 Using GET method for account login with CSRF token leaking to external sites Via Referer.
Zaption $50 XSS - Gallery Search Listing
Gratipay - Self XSS Protection not used , I can trick users to insert JavaScript
Gratipay - weak ssl cipher suites
Zopim - Security Missconfiguration in Autologin
Zendesk $200 Stored Cross site scripting In
Romit $250 No rate limit which leads to "Users information Disclosure" including verfification documents etc.
Envoy - Stored XSS
Envoy - XSS in "Guest Pre-Registration" page after registration
HackerOne $500 Accessing title of the report of which you are marked as duplicate
QIWI $100 Session Cookie without HttpOnly and secure flag set
Envoy - Stored XSS in /settings/ipad Page
Mapbox $500 Disclosure of map information
DigitalSellz - The product/status method CSRF
DigitalSellz - The email updates issues
Zendesk $50 Error stack trace enabled
DigitalSellz - Own downloading link isn't properly checked in the email template
Romit $250 Potential for financial loss, negative Values for "Buy fee" and "Sell Fee"
Ubiquiti Networks $500 Yet another Buffer Overflow in PHP of the AirMax Products
Ubiquiti Networks $500 Other Buffer Overflow in PHP of the AirMax Products
Udemy $150 Extremely high Course rating values could be set in order to make really high Average rating of the course. Negative values could be set to.
Shopify $3,000 Attention! Remote Code Execution at
Shopify $500 Reflected XSS in chat
Ubiquiti Networks $250 Buffer Overflow in PHP of the AirMax Products
Ubiquiti Networks $18,000 Arbritrary file Upload on AirMax
Python $1,000 Integer overflow in _json_encode_unicode leads to crash
Python $500 Integer overflow in _pickle.c
Python $1,000 Python: imageop Unsafe Arithmetic
PHP $500 PHP yaml_parse/yaml_parse_file/yaml_parse_url Unsafe Deserialization
PHP $1,500 PHP yaml_parse/yaml_parse_file/yaml_parse_url Double Free
PHP $500 str_repeat() sign mismatch based memory corruption
Python $500 Multiple type confusions in unicode error handlers
Python $500 Use after free in get_filter
Python $1,500 Multiple use after free bugs in json encoding
Python $1,500 Multiple use after free bugs in heapq module
Python $1,500 Multiple use after free bugs in element module
Python $500 Tokenizer crash when processing undecodable source code
PHP $500 php_stream_url_wrap_http_ex() type-confusion vulnerability
PHP $500 Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER
PHP $500 Type Confusion Vulnerability in SoapClient
PHP $1,500 Use after free vulnerability in unserialize() with DateInterval
The Internet $3,000 libcurl: URL request injection CVE-2014-8150
OpenSSL $2,500 Malformed ECParameters causes infinite loop CVE-2015-1788
PHP $1,500 Integer overflow in ftp_genlist() resulting in heap overflow CVE-2015-4022
PHP $1,500 ZIP Integer Overflow leads to writing past heap boundary CVE-2015-2331
PHP $1,000 Buffer Over-read in unserialize when parsing Phar CVE-2015-2783
PHP $1,000 Buffer Over flow when parsing tar/zip/phar in phar_set_inode CVE-2015-3329
OpenSSL $500 X509_to_X509_REQ NULL pointer deref CVE-2015-0288
PHP $1,500 Use After Free Vulnerability in unserialize() CVE-2015-2787
PHP $500 out of bounds read crashes php-cgi CVE-2014-9427
Shopify - Body injection in mailto link while commenting shop blog
Shopify - Prevent Shop Admin From Seeing his Installed Apps / Install Persistent Unremovable App
HackerOne $500 CSV Injection with the CVS export feature $300 Уязвимость Создание фотографий без ведома пользователей
Pornhub $5,000 Unauthenticated access to Content Management System -
ThisData - Xss via Dropbox
Shopify $500 XSS at Bulk editing ProductVariants
Pornhub $2,500 Multiple endpoints are vulnerable to XML External Entity injection (XXE)
Pornhub $10,000 Publicly exposed SVN repository,
Hired $250 URGENT - Subdomain Takeover on due to unclaimed domain pointing to
Shopify $500 XSS in Myshopify Admin Site in DISCOUNTS $250 Отвязываем Twitter от любого профиля вк ! + несколько багов по дизайну
Airbnb - authenticity_token is not random across page loads
HackerOne - Redirection Page throwing error instead of redirecting to site
Automattic $100 Verification code issues for Two-Step Authentication $100 Issue in the implementation of captcha and race condition
Shopify $1,000 Bypass access restrictions from API
InVision $150 Enumeration and Guessable Email (OWASP-AT-002)T hrough Login Form
Shopify $500 SSRF via 'Insert Image' feature of Products/Collections/Frontpage
Mail.Ru $160 [] CRLF Injection
Shopify $500 SSRF via 'Add Image from URL' feature $200 Уязвимость получения всех номеров телефонов вк (по совместительству логинов профилей)
Shopify $500 Expire User Sessions in Admin Site does not expire user session in Shopify Application in IOS
Mail.Ru $200 Possible xWork classLoader RCE:
Shopify $500 XSS at Bulk editing products
Shopify $500 XSS at importing Product List
Slack - Link vulnerability leads to phishing attacks
Sandbox Escape $3,000 Microsoft Internet Explorer ActiveX Broker Allows EPM Bypass
Marktplaats - Multiple Apache 2.2.22 Vulnerabilities (XSS/ Code Exec/ DoS)
Marktplaats - Content Spoofing -
Legal Robot $20 - Guessing registered users in
LibSass - type confusion in Sass::ParserState::ParserState(Sass::ParserState const&) CVE-2015-4459
Marktplaats - Secret Password reset key disclosed to third party site via referer in header
Mail.Ru - [] Internet Explorer XSS via Request-URI
Mail.Ru - [] Internet Explorer XSS via Request-URI
Shopify $500 [www.*] CRLF Injection
Legal Robot $20 No valid SPF record
Envoy - [] Open Redirect
HackerOne $500 mailto: link injection on
Mail.Ru $250 [] CRLF Injection $200 Уязвимость в Указание мест на фото + фича + хакинг
Coinbase - Two-factor authentication (via SMS)
HackerOne $500 Invitation is not properly cancelled while inviting to bug reports. $500 XSS at on IE using flash files $400 Уязвимость приватных записей пользователя (личных)
Mail.Ru - XSS
Coinbase $5,000 OAuth authorization page vulnerable to clickjacking
concrete5 - No CSRF protection when creating new community points actions, and related stored XSS
Mail.Ru $150 Activities are not Protected and able to crash app using other app (Can Malware or third parry app). $100 Не достаточная проверка логина скайп - XSS on added name album on videos.
