Public HackerOne bug reports.


Team Bounty Title
Unikrn $200 HTML injection in email in unikrn.com
Rockstar Games $500 dom based xss in http://www.rockstargames.com/GTAOnline/ (Fix bypass)
Legal Robot $20 No length limit in invite_code can cause server degradation
Legal Robot $20 CSP script-src includes "unsafe-inline"
Legal Robot $20 Improper validation of parameters while creating issues
Legal Robot $100 Update any profile
Legal Robot $20 first name and last name restrictions bypass
Legal Robot $20 TabNabbing issue (due to target=_blank)
Legal Robot $20 Incorrect error message
Legal Robot $20 Incorrect email content when disabling 2FA
Legal Robot $20 Lengthy manual entry of 2FA secret
Trello $128 A CRLF injection into the redirect URL of https://trello.com/1/authorize can be used to cause a denial of service when later redirected to
Quora $500 [Quora Android] Possible to steal arbitrary files from mobile device
Snapchat $5,000 RCE/LFI on test Jenkins instance due to improper authentication flow
Legal Robot $40 Code injection
Legal Robot $20 User enumeration from failed login error message
Brave Software $200 URL Spoof / Brave Shield Bypass
Legal Robot $20 Change password logic inversion
Legal Robot $20 Profile fields validation bypass
Legal Robot $20 Profile shows incorrect account creation date
Rockstar Games $500 dom based xss in https://www.rockstargames.com/GTAOnline/
Bitvise $100 The POODLE attack (SSLv3 supported)
Unikrn $50 Escaping images directory in S3 bucket when saving new avatar, using Path Traversal in filename
Boozt Fashion AB $60 Password reset token issue
Legal Robot $20 [Cross-domain Referer leakage] Password reset token leakage via referer
Automattic $225 XSS Vulnerability in WooCommerce Product Vendors plugin
Rockstar Games $600 CSRF Vulnerability allows attackers to steal SocialClub private token.
Legal Robot $20 Token leakage by referrer header & analytics
Zomato $500 Restaurant payment information leakage
Unikrn $40 Flash CSRF: Update Ad Frequency %: [cp-ng.pinion.gg]
Zomato $100 Length extension attack leading to HTML injection
Legal Robot $20 No notification on change password feature
Legal Robot $20 Meta characters are not filtered into full name on profile page
Legal Robot $20 Pages don't render in old browsers like IE11
Legal Robot $60 Missing Issuer parameter on TOTP 2FA
Moneybird $50 Stored XSS at Moneybird
Legal Robot $20 [New Feature] Password history check
TTS Bug Bounty $150 The Federalist session cookie (federalist.sid) is not properly invalidated - backdoor access to the account is possible
Legal Robot $20 User enumeration
Legal Robot $20 Password complexity ignores empty spaces
Legal Robot $60 Users with 2FA can have multiple sessions
Legal Robot $20 Account profile shows encryption recovery box for all users
Legal Robot $60 Enhancement: email confirmation for 2FA recovery
Legal Robot $20 Intercom chat session information persists after logout
Legal Robot $60 2FA Error Handling on Google Authenticator
Legal Robot $90 2FA user enumeration via password reset
Legal Robot $40 Password complexity not evenly enforced
Legal Robot $90 Missing link to 2FA recovery code
Legal Robot $90 Missing link to TOTP manual enroll option
Legal Robot $60 Non-functional 2FA recovery codes
TTS Bug Bounty $150 Race condition on the Federalist API endpoints can lead to a Denial of Service attack
Zomato $50 Posting to Twitter CSRF on php/post_twitter_authenticate.php
Grabtaxi Holdings Pte Ltd $1,000 Git repository found
Twitter $10,080 XXE on sms-be-vip.twitter.com in SXMP Processor
Coinbase $100 Information disclosure same issue #176002
Grabtaxi Holdings Pte Ltd $200 [parcel.grab.com] DOM XSS at /assets/bower_components/lodash/perf/
HackerOne $1,500 Reading redacted data via hackbot's answers
Grabtaxi Holdings Pte Ltd $200 Dom based xss affecting all pages from https://www.grab.com/.
Zomato $250 Bypass OTP verification when placing Order
VK.com $100 Learn the name and avatar of a private group from a video clip.
Zomato $500 [█████████] Hardcoded credentials in Android App
Twitter $420 Open Redirect
Snapchat $250 [spectacles.com] Bypassing quantity limit in orders
Coinbase $100 Captcha Bypass in Coinbase SignUp Form
Rockstar Games $500 Reflected XSS via Double Encoding
Zomato $300 SQL Injection, exploitable in boolean mode
TTS Bug Bounty $350 [IDOR] The authenticated user can restart website build or view build logs on any other Federalist account
TTS Bug Bounty $300 A user who was removed from the GitHub organization can still access all Federalist functions if they did not log out
Zomato $1,000 Login to any account with the email address
TTS Bug Bounty $300 Double Stored Cross-Site scripting in the admin panel
shopify-scripts $800 Use after free in mruby-mpdecimal
Apache httpd (IBB) $1,500 Apache HTTP Request Parsing Whitespace Defects CVE-2016-8743
Shopify $500 IDOR [partners.shopify.com] - User with ONLY Manage apps permission is able to get shops info and staff names from inside the shop
RubyGems $1,000 Installing a crafted gem package may create or overwrite files CVE-2017-0901
Rockstar Games $1,000 XSS in http://www.rockstargames.com/theballadofgaytony/js/jquery.base.js
VK.com $100 No token on adding a song to a user's playlist
shopify-scripts $800 Null pointer dereference with send/method_missing
Maximum $50 Open redirect on https://werkenbijdefensie.nl/
Pornhub $500 Stored XSS in the any user profile using website link
Apache httpd (IBB) $1,500 ap_find_token() Buffer Overread CVE-2017-7668
Starbucks $2,000 Possible subdomain takeover at openapi.starbucks.com
Rockstar Games $500 flash injection in http://www.rockstargames.com/IV/imgPlayer/imageEmbed.swf
Python (IBB) $500 Unsafe arithmetic in PyString_DecodeEscape
Pornhub $750 pornhub.com/user/welcome/basicinfo nickname field is vulnerable to XSS
Shopify $500 Stored XSS in *.myshopify.com
Maximum $350 Open Redirect & Information Disclosure [mijn.werkenbijdefensie.nl]
Mail.Ru $100 BruteForce Any [My.com] Account Credentials.
Automattic $800 SSRF and local file disclosure in https://wordpress.com/media/videos/ via FFmpeg HLS processing
Snapchat $500 CRLF Injection at vpn.bitstrips.com
MapsMarker.com e.U. $20 Cross-site Scripting (XSS) in /updates-pro/archive/
ToyTalk $200 Host Header Injection and Cache Poisoning
Perl (IBB) $500 heap-buffer-overflow (READ of size 61) in Perl_re_intuit_start()
Rockstar Games $250 Control characters incorrectly handled on Crew Status Update
Keybase $500 Universal Cross-Site Scripting in Keybase Chrome extension
Shopify $5,000 XSS on $shop$.myshopify.com/admin/ and partners.shopify.com via whitelist bypass in SVG icon for sales channel applications
Perl (IBB) $500 heap-buffer-overflow (READ of size 11) in Perl 5.25.x
Snapchat $15,000 Open prod Jenkins instance
Rockstar Games $1,000 Stored XSS in profile activity feed messages
Rockstar Games $1,000 Stored XSS in snapmatic comments
Shopify $3,000 XSS on any Shopify shop via abuse of the HTML5 structured clone algorithm in postMessage listener on "/:id/digital_wallets/dialog"
VK.com $100 CSRF on resetting the broadcast key.
Legal Robot $20 Domain takeover (legalrobot.co.za)
WordPress $275 DOM Based XSS In mercantile.wordpress.org
WordPress $275 Stored self-XSS in mercantile.wordpress.org checkout
Mail.Ru $150 XSS in portal navigation
HackerOne $10,000 WannaCrypt “Killswitch”
Mail.Ru $500 XSS in https://e.mail.ru/
Pornhub $250 Partial disclosure of Private Videos through data-mediabook attribute information leak
Discourse $256 Any authenticated user can download full list of users, including email
Discourse $64 SSRF in upload IMG through URL
Paragon Initiative Enterprises $50 Directory Disclosure, Email Disclosure (Zendmail vulnerability)
Maximum $50 Cross-site Scripting (XSS) on [maximum.nl]
Trello $256 Cross-Site Scripting on Trello's iPhone App
Instacart $150 Reverse Tab-nabbing at www.instacart.com/store/partner_recipe?recipe_url=
Instacart $100 XSS in instacart.com/store/partner_recipe
shopify-scripts $100 Heap Overflow in fiber_switch triggered from Fiber.transfer
Dashlane $100 [https://www.dashlane.com] Test Panel Disclosure
Maximum $300 IDOR in editing courses
Mail.Ru $500 XSS in https://e.mail.ru/
Harvest $300 [platform.harvestapp.com] Reflected XSS in Error Message via URL parameters
Ubiquiti Networks $100 HTML Injection on airlink.ubnt.com
VK.com $1,000 local file disclosure via FFmpeg hls processing
Shopify $2,000 Reflected XSS in <any>.myshopify.com through theme preview
HackerOne $500 HackerOne reports escalation to JIRA is CSRF vulnerable
RubyGems $500 Escape sequence injection in "summary" field CVE-2017-0899
Paragon Initiative Enterprises $50 Cross-site-Scripting
shopify-scripts $200 OP_SCALL in LHS of a OP_ASGN resulting in arbitrary memory write
HackerOne $1,000 Changing Victim's JIRA Integration Settings Through Multiple Bugs
Dashlane $350 Throttling Bypass - ws1.dashlane.com
Dashlane $300 Extract Billing admin email address using random team id
Mapbox $300 Node modules path disclosure due to lack of error handling
Uber $2,000 phone number exposure for riders/drivers given email/uuid
VK.com $100 View the videos that a user has ever sent in private messages.
Uber $8,500 SAML Authentication Bypass on uchat.uberinternal.com
Phabricator $300 IRC-Bot exposes information
Mapbox $500 Open Aws Amazon S3 Buckets
Pornhub $350 Mixed Reflected-Stored XSS on pornhub.com (without user interaction) in the playlist playing section
shopify-scripts $800 heap-use-after-free in mrb_vm_exec - vm.c:1247
ICQ $1,000 Duplicate: https://hackerone.com/reports/219171 (account access via password reset)
WordPress $150 Stored but [SELF] XSS in mercantile.wordpress.org
shopify-scripts $100 heap use after free in fiber_switch
WordPress $387.50 Reflected XSS at https://da.wordpress.org/themes/?s= via "s=" parameter
The Internet $500 Mercurial can be tricked into granting authorized users access to the Python debugger CVE-2017-9462
Trello $128 Malicious file can be hidden as Card Attachment or Card Cover image
WordPress $275 XSS in the search bar of mercantile.wordpress.org
YouPorn $250 DOM-based XSS on youporn.com (main page)
OpenSSL (IBB) $500 Excessive allocation of memory in dtls1_preprocess_fragment() (CVE-2016-6308) CVE-2016-6308
OpenSSL (IBB) $500 Excessive allocation of memory in tls_get_message_header() (CVE-2016-6307) CVE-2016-6307
OpenSSL (IBB) $500 Certificate message OOB reads (CVE-2016-6306) CVE-2016-6306
OpenSSL (IBB) $500 OOB read in TS_OBJ_print_bio() (CVE-2016-2180) CVE-2016-2180
OpenSSL (IBB) $500 OOB write in BN_bn2dec() (CVE-2016-2182) CVE-2016-2182
OpenSSL (IBB) $500 Malformed SHA512 ticket DoS (CVE-2016-6302) CVE-2016-6302
OpenSSL (IBB) $500 OOB write in MDC2_Update() (CVE-2016-6303) CVE-2016-6303
ok.ru $300 Blind SQL Injection
shopify-scripts $800 Null pointer dereferences in kh_copy_mt
Twitter $560 HTTP 401 response injection on "amp.twimg.com/amplify-web-player/prod/source.html" through "image_src" parameter
shopify-scripts $800 heap-buffer-overflow (read outside of buffer) in mrb_vm_exec()
Open-Xchange $200 Critical : View/Edit access to private appointments of calendar folder by read only user (Vertical privilege escalation)
Open-Xchange $200 Unauthorized access to attachments details of Private Calendar appointments (Access control issue)
Mavenlink $50 Tabnabbing via Window.Opener @Mavenlink
Ubiquiti Networks $100 Expired SSL certificate
Algolia $200 [GitHub Extension] Unsanitised HTML leading to XSS on GitHub.com
HackerOne $750 Race condition leads to duplicate payouts
HackerOne $500 Subdomain takeover #4 at info.hacker.one
shopify-scripts $100 mirb only: stack-buffer-overflow (OOB write) in main()
Maximum $25 XSS
VK.com $100 api.vk.com returns an authenticated vk.com HTML page in the response
Dovecot $600 Dovecot authentication is vulnerable to timing attacks.
shopify-scripts $100 Invalid Pointer reference in L_RESCUE
Harvest $400 Client can redirect payment, causing payment discrepancy between Harvest and PayPal
Uber $5,000 Authentication bypass on auth.uber.com via subdomain takeover of saostatic.uber.com
Twitter $280 [██████████.gnip.com] .htpasswd disclosure
Open-Xchange $200 Resend invitation to members by Read only user (Privilege Escalation)
VK.com $2,000 Ability to hack any user who does not use two-factor authentication by receiving the recovery code on someone else's number.
Ubiquiti Networks $150 XSS
Ubiquiti Networks $500 [dev-unifi-go.ubnt.com] Insecure CORS, Stealing Cookies
shopify-scripts $100 SIGABRT in sym_validate_len - symbol.c:44
Coinbase $100 [buy.coinbase.com] Content Injection
shopify-scripts $800 Invalid pointer dereference in OP_ENTER
shopify-scripts $800 SIGSEGV in array_copy - array.c:71
Twitter $560 [Gnip Blogs] Reflected XSS via "plupload.flash.swf" component vulnerable to SOME
Kaspersky Lab $400 In App purchase Hack
Automattic $500 An Automattic employee's GitHub personal access token exposed in Travis CI build logs
shopify-scripts $800 Null pointer dereference in OP_ENTER
Starbucks $500 Stored XSS in comments on https://www.starbucks.co.uk/blog/*
RubyGems $1,000 Request Hijacking Vulnerability in RubyGems 2.6.11 and earlier CVE-2017-0902
Shopify $1,000 XSS in $shop$.myshopify.com/admin/ via twine template injection in "Shopify.API.Modal.input" method when using a malicious app
Shopify $800 XSS in $shop$.myshopify.com/admin/ via "Button Objects" in malicious app
shopify-scripts $800 kh_put_iv SEGFAULT - mruby 1.2.0
Maximum $300 Possible to view and takeover other user's education and courses @ mijn.werkenbijdefensie.nl
Maximum $150 Possible to unsubscribe from activities using CSRF @ mijn.werkenbijdefensie.nl
HackerOne $1,000 Subdomain takeover #3 at info.hacker.one
shopify-scripts $100 SIGSEGV in mrb_vm_exec
shopify-scripts $800 SIGSEGV in mrb_str_inum
Mail.Ru $750 Stored XSS in e.mail.ru (payload affect multiple users)
shopify-scripts $800 Heap Buffer Overflow in mrb_hash_keys
OpenSSL (IBB) $2,500 OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
Nextcloud $450 Reflected XSS in error pages (NC-SA-2017-008) CVE-2017-0891
Pornhub $250 Reflected XSS in login redirection module
Phabricator $750 Phabricator is vulnerable to padding oracle attacks and chosen-ciphertext attacks.
shopify-scripts $800 SIGABRT - in free
shopify-scripts $800 heap use-after-free in mrb_vm_exec()
shopify-scripts $800 Crash in ary_concat()
Shopify $500 Full access at an internal service of Shopify
Pornhub $500 Blind Stored XSS against Pornhub employees using Amateur Model Program
shopify-scripts $800 Null pointer dereferences in mrb_get_args
shopify-scripts $800 SIGABRT in mrb_debug_info_append_file
shopify-scripts $800 Null pointer dereference in mrb_class
shopify-scripts $300 Garbage collector crash
HackerOne $2,000 A HackerOne employee's GitHub personal access token exposed in Travis CI build logs
shopify-scripts $800 SIGSEGV in mrb_class
ownCloud $150 HTML Injection in Owncloud
Twitter $2,520 CSRF on Periscope Web OAuth authorization endpoint
VK.com $200 Replacing the SSL certificate of any group in the Manage Group -> API section as an unauthorized user.
