Public Automattic bug reports.

Team Bounty Title
Automattic $225 XSS Vulnerability in WooCommerce Product Vendors plugin
Automattic $800 SSRF and local file disclosure in https://wordpress.com/media/videos/ via FFmpeg HLS processing
Automattic $500 An Automattic employee's GitHub personal access token exposed in Travis CI build logs
Automattic $250 cloudup Subdomain Takeover That resolves to Desk.com ( CNAME cloudup.desk.com )
Automattic $100 Follow Button XSS
Automattic $300 [bbPress] Stored XSS in any forum post.
Automattic $500 WordPress core stored XSS via attachment file name
Automattic $1,337 WordPress SOME bug in plupload.flash.swf leading to RCE
Automattic $1,337 WordPress Flash XSS in *flashmediaelement.swf*
Automattic $75 XSS on www.wordpress.com
Automattic $75 Akismet Several CSRF vulnerabilities
Automattic $75 CPU utilization 99% on visiting wordpress site url & open redirect found
Automattic $75 XSS at wordpress.com
Automattic $75 XSS at www.woothemes.com
Automattic $250 Internal GET SSRF via CSRF with Press This scan feature
Automattic $50 Possible Timing Side-Channel in XMLRPC Verification
Automattic $75 XSS on codex.wordpress.org
Automattic $75 Remove anyone's Gravatar picture
Automattic $75 CSV Injection in polldaddy.com
Automattic $50 WooCommerce: Support Ticket indirect object reference
Automattic $100 XSS in WordPress
Automattic $100 Verification code issues for Two-Step Authentication
Automattic - Open Redirect in WordPress Feed Statistics {Affected All Versions}
Automattic - Missing HSTS header in https://app.simplenote.com
Automattic - Missing HSTS header in https://public-api.wordpress.com
Automattic - Top 10 2013-A2-Broken Authentication and Session Management - wordpress.com
Automattic - User Enumeration and Guessable User Account Attack on WORDPRESS
Automattic - Process of changing email address and password does not ask for the old password.
Automattic - Serving Transitions From: HTTP Protocol (not secure)
Automattic - genericons.com - DOM based XSS.
Automattic - http://jetpack.me/ Self XSS
Automattic $250 privilege escalation
Automattic - information disclosure
Automattic - XSS on gravatar
Automattic - xss in simperium.com
Automattic - logout csrf app.simplenote.com/logout
Automattic - xss in app.simplenote.com
Automattic - https://polldaddy.com storage.swf XSS
Automattic - HTML form without CSRF protection
Automattic - Session Cookie without Secure flag set
Automattic - Session Cookie without Secure flag set
Automattic - Simplenote Silverlight cross-domain policy misconfiguration