Mapbox $1,000 Stored Cross-Site Scripting in Map Share Page
Legal Robot $20 CSRF
Coinbase $5,000 Big Bug with Vault which i have already reported: Case #606962
Mail.Ru $250 HTML Injection на $500 API: Bug in method auth.validatePhone
Legal Robot $40 Registration bypass using OAuth logical bug
Shopify - Header Misconfiguration - PHP API $100 Able to intercept app Traffic after choosing up the Secured Connection using SSL (HTTPS)
MapLogin - Bypass verification of email while creating account(No rate limiting enable for verification code)
Legal Robot $20 Missing security headers, possible clickjacking
MapLogin - Not Completed Accounts Take Over (Urgent bug)
Legal Robot $20 missing SPF for
concrete5 - No csrf protection on index.php/ccm/system/user/add_group, index.php/ccm/system/user/remove_group
Shopify $1,000 Privilege Escalation - A `MEMBER` with no ACCESS to `ORDERS` can still access the orders by using `Order Printer APP`
Romit $50 Cross site scripting
HackerOne $100 Potential denial of service in<program>/reward_settings
HackerOne $500 Logic error with notifications: user that has left team continues to receive notifications and can not 'clean' this area on account
Mavenlink $100 XSS in
HackerOne $500 External URL page bypass
Ruby on Rails - Changeable model ids on vanilla update can lead to severely bad side-effects
Mail.Ru -
Shopify $500 Bulk Discount App in exposes vulnerable to XSS
HackerOne - Email Notification should be get while changing Paypal Email
Udemy $150 Multiple sub domain are vulnerable because of leaking full path
Mail.Ru $150
Mail.Ru $200 Quagga (Router) : Default password and default enable password
Shopify $500 XSS in Admin site in TAX Overrides
Udemy $100 XSS on
jsDelivr - Pretty Photo Dom XSS
Udemy $100 Ability to add pishing links in discusion ," Bypassing uneductional Links add "
concrete5 - Multiple XSS Vulnerabilities in Concrete5
Sandbox Escape $3,000 Internet Explorer Enhanced Protected Mode sandbox escape via a broker vulnerability
Udemy $150 leak receipt of another user
Udemy $100 xss on autoserch
Slack $100 Bypass of the SSRF protection (Slack commands, Phabricator integration)
Mail.Ru $400 торчит Graphite в мир
HackerOne - Logical Issue (Boosting Reputation points)
Mail.Ru $400 stacked blind injection
HackerOne $500 Content Spoofing - External Link Warning Page
Udemy - Misconfigured SPF Record Flag
Mobile Vikings - XSS Vulnerability on all pages
Udemy $150 log poison vulnerability through wordpress debug.log being publically available
Udemy $150 xss profile
concrete5 - Local File Inclusion Vulnerability in Concrete5 version
concrete5 - SQL Injection Vulnerability in Concrete5 version
concrete5 - Sendmail Remote Code Execution Vulnerability in Concrete5 version
concrete5 - Multiple Stored Cross Site Scripting Vulnerabilities in Concrete5 version
concrete5 - Multiple Reflected Cross Site Scripting Vulnerabilities in Concrete5 version
concrete5 - Multiple Cross Site Request Forgery Vulnerabilities in Concrete5 version
HackerOne $500 Reopen Disable Accounts/ Hidden Access After Disable
drchrono $100 Accessing all appointments vulnerability
drchrono $150 Create and Update patients vulnerability
HackerOne $500 Fake URL + Additional vectors for homograph attack
HackerOne $500 Homograph attack
HackerOne - Homograph Attack
HackerOne $500 Making any Report Failed to load
Dropbox $512 XSS in dropbox main domain
Dropbox $216 Race condition when redeeming coupon codes
Shopify $500 Stored XSS in the Shopify Discussion Forums
Mail.Ru - Flash XSS on
OkCupid - An XSS bug was fixed due to my report, but I didn't submit it through the h1
Shopify $500 SSL cookie without secure flag set
Shopify $500 Content Spoofing
HackerOne $500 Homograph attack
Whisper $50 Insecure Local Data Storage : Application stores data using a binary sqlite database
Romit $50 HTML injection in email sent by
Coinbase $100 ByPassing the email Validation Email on Sign up process in mobile apps
HackerOne - Missing spf flags for
Romit $50 Server responds with the server error logs on account creation
Vimeo $500 API: missing invalidation of OAuth2 Authorization Code during access revocation causes authorization bypass
Shopify $500 amazon aws s3 bucket content is public :-
Shopify $500 XSS in
Twitter $280 DOM based cookie bomb
WordPoints - Rank Creation function not validating user inputs.
HackerOne $500 Open-redirect on
Shopify - comment out causes information disclosure
Shopify $4,000 Notification request disclose private information about other myshopify accounts
Dropbox $512 SSRF vulnerablity in app webhooks
Dropbox - XSS in version history of an HTML file in a shared folder
Shopify - Multiple issues on Checkout Process
Whisper $30 Missing DMARC record
Shopify $500 XSS on
Shopify - XSS on
HackerOne $1,000 SPF whitelist of mandrill leads to email forgery
Shopify $500 Invitation issue
Shopify - XSS - URL Redirects
Shopify $500 Payment gateway status transferred to Shopify without authentication
Shopify $1,000 Shop admin can change external login services
Shopify $1,000 IDOR expire other user sessions
Dropbox Acquisitions $216 Get email ID of any user on
Vimeo - May cause account take over (Via invitation page)
Coin.Space - SMTP protection not used
Twitter - Privecy Issue : view "Protected users" followers and following
Shopify $2,000 Shopify android client all API request's response leakage, including access_token, cookie, response header, response body content
Shopify $500 CSRF token fixation in facebook store app that can lead to adding attacker to victim acc
Shopify $1,000 [persistent cross-site scripting] customers can target admins
Coinbase - iframes considered harmful
Shopify $500 Force 500 Internal Server Error on any shop (for one user)
Twitter $280 Ex-admin of an organization can delete team members
Shopify - Lack of SSL Pinning on POS Application ( iOS )
Shopify $500 Open Redirect after login at
Shopify $500 Authentication Failed Mobile version
Shopify $500 Open redirection in OAuth
Twitter - Privacy Issue on protected tweets
drchrono $700 XML Parser Bug: XXE over which leads to RCE
Faceless - Bypass Setup by External Activity Invoke
PHP $3,000 Use after free vulnerability in unserialize()
PHP $2,500 SoapClient's __call() type confusion through unserialize()
PHP $2,500 Use after free vulnerability in unserialize() with DateTimeZone
PHP $2,500 Free called on unitialized pointer in exif.c
OpenSSL $3,000 Segmentation fault for invalid PSS parameters
Python $9,000 Multiple Python integer overflows
Factlink - Frameset Proxy Problem
Shopify $500 Missing spf flags for
Coinbase $1,000 Sandboxed iframes don't show confirmation screen
Mail.Ru $500 stored XSS in agent via sticker (smile)
Snapchat $100 Captcha Bypass in Snapchat's Geofilter Submission Process
Snapchat $100 Vulnerable to JavaScript injection. (WXS) (Javascript injection)!
Slack $100 Logout any user of same team
Mapbox $1,000 Persistent cross-site scripting (XSS) in map attribution
Shopify $500 Xss in website's link
HackerOne - Reflected Filename Download
Twitter $420 Insecure Direct Object Reference - access to other user/group DM's
Twitter $2,800 HTTP Response Splitting (CRLF injection) due to headers overflow
Mapbox $1,000 Stored xss in editor
Dropbox Acquisitions $216 XSS in
Twitter $1,400 XSS in
Phabricator $300 SSRF vulnerability (access to metadata server on EC2 and OpenStack)
Coinbase $100 Blacklist bypass on Callback URLs
Vimeo $250 [URGENT ISSUE] Add or Delete the videos in watch later list of any user .
OkCupid - XSS on Send A Message Option
Phabricator $300 XSS with Time-of-Day Format
Vimeo $250 Share your channel to any user on vimeo without following him
Vimeo $250 Invite any user to your group without even following him
Twitter $420 Insecure direct object reference - have access to deleted DM's
itBit Exchange $200 secretKey for OTP , is getting leaked in response of a delete request !
itBit Exchange $200 confirmation bypass of 2FA devices while they are deleting
Ubiquiti Networks $500 UniFi v3.2.10 Cross-Site Request Forgeries / Referer-Check Bypass
HackerOne - "learn more here", reward email - domain expired.