Ubiquiti Networks $6,000 Ability to log in as any user without authentication if █████████ is empty
Brave Software $100 [iOS] URL can be replaceState by blob URL in iOS Brave
shopify-scripts $800 SIGSEGV in mrb_vm_exec
HackerOne $500 Report invitation links not restricted to any existing user
Rockstar Games $350 Profile bio at rockstar is accepting control characters
shopify-scripts $800 Null pointer dereference in ary_concat
Shopify $500 Stored passive XSS at scheduled posts (kitcrm.com)
shopify-scripts $100 SIGABRT - mirb - Double Free
Rockstar Games $350 Login form on non-HTTPS page
Trello $768 Rate limiting of incorrect Two Factor Authentication codes not enforced
shopify-scripts $800 Null pointer dereferences in ary_concat
Yelp $100 Clickjacking Vulnerability found on Yelp
Shopify $1,500 Stored XSS in [shop].myshopify.com/admin/orders/[id]
Discourse $512 Admin Command Injection via username in user_archive ExportCsvFile
BrickFTP $600 File access controls incorrectly enforced for files shared via QuickLink - Unshared files can be accessed
shopify-scripts $800 SIGABRT - mirb and mruby
Phabricator $600 Differential "Show Raw File" feature exposes generated files to unauthorised users
Legal Robot $60 Token leakage by referrer
shopify-scripts $800 SIGSEGV - mrb_obj_value
Discourse $512 Arbitrary Local-File Read from Admin - Restore From Backup due to Symlinks
shopify-scripts $800 Use-after-free leading to an invalid pointer dereference
shopify-scripts $100 SIGSEGV in str_buf_cat
Nextcloud $250 DOM XSS vulnerability in search dialogue (NC-SA-2017-007) CVE-2017-0890
Legal Robot $40 Password reset form ignores email field
shopify-scripts $800 SIGABRT in only mirb
HackerOne $750 IE 11 Self-XSS on Jira Integration Preview Base Link
Imgur $5,000 RCE by command line argument injection to `gm convert` in `/edit/process?a=crop`
shopify-scripts $800 SIGSEGV - kh_get_n2s - in /src/symbol.c:37
shopify-scripts $100 sprintf gem - format string combined attack
shopify-scripts $800 Null pointer dereference in mrb_class
shopify-scripts $800 SIGSEGV - mrb_yield_with_class
Algolia $100 An “algobot”-s GitHub access token was leaked
Moneybird $50 Stored Cross Site Scripting in Customer Name
Shopify $500 Stealing users' facebook access tokens - kitcrm.com
Rockstar Games $150 Source Code Disclosure (CGI)
Gratipay $1 Inadequate/dangerous jQuery behavior
VK.com $200 Post on any user's wall in their name if they follow a link. https://vk.com/al_video.php
shopify-scripts $800 Null pointer dereference in 'get_file'
Rockstar Games $350 Control Character Injection In Messages
LocalTapiola $100 XSS on 3rd party service Localtapiola is using
Rockstar Games $300 use of unsafe host header leads to open redirect
shopify-scripts $800 Null pointer dereferences from mrb_vm_exec
Slack $850 Bypass to postMessage origin validation via FTP
Rockstar Games $150 Full path Disclosure in Rockstargames.com/img/global/
shopify-scripts $800 mrb_vm_exec - null ptr dereference
Rockstar Games $150 SSLv3 POODLE Vulnerability
shopify-scripts $800 Invalid Pointer Reference from OP_RESCUE
HackerOne $500 Transitioning a Private Program to Public Does Not Clear Previously Private Updates to Hackers
shopify-scripts $800 SIGSEGV - mark_context_stack
HackerOne $100 javascript: and mailto: links are allowed in JIRA integration settings
shopify-scripts $800 Heap buffer overflow in mruby value_move
Starbucks $250 DOM XSS on teavana.com via "pr_zip_location" parameter
shopify-scripts $800 Heap buffer overflow with long array assignment
LocalTapiola $264 HTML Injection in email from http://www.lahitapiola.fi/henkilo/sivut/tonttutesti
Ruby $500 public report - Reproducible - Writable RubyCi Amazon s3 bucket[207053]
Ruby $500 Open S3 Bucket WriteAble To Any Aws User
HackerOne $1,000 Subdomain takeover #2 at info.hacker.one
Twitter $7,560 [URGENT] Opportunity to publish tweets on any twitters account
BrickFTP $100 CSRF @ configuration
Udemy $50 Subdomain Takeover at Landing.udemy.com
VK.com $100 Bypass: "This audio recording is not available for listening in your region."
Ubiquiti Networks $100 Reflected cross-site scripting (XSS) vulnerability in scores.ubnt.com allows attackers to inject arbitrary web script via p parameter.
shopify-scripts $800 Null pointer dereference in mark_context_stack
Lyst $100 Site configured improperly at subdomain of lyst.co.uk
shopify-scripts $100 Memory corruption in mrb_gc_mark
LocalTapiola $200 Brute force unsubscription on /webApp/unsub_sb (viestinta.lahitapiola.fi)
LocalTapiola $50 /icons/README is still available on viestinta.lahitapiola.fi
Perl (IBB) $1,000 read outside of buffer (heap buffer overflow) in S_regmatch - regexec.c:6057
Pornhub $50 http://ht.pornhub.com/ stored XSS in widget stylesheet
shopify-scripts $800 Heap use-after-free in mrb_vm_exec
Ubiquiti Networks $1,000 sqli
Shopify $500 Subdomain takeover on s3.shopify.com
Lyst $100 Mixed Active content issue on https://www.lyst.com
shopify-scripts $100 Controlled address leak due to type confusion - ASLR bypass
HackerOne $750 Information leakage via CSV when content is valid JavaScript
Slack $3,000 Stealing xoxs-tokens using weak postMessage / call-popup redirect to current team domain
Ruby $500 Writable RubyCi Amazon s3 bucket
HackerOne $1,500 Stealing contact form data on www.hackerone.com using Marketo Forms XSS with postMessage frame-jumping and jQuery-JSONP
Uber $2,500 SQL injection in 3rd party software Anomali
Robinhood $100 Open Redirect located at https://www.robinhood.com/oauth2/authorize/?
YouPorn $100 XSS via login cookie
Starbucks $750 Persistent CSRF in /GiftCert-AddToBasket prevents purchases on eCommerce sites
shopify-scripts $800 Heap Buffer Overflow while processing OP_SEND
Imgur $2,500 Remote Code Execution on Git.imgur-dev.com
shopify-scripts $800 mruby heap use-after-free
LocalTapiola $50 show control page if you insert ' at http://viestinta.lahitapiola.fi/
shopify-scripts $100 Integer overflow in str_substr leading to read/write out of bound memory
shopify-scripts $800 Use After Free in mrb_vm_exec
shopify-scripts $800 Heap Buffer overflow in mrb_ary_unshift
shopify-scripts $100 SIGABRT - method_missing - mark_context_stack
Zopim $50 express config leaking stacktrace
Uber $1,500 pam-ussh may be tricked into using another logged in user's ssh-agent
shopify-scripts $800 A crash when an exception is caught in a caller and the receiver returned from `ensure`
shopify-scripts $100 segfault in mruby's sprintf - mrb_str_format
WordPress $350 Infrastructure - Photon - SSRF
shopify-scripts $800 Heap buffer overflow with many arguments
Rockstar Games $1,400 <- Critical IDOR vulnerability in socialclub allow to insert and delete comments as another user and it discloses sensitive information ->
LocalTapiola $315 High server resource usage on captcha (viestinta.lahitapiola.fi)
shopify-scripts $1,000 Segmentation fault while printing backtrace
YouPorn $250 Reflected XSS in Meta Tag
YouPorn $2,500 Time Based SQL injection in POST parameter login[username] [domain - youporn.com]
Greenhouse.io $100 Open Redirect in <customer>.greenhouse.io
Ubiquiti Networks $150 AirFibre products vulnerable to HTTP Header injection
shopify-scripts $800 forgot to add the patch
Nextcloud $183 Calendar and addressbook names disclosed (NC-SA-2017-012) CVE-2017-0895
WordPress $350 Wordpress 4.7.2 - Two XSS in Media Upload when file too large.
shopify-scripts $100 SIGSEGV - mrb_vm_exec - line:1312
Algolia $100 Reflected XSS
YouPorn $150 Find whether a video has been favourited or not, for any user [via YouPorn Mobile API]
Pornhub $1,500 Wordpress Content injection
Twitter $7,560 Vine: private/sensitive information disclosure for all registered users [IP address, phone number, email and many other fields]
HackerOne $1,000 Subdomain takeover at info.hacker.one
VK.com $400 Missing Server Side Rate Limiting can Lead to VK Account Take over
Mapbox $750 Public access to objects in AWS S3 bucket
shopify-scripts $800 Denial of service (segfault) due to null pointer dereference in mrb_vm_exec
shopify-scripts $800 Denial of service (segfault) due to null pointer dereference in mrb_obj_instance_eval
Pornhub $250 XSS Vulnerability at https://www.pornhubpremium.com/premium_signup? URL endpoint
Pornhub $250 [xss] pornhubpremium.com, /redeem?code= URL endpoint
Phabricator $300 User with only Viewing Privilege can send message to Room
shopify-scripts $100 Null pointer dereference in mrb_random_initialize
Instacart $100 Login with Google Not Authenticated on iOS App
Ubiquiti Networks $600 Wordpress directories/files visible to internet
YouPorn $1,000 Account hijack via deleted PH account
shopify-scripts $800 SIGSEGV - vm.c - line:1214
shopify-scripts $100 Segmentfault at mrb_vm_exec
shopify-scripts $2,000 Recursion causing uninitialized memory reads leading to a segfault
Automattic $250 cloudup Subdomain Takeover That resolves to Desk.com ( CNAME cloudup.desk.com )
LocalTapiola $400 Single user DOS on selectedLanguage -cookie (yrityspalvelu.lahitapiola.fi)
Ubiquiti Networks $150 Can upload files without authentication on AirFibre 3.2
OpenSSL (IBB) $1,000 CVE-2017-3730: Bad (EC)DHE parameters cause a client crash
LocalTapiola $100 Enumeration in unsubscribe -function of /omatalousuk (viestinta.lahitapiola.fi)
Twitter $5,040 Attacker can get all information of Vine repost users, even IP address and location.
LocalTapiola $150 Reflected XSS on iltakoulu_varkaus (viestinta.lahitapiola.fi)
PHP (IBB) $500 Out of bounds memory read in unserialize() CVE-2016-10161
Algolia $100 [github.algolia.com] DOM Based XSS github-btn.html
shopify-scripts $100 heap-use-after-free /home/operac/testafl/mruby/mrubylast/mruby/src/gc.c
LocalTapiola $1,350 SQL Injection /webApp/cancel_iltakoulu regId parameter (viestinta.lahitapiola.fi)
Ubiquiti Networks $100 [nutty.ubnt.com] DOM Based XSS nuttyapp github-btn.html
LocalTapiola $50 CSRF bypass + XSS on verkkopalvelu.tapiola.fi
Alvosec $3 Alvocrypt uses a cryptographically insecure PRNG.
Slack $1,000 Access of Android protected components via embedded intent
shopify-scripts $100 Incorrect code generation with redo inside NODE_RESCUE.
LocalTapiola $1,350 SQL Injection on /webApp/lapsuudenturva (viestinta.lahitapiola.fi)
LocalTapiola $350 Sql injection on /webApp/sijoituswebinaari (viestinta.lahitapiola.fi)
LocalTapiola $350 SQL Injection on /webApp/viivanalle (viestinta.lahitapiola.fi)
Harvest $250 Persistent XSS on ForecastApp
HackerOne $500 Google Analytics could be used as CSP bypass for data exfiltration on hackerone.com
shopify-scripts $800 Aborted - proc.c - line:143
Twitter $560 Clickjacking Periscope.tv on Chrome
shopify-scripts $100 SIGABRT - mrb_realloc_simple - gc.c - line:201
QIWI $150 [XSS/pay.qiwi.com] Pay SubDomain Hard-Use XSS
QIWI $250 [XSS/3dsecure.qiwi.com] 3DSecure XSS
Ubiquiti Networks $2,000 [EdgeSwitch] Web GUI command injection as root with Privilege-1 and Privilege-15 users
shopify-scripts $100 Crash in print_backtrace
Discourse $256 Stored XSS in posts because of absence of oembed variables values escaping
Discourse $256 Stored XSS in topics because of whitelisted_generic engine vulnerability
shopify-scripts $800 Null pointer dereference in mrb_str_modify
shopify-scripts $800 Still heap overflow in mrb_ary_splice
shopify-scripts $100 SIGSEGV - mrb_obj_extend - line:413
shopify-scripts $800 SIGSEGV - mrb_vm_exec - line:1681
Discourse $256 XSS in topics because of bandcamp preview engine vulnerability
VK.com $300 SSRF via Share bots
Rockstar Games $650 [IMP] - Blind XSS in the admin panel for reviewing comments
Rockstar Games $500 Ability to post comments to a crew even after getting kicked out
YouPorn $1,000 IDOR - Access to private video thumbnails even if video requires password authentication
VK.com $100 Ability to view the video recommendations of any VK user
Starbucks $375 Open redirect / Reflected XSS payload in root that affects all your sites (store.starbucks.* / shop.starbucks.* / teavana.com)
shopify-scripts $800 Heap Buffer overflow in mrb_funcall_with_block
HackerOne $2,000 Disclose any user's private email through API
Slack $200 dom xss in https://www.slackatwork.com
shopify-scripts $800 Segmentation fault on program counter
Shopify $500 apps.shopify.com - CSRF token leakage through Google Analytics
shopify-scripts $800 SIGSEGV - mrb_vm_exec - vm.c in line:1272
shopify-scripts $800 SIGSEGV in mrb_vm_exec
Snapchat $250 RTLO char allowed in chat
Instacart $100 XSS in instacart.com/store/partner_recipe
PHP (IBB) $500 Use of uninitialized memory in unserialize() CVE-2017-5340
shopify-scripts $100 Segmentation fault - mrb_gc_mark
Slack $100 Subdomain takeover on podcasts.slack-core.com
Starbucks $250 SAP Server - default credentials enabled
Shopify $1,000 CSRF in all API endpoints when authenticated using HTTP Authentication
Open-Xchange $250 Set Cookie Via SVG
shopify-scripts $800 Heap overflow due to off-by-one when expanding stack
shopify-scripts $200 Heap use-after-free during range creation
Shopify $500 Authentication Bypass on monitoring server
LocalTapiola $100 OpenSSL Padding Oracle Attack (CVE-2016-2107) on viestinta.lahitapiola.fi
Yelp $100 Able to download arbitrary PHP files at yelpblog.com
Skyport Systems $25 Nginx version disclosure via forbidden page
LocalTapiola $400 Reflected XSS and Open Redirect (verkkopalvelu.lahitapiola.fi)
shopify-scripts $800 SIGABRT - mrb_default_allocf
shopify-scripts $800 SIGSEGV - kh_resize_iv - Null Deref
shopify-scripts $200 Double free of filename after codegen error
shopify-scripts $800 attempting double-free using the mruby compiler `mrbc`
Zendesk $2,000 a stored xss in web widget chat
shopify-scripts $800 Use After Free in str_replace
shopify-scripts $800 Null pointer dereference in mrb_str_prepend
shopify-scripts $800 mrb_str_modify try to write to memory not marked for writing
shopify-scripts $800 SIGSEGV - mrb_check_intern_str() - NullPointer
WebSummit $20 Subdomain Takeover at http://gameday.websummit.net
shopify-scripts $1,000 Memory disclosure in timegm
Mapbox $1,000 Mapbox Android SDK uses Broadcast Receiver instead of Local Broadcast Manager
shopify-scripts $800 SIGSEGV Null Pointer mrb_str_concat()
shopify-scripts $100 heap-buffer-overflow on mruby
YouPorn $1,000 Account takeover via Pornhub Oauth
LocalTapiola $150 Creating arbitrary cookies values /cs/CookieServer (www.lahitapiola.fi)
Discourse $128 Users can bookmark other user's messages
shopify-scripts $800 kh_get_n2s() stack overrun
shopify-scripts $800 SIGABRT, SIGSEGV mspace_free() and mrb_default_allocf()
shopify-scripts $800 SIGSEGV on mrb_vm_exec() Null Deref
Harvest $300 Unauthorised read access to Expense Receipt of any user in the company (Vertical Privilege escalation)
shopify-scripts $800 Heap Overflow in mrb_arb_splice
shopify-scripts $100 mrb_vformat() heap overflow could lead to code execution
shopify-scripts $100 Integer Overflow in mrb_ary_set
Discourse $256 XSS vulnerability on Audio and Video parsers
Shopify $1,000 Stored XSS in blog comments through Shopify API
Shopify $500 XSS on postal codes
Badoo $280 CSRF Attack on (m.badoo.com) deleting account and erasing imported contacts
Ruby $500 Buffer underflow in sprintf
shopify-scripts $800 SIGSEGV mrb_obj_freeze() Manipulating Register RAX and RSI
Nextcloud $300 Limitation of app specific password scope can be bypassed (NC-SA-2017-009) CVE-2017-0892
shopify-scripts $800 SIGSEGV on mruby mrb_get_args()
Discourse $256 XSS Vulnerability on Image link parser
Discourse $256 DOM Based XSS in Discourse Search
shopify-scripts $1,000 Incorrect code generation when result of NODE_NEGATE is not used
Pornhub $1,000 XSS vulnerability using GIF tags
Legal Robot $20 Password complexity requirements not enforced
LocalTapiola $1,350 SQL Injection on /webApp/sijoitustalousuk email-parameter + potential lack of CSRF Token (viestinta.lahitapiola.fi)
LocalTapiola $450 Reflected XSS and Open Redirect in several parameters (viestinta.lahitapiola.fi)
Twitter $1,680 CRLF and XSS stored on ton.twitter.com
shopify-scripts $100 Invalid memory access in `mrb_str_format`
Twitter $140 Sub Domain Takeover at mk.prd.vine.co
Uber $2,500 Authorization issue in Google G Suite allows DoS through HTTP redirect
LocalTapiola $1,350 SQL Injection in lapsuudenturva (viestinta.lahitapiola.fi)
LocalTapiola $50 Reflected XSS on sankarikoulutus (viestinta.lahitapiola.fi)
Shopify $500 XSS on manually entering Postal codes
PHP (IBB) $500 Invalid parameter in memcpy function through openssl_pbkdf2
PHP (IBB) $500 imagefilltoborder stackoverflow on truecolor images
Starbucks $250 Reflected XSS on teavana.com (Locale-Change)
LocalTapiola $1,350 SQL Injection in sijoitustalous_peruutus (viestinta.lahitapiola.fi)
QIWI $100 [qiwi.com] .bash_history
LocalTapiola $400 Open Redirect bypass and cookie leakage on www.lahitapiola.com
shopify-scripts $1,000 Segfault when passing invalid values to `values_at`
Quora $150 [Android] XSS via start ContentActivity
Quora $300 [controlsyou.quora.com] 429 Too Many Requests Error-Page XSS
HackerOne $500 Websites opened from reports can change url of report page
shopify-scripts $10,000 Certain inputs cause tight C-level recursion leading to process stack overflow
Shopify $500 Unauthenticated Stored XSS on <any>.myshopify.com via checkout page
Pornhub $5,000 Unsecured DB instance
Starbucks $500 Persistent XSS in www.starbucks.com
HackerOne $10,000 Information Disclosure in /skills call
Pornhub $750 Unsecured Kibana/Elasticsearch instance
shopify-scripts $10,000 Buffer overflow in mrb_time_asctime
shopify-scripts $8,000 Segmentation fault due to bad memory access in kh_get_mt
Starbucks $150 Dom Based Xss DIV.innerHTML parameters store.starbucks*
Twitter $280 Vine - overwrite account associated with email via android application
shopify-scripts $10,000 Null pointer dereference due to bug in codegen with negation without using value
Slack $500 Store XSS
shopify-scripts $10,000 Invalid handling of zero-length heredoc identifiers leads to infinite loop in the sandbox
Starbucks $2,000 Subdomain takeover on happymondays.starbucks.com due to non-used AWS S3 DNS record
shopify-scripts $10,000 Crash: Overwriting NoMethodError with a builtin class crashes/corrupts memory
Pornhub $150 Stored XSS on the http://ht.pornhub.com/widgets/
Starbucks $100 Stored XSS in Adress Book (starbucks.com/account/profile)
Shopify $500 Stored XSS at 'Buy Button' page
Phabricator $300 Fetching binaries (for software installation) over HTTP without verification (RCE as ROOT by MITM)
Pornhub $1,500 IDOR - disclosure of private videos - /api_android_v3/getUserVideos
HackerOne $12,500 Internal attachments can be exported via "Export as .zip" feature
shopify-scripts $1,000 Crash: A call to Symbol.new leads to a crash when inspecting the resulting object
Ian Dunn $25 constant cache_page_secret in regolith
Ian Dunn $50 unchecked unserialize usages in audit-trail-extension/audit-trail-extension.php
Ian Dunn $25 unchecked unserialize usage in WordPress-Functionality-Plugin-Skeleton/functionality-plugin-skeleton.php
shopify-scripts $1,000 Invalid memory write caused by incorrect upper bound in array_copy
Twitter $560 Twitter for android is exposing user's location to any installed android app
Gratipay $1 Incomplete or No Cache-control and Pragma HTTP Header Set
Shopify $500 XSS in my.shopify.com in widget
shopify-scripts $8,000 Crash: mrb_any_to_s can't handle NilClass, Symbol and Fixnum
shopify-scripts $10,000 Crash: Initialize Decimal with itself triggers an assertion
shopify-scripts $1,000 Null pointer dereference regression in parse.y
shopify-scripts $18,000 Type confusion in wrap_decimal leading to memory corruption
shopify-scripts $20,000 Type confusion in mrb_exc_set leading to memory corruption
shopify-scripts $8,000 Crash: calling Proc::initialize_copy with a Proc instance where initialize never ran leads to a crash
shopify-scripts $1,000 Read after free in mrb_vm_exec with OP_ARYCAT reading R(B)
shopify-scripts $8,000 Denial of service due to invalid memory access in mrb_ary_concat
Slack $1,000 Eavesdropping on private Slack calls
shopify-scripts $8,000 mruby-time: Crash host with uninitialized Time obj
LocalTapiola $50 Disclosure of IBM Websphere page
LocalTapiola $450 XSS and open redirect in verkkopalvelu.lahitapiola.fi
Pornhub $520 Race Condition Vulnerability On Pornhubpremium.com
WordPress $350 [Buddypress] Arbitrary File Deletion through bp_avatar_set
LocalTapiola $100 SMTP configuration vulnerability viestinta.lahitapiola.fi
shopify-scripts $8,000 Segmentation fault when a Ruby method is invoked by a C method via Object#send
shopify-scripts $8,000 Null target_class DoS
shopify-scripts $10,000 Segfault and/or potential unwanted (byte)code execution with "break" and "||=" inside a loop
VK.com $500 Ability to perform a DoS attack on behalf of the vk.com server
shopify-scripts $8,000 SIGSEGV on mruby's mark_tbl() (Invalid memory access)
shopify-scripts $8,000 SIGSEGV on mruby mrb_str_modify() (Invalid memory access)
Boozt Fashion AB $200 Email link poisoning / Host header attack
shopify-scripts $10,000 Broken handling of maximum number of method call arguments leads to segfault
Badoo $140 Email Spoofing
HackerOne $10,000 Partial disclosure of report activity through new "Export as .zip" feature
shopify-scripts $10,000 Null pointer dereference due to TOCTTOU bug in mrb_time_initialize
LocalTapiola $60 Option method enabled (viestinta.lahitapiola.fi)
Python (IBB) $500 Type confusion in FutureIter_throw() which may potentially lead to an arbitrary code execution
PortSwigger Web Security $350 XSS in IE11 on portswigger.net via Flash
Pornhub $200 Reflected cross-site scripting (XSS) vulnerability in pornhub.com allows attackers to inject arbitrary web script or HTML.