Dropbox Acquisitions - unknow files Upload in profile photo
Vimeo $150 Insecure Direct Object References that allows to read any comment (even if it should be private)
Vimeo $500 Insecure Direct Object References in
Twitter $3,500 HTTP Response Splitting (CRLF injection) in report_story
HackerOne $500 Open redirect in "Language change".
Caviar $500 Remotely modifying courier Account Details
Vimeo $250 Post in private groups after getting removed
Flash $2,000 Flash Cross Domain Policy Bypass by Using File Upload and Redirection - only in Chrome
IRCCloud - Email verification links still valid after changing it 2x
itBit Exchange - ITBit Vulnerable to SSLSTrip
Mail.Ru - XSS in
Mail.Ru - XSS in
Mail.Ru - XSS in
Vimeo $250 A user can enhance their videos with paid tracks without buying the track
Whisper $10 CVE-2014-0224 openssl ccs vulnerability
Whisper $100 Bypass pin(4 digit passcode on your android app)
Vimeo $500 A user can post comments on other user's private videos
Vimeo $250 A user can add videos to other user's private groups
concrete5 - Stored XSS in Image Alt. Text
concrete5 - Stored XSS in Message to Display When No Pages Listed.
concrete5 - Stored XSS in Bio/Quote
Vimeo $250 A user can edit comments even after video comments are disabled
Twitter $560 open redirect sends authenticity_token to any website or (ip address)
Ubiquiti Networks $500 CSRF in login form would led to account takeover
concrete5 - Stored XSS In Company URL
HackerOne - Reflected File Download attack allows attacker to 'upload' executables to domain
concrete5 - Stored XSS in testimonial Company
concrete5 - Stored XSS in Testimonial Position
concrete5 - Stored XSS in Testimonial name
concrete5 - Stored Xss in Feature Paragraph
concrete5 - Stored XSS in Feature tile
concrete5 - Stored XSS in title of date navigation
concrete5 - Stored XSS in Title of the topic List
concrete5 - Stored XSS in Contact Form
concrete5 - Stored XSS on Search Title
concrete5 - Stored XSS on Title of Page List in edit page list
concrete5 - Stored XSS on Blog's page Tile
Phabricator - Server Side Request Forgery in macro creation
concrete5 - Self Xss on File Replace
Adobe - Adobe XSS
Adobe - Open redirect and reflected xss in[payload her]
Adobe - stored XSS via send file
The Internet $7,500 FREAK: Factoring RSA_EXPORT Keys to Impersonate TLS Servers
Adobe - Reflected Cross Site Scripting - 'puser' Parameter in login page
Twitter $1,400 XSS in original referrer after follow
Square - Invitation threshold
Romit $50 The csrf token remains same after user logs in
Ruby on Rails $1,000 rails-ujs will send CSRF tokens to other origins
Twitter $560 Twitter Ads Campaign information disclosure through admin without any authentication.
Twitter $1,400 Open Redirect leak of authenticity_token lead to full account take over.
Vimeo - URGENT - Subdomain Takeover on due to unclaimed domain pointing to
HackerOne $5,000 Improperly validated fields allows injection of arbitrary HTML via spoofed React objects
HackerOne - Auto Approval of Invitation to join Team as a Team member
Vimeo $250 Vimeo + & Vimeo PRO Unautorised Tax bypass
Airbnb - SSL Issues
Airbnb - Vulnerability type xss uncovered in
Airbnb - Generating Unlimited Free Travel Gift Invites | IDOR
Twitter - Cross site Port Scanning bug in twitter developers console
Mail.Ru $300 RCE через JDWP
Dropbox - Create N Accounts In Dropbox Irrespective Of Domain
HackerOne - Substantially weakened authenticity verification when using 'Remember me for a week'
Airbnb - I Can Delete Any Airbnb Users Symbol!
Vimeo - Bypassing Email verification
Yelp $500 Information disclosure - emails disclosed in response >
Mail.Ru $150 Heartbleed
Mail.Ru $150 HDFS NameNode Public disclosure:
Todoist $25 Remotely removing credit cards from business accounts!
Todoist $25 Taking over a Business Account Admin
Twitter $1,400 Redirect URL in /intent/ functionality is not properly escaped
HackerOne $500 Team member invitations to sandboxed teams are not invalidated consistently (v2)
HackerOne - Restrict any user from logging into his account.
The Internet $5,000 Bad Write in TTF font parsing (win32k.sys)
Coinbase $100 open authentication bug
Slack $200 Team admin can add billing contacts
Dropbox Acquisitions $729 Privilege Escalation at invite feature
Twitter $140 Reporting user's profile by using another people's ID
Mail.Ru - Full Path Disclosure
The Internet $3,000 Heap overflow in H. Spencer’s regex library on 32 bit systems
Romit $50 Email Enumeration (POC)
QIWI $200 [] XSS + Misconfiguration
Mail.Ru $600 Same Origin Policy bypass
HackerOne $2,000 CSP Bypass: Click handler for links with data-method="post" can cause authenticity_token to be sent off domain
Mobile Vikings - Approve topup method by sender of this method
Mobile Vikings - Enum phone numbers thru /en/sims/topup/add/
Mobile Vikings - Username and sim id enum
Mobile Vikings - CSRF token from another valid user session accepted
Mobile Vikings - Stored xss in user name (2) affected another user.
Mobile Vikings - Stored xss in user name
Mobile Vikings - Reflected xss in user name thru cookie
Mail.Ru - XSS Vulnerability in
Ruby on Rails - JSON keys are not properly escaped
Informatica - XSS in Search Communities Function
Flash $7,500 Use After Free in Flash MessageChannel.send can cause arbitrary code execution
Flash $10,000 Use after free during the StageVideoAvailabilityEvent can result in arbitrary code execution
Flash $10,000 Race condition in workers may cause an exploitable double free by abusing bytearray.compress()
InVision $200 Javascript Injection
itBit Exchange $50 Leakage of sensitive wallet tokens to third party sites
Flash $2,000 Adobe Flash Player Out-of-Bound Access Vulnerability
Vimeo $250 Red October
HackerOne - Markdown code block sequence makes report unreadable
HackerOne $5,000 Markdown parsing issue enables insertion of malicious tags and event handlers
Twitter $560 Twitter Card - Parent Window Redirection
Slack $100 Team admin can change unauthorized team setting (allow_message_deletion)
Slack $200 Team admin can change unauthorized team setting (require_at_for_mention)
Romit - CSRF token leakage
Romit $50 Frictionless Transferring of Wallet Ownership
Square - Redirecting a victim elsewhere through shopseen 0auth
Twitter $1,260 Problem with OAuth
HackerOne $500 Team member invitations to sandboxed teams are not invalidated consistently
HackerOne $500 Insecure Direct Object Reference vulnerability
Nearby Live - Group Invite not properly authenticated
Whisper $10 Error stack trace
Whisper $25 Directory index and information disclosure
HackerOne - In markdown, parsing things like @danlec and #46072 after links is unsafe
Vimeo - Can message users without the proper authorization
Vimeo - Brute force on "vimeo" cookie
HackerOne $5,000 Vulnerability with the way \ escaped characters in <> style links are rendered
Ruby on Rails - Explicit, dynamic render path: Dir. Trav + RCE
Vimeo $250 CRITICAL vulnerability - Insecure Direct Object Reference - Unauthorized access to `Videos` of Channel whose privacy is set to `Private`.
Zaption - [] Open Redirect
Trello $128 [] CRLF Injection
Trello $64 [] Open Redirect
Vimeo $100 XSS on Vimeo
Vimeo - CSRF bypass
itBit Exchange $150 Stored xss in bank name withdraw
Vimeo $100 ftp upload of video allows naming that is not sanitized as the manual naming
Mobile Vikings - Number, username and name disclosure
Mobile Vikings - Stored XSS in Direct debit name
Vimeo - Full account takeover via Add a New Email to account without email verified and without password confirmation.
Informatica - [] - CSRF in Private Messages allows to move user's messages to Trash
Square - HTTP Header revealing server information.
itBit Exchange $50 weird bug ! ( missing validation on new email verfication )
HackerOne $500 Improper way of validating a program
itBit Exchange $200 Unsecure data in "device" response - OTP
Vimeo $100 Vimeo Search - XSS Vulnerability []
Dropbox - Unvalidated Redirects and Stored XSS
Twitter $140 Insecure Data Storage in Vine Android App
Mobile Vikings - Insecure crossdomain.xml
itBit Exchange $50 Email Length Verification
itBit Exchange $500 Notification Emails: IP + Content-Spoofing
Ruby on Rails $500 RCE due to Web Console IP Whitelist bypass in Rails 4.0 and 4.1
Vimeo $1,000 XSS on any site that includes the moogaloop flash player | deprecated embed code
Twitter $140 Flaw in login with twitter to steal Oauth tokens
Vimeo - unvalid open authentication with facebook
Twitter - Path disclosure in
HackerOne - Add text to the title of the page "Thanks"
Mail.Ru -
Mail.Ru $150 Heartbleed: ( port 1433
Vimeo - Application XSS filter function Bypass may allow Multiple stored XSS
Vimeo - Poodle bleed vulnerability in cloud sub domain
Vimeo - Open Redirection Security Filter bypassed
Vimeo $1,000 Make API calls on behalf of another user (CSRF protection bypass)
Mail.Ru $150 Hadoop Node available to public
Vimeo $100 CRITICAL full source code/config disclosure for Cameo
Vimeo - Serious Vulnerability Found
Twitter $420 twitter android app Fragment Injection
Vimeo $1,000 abusing Thumbnails( to see a private video
Vimeo - No Limitation on Following allows user to follow people automatically!
Vimeo - Securing "Reset password" pages from bots
Vimeo $250 Ability to Download Music Tracks Without Paying (Missing permission check on`/musicstore/download`)
Vimeo - profile photo update bypass
Mail.Ru $100 Раскрытие номера мобильного телефона при двухфакторной аутентификации
Mail.Ru - XSS
Vimeo $100 - Reflected XSS Vulnerability
Vimeo $1,000 Adding profile picture to anyone on Vimeo
Vimeo $260 Buying ondemand videos that 0.1 and sometimes for free
Python $1,000 PyUnicode_FromFormatV crasher
Ruby on Rails $1,000 Arbitrary file existence disclosure in Action Pack CVE-2014-7829
OkCupid - Stored XSS in popup messages window
HackerOne - HTTPS is not enforced for objects stored by HackerOne on Amazon S3
Dropbox - WP User Enumeration is possible at
Vimeo - Misconfigured crossdomain.xml -
Twitter $1,120 - an app admin can delete team members from other user apps
Twitter $1,400 - app member can make himself an admin
Ruby on Rails - Denial of Service in Action Pack Exception Handling
Nearby Live - Web Server information disclosure.
Ruby on Rails - Data-Tags and the New HTML Sanitizer Subverts CSRF protection
Vimeo $100 APIs for channels allow HTML entities that may cause XSS issue
Vimeo $5,000 Insecure Direct Object References Reset Password
Vimeo $100 - reflected xss vulnerability
Vimeo $100 - Reflected XSS Vulnerability
Informatica - [] Cross Site Script Vulnerability on informatica
Twitter - Account Deleted without any confirmation
Uber $500 XSS on
Twitter - No rate limiting on creating lists
concrete5 - Stored XSS in adding fileset
Flash $1,000 chrome allows POST requests with custom headers using flash + 307 redirect
Twitter $420 URGENT - Subdomain Takeover on , the same issue of report #32825
Romit $250 stored xss in transaction
Nearby Live - Gain access to any user's email address
Mail.Ru - /surveys/2auth: DOM-based XSS
Mail.Ru - GET /surveys/2auth: XSS
Twitter $1,400 HTML/XSS rendered in Android App of Crashlytics through
Romit $250 Stored XSS in api key of operator wallet
Romit $100 Error stack trace
Twitter $140 POODLE Bug:,,
HackerOne - Reflected File Download
Twitter $280 Open redirection in
Mail.Ru $100 No bruteforce protection leads to enumeration of emails in
Phabricator $500 Phabricator Phame Blog Skins Local File Inclusion
Mail.Ru - [] XSS via Host
Dropbox - [] CRLF Injection
Informatica - Missing SPF for
WePay - Broken Authentication – Session Token bug
C2FO - [] Open Redirect
Vimeo $500 [] CRLF Injection
HackerOne - URL Crashing browser. {Tested on firefox, Chrome and Safari}
Phabricator $300 Phabricator Diffusion application allows unauthorized users to delete mirrors
concrete5 - stored XSS in concrete5
concrete5 - SQL injection in conc/index.php/ccm/system/search/users/submit
Square $500 Delayed, fraudulent transactions possible with encrypted Square Reader devices due to lack of server-side verification of device transaction counter
Mail.Ru $250 [] Memory Disclosure / IE XSS
HackerOne $500 Issue with password change
HackerOne $500 Breaking Bugs as team member
Openfolio $100 xss in /browse/contacts/
Python $6,500 Misc Python bugs (Memory Corruption & Use After Free)
QIWI $150 [] Open Redirect
QIWI $100 Stored xss in $1,000 Subdomain Takeover using pointing to Hubspot
Eobot - Multiple information disclosure
Twitter - Abuse of "Remember Me" functionality.
OkCupid - Rosetta flash vulnerability in clientstats AJAX script
Sucuri - Form contained inside page loaded over SSL submits its contents to another page over HTTP
Eobot $10 XSS in only)
Sucuri $250 Open Redirect in
InVision $150 CSRF Token in cookies!
Twitter - Homograph attack.
Twitter $1,400 [Stored XSS] - profile page
Twitter - Notifications can mark as read by CSRF
Coinbase $100 New Device Confirmation, token is valid until not used.
QIWI - Metadata in hosted files is disclosing Usernames, Printers, paths, admin guides. emails
ThisData - Missing SPF header on
QIWI $1,000 [] Soap-based XXE vulnerability /soapserver/
Openfolio - Options Method Enabled
QIWI $100 [] /oauth/confirm.action XSS
Flash $2,000 Adobe Flash Player MP4 Use-After-Free Vulnerability
Apache httpd $500 mod_proxy_fcgi buffer overflow CVE-2014-3583
HackerOne $500 Logic Issue with Reputation: Boost Reputation Points
Phabricator - Content injection
QIWI $250 CRLF Injection []
Twitter - Headers Missing
Factlink - File name/folder enumeration.
QIWI - Code for registration of qiwi account is not coming even after a long interval of time for Indian mobile number
QIWI $200 [] XSS at auth?login=
QIWI $200 [] XSS proxy.html
Twitter $140 getting emails of users/removing them from victims account [using typical attack]
HackerOne $500 Gain reputation by creating a duplicate of an existing report
PHP $2,500 Locale::parseLocale Double Free
Ian Dunn - XSS in Tagregator plugin - Bypassed or command injection
Mail.Ru - Нежелательная информация
Eobot - IDOR on
Twitter $280 XSS via Fabrico Account Name
Mail.Ru $500 Ошибка фильтрации - Various Low level Vulnerabilities
Mail.Ru - Flash XSS на $150 SMPT Protection not used, I can hijack your email server.