Udemy $300 Completed Compromise & Source Code Disclosure via Exposed Jenkins Dashboard at https://jenkins101.udemy.com
shopify-scripts $8,000 SIGSEGV on mrb_ary_splice
Imgur $250 Stored xss in ALBUM DESCRIPTION
shopify-scripts $10,000 Range constructor type confusion DoS
shopify-scripts $20,000 TOCTTOU bug in mrb_str_setbyte leading to memory corruption
shopify-scripts $18,000 Struct type confusion RCE
shopify-scripts $10,000 SIGSEGV when invalid argument on remove_method
shopify-scripts $20,000 DoS: type confusion in mrb_no_method_error
Udemy $200 Jenkins
LocalTapiola $150 Multiple Reflected XSS /webApp/lahti (viestinta.lahitapiola.fi)
shopify-scripts $10,000 Segfault in mruby, mruby_engine and the parent MRI Ruby due to null pointer dereference
LocalTapiola $350 SQL Injection /webApp/sijoitustalous_peruutus locId parameter (viestinta.lahitapiola.fi)
VK.com $1,500 Stored XSS in private messages
LocalTapiola $264 HTML Injection in email /webApp/lahti (viestinta.lahitapiola.fi)
LocalTapiola $350 SQL Injection /webApp/oma_conf ctx parameter (viestinta.lahitapiola.fi)
LocalTapiola $60 Poodle attack SSLv3 Support (viestinta.lahitapiola.fi)
Twitter $1,120 [IDOR][translate.twitter.com] Opportunity to change any comment at the forum
shopify-scripts $8,000 Undefined method_missing null pointer dereference
shopify-scripts $10,000 Range#initialize_copy null pointer dereference
shopify-scripts $10,000 NULL pointer dereference when parsing ternary operators
Ubiquiti Networks $500 Subdomain Takeover (moderator.ubnt.com)
LocalTapiola $100 Error Page Content Spoofing or Text Injection (viestinta.lahitapiola.fi)
shopify-scripts $20,000 Use after free vulnerability in mruby Array#to_h causing DOS possible RCE
shopify-scripts $2,000 Memory disclosure in mruby String#lines method
shopify-scripts $8,000 Denial of Service in mruby due to null pointer dereference
Coinbase $100 Window.opener bug at www.coinbase.com
shopify-scripts $10,000 Exception cause SIGABRT
Legal Robot $40 Password reset access control
shopify-scripts $8,000 ruby DoS https://www.mruby.science
Legal Robot $40 Missing restriction on string size in profile fields
Yelp $300 X.509 certificate validation fails on international vanity domains
VK.com $300 SSRF (open) - via GET request
Trello $2,048 Stealing power up private tokens (trello, twitter, github...)
Zopim $100 Android SDK - CREATE_REQUEST broadcast is unprotected
Open-Xchange $500 Reflected Cross-Site Scripting due to vulnerable Flash component (Flashmediaelement.swf)
Open-Xchange $100 Selecting encryption for email with drive attachment overrides the drive email password
LocalTapiola $100 Suspicious browser fingerprinting(?) scripts on http://www.lahitapiola.fi/ redirector
LocalTapiola $1,560 SQL Injection on /webApp/omatalousuk (viestinta.lahitapiola.fi)
Blockchain $100 Information disclosure at https://blockchain.atlassian.net
Open-Xchange $666 Tab nabbing via window.opener
Open-Xchange $300 Stored XSS in Template Documents
Blockchain $400 Reflected XSS on blockchain.info
VK.com $1,000 New 2FA Bypass
LocalTapiola $400 Open Redirect (verkkopalvelu.lahitapiola.fi)
Blockchain $50 server version disclosure
Ubiquiti Networks $500 Stored XSS in community.ubnt.com
Imgur $5,000 Unauthenticated Docker registry
Nextcloud $50 Content Spoofing in "files" app CVE-2017-0888
Yelp $500 CSRF on signup endpoint (auto-api.yelp.com)
Badoo $280 Leave inaccessible messaging system with a message (https://us1.badoo.com)
Badoo $260 Arbitrary modification value "session" (Cookie) in badoo.com
Instacart $100 Access private list metadata
Uber $1,000 ability to retrieve a user's phone-number/email for a given inviteCode
InVision $300 CORS Man-in-the-Middle account compromise
Shopify $1,500 Misconfiguration in Two Factor Authorisation
Twitter $280 SSRF in https://cards-dev.twitter.com/validator
QIWI $300 Balance disclosure on //kopilka.qiwi.com
Harvest $250 Stored XSS in Restoring Archived Tasks
Starbucks $375 CSRF exploit | Adding/Editing comment of wishlist items (teavana.com - Wishlist-Comments)
Starbucks $150 CSRF vulnerability in saving payment card on store.starbucks.com (COBilling -AddCreditCard)
Badoo $140 Unvalidated redirect on team.badoo.com
LocalTapiola $588 Lahitapiola's customer names sent to 3rd party
Starbucks $375 Reflected XSS by exploiting CSRF vulnerability on teavana.com wishlist comment module. (wishlist-comments)
Starbucks $250 CSRF: add item to victim's cart automatically (starbucks.com - updatecart)
LocalTapiola $750 Email Server Compromised at secure.lahitapiola.fi
Mindoktor $2,000 XSS at endpoint clinic.mindoktor.se in flash cookie
Mindoktor $300 Storing sensitive information on cookie post-registration
Coinbase $200 Authentication Issue
Brave Software $50 [ios] Address bar spoofing in Brave for iOS
Harvest $100 Editing a project (LIMITED)
Twitter $2,520 Cross-site scripting (reflected)
itBit Exchange $1,000 Rounding error issue -> produce money for free
Brave Software $100 Denial of service attack(window object) on brave browser
Shopify $500 race condition in adding team members
Brave Software $50 Denial of service attack on Brave Browser.
Coinbase $100 Information disclosure of user by email using buy widget
Brave Software $100 Access to local file system using javascript
Brave Software $200 [iOS/Android] Address Bar Spoofing Vulnerability
Brave Software $100 Address Bar Spoofing - Already resolved - Retroactive report
Brave Software $150 URI Obfuscation
Shopify $2,000 Able to log in to a deactivated staff account in the Shopify mobile app
Twitter $140 Full Path Disclosure at 27.prd.vine.co
Trello $256 Can run arbitrary script on em.trello.com
Brave Software $50 [website] Script injection in newsletter signup https://brave.com/brave_youth_program_signup.html
Brave Software $50 2 Directory Listing on ledger.brave.com & vault-staging.brave.com
PHP (IBB) $500 memcpy negative parameter _bc_new_num_ex
PHP (IBB) $500 memcpy negative size parameter in php_resolve_path
PHP (IBB) $500 Write out-of-bounds at number_format
Brave Software $100 Homograph attack
Shopify $500 [ecommerce.shopify.com] Unvalidated redirection
Python (IBB) $1,000 chain.__setstate__ Type Confusion
Uber $1,000 Subdomain takeover on rider.uber.com due to non-existent distribution on Cloudfront
Slack $700 Information Disclosure on stun.screenhero.com
WePay $200 Enumeration of registered email addresses using bruteforce search on userIds
Sucuri $500 Administrator Access to grafana instance logstash2.sucuri.net with default credentials
Yelp $500 Requesting Show CheckIn Alert for Non Friend User
Harvest $150 Linking Invoice to uninvited project.
Trello $128 XSS on blog.trello.com
Twitter $1,260 View liked tweets of private account via publish.twitter.com
Badoo $140 No rate-limit in SERVER_SECURITY_CHECK
BrickFTP $250 Existence of Folder path by guessing the path through response
Nextcloud $250 Filename enumeration && DoS
Twitter $560 Circumventing the Twitter account lockout process [ACCOUNT TAKEOVER]
Harvest $300 Cookie Injection at 'harvestapp.com'
Trello $128 Full Sub Domain Takeover at help.trello.com.
Zopim $150 Full Sub Domain Takeover at wx.zopim.net
Slack $500 CSRF in github integration
PHP (IBB) $1,000 Buffer overflow in HTTP parse_hostinfo(), parse_userinfo() and parse_scheme()
ok.ru $100 web.xml configuration file disclosure
Instacart $150 Full access to any list
Boozt Fashion AB $400 Git available containing passwords.
Romit $513 [CRITICAL]-Taking over entire subdomain of romit.io
Uber $10,000 password reset token leaking allowed for ATO of an Uber account
Legal Robot $40 Bypass 8 chars password complexity with 6 chars only due to insecure password reset functionality
Snapchat $250 Bypassing "You've requested your data the maximum number of times today." + "Please Verify an email address with snapchat to continue"
Rockstar Games $500 DOM based reflected XSS in rockstargames.com/newswire/tags through cross domain ajax request
Shopify $500 password less login token expiration issue
Starbucks $750 out of date disqus shortname usage in the web app source code
Shopify $500 Add signature to transactions without any permission
Udemy $50 Content Spoofing in udemy
WebSummit $40 Subdomain take over signup.websummit
LocalTapiola $50 Reflected XSS in LTContactFormReceiver (/cs/Satellite)
Automattic $100 Follow Button XSS
Python (IBB) $1,500 LZMADecompressor.decompress Use After Free
PHP (IBB) $500 Heap overflow caused by type confusion vulnerability in merge_param()
Legal Robot $20 Information Disclosure on rate limit defense mechanism
Ubiquiti Networks $500 Authentication bypass on sso.ubnt.com via subdomain takeover of ping.ubnt.com
InVision $150 CRITICAL Any █████ of any screen can be removed by anyone!
Legal Robot $20 Near-duplicate accounts allowed with ignored email mutations
Algolia $100 No rate limit for Referral Program
Maximum $75 Facebook and Twitter pages of maximum.com claimed [important]
LocalTapiola $18,000 Oracle Webcenter Sites administrative and hi-privilege access available directly from the internet (/cs/Satellite)
HackerOne $500 Bypass rate limiting on /users/password (possibly site-wide rate limit bypass?)
Trello $128 SSRF in account webhook (through API)
Mail.Ru $300 Time-based SQL injection on https://puzzle.mail.ru
Slack $400 Email information leakage for certain addresses
Shopify $500 Open redirect in bulk edit
Imgur $100 Stored XSS in albums on http://m.imgur.com/
Nextcloud $750 Bypass permissions
Twitter $2,100 Twitter iOS fails to validate server certificate and sends oauth token
Coinbase $100 Information leakage on https://docs.gdax.com
IRCCloud $50 Exposed, outdated nginx server (v1.4.6) potentially vulnerable to heap-based buffer overflow & RCE
Snapchat $250 Incoming email hijacking on sc-cdn.net
Uber $500 Users can falsely declare their own Uber account info on the monthly billing application
Shopify $500 Deleted Post and Administrative Function Access in eCommerce Forum
Boozt Fashion AB $80 Make victim buy in attacker's account without any idea - http://www.booztlet.com/
Python $1,000 msilib.OpenDatabase Type Confusion
Pornhub $750 Unsecured Grafana instance
Pornhub $750 Disclosure of private photos/albums - http://www.pornhub.com/album/show_image_box
Yelp $200 Bypass the closing of the account and log in again to your account
Eobot $12 No password length restriction
Boozt Fashion AB $120 XSS
VK.com $1,050 Second method of bypassing 2FA
Shopify $500 XSS in SHOPIFY: Unsanitized Supplier Name can lead to XSS in Transfers Timeline
Twitter $560 leaking Digits OAuth authorization to third party websites
Shopify $500 Unsanitized Location Name in POS Channel can lead to XSS in Orders Timeline
Boozt Fashion AB $80 Instance of Apache Vulnerable to Several Issues
Boozt Fashion AB $120 Potential Subdomain Takeover Possible
Yelp $100 Self-XSS via location cookie city field when getting suggestions for a new location
Boozt Fashion AB $250 xss in Theme http://bztfashion.booztx.com
Keybase $100 Denial of Service through set_preference.json
Ruby $200 Arbitrary heap overread in strscan on 32 bit Ruby, patch included
OpenSSL $500 SSLv2 doesn't block disabled ciphers (CVE-2015-3197)
OpenSSL $2,500 Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)
Yelp $500 Verification of E-Mail address possible on https://biz.yelp.com/login and https://biz.yelp.com/forgot
Boozt Fashion AB $60 PHP info page disclosure on http://www.day.dk/
Harvest $500 Invoices can be added to any retainers - even cross-platform
Slack $500 Rate-limit bypass
Mindoktor $500 Vulnerable Mobile Phone configuration
Nextcloud $500 Reflected XSS in Gallery App CVE-2016-9466
Harvest $250 XSS on expenses attachments
Open-Xchange $300 OX (Guard): Stored Cross-Site Scripting via Email Attachment
Instacart $50 Seemingly sensitive information at /api/v2/zones
Python $1,000 urllib HTTP header injection CVE-2016-5699
Shopify $500 Access to Splunk via shard3-db2.ec2.shopify.com endpoint
Shopify $500 Open redirect allows changing iframe content in *.myshopify.com/admin/themes/<id>/editor
LocalTapiola $400 Open redirection protection bypass (/cs/Satellite)
Algolia $100 Hyperlink Injection in Friend Invitation Emails
LocalTapiola $400 SQL Injection on `/cs/Satellite` path
Legal Robot $60 Validation bypass on user profile
Ian Dunn $50 CSV Injection in Camptix
Twitter $5,040 [Studio.twitter.com] See someone else pics
LocalTapiola $100 Oracle WebCenter Sites Support Tools available and Information disclosure (/cs/Satellite)
LocalTapiola $50 Reflected XSS in www.lahitapiola.fi (/cs/Satellite) using Oracle WebCenter -page
Harvest $150 CSRF bypass on Submit Time sheet for Approval
Harvest $150 Project Manager can approve pending reports(Access control Issue)
Unikrn $400 Urgent: Server side template injection via Smarty template allows for RCE
QIWI $150 [qiwi.com] Information Disclosure
QIWI $150 [ibank.qiwi.ru] UI Redressing via Request-URI
Legal Robot $20 Possible content spoofing due to missing error page
Nextcloud $100 Reflected Self-XSS Vulnerability in the Comment section of Files Information
Slack $2,500 Snooping into messages via email service
Legal Robot $20 unsecured legalrobot.co.uk assets
VK.com $1,000 Bypass of two-step authentication / 2FA Bypass
Legal Robot $20 Legal | Application is Missing CSP(Content Security Policy) Header
Legal Robot $20 CORS (Cross-Origin Resource Sharing)
Legal Robot $20 Information Disclosure in AWS S3 Bucket
Legal Robot $120 User Information leak allows user to bypass email verification.