Twitter $420 Bad extended ascii handling in HTTP 301 redirects of
Twitter - Options Method Enabled
Twitter - Option Method Enabled on web server
HackerOne $500 File Name Enumeration
InVision - Password reset tokens is valid after changing the password by logging in the account
Uzbey - test
Twitter - Flaw in valid password policy.
Uzbey - Test
Uzbey - Test
Twitter $1,400 DOM Cross-Site Scripting ( XSS )
InVision $300 Backup of wordpress configuration file found. Leaking database users/passwords
Slack $500 a stored xss in slack integration
HackerOne - Enumeration/Guess of Private (Invited) Programs
WP API - MD5 used for Key-Auth signatures
Twitter $1,680 URGENT - Subdomain Takeover on due to unclaimed domain pointing to AWS
99designs - Source Code Disclosure (PHP)
Mail.Ru $200 OpenSSL HeartBleed (CVE-2014-0160)
Twitter $280 XSS in
HackerOne - Content Spoofing via reports
The Internet $3,000 Drupal 7 pre auth sql injection and remote code execution
Twitter $140 Singup Page HTML Injection Vulnerability
Mail.Ru - Авторизуюсь от имени любого пользователя
RelateIQ $500 PoodleBleed
Flash $5,000 Adobe Flash Player Out-of-Bound Read/Write Vulnerability
HackerOne $1,000 Ability to see common response titles of other teams (limited)
Localize - files likes of is public
Twitter - Creating Unauthorized Audience Lists
Bookfresh - Reflected XSS on
concrete5 - Weak random number generator used in concrete/authentication/concrete/controller.php
WP API $50 Cryptographic Side Channel in OAuth Library - Timing Attack Side-Channel on API Token Verification - Weak Random Number Generator for Auth Tokens
Twitter $420 Unauthorized Tweeting on behalf of Account Owners
Khan Academy - Sql injection And XSS
Twitter $560 Improper Verification of email address while saving Account Settings
RelateIQ $250 Relateiq SSLv3 deprecated protocol vulnerability.
Localize - PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
Bookfresh - Missing Function Level Access Control in /cindex.php/widget/customize/
Flash $2,000 Adobe Flash Player MP4 Use-After-Free Vulnerability
Coinbase $100 New Device confirmation tokens are not properly validated.
99designs - CSRF to connect attacker's twitter account to logged in victims account
concrete5 - Stored XSS in concrete5
Square $250 CSRF on adding a calendar event
Square $500 square google calendar integration CSRF, parameter not checking properly)
Mail.Ru - Выполнение кода PHP через FastCGI
Square $500 CSRF on adding clients
The Internet $20,000 GNU Bourne-Again Shell (Bash) 'Shellshock' Vulnerability
Twitter $280 Profile Pic padding (Length-hiding) fails due to use of GZIP
HackerOne $500 homograph attack. IDNs displayed in unicode in bug reports and on external link warning page
IRCCloud $300 Unvalidated Channel names causes IRC Command Injection
Square $250 Privilege Escalation
WePay $350 Horizontal Privilege Escalation
Twitter $1,120 XSS | video-js metadata
HackerOne $500 No email verification on username change
Twitter $1,120 XSS
Sucuri $250 Usage of HTTP for exporting graph data as images
Square $250 Redirect while opening link in new tabs
Coinbase $100 Credit Card Validation Issue
Twitter - Twitter Flight SSL 2.0 deprecated protocol vulnerability.
HackerOne - "early preview" programs disclosure
HackerOne $500 Redirect FILTER bypass in report/comment
Mail.Ru $500 XSS via message id
Phabricator - Content Spoofing through URL
IRCCloud - Weak password policy
Mavenlink - Email field filtering problem.
Twitter $420 iOS App can establish Facetime calls without user's permission
Ruby on Rails $1,500 Active Record SQL Injection Vulnerability Affecting PostgreSQL CVE-2014-3483
Ruby on Rails $1,500 Active Record SQL Injection Vulnerability Affecting PostgreSQL CVE-2014-3482
PHP $2,500 SPL ArrayObject/SPLObjectStorage Unserialization Type Confusion Vulnerabilities CVE-2014-3515
Twitter $1,400 Cross site scripting on
HackerOne $500 Window Opener Property Bug
Twitter $1,400 Stored xss
Square $2,000 malicious file upload
Flash $1,000 Flash Local Sandbox Bypass CVE-2014-0554
GlassWire - Clickjacking: X-Frame-Options header missing
Phabricator - Content spoofing
Twitter $1,400 xss
Square $400 Reflected XSS in widget script thru cookie
Twitter $2,800 Delete Credit Cards from any Twitter Account in [New Vulnerability]
Square $1,000 Reflected XSS in
Square $750 Editing Client Details of other People
Twitter $140 Missing Rate Limiting on
The Internet $3,000 open redirect in rfc6749
Mail.Ru $1,337 XSS via .eml file
WePay $350 Critical : Account removing using CSRF attack
Square - XSS on bookfresh
Twitter $140 Full path disclosure at
Slack - HTTP Strict Transport Policy not enabled on newly made accounts
Phabricator - Password Policy issue
Square $2,000 CRITICAL Account takeover via AngularJS template injection in
Django $1,000 CSRF protection bypass on any Django powered site via Google Analytics
Square $500 XSS in Client Past Activity
ExpressionEngine - Stored Cross-Site Scripting Vulnerability in /admin.php?/cp/admin_system/general_configuration
HackerOne - Notification of previous signed out user leakage.
Mavenlink - DNS load balancing not enabled
WePay - CSRF (Make email primary) may lead to account compromise
CloudFlare - Apache mod_negotiation filename bruteforcing
Square $250 Open Redirect [FreshBook]
Square $500 XSS [BookFresh]
HackerOne $100 Change Any username and profile link in hackerone - [] CRLF Injection / Insecure nginx configuration
CloudFlare - User can request for password reset link without giving his website, eventhough he have it - SMTP protection not used (please read carefully )
Phabricator $400 Open redirection on
Twitter - HTML form without CSRF protection at - openssh-server Forced Command Handling Information Disclosure Vulnerability on - Reflected XSS -
Mail.Ru - Не уверен, что этому место на периметре:,,,
concrete5 - broken authentication
Twitter - User's DM won't deleted after logout from Twitter for iOS (
Mail.Ru $150 Странное поведение SMS
Secret - Broken Authentication and Session Management
Mail.Ru - Version Disclosure (NginX)
HackerOne $500 Redirect while opening links in new tabs
Phabricator $300 Forgot Password Issue
Square - CSRF login
Square $1,500 Blind SQL injection in
Uzbey - SQL Injection
Uzbey - XSS in 3rd party plugin (not affecting Uzbey's users)
Phabricator - Password Reset Links Not Expiring
Twitter - Broken authentication and invalidated email address leads to account takeover
Automattic - Open Redirect in WordPress Feed Statistics {Affected All Versions}
Slack $200 Content Spoofing all Integrations in
Twitter - Password reset link not validated.
Yahoo! - Blind Sql Injection
IRCCloud - Bruteforce protection not enabled on the login page
Slack $100 Content spoofing at Stripe Integrations
Mavenlink $50 privilege escalation
Mavenlink - Cookies are not cleared from Server side on Logout
Mavenlink $200 Flash XSS on swfupload.swf showing at
Mavenlink $50 Clickjacking
HackerOne - Account Hijacking (Only rare case scenario)
Mavenlink $100 Login CSRF
Phabricator - Back - Refresh - Attack To Obtain User Credentials
Coinbase $1,000 Invoice Details activate JS that filled in
The Internet $3,000 rsync hash collisions may allow an attacker to corrupt or modify files
Apache httpd $500 moderate: mod_deflate denial of service CVE-2014-0118
Mail.Ru $150 File upload XSS using Content-Type header
Python $1,500 integer overflow in 'buffer' type allows reading memory
WePay - oauth redirect uri validation bug leads to open redirect and account compromise
Mail.Ru $1,000 File upload "Chapito" circus
Mail.Ru - HTTP Header Injection
Mail.Ru $100 Подделываем j2me app-descriptor
DigitalSellz - USER Account is not being deleted after user "Delete Account" from DASHBOARD
DigitalSellz - Verbose SQL error messages
ExpressionEngine - Cross Site Scripting (Stored)
HackerOne - No option to logout concurrent sessions
Twitter - password sent over HTTP
Automattic - Missing HSTS header in
Automattic - Missing HSTS header in
RelateIQ $100 Cross-site Scripting in mailing (username)
Envoy - Authentication Bypass - Host header is not Validated resulting in Redirect
Envoy - Delete visitor from IPAD with fullname which contains JS results XSS
HackerOne - Session Hijacking attack (Different Scenario)
Envoy - Too much sensitive information in GET
Envoy - Stored XSS on adding locations
Envoy - Stored XSS on sign_up page
Uzbey - Missing "size check" on files to upload could make memory leaks.
Uzbey - IFXSS (image filename XSS) by creating a new Photo Gallery
Localize - PHP PDOException and Full Path Disclosure
Mail.Ru - XSS через Referer
Mail.Ru - XSS
Secret - ClientId gives away platform (iOS/Android) from which a secret was posted.
Mail.Ru $3,000 Possibility to attach any mobile number to any email
Sandbox Escape $5,000 .NET Type Traversal Vulnerability CVE-2014-0257
Sandbox Escape - OSX ATS memory corruption may lead to App Sandbox bypass CVE-2014-1262
Sandbox Escape - OSX ATS arbitrary free issue may lead to App Sandbox bypass CVE-2014-1255
HackerOne - Email changing
WePay $100 Unauthorized Access via Join Email Link
Factlink - XSS 01 on
DC Compendium $25 Multiple Full Path Disclosure (FPD) Vulnerability on domain
RelateIQ $190 Resubmitted with POC #18685 Password reset CSRF
Phabricator $1,000 XSS in editor by any user
WePay $150 CSRF on email address operations. Also performing unintended operations.
Automattic - Top 10 2013-A2-Broken Authentication and Session Management -
WePay $500 Session Fixation
jsDelivr - HSTS Policy not enabled on
DC Compendium $50 Backend source code disclosure on 404 pages
jsDelivr - Using nmap revealing sensitive information
jsDelivr - XSS
jsDelivr - Directory Traversal at
DC Compendium $25 source code disclosure
Yahoo! $250 Yahoo! Reflected XSS
DC Compendium $25 XSS on Home page
DC Compendium $25 Error page Cross-site scripting
DC Compendium - Forward Secrecy is disable
DC Compendium - Login CSRF
DC Compendium $25 Clickjacking: X-Frame-Options header missing
HackerOne $100 Denial of Service
Faceless - Tap Jacking Attack on Button Tags
The Internet $6,000 LZ4 Core CVE-2014-4611
Factlink - Click-Jacking due to missing X-frame header
Uzbey - Mass invitation send
IRCCloud $500 Reflected XSS in Pastebin-view
Uzbey - Information Disclosure (phpinfo())
HackerOne - Account takeover
Yahoo! $50 Default /docs folder of PHPBB3 installation on
Uzbey - Price Manipulation
Phabricator $300 Broken Authentication and Session Management
Uzbey - Flash Content-Type Sniffing Vulnerability
HackerOne $100 Category- Broken Authentication and Session Management (leads to account compromise if some conditions are met)
Mail.Ru - SVN наружу торчит
Uzbey - Email Flooding Vuln
Uzbey - Clickjacking at
Uzbey - HTML Form Without CSRF Protection Vulnerability
Uzbey - Breach Attack Vulnerability
Uzbey - Cross site scripting in type parameter
Uzbey - CMS Information Disclosure
Uzbey - email field doesn't filtered against XSS
Uzbey - Language version disclosure in response header
Uzbey - All Active user sessions should be destroyed when user change his password!
Uzbey - Cross-site scripting vulnerability detected
Uzbey - Missing HSTS (Strict Transport Security)
Uzbey - Album image XSS
Uzbey - SQL injection, time zoom script, tile ID
Uzbey - SQL injection, tile ID - Found clickjacking vulnerability
Slack $100 Password Policy issue (Weak Protect)
HackerOne - Cache leads to Privacy leaks
Mail.Ru - HTTP Header Injection
Mail.Ru $400 SMS spam with custom content
Slack $100 Open Redirect login account
Coinbase - 2FA settings allowed to be changed with no delay/freeze on funds
RelateIQ $250 SSRF (Portscan) via Register Function (Custom Server)
RelateIQ $200 Failed Certificate Validation On Custom Server (Register)
Automattic - User Enumeration and Guessable User Account Attack on WORDPRESS
Mail.Ru - Cross Site Scripting
Yahoo! $200 Yahoo Sports Fantasy Golf (Join Public Group)
Phabricator $300 Abusing daemon logs for Privilege escalation under certain scenarios - Facilitation of XSS attacks through supporting the HTTP TRACE method (cross-site tracing)
The Internet $5,000 Multiple issues in looking-glass software (aka from web to BGP injections)
Phabricator $600 Abusing VCS control on phabricator - Wordpress readme.html / X-Powered-By-Header (low crit) - Report: Wordpress Bug!‏‏‏ - Directory Listing - OPTIONS method is enabled - Information disclosure : Web Server Version Details - Admin interface accessible externally
Localize - PHP PDOException and Full Path Disclosure
Mavenlink $50 Non Validation of session after password reset
Mail.Ru - Раскрытие полного серверного пути
HackerOne $100 Session not invalidated after password reset
Automattic - Process of changing email address and password does not asks old Password.
Mail.Ru $150 SQL Injection on
Localize - Bug on registration as new Translator user
Mail.Ru - Reflected XSS
Mail.Ru - Перечисление каталогов за счёт уязвимости в IIS
FanFootage - Cookie fixation
FanFootage - Same user name and uuid for multiple user names
FanFootage - Reporting Bugs
Factlink - Criptographic Issue: Strisct Transport Security with not good max age..(TOO SHORT!)
Mail.Ru - [] CRLF Injection / Insecure nginx configuration
FanFootage - Session Token is not Verified while changing Account Setting's which Result In account Takeover
FanFootage - NO CSRF token found on user details update
Coinbase $1,000 Leaking CSRF token over HTTP resulting in CSRF protection bypass
Flash $3,000 Flash Sandbox Bypass CVE-2014-0535
Mail.Ru - Flash XSS in
Yahoo! - Open Redirect via Request-URI
Mail.Ru - Flash XSS in
Twitter - Cookie not marked as secure.