Legal Robot $120 User Information sent to client through websockets
Instacart $100 WordPress Authentication Denial of Service
Dropbox $1,458 Subtle Code Injection Vulnerability in Dropbox for Windows
Uber $100 Stealing users password (Limited Scenario)
Slack $750 Code Injection in Slack's Windows Desktop Client leads to Privilege Escalation
Instacart $150 Fetch private list metadata and any user's personal name
Uber $5,000 Changing paymentProfileUuid when booking a trip allows free rides
Shopify $500 Open Redirect possible in https://www.shopify.com/admin/
Harvest $500 Possible to steal any protected files on Android
Bime $150 Subdomain takeover at ws.bimedb.com due to unclaimed Amazon S3 bucket
Instacart $50 READ .svg files by changing .svg into .png extension
Harvest $150 Extracting private info of estimates.
Ian Dunn $100 Bypass fix in https://hackerone.com/reports/151516 report.
Ian Dunn $50 Bypassing CSV injection using new line character
Coinbase $300 window.opener is leaking to external domains upon redirect on Safari
Instacart $150 Brute force login and bypass locked account restrictions via iOS app
Shopify $500 [apps.shopify.com] Open Redirect
Snapchat $400 [render.bitstrips.com] Stored XSS via an incorrect avatar property value
Instacart $150 Issues with uploading list images
Shopify $500 Open CouchDB on experiments.ec2.shopify.com:5984
HackerOne $500 Information leakage of private program
Shopify $500 Open redirect using checkout_url
HackerOne $500 Requesting Mediation possible on reports that are too old for mediation
QIWI $950 [qiwi.com] OAuth account takeover
LocalTapiola $3,000 Blind Stored XSS Against Lahitapiola Employees - Session and Information leakage
Slack $1,000 Stored XSS(Cross Site Scripting) In Slack App Name
Harvest $150 Unauthorized read access to Invoices by PM (Access control Issues)
Harvest $150 Unauthorized access to all the actions of invoices by PM (Access control Issues)
Harvest $100 PM can delete payment of any invoice in company (Access control Issue)
Harvest $100 Record payment for any invoice by PM (Access control Issue)
Harvest $100 PM can delete the company logo image (Vertical Privilege Escalation )
Starbucks $150 Improper Validation on Cancel Link Redirect
HackerOne $1,000 Hacker.One Subdomain Takeover
Harvest $250 PM can set up email for invoices and estimates (Access control Issue)
Binary.com $75 Cross site scripting
Instacart $100 Hyperlink Injection in Friend Invitation Emails
Ubiquiti Networks $150 [scores.ubnt.com] DOM based XSS at form.html
Mapbox $750 Blind XSS in mapbox.com/contact
Shopify $1,000 (BYPASS) Open redirect and XSS in supporthiring.shopify.com
Trello $1,024 File access using ImageTragick
HackerOne $500 Non-secure requests are not automatically upgraded to HTTPS
Instacart $250 shopper login_code's can be brute forced
Twitter $560 reverb.twitter.com redirects to vulnerable reverb.guru
Shopify $500 Access to Splunk at https://apt.ec2.shopify.com:8089
Instacart $100 Image Upload Path Disclosure
Instacart $150 Host Header Injection/Redirection in: https://www.instacart.com/
Instacart $50 Server side request forgery on image upload for lists
Instacart $75 Missing rel=noreferrer tag allows link in list to change url of currently open tab
Instacart $200 Race Condition in Redeeming Coupons
Instacart $100 Cross-Site Request Forgery (CSRF)
Instacart $150 Stored XSS
Instacart $50 CSRF To change Email Notification Settings
Shopify $500 (FULL PATH DISCLOSURE) Unknown MySQL server host 'shardm-reader.chi2.shopify.io'
HackerOne $500 Disclosure of external users invited to a specific report
SecNews $300 Querying private posts and changing post meta
Gratipay $1 Avoid "resend verification email" confusion
Ubiquiti Networks $500 IDOR Causing Deletion of any account
Uber $10,000 Reading Emails in Uber Subdomains
Algolia $400 Unauthorized team members can leak information and see all API calls through /1/admin/* endpoints, even after they have been removed.
Algolia $100 Stored XSS from Display Settings triggered on Save and viewing realtime search demo
Algolia $100 Stored xss
Algolia $100 Stored XSS triggered by json key during UI generation
Open-Xchange $1,000 OX (Guard): Stored Cross-Site Scripting via Incoming Email
Slack $500 CSRF - Add optional two factor mobile number
Shopify $500 Staff member can delete Private Apps
ownCloud $100 Arbitrary Code Injection in ownCloud’s Windows Client
Shopify $500 (BYPASS) Open Redirect after login at http://ecommerce.shopify.com
Twitter $1,120 Stealing User emails by clickjacking cards.twitter.com/xxx/xxx
Gratipay $1 Content Spoofing/Text Injection
Nextcloud $50 More content spoofing through dir param in the files app
Uber $3,000 Missing authorization checks leading to the exposure of ubernihao.com administrator accounts
Snapchat $3,000 Subdomain takeover on http://fastly.sc-cdn.net/
Shopify $500 Delete/modify your own comment after limited access(IDOR)
Harvest $150 Opportunity to set arbitrary cookies
Moneybird $50 [Stored Cross-Site-Scripting] when searching Incoming (Manual Journal)
Shopify $1,000 Unauthorized access to Zookeeper on http://locutus-zk3.ec2.shopify.com:2181
Uber $500 Blind OOB XXE At "http://ubermovement.com/"
Nextcloud $100 IDOR - Disable sharing CVE-2016-9464
Twitter $1,120 csp bypass + xss
Rockstar Games $500 Reflected XSS via #tags= while using a callback in newswire http://www.rockstargames.com/newswire
Ian Dunn $50 Multiple XSS in Camptix Event Ticketing Plugin
Harvest $500 Project Disclosure of all Harvest Instances
Harvest $1,000 Leak of all project names and all user names , even across applications
Harvest $350 Users enumeration is possible through cycling through recurring[client_id] argument value.
Harvest $350 Stored XSS on invoice, executing on any subdomain
Harvest $250 CSRF token fixation in Sign in with Google
Harvest $1,000 S3 bucket takeover due to proxy.harvestfiles.com
Harvest $100 Cross-Site Request Forgery (CSRF)
Dashlane $100 Missing Access Control(IDOR) To Know LinkedAccounts
PHP $500 NULL Pointer Dereference in exif_process_user_comment
PHP $1,000 Out of bound read in exif_process_IFD_in_MAKERNOTE
Uber $5,000 Stored XSS on developer.uber.com via admin account compromise
Rockstar Games $750 CSRF in 'set.php' via age causes stored XSS on 'get.php' - http://www.rockstargames.com/php/videoplayer_cache/get.php'
Algolia $100 No Rate Limit In Inviting Similar Contact Multiple Times
Ian Dunn $375 CSV Injection at Camptix Event Ticketing
ownCloud $50 ownCloud 2.2.2.6192 DLL Hijacking Vulnerability
Uber $2,000 [IDOR] Get business trip via organization id
Uber $3,000 Get organization info based on uuid
Slack $500 Creating Post on a restricted channel
Automattic $300 [bbPress] Stored XSS in any forum post.
Dropbox $729 SSRF allows access to internal services like Ganglia
Shopify $1,500 Stealing livechat token and using it to chat as the user - user information disclosure
QIWI $200 Xss on billing
Uber $1,000 newsroom.uber.com is vulnerable to 'SOME' XSS attack via plupload.flash.swf
Shopify $500 https://windsor.shopify.com/ takeover
Twitter $420 Html Injection and Possible XSS in sms-be-vip.twitter.com
Uber $4,000 SQL Injection on sctrack.email.uber.com.cn
IRCCloud $500 Cross Site Scripting(XSS) on IRCCloud Badges Page (using Parameter Pollution)
Bime $1,000 Attacker can access graphic representation of every query
Bime $1,000 Urgent: attacker can access every data source on Bime
Nextcloud $50 Content (Text) Injection at NextCloud Server 9.0.52 - via http://custom_nextcloud_url/remote.php/dav/files/ CVE-2016-9468
Uber $2,250 Subdomain takeover of translate.uber.com, de.uber.com and fr.uber.com
WordPress $1,337 CSRF to add admin [wordpress]
Legal Robot $40 AWS S3 website can't serve security headers, may allow clickjacking
Whisper $100 Stored XSS in wis.pr
Ubiquiti Networks $185 Reflected Xss in AirMax [Nanostation Loco M2]
Algolia $100 Stored xss
Slack $500 a stored xss issue in https://files.slack.com
Maximum $20 Application error message
Phabricator $600 HTML in Diffusion not escaped in certain circumstances
Paragon Initiative Enterprises $50 Stored XSS using SVG
Slack $500 "a stored xss issue in share post menu"
Maximum $20 Microsoft IIS tilde directory enumeration
Legal Robot $100 Subdomain takeover at api.legalrobot.com due to non-used domain in Modulus.io.
Pornhub $1,500 [idor] Unauthorized Read access to all the private posts(Including Photos,Videos,Gifs)
Paragon Initiative Enterprises $25 Stored XSS in comments
Paragon Initiative Enterprises $50 Stored Cross-Site-Scripting in CMS Airship's authors profiles
Keybase $350 Register multiple users using one invitation (race condition)
VK.com $100 Public pages: a public page moderator can delete materials added by editors that are scheduled for publication.
Uber $1,000 Wordpress Vulnerabilities in transparencyreport.uber.com and eng.uber.com domains
Slack $1,500 Source code leakage through GIT web access at host '52.91.137.42'
HackerOne $500 Know undisclosed Bounty Amount when Bounty Statistics are enabled.
Badoo $140 Change contents of the careers iframe in https://corp.badoo.com/jobs
Moneybird $25 Logging out any user
Coinbase $100 Application error message
Slack $100 Generate new Test token
Slack $100 User can start call in a channel of an unpaid account
The Internet $500 ntpd: read_mru_list() does inadequate incoming packet checks CVE-2016-7434
Maximum $20 The POODLE attack (SSLv3 supported)
Maximum $20 RC4 cipher suites detected
HackerOne $500 Race Conditions in Popular reports feature.
LocalTapiola $150 Mixed Active Scripting Issue on https://www.lahitapiola.fi
Pornhub $500 RCE Possible Via Video Manager Export using @ character in Video Title
PHP $1,000 ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize
PHP $1,000 Use After Free Vulnerability in PHP's GC algorithm and unserialize
Nextcloud $100 Read-only share recipient can restore old versions of file
Nextcloud $250 Uploading files to a folder where invited user don't have any EDIT privilege
Algolia $100 2-factor authentication bypass
Vimeo $600 Downloading password protected / restricted videos
Nextcloud $50 Nextcloud server software: Content Spoofing
Nextcloud $350 Share owner has no possibility to list all existing derived shares
Nextcloud $750 Stored XSS on Share-popup of a directory's Gallery-view
Uber $7,000 xss in https://www.uber.com
Ubiquiti Networks $1,000 Subdomain takeover on partners.ubnt.com due to non-used CloudFront DNS entry
Uber $1,500 Bulk UUID enumeration via invite codes
Ubiquiti Networks $150 [account-global.ubnt.com] CRLF Injection
Ian Dunn $50 Stored XSS from ticket messages in admin table in SupportFlow
Ian Dunn $50 Stored XSS in SupportFlow Ticket Subject
Python $1,000 CVE-2016-0772 - python: smtplib StartTLS stripping attack
Sucuri $250 [support.sucuri.net] CRLF Injection
Sucuri $250 SSRF in sitecheck.sucuri.net
Mail.Ru $150 [townwars.mail.ru] Time-Based SQL Injection
Uber $750 Brute-Forcing invite codes in partners.uber.com
bitaccess $200 EXTREMELY URGENT: Missing control of bitcoin amount when selling bitcoin allows a user to withdraw any amount of money, unrestricted.
Ruby $500 StringIO strio_getline() can divulge arbitrary memory
HackerOne $500 All information is not removed from published reports
Instacart $100 Authorization Bypass in Delivery Chat Logs
The Internet $7,500 Insufficient shell characters filtering leads to (potentially remote) code execution (CVE-2016-3714)
Slack $500 File upload over private IM channel
Uber $10,000 Change any Uber user's password through /rt/users/passwordless-signup - Account Takeover (critical)
Badoo $280 Obtaining the original of a hidden image
Shopify $3,000 Authentication Bypass on Icinga monitoring server
Shopify $1,500 Potentially Sensitive Information on GitHub
Mail.Ru $250 Mail.ru for Android Content Provider Vulnerability
Mapbox $500 XSS on www.mapbox.com/authorize/ because of open redirect at /core/oauth/auth
Mapbox $500 XSS on www.mapbox.com/authorize
Gratipay $40 upgrade Aspen on inside.gratipay.com to pick up CR injection fix
drchrono $50 Information Disclosure
Python $500 Heap corruption via Python 2.7.11 IOBase readline()
Uber $750 xss vulnerability in http://ubermovement.com/community/daniel
drchrono $50 Bug Report
Moneybird $50 [STORED XSS] in debtor reports of ,,invoices''
WePay $250 Invited users can modify and/or remove account owner
Shopify $500 Fetching external resources through svg images
LocalTapiola $100 DOM XSS bypassing in Regional Office -selector
Pornhub $10,000 [RCE] Unserialize to XXE - file disclosure on ams.upload.pornhub.com
Twitter $560 Information Disclosure through .DS_Store in ██████████
Mail.Ru $150 [tidaltrek.mail.ru] SQL Injection
OpenSSL $500 CVE-2016-2177 Undefined pointer arithmetic in SSL code
Pornhub $1,500 (Pornhub & Youporn & Brazzers ANDROID APP) : Upload Malicious APK / Overwrite Existing APK / Android BackOffice Access
VK.com $1,500 XSS in upload.php
drchrono $50 User with no permissions can create, edit, delete favorite prescriptions /erx/
Slack $200 [Screenhero] Subdomain takeover
Ubiquiti Networks $125 Stored XSS in unifi.ubnt.com
Pornhub $20,000 [phpobject in cookie] Remote shell/command execution
Pornhub $1,000 Private Photo Disclosure - /user/stream_photo_attach?load=album&id= endpoint
drchrono $50 Bypassing Password Reset
GlassWire $25 Bypass GlassWire's monitoring of Hosts file
HackerOne $500 Able to remove the admin access of my program
drchrono $50 User with no permissions can access full wdcalendar feed
drchrono $50 Stored XSS via AngularJS Injection
Ubiquiti Networks $260 Open Redirect in unifi.ubnt.com [Controller Finder]
drchrono $50 [CRITICAL] CSRF leading to account take over
Mail.Ru $150 Code source disclosure & ability to get database information "SQL injection" in [townwars.mail.ru]
Zendesk $100 XSS in zendesk.com/product/
drchrono $100 Angular injection in the profile name of onpatient
drchrono $50 Template stored XSS
drchrono $50 node.drchrono.com - Information Disclosure and Windows Host Exposed
drchrono $50 Nginx Server version disclosure
Starbucks $4,000 Parameter Manipulation allowed for editing the shipping address for other user’s teavana.com subscriptions.
Starbucks $6,000 Parameter Manipulation allowed for viewing of other user’s teavana.com orders
drchrono $50 Bypass password complexity requirements on password reset page
drchrono $100 Security Issue : CSRF Token Design Flaw
Mail.Ru $150 [tidaltrek.mail.ru] SQL Injection
Mail.Ru $100 [my.mail.ru] HTML injection in emails from myadmin@corp.mail.ru
Starbucks $375 www.starbucks.co.uk Reflected XSS via utm_source parameter
Mail.Ru $160 [upload-X.my.mail.ru] /uploadphoto Insecure Direct Object References
Slack $500 Open Redirect on slack.com
Gratipay $10 configure a redirect URI for Facebook OAuth
Binary.com $50 CJ vulnerability in subdomain
Trello $128 XSS in Jetpack Plugin
LocalTapiola $100 Exploiting Secure Shell (SSH) on mobilelt.lahitapiola.fi
Phabricator $300 Passphrase credential lock bypass
Ubiquiti Networks $2,750 Read-Only user can execute arbitrary shell commands on AirOS
Automattic $500 WordPress core stored XSS via attachment file name
Badoo $280 Ability to collect users' ids that have visited a specific web page with malicious code
LocalTapiola $300 Persistent XSS at verkkopalvelu.tapiola.fi using spoofed React element and React v.0.13.3
Uber $7,000 OneLogin authentication bypass on WordPress sites via XMLRPC
Pornhub $750 [idor] Profile Admin can pin any other user's post on his stream wall
LocalTapiola $100 Remote Code Execution in NovaStor NovaBACKUP DataCenter backup software (Hiback)
Pornhub $1,000 SSRF & XSS (W3 Total Cache)
LocalTapiola $300 Abusing and Hacking the SMTP Server secure.lahitapiola.fi
WP API $100 Missing access control exposing detailed information on all users
Pornhub $1,000 [IDOR] Deleting other users comment
Pornhub $150 Same-Origin Method Execution bug in plupload.flash.swf on /insights
OpenSSL $1,000 Bleichenbacher oracle in SSLv2 (CVE-2016-0704)
OpenSSL $2,500 Divide-and-conquer session key recovery in SSLv2 (CVE-2016-0703)
Pornhub $5,000 Weak user authentication on mobile application - I just broke the userKey secret password
Pornhub $1,500 [stored xss, pornhub.com] stream post function
Pornhub $250 XSS Reflected incategories*p
Pornhub $250 XSS ReflectedGET /*embed_player*?
Mail.Ru $150 SQL Injection
Pornhub $1,500 [IDOR] post to anyone even if their stream is restricted to friends only
Pornhub $100 CSV Macro injection in Video Manager (CEMI)
Vimeo $600 All Vimeo Private videos disclosure via Authorization Bypass
LocalTapiola $100 Amazon Bucket Accessible (http://inpref.s3.amazonaws.com/)
Sucuri $500 CRLF/HTTP header injection www.sucuri.net
ok.ru $500 Xss in m.ok.ru
OpenSSL $2,500 Padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
Ubiquiti Networks $1,000 Source code disclosure on https://107.23.69.180
Uber $8,000 [CRITICAL] -- Complete Account Takeover
Gratipay $1 don't leak server version of grtp.co in error pages
Moneybird $50 Reflected XSS in Backend search
Vimeo $750 CSRF on Vimeo via cross site flashing leading to info disclosure and private videos go public
Mapbox $400 Denial of service in account statistics endpoint
Uber $10,000 OneLogin authentication bypass on WordPress sites
Moneybird $100 Employees with Any Permissions Can Create App with Full Permissions and Perform any API Action
OpenSSL $500 EBCDIC overread (CVE-2016-2176)
OpenSSL $500 EVP_EncryptUpdate overflow (CVE-2016-2106)
OpenSSL $500 EVP_EncodeUpdate overflow (CVE-2016-2105)
Romit $50 Session Fixation
Moneybird $25 information disclose
Shopify $500 View all deleted comments and rating of any app .
Uber $5,000 Multiple vulnerabilities in a WordPress plugin at drive.uber.com
LocalTapiola $400 Possibly big authorization problem in Lähitapiola's varainhoito
Mapbox $1,000 Reflected cross-site scripting (XSS) on api.tiles.mapbox.com
LocalTapiola $100 HTTP status code manipulation & java stack trace
LocalTapiola $5,000 Blind Stored XSS Against Lahitapiola Employees - Session and Information leakage
PHP $1,500 Integer overflow in ZipArchive::getFrom*
HackerOne $2,500 RCE in profile picture upload
OpenSSL $500 ASN.1 BIO excessive memory allocation (CVE-2016-2109)
Mail.Ru $250 XSS via a specially crafted file.
Shopify $500 staff member can install apps even if they have limited access
Automattic $1,337 WordPress SOME bug in plupload.flash.swf leading to RCE
Automattic $1,337 WordPress Flash XSS in *flashmediaelement.swf*
Zendesk $250 XSS In /zuora/ functionality
LocalTapiola $100 Content Spoofing or Text Injection (404 error page injection)
Algolia $500 RCE on facebooksearch.algolia.com
Uber $2,000 Reflected XSS via Livefyre Media Wall in newsroom.uber.com
Automattic $75 XSS on www.wordpress.com
Moneybird $25 Content Spoofing In Moneybird
Udemy $50 Stored XSS at Udemy
Slack $1,000 Stored XSS on team.slack.com using new Markdown editor of posts inside the Editing mode and using javascript-URIs
Zendesk $500 [HIGH RISK] CSRF could potentially delete a zendesk subdomain.
Moneybird $50 Open Redirect vulnerability in moneybird.com
Zendesk $100 AWS S3 bucket writable for authenticated aws user
Uber $7,500 Stored XSS in developer.uber.com
Twitter $840 [Critical] - Steal OAuth Tokens
Coinbase $100 User's legal name could be changed despite front end controls being disabled
Automattic $75 Akismet Several CSRF vulnerabilities
ownCloud $150 Open Redirector via (apps/files_pdfviewer) for un-authenticated users.
Gratipay $1 bring grtp.co up to A grade on SSLLabs
Moneybird $50 Stored XSS in Financial Account executing in Bank tab
Moneybird $100 Malicious File Upload
Ubiquiti Networks $275 Reflected XSS in scores.ubnt.com
Moneybird $150 XXE issue
Moneybird $25 Stored XSS thru SVG upload
bitaccess $50 BYPASSING OTP Verification
Moneybird $50 CSV Injection with the CSV export feature
Trello $128 Cross site scripting in blog.trello.com
Slack $2,000 Authentication bypass leads to sensitive data exposure (token+secret)
Zendesk $50 Stored XSS on [your_zendesk].zendesk.com in Facebook Channel
Python $500 Python 2.7 strop.replace Integer Overflow
Twitter $700 xss in DM group name in twitter
Twitter $700 niche s3 buckets are readable/writeable/deleteable by authorized AWS users
Automattic $75 CPU utilization 99% on visiting wordpress site url & open redirect found
LocalTapiola $300 The PdfServlet-functionality used by the "Tee vakuutustodistus" allows injection of custom PDF-content via CSRF-attack
LocalTapiola $400 Cookie-based client-side denial-of-service to all of the Lähitapiola domains
Gratipay $10 Send email asynchronously
Algolia $100 No rate-limit in Two factor Authentication leads to bypass using bruteforce attack
Ubiquiti Networks $1,500 Read-Only user can execute arbitrary shell commands on AirOS
Trello $1,536 Payment information is sent to the webhook when a team changes its visibility
OpenSSL $1,000 BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
Gratipay $10 fix bug in username restriction
Snapchat $1,000 Administrator access to a Django Administration Panel on *.sc-corp.net via bruteforced credentials
InVision $400 CRITICAL : Delete Boards Admin's ( or any other user ) comment. ( IDOR )
HackerOne $2,500 AWS S3 bucket writeable for authenticated aws users
Gratipay $1 Limit email address length
Uber $5,000 Stored XSS on newsroom.uber.com admin panel / Stream WordPress plugin
Uber $250 Easy spam with USE My PHONE Feature
HackerOne $1,500 Web Authentication Endpoint Credentials Brute-Force Vulnerability
Badoo $852 [CRITICAL] Full account takeover using CSRF
HackerOne $500 New hacktivity view discloses report IDs of non-public reports
HackerOne $500 New hacktivity view discloses report IDs of non-public reports
PHP $1,000 php_snmp_error() Format String Vulnerability
Uber $5,000 Information regarding trips from other users
Uber $5,000 Possibility to get private email using UUID
Twitter $280 XSS using javascript:alert(8007)
Uber $3,000 Possible to View Driver Waybill via Driver UUID
LocalTapiola $100 www.lahitapiola.fi DOM XSS by choosing regional company
Uber $3,000 Stored XSS in archive.uber.com Due to Injection of Javascript:alert(0)
Coinbase $1,000 Sending payments via QR code does not require confirmation
Shopify $500 XSS on https://app.shopify.com/
Coinbase $500 Email leak in transactions in Android app
Trello $1,024 If a team is public, the web socket receives data about the Team visible boards
LocalTapiola $1,000 Posting modified information in 'Investment section' will cause unintended information change in verkkopalvelu.tapiola.fi
Uber $500 CBC "cut and paste" attack may cause Open Redirect(even XSS)
Uber $750 XSS In archive.uber.com Due to Mime Sniffing in IE
Uber $1,000 CSV Injection in business.uber.com
Uber $2,000 Stored XSS in drive.uber.com WordPress admin panel
Gratipay $10 prevent content spoofing on /~username/emails/verify.html
Uber $10,000 uber.com may RCE by Flask Jinja2 Template Injection
Uber $3,000 SQL injection in Wordpress Plugin Huge IT Video Gallery at https://drive.uber.com/frmarketplace/
Uber $3,000 Reflected XSS via Unvalidated / Open Redirect in uber.com
Uber $5,000 Possibility to brute force invite codes in riders.uber.com
Uber $3,000 Dom Based Xss
Uber $500 Estimation of a Lower Bound on Number of Uber Drivers via Enumeration
Mapbox $1,000 XSS (cross-site scripting) on www.mapbox.com/maki
Uber $3,000 Avoiding Surge Pricing
Uber $2,000 Bypassing Uber Partner's 3 Cancel Limit
Uber $3,000 Lack of rate limiting on get.uber.com leads to enumeration of promotion codes and estimation of a lower bound on the number of Uber drivers
Uber $3,000 SQLi in love.uber.com
Uber $1,500 Lack of CNAME/A Record Trimming Pointing Uber Domains to Insecure Non-Uber AWS Instances/Sites
Uber $3,000 XSS in getrush.uber.com
Uber $3,000 Reflected XSS on developer.uber.com via Angular template injection
Uber $500 Open Redirect in m.uber.com
Gratipay $1 Hijacking user session by forcing the use of invalid HTTPs Certificate on images.gratipay.com
HackerOne $1,500 External programs revealing info
HackerOne $500 Websites opened from reports can change url of report page
Shopify $500 Bypassed password authentication before enabling OTP verification
HackerOne $500 Disclosure of private programs that have an "external" page on HackerOne
Shopify $500 Stored XSS via "Free Shipping" option (Discounts)
Imgur $100 XSS via React element spoofing
HackerOne $500 CSV Injection via the CSV export feature
Shopify $1,500 Shopify GitHub Login and Password exposed all private source code might be available.
Trello $768 Using WebSocket I can always access organization data even if I am removed
Gratipay $1 auto-logout after 20 minutes
Gratipay $1 Cookie Does Not Contain The "secure" Attribute
Gratipay $1 suppress version in Server header on gratipay.com or grtp.co
HackerOne $500 SECURITY: Referencing previous Reports attachment_IDs on new Reports via Draft_Sync DELETES Attachments
HackerOne $500 Mediation link can be accepted by other users
LocalTapiola $500 CSRF allows attacker to delete item from customer's "Postilaatikko"
Shopify $500 XSS on hardware.shopify.com
HackerOne $1,000 Edit Auto Response Messages
Mail.Ru $200 bgplay.mail.ru
Shopify $500 Stored XSS in https://checkout.shopify.com/
Imgur $5,000 Local file read in image editor
Mapbox $200 Mapbox API Access Token with No Scope Can Read Styles
Ubiquiti Networks $1,300 Shell Injection via Web Management Console (dl-fw.cgi)
Vimeo $100 Private, embeddable videos leaks data through Facebook & Open Graph
PHP $1,000 Buffer overflow in HTTP url parsing functions
Badoo $850 Account Takeover
LocalTapiola $400 CRLF injection in https://verkkopalvelu.lahitapiola.fi/
Badoo $427 Broken Authentication on Badoo
Bime $150 Subdomain takeover due to unclaimed Amazon S3 bucket on a2.bime.io
Bime $250 SSRF issue
Gratipay $1 don't serve hidden files from Nginx
Pornhub $250 Public Facing Barracuda Login
OpenSSL $500 BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797)
Pornhub $2,500 Unprotected Memcache Installation running
Pornhub $50 HTTP Track/Trace Method Enabled
Twitter $1,120 DOMXSS in Tweetdeck
Mail.Ru $150 By pass admin panel [conference.mail.ru]
Mail.Ru $150 By pass admin panel [seminars.mail.ru]
Ubiquiti Networks $1,500 Read-Only user can execute arbitraty shell commands on AirOS
Udemy $150 Session Takeover vulnerability
Shopify $500 xss in the all widgets of shopifyapps.com
Uber $500 Open Redirection on Uber.com
HackerOne $500 User with Read-Only permissions can edit the Internal comment Activities on Bug Reports after the team access permissions are revoked
Twitter $280 Sub-Domain Takeover
InVision $500 CRITICAL Stored XSS in https://projects.invisionapp.com
Udemy $150 Able to view others' gifts on /gift/share URL, giftId is predictable, and easy to manipulate
Coinbase $500 Misconfiguration in 2 factor allows sensitive data expose
Twitter $2,520 Tweet Deck XSS- Persistent- Group DM name
HackerOne $500 Distinguish EP+Private vs Private programs in HackerOne
Algolia $1,000 API Key added for one Indices works for all other indices too.
OpenSSL $500 CVE-2016-0799 memory issues in BIO_*printf functions
HackerOne $500 User with Read-Only permissions can manually public disclosure the report
Shopify $500 File name and folder enumeration.
Coinbase $200 XSSI (Cross Site Script Inclusion)
HackerOne $500 CSV Injection at the CSV export feature
QIWI $150 Content Spoofing in mango.qiwi.com
VK.com $100 Dork
Mail.Ru $500 Admin panel access restrictions bypass [poll.mail.ru/admin/]
Gratipay $1 limit number of images in statement
Zendesk $50 Stored XSS via Angular Expression injection on developer.zendesk.com
Gratipay $1 strengthen Diffie-Hellman (DH) key exchange parameters in grtp.co
Shopify $500 XSS in Draft Orders in Timeline in SHOPIFY Admin Site!
Gratipay $1 stop serving grtp.co over HTTP
Gratipay $10 DMARC is misconfigured for grtp.co
Uber $3,000 Reflected XSS on Uber.com careers
Gratipay $10 Prevent content spoofing on /~username/emails/verify.html
Gratipay $2 SPF/DKIM/DMARC for aspen.io
Mail.Ru $250 SSRF on element.mail.ru
Gratipay $2 SPF/DKIM/DMARC for grtp.co
Gratipay $1 limit HTTP methods on other domains
Gratipay $10 Email Forgery through Mandrillapp SPF
Uber $250 Multiple Vulnerabilities (Including SQLi) in love.uber.com
Uber $3,000 XSS @ love.uber.com
Gratipay $10 No Valid SPF Records.
HackerOne $500 Increase number of bugs by sending duplicate of your own valid report
Zopim $100 Chat History CSV Export Excel Injection Vulnerability
Legal Robot $20 SSL Issue on legalrobot.com
HackerOne $500 Private Program Disclosure in /:handle/settings/allow_report_submission.json endpoint
VK.com $200 vk.com/login.php
Legal Robot $20 SPF Issue
Legal Robot $120 Remote Code Execution (upload)
Mail.Ru $600 VERY DANGEROUS XSS STORED inside emails
Mail.Ru $150 [3k.mail.ru] SQL Injection
Ubiquiti Networks $1,000 Auth bypass on directory.corp.ubnt.com
Slack $100 an xss issue in https://hunter22.slack.com/help/requests/793043
Gratipay $1 The POODLE attack (SSLv3 supported) for https://grtp.co/
WePay $150 2-step Verification bypass
Python $1,000 Type confusion in partial.setstate, partial_repr, partial_call leads to memory corruption, reliable control flow hijack
Sucuri $500 Manipulating of Sucuri.net (List Subscription) Emails (HTML/Script Injection)
HackerOne $500 Private Program Disclosure in /:handle/reports/draft.json endpoint
HackerOne $5,000 Private program activity timeline information disclosure
Shopify $500 XSS on hardware.shopify.com
Imgur $1,000 SSRF / Local file enumeration / DoS due to improper handling of certain file formats by ffmpeg
Imgur $800 SSRF and local file read in video to gif converter
Legal Robot $20 Rate limiting on Email confirmation link
Imgur $2,000 SSRF in https://imgur.com/vidgif/url
Paragon Initiative Enterprises $50 Full Path Disclosure
Mail.Ru $300 [orsotenslimselfie.lady.mail.ru] SQL Injection
Gratipay $10 prevent content spoofing on /search
Gratipay $5 SPF DNS Record
Keybase $50 Content spoofing due to the improper behavior of the not-found message
HackerOne $500 Putting link inside link in markdown
Keybase $350 Race conditions can be used to bypass invitation limit
Keybase $250 Remote Server Restart Lead to Denial of Service by only one Request.
Mapbox $200 Content Spoofing and Local Redirect in Mapbox Studio
VK.com $2,500 External entity injection in the YouTrack user import functionality
Shopify $500 CSRF on https://shopify.com/plus
Twitter $2,520 Bypassing Digits web authentication's host validation with HPP
Snapchat $1,000 Subdomain takeover in http://support.scan.me pointing to Zendesk (a Snapchat acquisition)
Keybase $250 Remote Server Restart Lead to Denial of Server by only one Request.