Mavenlink $100 Password reset token not expiring
Twitter - XSS vulnerability in video player page
Twitter - Captcha bypass with extension at
Twitter - [ /] CSRF protection bypass
Automattic - Serving Transitions From: HTTP Protocol (not secure)
WePay - Typical form vulnerable to csrf attack
Factlink - Anonymous Proxy and IP leak
WePay - CSRF & Nonce Token Weak Implementation
WePay $300 Open Redirect
WePay - Sensitive settings need Re authentication
Mavenlink $50 Clickjacking at main website
Mavenlink $50 Login password guessing attack
WePay $100 Session fixation in
Mavenlink - The web application discloses version details of the underlying Platform / Server
Mavenlink - Clickjacking & CSRF attack can be done at
Mail.Ru - Flash XSS -
Factlink - Password reset link doesn't expire.
Automattic - - DOM based XSS.
Automattic - Self XSS
InVision - Sensitive information in cookies
Yahoo! - Multiple vulnerabilities
Twitter - and are vulnerable to CRIME attack
Twitter - Token remains alive ever after logging out!
Slack $300 SSRF on
Slack - Remote file Inclusion - RFI in upload
Mail.Ru - XSS in "About Video"
Mail.Ru $300 SSRF
Automattic $250 privilege escalation
Automattic - information disclosure
Twitter - CSRF in
Automattic - XSS on gravatar
HackerOne $100 Potential denial of service in
Automattic - xss in
Automattic - logout csrf
Automattic - xss in
Factlink - Meta characters not filtered on signup
Factlink - Proxy service crash DoS
Factlink - X/Csrf token problem
IRCCloud - Missing Character Restriction
IRCCloud - Password type input with auto-complete enabled
Factlink - Session not expired on logout
Factlink - Sign up CSRF
Factlink - Password Complexity very low.
Factlink - Missing SPF for and
Factlink - Leaking of password reset token through referer
Factlink - Login CSRF using Twitter oauth
Factlink - Url Redirection
Factlink - HTML5 cross-origin resource sharing
Factlink - Click jacking
Khan Academy - Unchecking hidden parameter is vulnerable to XSS-attack
Mail.Ru $1,000 sources disclosure
Sandbox Escape $10,000 Linux PI futex self-requeue bug CVE-2014-3153
Mail.Ru - XSS
Khan Academy - CRLF Injection
Mail.Ru - XSS
Mail.Ru - XSS
IRCCloud $100 Host Header Injection -
Khan Academy - Suffix of url-path is vulnerable to XSS-attack
Localize - full path disclosure from false language
Mail.Ru - ( Password type input with auto-complete enabled
Mail.Ru $500 XSS in login form
Secret - secret app for iOS and android is sending some info over HTTP
Urban Dictionary - Open URL Redirection
Urban Dictionary - Open Redirection
Mail.Ru - Reflected XSS (IE6-IE8)
Localize - missing sender policy framework (SPF)
HackerOne - Improper filtering of classes used in codeblocks in Markdown
Mail.Ru - Reflected XSS in User-Agent
Mail.Ru - Раскрытие путей сервера за счёт неопределённого индекса в сценарии /home/
HackerOne - Spamming any user from Reset Password Function
Yahoo! $100 Testing for user enumeration (OWASP‐AT‐002) -
Yahoo! $50 Authorization issue on
Faceless - Account hijacking possible through ADB backup feature - X-Content-Type-Options header missing
Mail.Ru $500 XSS in a file or folder name
Mail.Ru $700 XXE and SSRF on
Secret - Content Sniffing not disabled
Flash $7,500 Adobe Flash Player FileReference Use-after-Free Vulnerability CVE-2014-0538
ReddAPI - Content Sniffing not disabled
ReddAPI - Browser cross-site scripting filter misconfiguration
ReddAPI - Strict Transport Security Misconfiguration
Kadira - API keys being cached
Respondly - XSS in the input
InVision - Multiple Upload Vulnerability !File Upload + File Inclusion (Access Not Forbidden)
Kadira - Undeletable File
Kadira - MISSING SPF (Sender Policy Framework) for
Python $1,500 Python vulnerability: reading arbitrary process memory CVE-2014-4616 - Login password guessing attack
Yahoo! -
CloudFlare - CSRF and No password requirement in this URL Billing Info
Yahoo! - TESTING FOR REFLECTED CROSS SITE SCRIPTING (OWASP‐DV‐001) - SSH Port Wide Open - HTTP Strict Transport Security (HSTS) Policy Not Enabled
Mail.Ru $150 Stored XSS on
Mail.Ru $300 Stored XSS on
Mail.Ru $250 SQL injection
CloudFlare - Password reset threshold not set
Musopen - Port 22 Open/Banner visible on
Ian Dunn - Path Disclosure Vulnerability
Coinbase - Simultaneous Session Logon : Improper Session Management
Hubdia - Subscribe User bug
Musopen - USERNAME Related Issue!
Yahoo! $250 Infrastructure and Application Admin Interfaces (OWASP‐CM‐007)
Mail.Ru $400 XSS in (Limited use)
4chan - Login panel brute force attack
Meteor - Open Url Reditection After authentication
4chan - XSS in settings
CloudFlare - Bug Report
Mail.Ru - Content Spoofing vulnerability in mobile
Yahoo! - Authentication Bypass due to Session Mismanagement
CloudFlare - User's data leak
Coinbase $100 CSRF in function "Set as primary" on accounts page
99designs $400 report a reflected XSS
99designs - Reflected XSS in
Yahoo! - Yahoo! Messenger v11.5.0.228 emoticons.xml shortcut Value Handling Stack-Based Buffer Overflow
99designs - Insecure transition from HTTP to HTTPS in form post
99designs - Server leaks version number
Localize - XSS in Team Only Area
Coinbase $100 CSRF on "Set as primary" option on the accounts page
Coinbase $1,000 Bypassing 2FA for BTC transfers
Mail.Ru $150 SQL inj
C2FO - All Active user sessions should be destroyed when user change his password!
The Internet $3,000 Bypassing Same Origin Policy With JSONP APIs and Flash
Slack $500 Stored XSS in (integrations)
RelateIQ - Old Sessions remain valid after the password change.
Mail.Ru - Persistent XSS in
HackerOne - Flooding mailbox of user
Mail.Ru $150 SQL
Mail.Ru $150 SQL inj
Mail.Ru - Login without SSL-Protection
HackerOne $100 All Active user sessions should be deleted when user change his password!
Mail.Ru $200 Time based sql injection
Mail.Ru $200 SQL injection [дырка в движке форума]
OkCupid - XSS Vulnerability Found!
CloudFlare - Threat control information leak
Slack $500 Stored XSS Found
Localize - Full Path Disclosure (FPD) in
StopTheHacker - Reflected cross site scripting in login page
Yahoo! - Loadbalancer + URI XSS #3
CloudFlare - Security issue with your "bag" script
Automattic - storage.swf XSS
Ian Dunn - PHP and Wordpress version disclosure
Ian Dunn - Multiple Path Disclosure
HackerOne $100 Anti-MIME-Sniffing header X-Content-Type-Options header has not been set.
Respondly - OAuth Bug
Ian Dunn $25 Xss in CampTix Event Ticketing
Ian Dunn $25 Stored XSS in all fields in Basic Google Maps Placemarks Settings
Mail.Ru $250 Home page reflected XSS
Localize - Full Path Disclosure (FPD) in
StopTheHacker - XSS 1
StopTheHacker - XSS Reflected -
Respondly - Full Path Disclosure
Mail.Ru - Unproper usage of Mobile Number that will lead to Information Disclosure
Localize - Atttacker can send "Invitation Request" to a Project that is not even created yet!