OpenSSL $2,500 OpenSSL Key Recovery Attack on DH small subgroups (CVE-2016-0701)
Paragon Initiative Enterprises $50 Open-redirect on paragonie.com
HackerOne $500 Multiple issues with Markdown and URL parsing
withinsecurity $250 WordPress Failure Notice page will generate arbitrary hyperlinks
HackerOne $500 Unintended HTML inclusion as a result of https://hackerone.com/reports/110578
Mail.Ru $300 [afisha.mail.ru] SQL Injection
Coinbase $1,000 Session Issue Maybe Can lead to huge loss [CRITICAL]
Binary.com $250 Full takeover of some binary.com sub domains
Bime $100 The JDBC driver used by the Vertica connector allows to create files on the backends
Bime $1,000 SSRF in the Connector Designer (REST and Elastic Search)
Bime $750 XXE in the Connector Designer
HackerOne $500 Interstitial redirect bypass / open redirect in https://hackerone.com/zendesk_session
Mail.Ru $150 [allods.my.com] SSRF / XSPA
Zendesk $100 [CRITICAL] HTML injection issue leading to account take over
withinsecurity $250 Error Page Text Injection #106350
Imgur $50 Big Bug in SSL : breach compression attack (CVE-2013-3587) affect imgur.com
Shopify $500 Full access to Amazon S3 bucket containing AWS CloudTrail logs
Automattic $75 XSS at wordpress.com
Shopify $500 www.shopify.com XSS via third-party script
Trello $1,152 DOM based XSS via Wistia embedding
VK.com $100 Checking whether user liked the media or not even when you are blocked
Vimeo $100 Legacy API exposes private video titles
Automattic $75 XSS at www.woothemes.com
Pornhub $1,500 [ssrf] libav vulnerable during conversion of uploaded videos
Shopify $500 Attach Pinterest account - no State/CSRF parameter in Oauth Call back
Shopify $500 Twitter Disconnect CSRF
HackerOne $500 CSV Injection via the CSV export feature
withinsecurity $250 Content Spoofing OR Text Injection in https://withinsecurity.com
Gratipay $15 Subdomain Takeover
Automattic $250 Internal GET SSRF via CSRF with Press This scan feature
ownCloud $250 Information Exposure Through Directory Listing CVE-2016-1499
HackerOne $500 HTML injection can lead to data theft
Twitter $5,040 Bypassing Digits bridge origin validation
Perl $1,000 Perl 5.22 VDir::MapPathA/W Out-of-bounds Reads and Buffer Over-reads
Phabricator $300 Extended policy checks are buggy
Udemy $25 CSRF in Udemy.com
Coinbase $200 Direct URL access to completed reports
Ubiquiti Networks $500 Subdomain Takeover in http://assets.goubiquiti.com/
HackerOne $500 User with Read-Only permissions can request/approve public disclosure
Mail.Ru $150 [parapa.mail.ru] SQL Injection
PHP $1,000 Use After Free in sortWithSortKeys()
Gratipay $5 HTTP trace method is enabled
Twitter $2,520 Bypassing callback_url validation on Digits
ownCloud $350 Exploiting unauthenticated encryption mode
Ubiquiti Networks $150 Reflected File Download in community.ubnt.com/restapi/
VK.com $500 API: Bug in method auth.signup that makes it possible to place unlimited phone calls
Mail.Ru $150 [cfire.mail.ru] Time Based SQL Injection
Mail.Ru $500 reflected in xss
HackerOne $500 Team Member(s) associated with a Group have Read-only permission (Post internal comments) can post comment to all the participants
WePay $100 Unauthenticated Stored XSS in API Panel
Automattic $50 Possible Timing Side-Channel in XMLRPC Verification
GlassWire $100 GlassWireSetup.exe subject to EXE planting attack
Imgur $150 XSS in imgur mobile 3
Imgur $150 XSS in imgur mobile
Shopify $500 Stored XSS in /admin/orders
VK.com $100 Adding to a community menu without the user's knowledge (without a click by the user)
Zendesk $500 Stored XSS in comments
Shopify $500 Stored Cross Site Scripting
PHP $1,000 Format string vulnerability in zend_throw_or_error()
Shopify $500 HTTP-Response-Splitting on v.shopify.com
Maximum $20 Application error message
Coinbase $100 Race condition allowing user to review app multiple times
withinsecurity $250 text injection can be used in phishing 404 page should not include attacker text
Algolia $100 text injection can be used in phishing 404 page should not include attacker text
HackerOne $500 Improve signals in reputation
Shopify $500 Reflective XSS on wholesale.shopify.com
HackerOne $500 Team Member(s) associated with a Custom Group Created with 'Program Management' only permissions can Comment on Bug Reports
Shopify $500 "Remember me" token generated when "Remember me" box unchecked
GlassWire $100 DLL Hijacking Vulnerability in GlassWireSetup.exe
HackerOne $500 Parameter pollution in social sharing buttons
HackerOne $500 Know whether private program for company exist or not
LeaseWeb $100 DOM Based XSS in Checkout
Shopify $500 many xss in widgets.shopifyapps.com
Pornhub $50 [crossdomain.xml] Dangerous Flash Cross-Domain Policy
Pornhub $250 PornIQ Reflected Cross-Site Scripting
Imgur $150 risk of having secure=false in a crossdomain.xml
Instacart $100 Cookie-Based Injection
Square Open Source $2,000 Unsafe usage of Ruby string interpolation enabling command injection in git-fastclone
Shopify $500 CSRF in Connecting Pinterest Account
Instacart $100 Cross-Site Scripting Reflected On Main Domain
Zopim $100 [status.zopim.com] Open Redirect
Automattic $75 XSS on codex.wordpress.org
Coinbase $200 HTML injection in apps user review
QIWI $200 [rubm.qiwi.com] Yui charts.swf XSS
Square Open Source $2,000 git-fastclone allows arbitrary command execution through usage of ext remote URLs in submodules
Shopify $1,000 shopifyapps.com XSS on sales channels via currency formatting
Slack $1,000 Trick makes all fixed open redirect links vulnerable again
Python $500 tokenizer crash when processing undecodable source code
Python $1,000 PyFloat_FromString & PyNumber_Long Buffer Over-reads
PHP $500 Memory Corruption in phar_parse_tarfile when entry filename starts with null CVE-2015-4021
PHP $500 invalid pointer free() in phar_tar_process_metadata() CVE-2015-3307
Python $500 use after free in load_newobj_ex
Python $500 array.fromstring Use After Free
Python $1,000 bytearray.find Buffer Over-read
Python $500 hotshot pack_string Heap Buffer Overflow
Python $500 audioop.adpcm2lin Buffer Over-read
Python $500 audioop.lin2adpcm Buffer Over-read
PHP $500 Files extracted from archive may be placed outside of destination directory CVE-2015-6833
PHP $1,500 Multiple Use After Free Vulnerabilities in unserialize() CVE-2015-6831
PHP $1,000 Arbitrary code execution in str_ireplace function CVE-2015-6527
PHP $1,000 Dangling pointer in the unserialization of ArrayObject items CVE-2015-6832
PHP $500 curl_setopt_array() type confusion
The Internet $1,000 libcurl duphandle read out of bounds CVE-2014-3707
PHP $500 heap buffer overflow in enchant_broker_request_dict() CVE-2014-9705
PHP $500 Integer overflow in unserialize() (32-bits only) CVE-2014-3669
PHP $500 AddressSanitizer reports a global buffer overflow in mkgmtime() function CVE-2014-3668
PHP $1,500 SOAP serialize_function_call() type confusion / RCE CVE-2015-6836
PHP $500 zend_throw_or_error() format string vulnerability
PHP $1,000 Uninitialized pointer in phar_make_dirstream CVE-2015-7804
PHP $1,000 Buffer over-read in exif_read_data with TIFF IFD tag
PHP $500 Null pointer deref (segfault) in spl_autoload via ob_start
PHP $500 null pointer deref (segfault) in zend_eval_const_expr
PHP $500 Mem out-of-bounds write (segfault) in ZEND_ASSIGN_DIV_SPEC_CV_UNUSED_HANDLER
Python $1,000 Python deque.index() uninitialized memory
Python $500 Python scan_eol() Buffer Over-read
Python $500 time_strftime() Buffer Over-read
Python $500 Python xmlparse_setattro() Type Confusion
PHP $500 Use after free vulnerability in unserialize() with GMP
PHP $500 Use After Free Vulnerability in session deserializer CVE-2015-6835
PHP $1,000 Use After Free Vulnerability in unserialize() CVE-2015-6834
PHP $1,000 Use After Free Vulnerability in unserialize() with SplObjectStorage CVE-2015-6834
PHP $1,000 Use After Free Vulnerability in unserialize() with SplDoublyLinkedList CVE-2015-6834
Python $500 Python 3.3 - 3.5 product_setstate() Out-of-bounds Read
Ruby $1,500 Request Hijacking Vulnerability In RubyGems 2.4.6 And Earlier CVE-2015-3900
Python $500 Integer overflow in _Unpickler_Read
Apache httpd $500 mod_lua: Crash in websockets PING handling CVE-2015-0228
PHP $500 Null pointer dereference in phar_get_fp_offset() CVE-2015-7803
HackerOne $2,500 CSRF possible when SOP Bypass/UXSS is available
Shopify $500 Open Redirect at *.myshopify.com/account/login?checkout_url=
Shopify $500 [CSRF] Install premium themes
Algolia $100 Stored XSS in name selection
ok.ru $500 CSRF protection bypass in m.ok.ru
withinsecurity $250 content injection
ok.ru $500 Same-Origin Policy Bypass #2
ok.ru $500 Same-Origin Policy bypass on main domain - ok.ru
Zendesk $500 [CRITICAL] CSRF leading to account take over
Sucuri $250 XSS Vuln in Sucuri Security - Auditing, Malware Scanner
Binary.com $75 Cookie bug
Shopify $500 Open redirect using theme install
Ubiquiti Networks $200 account.ubnt.com CSRF
Shopify $500 XSS in creating tweets
Maximum $20 RC4 cipher suites detected
Maximum $10 SSL certificate invalid date
Maximum $40 RC4 cipher suites detected
Automattic $75 Remove anyone's Gravatar pic
Pornhub $250 Reflected Cross-Site Scripting on French subdomain
Twitter $140 Subdomain Expired
InVision $300 Stored Cross-Site Scripting on █████████ (with small user interaction)
Uber $500 Drivers can change profile picture
Shopify $500 An administrator without any permission is able to get order notifications using his APNS Token.
Twitter $560 xss in link items (mopub.com)
Yelp $1,500 Access to internal CMS containing private Data
Imgur $5,500 Imgur dev environments facing the Internet
Twitter $560 URGENT : NICHE.co Account Take Over Vulnerability
Coinbase $5,000 Stored-XSS in https://www.coinbase.com/
Twitter $560 Add tweet to collection CSRF
Pornhub $250 Cross Site Scripting - On Mouse Over, Blog page
Pornhub $250 [xss, pornhub.com] /user/[username], multiple parameters
HackerOne $1,000 Pre-generation of 2FA secret/backup codes seems like an unnecessary risk
QIWI $100 Open Redirect in meeting.qiwi.com
Coinbase $500 Transactions visible on Unconfirmed devices
Algolia $200 User with limited access to Index configuration can rename the Index
drchrono $100 Request Accepts without X-CSRFToken [ Header - Cookie ]
HackerOne $500 Limited CSRF bypass.
drchrono $100 CSRF Add Album On onpatient.com
Boozt Fashion AB $100 Reflected XSS on www.boozt.com
Badoo $153 Open redirect helps to steal Facebook access_token
Uber $1,000 Mass Assignment Vulnerability in partners.uber.com
Shopify $500 deleted staff member can add his amazon marketplace web services account to the store.
Algolia $100 an xss issue
Shopify $500 [CSRF] Activate PayPal Express Checkout
QIWI $3,137 XML External Entity (XXE) in qiwi.com + waf bypass
Mapbox $1,000 XSS in L.mapbox.shareControl in mapbox.js
Slack $100 RC4 cipher suites detected on status.slack.com
Shopify $1,000 S3 Buckets open to the world thanks to 'Authenticated Users' ACL
Shopify $500 Apps can access 'channels' beta api
Binary.com $50 Email Verification Link can be Used as Password Reset Link!
Twitter $280 Urgent : Disclosure of all the apps with hash ID in mopub through API request (Authentication bypass)
QIWI $200 XSS Reflected in test.qiwi.ru
Shopify $1,500 'Limited' RCE in certain places where Liquid is accepted
Binary.com $300 login to any user's cashier account and full account information disclosure
itBit Exchange $100 No password length restriction denial of service
Algolia $100 Stored XSS on https://www.algolia.com/realtime-search-demo/*
HackerOne $2,500 Cross-domain AJAX request
Imgur $150 XSS m.imgur.com
Slack $100 Reflected Self-XSS in Slack
Twitter $1,120 File Upload XSS in image uploading of App in mopub
Slack $200 File upload XSS (Java applet) on http://slackatwork.com/
Shopify $500 List of devices is accessible regardless of the account limitations
Twitter $280 Following a User After Favoriting Actually Follows Another User (related to #95243)
Shopify $500 SVG parser loads external resources on image upload
Shopify $500 Staff members with no permission can access the files uploaded by the administrator
Mail.Ru $300 Potential SSRF in sales.mail.ru
ok.ru $250 Multiple critical vulnerabilities in Odnoklassniki Android application
HackerOne $1,000 HTTP header injection in info.hackerone.com allows setting cookies for hackerone.com
HackerOne $2,500 Send AJAX request to external domain
Twitter $1,120 Can see private tweets via keyword searches on tweetdeck
Shopify $500 An administrator without the 'Settings' permission is able to see payment gateways
Shopify $500 A 'Full access' administrator is able to see the shop owners user details
Shopify $500 Staff members with no permission to access domains can access them.
Keybase $50 Un-handled exception leads to Information Disclosure
Badoo $310 crossdomain.xml too permissive on eu1.badoo.com, us1.badoo.com, etc.
Snapchat $1,500 Password Reset - query param overrides postdata
Shopify $500 Missing of csrf protection
Imgur $50 Persistent XSS in https://p.imgur.com/albumview.gif and http://p.imgur.com/imageview.gif / post statistics
Slack $500 Stored XSS in Slack (weird, trial and error)
Vimeo $250 XSS on player.vimeo.com without user interaction and vimeo.com with user interaction
Binary.com $75 Http Response Splitting - Validate link
itBit Exchange $50 user-agent Content spoofing
Mail.Ru $300 [api.allodsteam.com] Authentication Data
Binary.com $50 Cross Site Scripting
Shopify $500 Privilege escalation and circumvention of permission to limited access user
Imgur $250 Persistent XSS in image title
Twitter $280 CSRF on cards API
Twitter $5,040 IDOR- Activate Mopub on different organizations- steal api token- Fabric.io
Shopify $500 Unauthorized access to any Store Admin's First & Last name
Twitter $280 Following a User Actually Follows Another User
Twitter $280 XSS in the "Poll" Feature on Twitter.com
Shopify $500 Reflected XSS in cart at hardware.shopify.com
Shopify $4,000 Paid account can review\download any invoice of any other shop
Whisper $30 SMS Invite Form Abuse
Whisper $30 Host Header Injection/Redirection
Shopify $500 Some S3 Buckets are world readable (and one is world writeable)
Zopim $1,000 Cross-site Scripting in all Zopim
Shopify $1,500 Arbitrary read on s3://shopify-delivery-app-storage/files
Shopify $2,500 Unauthorized access to all collections, products, pages from other stores
Shopify $500 Bypassing password requirement during deletion of account
Shopify $2,000 Arbitrary write on s3://shopify-delivery-app-storage/files
Shopify $500 Missing authorization check on dashboard overviews
Shopify $500 get users information without full access
Shopify $1,000 Unauthenticated access to details of hidden products in any shop via title enumeration
Shopify $500 First & Last Name Disclosure of any Shopify Store Admin
WePay $100 Subdomain Takeover in http://staging.wepay.com/ pointing to Fastly
VK.com $100 A way to find out the name and university of a deleted page
Shopify $2,000 unauthorized access to all collections name
Coinbase $100 SPF records not found
Shopify $500 Accessing Payments page and adding payment methods with limited access accounts
Badoo $456 Tokens from services like Facebook can be stolen
Shopify $2,500 unauthorized access to all customers first and last name
Automattic $75 CSV Injection in polldaddy.com
Trello $128 CSV Injection
Shopify $500 customers password hash leak!!!!
Uber $100 Issue with Password reset functionality
Trello $256 Normal User can add new users to group
Imgur $1,600 Server Side Request Forgery In Video to GIF Functionality
Imgur $50 Crossdomain.xml settings on api.imgur.com too open
Automattic $50 WooCommerce: Support Ticket indirect object reference
Imgur $50 Reflected Flash XSS using swfupload.swf with an epileptic reloading to bypass the button-event
Imgur $50 "Sign me out everywhere" does not work for desktop sessions
IRCCloud $500 Inadequate input validation on API endpoint leading to self denial of service and increased system load.