Mail.Ru - No CSRF token used in Phone Verification POST
CloudFlare - Cookie missing the Secure flag
CloudFlare - Flash-based XSS in subdomain
Localize - Criptographic Issue: Strisct Transport Security with not good max age..(TOO SHORT!)
Respondly - No Bruteforce Protection
CloudFlare - System Status Update CSRF
CloudFlare - XSS -
CloudFlare - Apache Multiviews are enabled
StopTheHacker - XSS in Stopthehacker support
CloudFlare - csrf on password change functionality
Mail.Ru $150 localStorage не чистится после выхода
StopTheHacker - CSRF - Disabling orders at
CloudFlare - Cross-site scripting 2
CloudFlare - Content spoofing /CSRF at
Mail.Ru - Admin panel of is acccessible publicly
CloudFlare - jplayer.swf Cross-site scripting
StopTheHacker - Information Disclosure (FPD) -
CloudFlare - CSRF in Cloudflare login
Respondly - Deleting team members
Mail.Ru $150 Clickjacking
Mail.Ru - Reflected XSS
Mail.Ru - Clicjacking on Login panel
Mail.Ru - Xss On
Mail.Ru - - Flash Based XSS
Yahoo! $300 information disclosure (LOAD BALANCER + URI XSS)
Yahoo! $500 - XSS (STORED)
OkCupid - Reflected XSS on
Localize - Projects Watch or Notifications Settings Change Via CSRF
Respondly - Allowed method disclosure
Localize - No Wildcard DNS
Localize - Private Project Access Request Invitation Sent Via CSRF
Localize - Private Project Access Request Accpeted Via CSRF
Localize - Group Deletion Via CSRF
Localize - Group Creation Via CSRF
Localize - OPTIONS Method Enabled
Localize - Deleting groups in any project without permission
Localize - Making groups in any project without permission
Localize - infinite number of new project creation!
Localize - Full Path Disclosure / Info Disclosure in Importing XML Section!
Localize - Full Path Disclosure / Info Disclosure in Creating New Group
Localize - Full Path Disclosure (FPD) in
HackerOne $100 Password Reset Bug
Localize - Numerous open ports/services - readable .htaccess
Localize - X-Content-Type-Options header missing
Localize - Apache Documentation
Respondly - X-Content-Type-Options header missing
Localize - Possible sensitive files
Localize - Login page password-guessing attack
Localize - Full Path Disclosure (2)
Respondly - XSS via Email Link
Localize - XSS in password
Localize - Full Path Disclosure
Respondly - HTTP Strict transport security policy not enabled
Localize - Sensitive file
Localize - CSRF in adding phrase.
Localize - Password type input with auto-complete enabled
Localize - User credentials are sent in clear text
Respondly - DNS Misconfiguration
Respondly - x-frame options-sameorigin warning
Localize - A Serious Bug on SIGNUP Process!
Secret - Login CSRF in
HackerOne $150 Issue with remember_user_token
Localize - Information Disclosure (Directory Structure)
HackerOne - Arbitrary file uploads to Amazon WS.
Respondly - Clickjacking - changing role
Localize - Apache2 /icons/ folder accessible
Localize - Assigning a non-existing role to user causes exception when opening project page
Respondly - XSS via Email
Respondly - Find, private notes Cross-site scripting.
Localize - No Cross-Site Request Forgery protection at multiple locations
Localize - Uninitialized variable error message leaks information
Localize - Server header - information disclosure
Respondly - Import emails from Gmail are activate XSS
Localize - Business logic Failure - Browser cache management and logout vulnerability.
Localize - Path Disclosure (Info Disclosure) in
Respondly - OAuth open redirect
Respondly - Persistent Cross-site scripting vulnerability settings.
Localize - HTML/Javascript possible in "Discussion" section of reviews
Localize - Full path disclosure
Localize - XSS in
Localize - Unexpected array leaks information about the system
Localize - XSS in invite approval
Localize - XSS in main page (invitation)
Localize - Password Policy
Localize - XSS in main page
Localize - XSS & HTML injection
Localize - Stored XSS
Localize - Change user settings through CSRF
Localize - No BruteForce Protection
Localize - XSS in Groups
Localize - Sign-up Form CSRF
Localize - HTML Form Without CSRF protection
Localize - ClickJacking
Automattic - HTML form without CSRF protection
Automattic - Session Cookie without Secure flag set
Yahoo! $250 readble .htaccess + Source Code Disclosure (+ .SVN repository)
Flash $2,000 Security bypass could lead to information disclosure
Yahoo! $2,500 Local File Include on
Yahoo! - clickjacking on leaving group(flick)
Yahoo! - Unvalidate open url redirection
Automattic - Session Cookie without Secure flag set - OPTIONS method enabled on webserver
Yahoo! $400 - CSRF/email disclosure
Automattic - Simplenote Silverlight cross-domain policy misconfiguration
IRCCloud $100 Login CSRF can be bypassed (Similar approach to previous one).
IRCCloud - Log Out Cross site Request Forgery - Session Cookie without Secure flag set - Clickjacking: X-Frame-Options header missing
IRCCloud $1,000 Dangerous Persistent xss
IRCCloud - Unwanted Spamming Using CSRF [LOGGED IN USER]
Coinbase $100 2 factor authentication design flaw
IRCCloud $100 Host Header is not validated resulting in Open Redirect
IRCCloud - CSRF - Creating accounts
The Internet $7,500 TLS Triple Handshake Attack
Faceless - Bruteforce attack in login panel
Yahoo! $500 XSS in
Yahoo! $250 Bypass of the Clickjacking protection on Flickr using data URL in iframes
IRCCloud - Login page password-guessing attack(Brute-force attack-High).
IRCCloud $500 Persistent Cross Site Scripting within the IRCCloud Pastebin
IRCCloud - CSRF to Account Take Over Bug
IRCCloud - DNS Misconfiguration
IRCCloud - User Account Creation CSRF
IRCCloud $100 iOS application does not destroy session upon logout.
IRCCloud $100 Bug in iOS application which could lead to unauthorised access.
IRCCloud - "SESSION" Cookie without HttpOnly flag set
IRCCloud $100 Missing X-Content-Type-Options
IRCCloud - Session cookie can be leaked over an unencrypted HTTP connection
IRCCloud $500 Full account takeover using CSRF and password reset
IRCCloud $500 Session Token is not Verified while changing Account Setting's which Result In account Takeover
IRCCloud - HTML Form without CSRF protection
IRCCloud $100 Leaking Referrer in Reset Password Link
IRCCloud $100 Bruteforcing irccloud login
IRCCloud $100 Unsecure cookies, cookie flag secure not set
IRCCloud $100 Sign up CSRF
IRCCloud $100 Login CSRF
concrete5 - XSS on [/concrete/concrete/elements/dashboard/sitemap.php]
concrete5 - Cross-Site Scripting in getMarketplacePurchaseFrame
Faceless - Blocking yourself
C2FO - The server supports only older protocols for HTTPS connections
Yahoo! $2,000 Open Proxy,, 4/09/14, #SpringClean
Yahoo! $200 CSRF Token is missing on DELETE message option on
Yahoo! $400 CSRF Token missing on
ReddAPI - No Captcha or rate limit on Login Page
InVision - TLS Renegotiation and Denial of Service Attacks on InVision.
Yahoo! $3,000 REMOTE CODE EXECUTION/LOCAL FILE INCLUSION/XSPA/SSRF, view-source:http://sb*, 4/6/14, #SpringClean
Yahoo! $500 Comment Spoofing at
OpenSSL - TLS heartbeat read overrun CVE-2014-0160
Khan Academy - XSS at