Zendesk $50 Content Spoofing
Shopify $1,000 change Login Services settings without owner access
Shopify $1,000 create staff member without owner access
Shopify $500 Privilege escalation vulnerability
Coinbase $100 User email enumeration using Gmail
Zopim $100 CSV Excel Macro Injection Vulnerability in export chat logs
Twitter $280 Tweetdeck (twitter owned app) not revoked
VK.com $500 CSRF in obtaining backup tokens + framing, leading to compromise of 2FA
Zendesk $100 CSV Excel Macro Injection Vulnerability in export customer tickets
Zendesk $100 Cross-site Scripting https://www.zendesk.com/product/pricing/
Slack $100 Self-XSS in posts by formatting text as code
Mail.Ru $500 XSS: https://light.mail.ru/compose, https://m.mail.ru/compose/[id]/reply when replying to a specially crafted email
Twitter $2,520 Multiple DOMXSS on Amplify Web Player
Vimeo $200 XSS when using captions/subtitles on video player based on Flash (requires user interaction)
Phabricator $300 Information leakage through Graphviz blocks
Vimeo $100 XSS on vimeo.com | "Search within these results" feature (requires user interaction)
Vimeo $1,500 XSS on vimeo.com/home after other user follows you
Udemy $100 XSS Vulnerability
Vimeo $200 Stored XSS on vimeo.com and player.vimeo.com
Coinbase $100 OAuth permission set as true leads to authorizing a malicious application
ownCloud $25 Full Path Disclosure CVE-2016-1501
Shopify $500 www.shopify.com XSS on blog pages via sharing buttons
Twitter $2,520 XSS on OAuth authorize/authenticate endpoint
Keybase $500 [keybase.io] Open Redirect
Anghami $100 [CRITICAL] Login To Any Account Linked With Google+ With Email Only
Anghami $300 [https://www.anghami.com/updatemailinfo/] Sql Injection
Phabricator $450 Multiple so called 'type juggling' attacks. Most notably PhabricatorUser::validateCSRFToken() is 'bypassable' in certain cases.
Romit $250 IDOR on removing Share
Vimeo $100 Reflected XSS on vimeo.com/musicstore
Vimeo $500 Stored XSS on player.vimeo.com
Mail.Ru $150 XSS at af.attachmail.ru
InVision $400 Deleting a Project for which the user is not owner but a normal member
Shopify $500 XSS https://www.shopify.com/signup
ownCloud $25 Full Path Disclosure CVE-2016-1501
Zopim $100 [API ISSUE] agents can Create agents even after they are disabled !
InVision $100 Content Spoofing - Signout Warning Page
Pornhub $100 [reflected xss, pornhub.com] /blog, any
Pornhub $50 Cross Site Scripting – Album Page
Zendesk $500 Stored XSS in comments
Hired $420 Stored XSS in Company Name
Shopify $500 Self XSS in chat.
Automattic $100 XSS in WordPress
Gratipay $1 Possible SQL injection on "Jump to twitter"
Shopify $500 XSS https://delivery.shopifyapps.com/ (Digital Downloads App in myshopify.com)
Ruby on Rails $2,000 Potential XSS on sanitize/Rails::Html::WhiteListSanitizer
InVision $100 Reflective XSS in projects.invisionapp.com
HackerOne $500 Internal bounty and swag details disclosed as part of JSON response
HackerOne $500 Private Program and bounty details disclosed as part of JSON search response
HackerOne $500 Number of invited researchers disclosed as part of JSON search response
VK.com $500 Injection of an arbitrary JavaScript script in the image viewing functionality of the mobile version of the site
QIWI $500 Open access to corporate data.
Slack $1,000 OSX slack:// protocol handler javascript injection
Flox $25 Content spoofing through Referer header
ok.ru $300 Access to other users' group conversations.
ok.ru $150 Critical : Access to group videos where videos are restricted for all users(Broken authentication )
Udemy $50 information disclosure
ok.ru $200 Access to other users' private photos (3) via a video cover
Mail.Ru $150 Time-Based Blind SQL Injection Attacks
ok.ru $500 (URGENT!) Buying OK (site currency) for less than it costs
Mail.Ru $150 Cross site scripting
ok.ru $200 Stored XSS in the song name (2) on the payment gateway.
ok.ru $100 Purchase => download of songs that are not intended for sale
ok.ru $150 Buying a song for less than it costs.
ok.ru $150 xss in group
ok.ru $100 cross site scripting in the blog
ok.ru $500 SSRF/XSPA in the upload-video-by-URL form
Shopify $1,000 TCP Source Port Pass Firewall
ok.ru $100 http://217.20.144.201 privilege escalation in Apache Tomcat SessionExample script
Keybase $100 Full path disclosure at https://keybase.io/_/api/1.0/invitation_request.json
WordPoints $25 Weak Cryptographic Hash
Mavenlink $25 Open/Unvalidated Redirect Issue
Keybase $250 Content Sniffing not disabled
Romit $250 GA code not verified on the server side allows sending Verification Documents on behalf of another user
Keybase $250 No rate limiting for sensitive actions (like "forgot password") enables user enumeration
Keybase $500 Stealing CSRF Tokens
Keybase $500 SMTP protection not used
Zaption $25 Open redirect filter bypass
Zaption $25 Using GET method for account login with CSRF token leaking to external sites Via Referer.
Zaption $50 XSS - Gallery Search Listing
Zendesk $200 Stored Cross site scripting In developer.zendesk.com
Romit $250 No rate limit which leads to "Users information Disclosure" including verification documents etc.
HackerOne $500 Accessing title of the report of which you are marked as duplicate
QIWI $100 Session Cookie without HttpOnly and secure flag set
Mapbox $500 Disclosure of map information
Zendesk $50 Error stack trace enabled
Romit $250 Potential for financial loss, negative Values for "Buy fee" and "Sell Fee"
Ubiquiti Networks $500 Yet another Buffer Overflow in PHP of the AirMax Products
Ubiquiti Networks $500 Other Buffer Overflow in PHP of the AirMax Products
Udemy $150 Extremely high course rating values could be set in order to make a really high average rating for the course. Negative values could be set too.
Shopify $3,000 Attention! Remote Code Execution at http://wpt.ec2.shopify.com/
Shopify $500 Reflected XSS in chat
Ubiquiti Networks $250 Buffer Overflow in PHP of the AirMax Products
Ubiquiti Networks $18,000 Arbitrary file Upload on AirMax
Python $1,000 Integer overflow in _json_encode_unicode leads to crash
Python $500 Integer overflow in _pickle.c
Python $1,000 Python: imageop Unsafe Arithmetic
PHP $500 PHP yaml_parse/yaml_parse_file/yaml_parse_url Unsafe Deserialization
PHP $1,500 PHP yaml_parse/yaml_parse_file/yaml_parse_url Double Free
PHP $500 str_repeat() sign mismatch based memory corruption
Python $500 Multiple type confusions in unicode error handlers
Python $500 Use after free in get_filter
Python $1,500 Multiple use after free bugs in json encoding
Python $1,500 Multiple use after free bugs in heapq module
Python $1,500 Multiple use after free bugs in element module
Python $500 Tokenizer crash when processing undecodable source code
PHP $500 php_stream_url_wrap_http_ex() type-confusion vulnerability
PHP $500 Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER
PHP $500 Type Confusion Vulnerability in SoapClient
PHP $1,500 Use after free vulnerability in unserialize() with DateInterval
The Internet $3,000 libcurl: URL request injection CVE-2014-8150
OpenSSL $2,500 Malformed ECParameters causes infinite loop CVE-2015-1788
PHP $1,500 Integer overflow in ftp_genlist() resulting in heap overflow CVE-2015-4022
PHP $1,500 ZIP Integer Overflow leads to writing past heap boundary CVE-2015-2331
PHP $1,000 Buffer Over-read in unserialize when parsing Phar CVE-2015-2783
PHP $1,000 Buffer Over flow when parsing tar/zip/phar in phar_set_inode CVE-2015-3329
OpenSSL $500 X509_to_X509_REQ NULL pointer deref CVE-2015-0288
PHP $1,500 Use After Free Vulnerability in unserialize() CVE-2015-2787
PHP $500 out of bounds read crashes php-cgi CVE-2014-9427
HackerOne $500 CSV Injection with the CVS export feature
VK.com $300 Vulnerability: creating photos without users' knowledge
Pornhub $5,000 Unauthenticated access to Content Management System - www1.pornhubpremium.com
Shopify $500 XSS at Bulk editing ProductVariants
Pornhub $2,500 Multiple endpoints are vulnerable to XML External Entity injection (XXE)
Pornhub $10,000 Publicly exposed SVN repository, ht.pornhub.com
Hired $250 URGENT - Subdomain Takeover on be.hired.com due to unclaimed domain pointing to Heroku.com
Shopify $500 XSS in Myshopify Admin Site in DISCOUNTS
VK.com $250 Unlinking Twitter from any VK profile! + several design bugs
Automattic $100 Verification code issues for Two-Step Authentication
VK.com $100 Issue in the implementation of captcha and race condition
Shopify $1,000 Bypass access restrictions from API
InVision $150 Enumeration and Guessable Email (OWASP-AT-002) Through Login Form
Shopify $500 SSRF via 'Insert Image' feature of Products/Collections/Frontpage
Mail.Ru $160 [my.mail.ru] CRLF Injection
Shopify $500 SSRF via 'Add Image from URL' feature
VK.com $200 Vulnerability allowing retrieval of all VK phone numbers (which also serve as profile logins)
Shopify $500 Expire User Sessions in Admin Site does not expire user session in Shopify Application in IOS
Mail.Ru $200 Possible xWork classLoader RCE: shared.mail.ru
Shopify $500 XSS at Bulk editing products
Shopify $500 XSS at importing Product List
Sandbox Escape $3,000 Microsoft Internet Explorer ActiveX Broker Allows EPM Bypass
Legal Robot $20 Guessing registered users in legalrobot.com
Shopify $500 [www.*.myshopify.com] CRLF Injection
Legal Robot $20 No valid SPF record
HackerOne $500 mailto: link injection on https://hackerone.com/directory
Mail.Ru $250 [s.mail.ru] CRLF Injection
VK.com $200 Vulnerability in "Tag places on photo" + feature + hacking
HackerOne $500 Invitation is not properly cancelled while inviting to bug reports.
VK.com $500 XSS at http://vk.com on IE using flash files
VK.com $400 Vulnerability in a user's private (personal) posts
Coinbase $5,000 OAuth authorization page vulnerable to clickjacking
Mail.Ru $150 Activities are not protected and app can be crashed using another app (can be malware or a third-party app).
VK.com $100 Insufficient validation of Skype login
Mapbox $1,000 Stored Cross-Site Scripting in Map Share Page
Legal Robot $20 CSRF
Coinbase $5,000 Big Bug with Vault which i have already reported: Case #606962
Mail.Ru $250 HTML Injection on e.mail.ru
VK.com $500 API: Bug in method auth.validatePhone
Legal Robot $40 Registration bypass using OAuth logical bug
VK.com $100 Able to intercept app Traffic after choosing up the Secured Connection using SSL (HTTPS)
Legal Robot $20 Missing security headers, possible clickjacking
Legal Robot $20 missing SPF for legalrobot.com
Shopify $1,000 Privilege Escalation - A `MEMBER` with no ACCESS to `ORDERS` can still access the orders by using `Order Printer APP`
Romit $50 Cross site scripting
HackerOne $100 Potential denial of service in hackerone.com/<program>/reward_settings
HackerOne $500 Logic error with notifications: user that has left team continues to receive notifications and can not 'clean' this area on account
Mavenlink $100 XSS in https://app.mavenlink.com/workspaces/
HackerOne $500 External URL page bypass
Shopify $500 Bulk Discount App in myshopify.com exposes http://bulkdiscounts.shopifyapps.com vulnerable to XSS
Udemy $150 Multiple subdomains are vulnerable because of leaking full path
Mail.Ru $150 http://tp-dev1.tp.smailru.net/
Mail.Ru $200 tt-mac.i.mail.ru: Quagga 0.99.23.1 (Router) : Default password and default enable password
Shopify $500 XSS in myshopify.com Admin site in TAX Overrides
Udemy $100 XSS on https://www.udemy.com/asset/export.html
Udemy $100 Ability to add phishing links in discussion, "Bypassing uneducational Links add"
Sandbox Escape $3,000 Internet Explorer Enhanced Protected Mode sandbox escape via a broker vulnerability
Udemy $150 leak receipt of another user
Udemy $100 XSS on autosearch
Slack $100 Bypass of the SSRF protection (Slack commands, Phabricator integration)
Mail.Ru $400 http://fitter1.i.mail.ru/browser/ Graphite exposed to the Internet
Mail.Ru $400 store-agent.mail.ru: stacked blind injection
HackerOne $500 Content Spoofing - External Link Warning Page
Udemy $150 teach.udemy.com log poison vulnerability through wordpress debug.log being publicly available
Udemy $150 xss profile
HackerOne $500 Reopen Disable Accounts/ Hidden Access After Disable
drchrono $100 Accessing all appointments vulnerability
drchrono $150 Create and Update patients vulnerability
HackerOne $500 Fake URL + Additional vectors for homograph attack
HackerOne $500 Homograph attack
HackerOne $500 Making any Report Failed to load
Dropbox $512 XSS in dropbox main domain
Dropbox $216 Race condition when redeeming coupon codes
Shopify $500 Stored XSS in the Shopify Discussion Forums
Shopify $500 SSL cookie without secure flag set
Shopify $500 Content Spoofing
HackerOne $500 Homograph attack
Whisper $50 Insecure Local Data Storage : Application stores data using a binary sqlite database
Romit $50 HTML injection in email sent by romit.io
Coinbase $100 ByPassing the email Validation Email on Sign up process in mobile apps
Romit $50 Server responds with the server error logs on account creation
Vimeo $500 API: missing invalidation of OAuth2 Authorization Code during access revocation causes authorization bypass
Shopify $500 amazon aws s3 bucket content is public :- http://shopify.com.s3.amazonaws.com/
Shopify $500 XSS in experts.shopify.com
Twitter $280 DOM based cookie bomb
HackerOne $500 Open-redirect on hackerone.com
Shopify $4,000 Notification request disclose private information about other myshopify accounts
Dropbox $512 SSRF vulnerability in app webhooks
Whisper $30 Missing DMARC record
Shopify $500 XSS on ecommerce.shopify.com
HackerOne $1,000 SPF whitelist of mandrill leads to email forgery
Shopify $500 Invitation issue
Shopify $500 Payment gateway status transferred to Shopify without authentication
Shopify $1,000 Shop admin can change external login services
Shopify $1,000 IDOR expire other user sessions
Dropbox Acquisitions $216 Get email ID of any user on hackpad.com
Shopify $2,000 Shopify android client all API request's response leakage, including access_token, cookie, response header, response body content
Shopify $500 CSRF token fixation in facebook store app that can lead to adding attacker to victim acc
Shopify $1,000 [persistent cross-site scripting] customers can target admins
Shopify $500 Force 500 Internal Server Error on any shop (for one user)
Twitter $280 Fabric.io: Ex-admin of an organization can delete team members
Shopify $500 Open Redirect after login at http://ecommerce.shopify.com
Shopify $500 Authentication Failed Mobile version
Shopify $500 Open redirection in OAuth
drchrono $700 XML Parser Bug: XXE over which leads to RCE
PHP $3,000 Use after free vulnerability in unserialize()
PHP $2,500 SoapClient's __call() type confusion through unserialize()
PHP $2,500 Use after free vulnerability in unserialize() with DateTimeZone
PHP $2,500 Free called on uninitialized pointer in exif.c
OpenSSL $3,000 Segmentation fault for invalid PSS parameters
Python $9,000 Multiple Python integer overflows
Shopify $500 Missing spf flags for myshopify.com
Coinbase $1,000 Sandboxed iframes don't show confirmation screen
Mail.Ru $500 e.mail.ru stored XSS in agent via sticker (smile)
Snapchat $100 Captcha Bypass in Snapchat's Geofilter Submission Process
Snapchat $100 Vulnerable to JavaScript injection. (WXS) (Javascript injection)!
Slack $100 Logout any user of same team
Mapbox $1,000 Persistent cross-site scripting (XSS) in map attribution
Shopify $500 Xss in website's link
Twitter $420 Insecure Direct Object Reference - access to other user/group DM's
Twitter $2,800 HTTP Response Splitting (CRLF injection) due to headers overflow
Mapbox $1,000 Stored xss in editor
Dropbox Acquisitions $216 XSS in https://hackpad.com/
Twitter $1,400 XSS in twitter.com/safety/unsafe_link_warning
Phabricator $300 SSRF vulnerability (access to metadata server on EC2 and OpenStack)
Coinbase $100 Blacklist bypass on Callback URLs
Vimeo $250 [URGENT ISSUE] Add or Delete the videos in watch later list of any user.
Phabricator $300 XSS with Time-of-Day Format
Vimeo $250 Share your channel to any user on vimeo without following him
Vimeo $250 Invite any user to your group without even following him
Twitter $420 Insecure direct object reference - have access to deleted DM's
itBit Exchange $200 secretKey for OTP is getting leaked in response of a delete request!
itBit Exchange $200 confirmation bypass of 2FA devices while they are deleting
Ubiquiti Networks $500 UniFi v3.2.10 Cross-Site Request Forgeries / Referer-Check Bypass
Vimeo $150 Insecure Direct Object References that allows to read any comment (even if it should be private)
Vimeo $500 Insecure Direct Object References in https://vimeo.com/forums
Twitter $3,500 HTTP Response Splitting (CRLF injection) in report_story
HackerOne $500 Open redirect in "Language change".
Caviar $500 Remotely modifying courier Account Details
Vimeo $250 Post in private groups after getting removed
Flash $2,000 Flash Cross Domain Policy Bypass by Using File Upload and Redirection - only in Chrome
Vimeo $250 A user can enhance their videos with paid tracks without buying the track
Whisper $10 CVE-2014-0224 openssl ccs vulnerability
Whisper $100 Bypass pin(4 digit passcode on your android app)
Vimeo $500 A user can post comments on other user's private videos
Vimeo $250 A user can add videos to other user's private groups
Vimeo $250 A user can edit comments even after video comments are disabled
Twitter $560 open redirect sends authenticity_token to any website or (ip address)
Ubiquiti Networks $500 CSRF in login form would lead to account takeover
The Internet $7,500 FREAK: Factoring RSA_EXPORT Keys to Impersonate TLS Servers
Twitter $1,400 XSS in original referrer after follow
Romit $50 The csrf token remains same after user logs in
Ruby on Rails $1,000 rails-ujs will send CSRF tokens to other origins
Twitter $560 Twitter Ads Campaign information disclosure through admin without any authentication.
Twitter $1,400 Open Redirect leak of authenticity_token lead to full account take over.
HackerOne $5,000 Improperly validated fields allows injection of arbitrary HTML via spoofed React objects
Vimeo $250 Vimeo + & Vimeo PRO Unauthorised Tax bypass
Mail.Ru $300 RCE via JDWP
Yelp $500 Information disclosure - emails disclosed in response > staging.seatme.us
Mail.Ru $150 scfbp.tng.mail.ru: Heartbleed
Mail.Ru $150 HDFS NameNode Public disclosure: http://185.5.139.33:50070/dfshealth.jsp
Todoist $25 Remotely removing credit cards from business accounts!
Todoist $25 Taking over a Business Account Admin
Twitter $1,400 Redirect URL in /intent/ functionality is not properly escaped
HackerOne $500 Team member invitations to sandboxed teams are not invalidated consistently (v2)
The Internet $5,000 Bad Write in TTF font parsing (win32k.sys)
Coinbase $100 open authentication bug
Slack $200 Team admin can add billing contacts
Dropbox Acquisitions $729 Privilege Escalation at invite feature @hackpad.com
Twitter $140 Reporting user's profile by using another people's ID
The Internet $3,000 Heap overflow in H. Spencer’s regex library on 32 bit systems
Romit $50 Email Enumeration (POC)
QIWI $200 [ishop.qiwi.com] XSS + Misconfiguration
Mail.Ru $600 Same Origin Policy bypass
HackerOne $2,000 CSP Bypass: Click handler for links with data-method="post" can cause authenticity_token to be sent off domain
Flash $7,500 Use After Free in Flash MessageChannel.send can cause arbitrary code execution
Flash $10,000 Use after free during the StageVideoAvailabilityEvent can result in arbitrary code execution
Flash $10,000 Race condition in workers may cause an exploitable double free by abusing bytearray.compress()
InVision $200 Javascript Injection
itBit Exchange $50 Leakage of sensitive wallet tokens to third party sites
Flash $2,000 Adobe Flash Player Out-of-Bound Access Vulnerability
Vimeo $250 Red October 1511493148.cloud.vimeo.com
HackerOne $5,000 Markdown parsing issue enables insertion of malicious tags and event handlers
Twitter $560 Twitter Card - Parent Window Redirection
Slack $100 Team admin can change unauthorized team setting (allow_message_deletion)
Slack $200 Team admin can change unauthorized team setting (require_at_for_mention)
Romit $50 Frictionless Transferring of Wallet Ownership
Twitter $1,260 Problem with OAuth
HackerOne $500 Team member invitations to sandboxed teams are not invalidated consistently
HackerOne $500 Insecure Direct Object Reference vulnerability
Whisper $10 Error stack trace
Whisper $25 Directory index and information disclosure
HackerOne $5,000 Vulnerability with the way \ escaped characters in <http://danlec.com> style links are rendered
Vimeo $250 CRITICAL vulnerability - Insecure Direct Object Reference - Unauthorized access to `Videos` of Channel whose privacy is set to `Private`.
Trello $128 [blog.trello.com] CRLF Injection
Trello $64 [trello.com] Open Redirect
Vimeo $100 XSS on Vimeo
itBit Exchange $150 Stored xss in bank name withdraw
Vimeo $100 ftp upload of video allows naming that is not sanitized as the manual naming
itBit Exchange $50 weird bug! (missing validation on new email verification)
HackerOne $500 Improper way of validating a program
itBit Exchange $200 Insecure data in "device" response - OTP
Vimeo $100 Vimeo Search - XSS Vulnerability [http://vimeo.com/search]
Twitter $140 Insecure Data Storage in Vine Android App
itBit Exchange $50 Email Length Verification
itBit Exchange $500 Notification Emails: IP + Content-Spoofing
Ruby on Rails $500 RCE due to Web Console IP Whitelist bypass in Rails 4.0 and 4.1
Vimeo $1,000 XSS on any site that includes the moogaloop flash player | deprecated embed code
Twitter $140 Flaw in login with twitter to steal Oauth tokens
Mail.Ru $150 Heartbleed: my.com (185.30.178.33) port 1433
Vimeo $1,000 Make API calls on behalf of another user (CSRF protection bypass)
Mail.Ru $150 Hadoop Node available to public
Vimeo $100 CRITICAL full source code/config disclosure for Cameo
Twitter $420 twitter android app Fragment Injection
Vimeo $1,000 abusing Thumbnails(https://vimeo.com/upload/select_thumb) to see a private video
Vimeo $250 Ability to Download Music Tracks Without Paying (Missing permission check on `/musicstore/download`)
Mail.Ru $100 Disclosure of mobile phone number during two-factor authentication
Vimeo $100 player.vimeo.com - Reflected XSS Vulnerability
Vimeo $1,000 Adding profile picture to anyone on Vimeo
Vimeo $260 Buying on-demand videos for 0.1 and sometimes for free
Python $1,000 PyUnicode_FromFormatV crasher
Ruby on Rails $1,000 Arbitrary file existence disclosure in Action Pack CVE-2014-7829
Twitter $1,120 Fabric.io - an app admin can delete team members from other user apps
Twitter $1,400 fabric.io - app member can make himself an admin
Vimeo $100 APIs for channels allow HTML entities that may cause XSS issue
Vimeo $5,000 Vimeo.com Insecure Direct Object References Reset Password
Vimeo $100 Vimeo.com - reflected xss vulnerability
Vimeo $100 Vimeo.com - Reflected XSS Vulnerability
Uber $500 XSS on partners.uber.com
Flash $1,000 chrome allows POST requests with custom headers using flash + 307 redirect
Twitter $420 URGENT - Subdomain Takeover on users.tweetdeck.com , the same issue of report #32825
Romit $250 stored xss in transaction
Twitter $1,400 HTML/XSS rendered in Android App of Crashlytics through fabric.io
Romit $250 Stored XSS in api key of operator wallet
Romit $100 Error stack trace
Twitter $140 POODLE Bug: 199.16.156.44, 199.16.156.108, mx4.twitter.com
Twitter $280 Open redirection in fabric.io
Mail.Ru $100 No bruteforce protection leads to enumeration of emails in http://e.mail.ru/
Phabricator $500 Phabricator Phame Blog Skins Local File Inclusion
Vimeo $500 [vimeopro.com] CRLF Injection
Phabricator $300 Phabricator Diffusion application allows unauthorized users to delete mirrors
Square $500 Delayed, fraudulent transactions possible with encrypted Square Reader devices due to lack of server-side verification of device transaction counter
Mail.Ru $250 [connect.mail.ru] Memory Disclosure / IE XSS
HackerOne $500 Issue with password change
HackerOne $500 Breaking Bugs as team member
Openfolio $100 xss in /browse/contacts/
Python $6,500 Misc Python bugs (Memory Corruption & Use After Free)
QIWI $150 [qiwi.com] Open Redirect
QIWI $100 Stored xss in agent.qiwi.com
Greenhouse.io $1,000 Subdomain Takeover using blog.greenhouse.io pointing to Hubspot
Eobot $10 XSS in www.eobot.com(IE9 only)
Sucuri $250 Open Redirect in unmask.sucuri.net
InVision $150 CSRF Token in cookies!
Twitter $1,400 [Stored XSS] vine.co - profile page
Coinbase $100 New Device Confirmation, token is valid until not used.
QIWI $1,000 [send.qiwi.ru] Soap-based XXE vulnerability /soapserver/
QIWI $100 [qiwi.com] /oauth/confirm.action XSS
Flash $2,000 Adobe Flash Player MP4 Use-After-Free Vulnerability
Apache httpd $500 mod_proxy_fcgi buffer overflow CVE-2014-3583
HackerOne $500 Logic Issue with Reputation: Boost Reputation Points
QIWI $250 CRLF Injection [ishop.qiwi.com]
QIWI $200 [send.qiwi.ru] XSS at auth?login=
QIWI $200 [static.qiwi.com] XSS proxy.html
Twitter $140 getting emails of users/removing them from victims account [using typical attack]
HackerOne $500 Gain reputation by creating a duplicate of an existing report
PHP $2,500 Locale::parseLocale Double Free
Twitter $280 XSS via Fabrico Account Name
Mail.Ru $500 Filtering error
Block.io $150 SMTP Protection not used, I can hijack your email server.
Twitter $420 Bad extended ascii handling in HTTP 301 redirects of t.co
HackerOne $500 File Name Enumeration
Twitter $1,400 DOM Cross-Site Scripting ( XSS )
InVision $300 Backup of wordpress configuration file found. Leaking database users/passwords
Slack $500 a stored xss in slack integration https://onerror.slack.com/services/import
Twitter $1,680 URGENT - Subdomain Takeover on media.vine.co due to unclaimed domain pointing to AWS
Mail.Ru $200 OpenSSL HeartBleed (CVE-2014-0160)
Twitter $280 XSS in fabric.io
The Internet $3,000 Drupal 7 pre auth sql injection and remote code execution
Twitter $140 Signup Page HTML Injection Vulnerability
RelateIQ $500 PoodleBleed
Flash $5,000 Adobe Flash Player Out-of-Bound Read/Write Vulnerability
HackerOne $1,000 Ability to see common response titles of other teams (limited)
WP API $50 Cryptographic Side Channel in OAuth Library
Twitter $420 Unauthorized Tweeting on behalf of Account Owners
Twitter $560 Improper Verification of email address while saving Account Settings
RelateIQ $250 Relateiq SSLv3 deprecated protocol vulnerability.
Flash $2,000 Adobe Flash Player MP4 Use-After-Free Vulnerability
Coinbase $100 New Device confirmation tokens are not properly validated.
Square $250 CSRF on adding a calendar event
Square $500 square google calendar integration CSRF, https://squareup.com/appointments/business/settings (state parameter not checked properly)
Square $500 CSRF on adding clients
The Internet $20,000 GNU Bourne-Again Shell (Bash) 'Shellshock' Vulnerability
Twitter $280 Profile Pic padding (Length-hiding) fails due to use of GZIP
HackerOne $500 homograph attack. IDNs displayed in unicode in bug reports and on external link warning page
IRCCloud $300 Unvalidated Channel names causes IRC Command Injection
Square $250 Privilege Escalation
WePay $350 Horizontal Privilege Escalation
Twitter $1,120 XSS platform.twitter.com | video-js metadata
HackerOne $500 No email verification on username change
Twitter $1,120 XSS platform.twitter.com
Sucuri $250 Usage of HTTP for exporting graph data as images
Square $250 Redirect while opening link in new tabs
Coinbase $100 Credit Card Validation Issue
HackerOne $500 Redirect FILTER bypass in report/comment
Mail.Ru $500 touch.mail.ru XSS via message id
Twitter $420 iOS App can establish Facetime calls without user's permission
Ruby on Rails $1,500 Active Record SQL Injection Vulnerability Affecting PostgreSQL CVE-2014-3483
Ruby on Rails $1,500 Active Record SQL Injection Vulnerability Affecting PostgreSQL CVE-2014-3482
PHP $2,500 SPL ArrayObject/SPLObjectStorage Unserialization Type Confusion Vulnerabilities CVE-2014-3515
Twitter $1,400 Cross site scripting on ads.twitter.com
HackerOne $500 Window Opener Property Bug
Twitter $1,400 Stored xss
Square $2,000 malicious file upload
Flash $1,000 Flash Local Sandbox Bypass CVE-2014-0554
Twitter $1,400 ads.twitter.com xss
Square $400 Reflected XSS in widget script thru cookie
Twitter $2,800 Delete Credit Cards from any Twitter Account in ads.twitter.com [New Vulnerability]
Square $1,000 Reflected XSS in connect.square.com
Square $750 Editing Client Details of other People
Twitter $140 Missing Rate Limiting on https://twitter.com/account/complete
The Internet $3,000 open redirect in rfc6749
Mail.Ru $1,337 XSS via .eml file
WePay $350 Critical : Account removing using CSRF attack
Twitter $140 Full path disclosure at ads.twitter.com
Square $2,000 CRITICAL Account takeover via AngularJS template injection in connect.squareup.com
Django $1,000 CSRF protection bypass on any Django powered site via Google Analytics
Square $500 XSS in Client Past Activity
Square $250 Open Redirect [FreshBook]
Square $500 XSS [BookFresh]
HackerOne $100 Change Any username and profile link in hackerone
Phabricator $400 Open redirection on secure.phabricator.com
Mail.Ru $150 money.mail.ru: Strange SMS behaviour
HackerOne $500 Redirect while opening links in new tabs
Phabricator $300 Forgot Password Issue
Square $1,500 Blind SQL injection in www.bookfresh.com
Slack $200 Content Spoofing all Integrations in https://team.slack.com/services/new/
Slack $100 Content spoofing at Stripe Integrations
Mavenlink $50 privilege escalation
Mavenlink $200 Flash XSS on swfupload.swf showing at app.mavenlink.com
Mavenlink $50 Clickjacking
Mavenlink $100 Login CSRF
Coinbase $1,000 Invoice Details activate JS that filled in
The Internet $3,000 rsync hash collisions may allow an attacker to corrupt or modify files
Apache httpd $500 moderate: mod_deflate denial of service CVE-2014-0118
Mail.Ru $150 cloud.mail.ru: File upload XSS using Content-Type header
Python $1,500 integer overflow in 'buffer' type allows reading memory
Mail.Ru $1,000 e.mail.ru: File upload "Chapito" circus
Mail.Ru $100 m.agent.mail.ru: Forging the j2me app-descriptor
RelateIQ $100 Cross-site Scripting in mailing (username)
Mail.Ru $3,000 Possibility to attach any mobile number to any email
Sandbox Escape $5,000 .NET Type Traversal Vulnerability CVE-2014-0257
WePay $100 Unauthorized Access via Join Email Link
DC Compendium $25 Multiple Full Path Disclosure (FPD) Vulnerability on Dccompendium.com domain
RelateIQ $190 Resubmitted with POC #18685 Password reset CSRF
Phabricator $1,000 XSS in editor by any user
WePay $150 CSRF on email address operations. Also performing unintended operations.
WePay $500 Session Fixation
DC Compendium $50 Backend source code disclosure on 404 pages
DC Compendium $25 source code disclosure
Yahoo! $250 Yahoo! Reflected XSS
DC Compendium $25 XSS on Home page
DC Compendium $25 Error page Cross-site scripting
DC Compendium $25 Clickjacking: X-Frame-Options header missing
HackerOne $100 Denial of Service
The Internet $6,000 LZ4 Core CVE-2014-4611
IRCCloud $500 Reflected XSS in Pastebin-view
Yahoo! $50 Default /docs folder of PHPBB3 installation on gamesnet.yahoo.com
Phabricator $300 Broken Authentication and Session Management
HackerOne $100 Category- Broken Authentication and Session Management (leads to account compromise if some conditions are met)
Slack $100 Password Policy issue (Weak Protect)
Mail.Ru $400 e.mail.ru: SMS spam with custom content
Slack $100 Open Redirect login account
RelateIQ $250 SSRF (Portscan) via Register Function (Custom Server)
RelateIQ $200 Failed Certificate Validation On Custom Server (Register)
Yahoo! $200 Yahoo Sports Fantasy Golf (Join Public Group)
Phabricator $300 Abusing daemon logs for Privilege escalation under certain scenarios
The Internet $5,000 Multiple issues in looking-glass software (aka from web to BGP injections)
Phabricator $600 Abusing VCS control on phabricator
Mavenlink $50 Non Validation of session after password reset
HackerOne $100 Session not invalidated after password reset
Mail.Ru $150 SQL Injection on 11x11.mail.ru
Coinbase $1,000 Leaking CSRF token over HTTP resulting in CSRF protection bypass
Flash $3,000 Flash Sandbox Bypass CVE-2014-0535
Mavenlink $100 Password reset token not expiring
WePay $300 Open Redirect
Mavenlink $50 Clickjacking at https://www.mavenlink.com/ main website
Mavenlink $50 Login password guessing attack
WePay $100 Session fixation in wepay.com
Slack $300 SSRF on https://whitehataudit.slack.com/account/photo
Mail.Ru $300 connect.mail.ru: SSRF
Automattic $250 privilege escalation
HackerOne $100 Potential denial of service in hackerone.com/teams/new
Mail.Ru $1,000 https://217.69.135.63/rb/: money.mail.ru sources disclosure
Sandbox Escape $10,000 Linux PI futex self-requeue bug CVE-2014-3153
IRCCloud $100 Host Header Injection - irccloud.com
Mail.Ru $500 auth.mail.ru: XSS in login form
Yahoo! $100 Testing for user enumeration (OWASP‐AT‐002) - https://gh.bouncer.login.yahoo.com
Yahoo! $50 Authorization issue on creative.yahoo.com
Mail.Ru $500 XSS in a file or folder name
Mail.Ru $700 XXE and SSRF on webmaster.mail.ru
Flash $7,500 Adobe Flash Player FileReference Use-after-Free Vulnerability CVE-2014-0538
Python $1,500 Python vulnerability: reading arbitrary process memory CVE-2014-4616
Mail.Ru $150 Stored XSS on http://cards.mail.ru
Mail.Ru $300 Stored XSS on http://top.mail.ru
Mail.Ru $250 SQL injection update.mail.ru
Yahoo! $250 Infrastructure and Application Admin Interfaces (OWASP‐CM‐007)
Mail.Ru $400 XSS in https://e.mail.ru/cgi-bin/lstatic (Limited use)
Coinbase $100 CSRF in function "Set as primary" on accounts page
99designs $400 report a reflected XSS
Coinbase $100 CSRF on "Set as primary" option on the accounts page
Coinbase $1,000 Bypassing 2FA for BTC transfers
Mail.Ru $150 SQL inj
The Internet $3,000 Bypassing Same Origin Policy With JSONP APIs and Flash
Slack $500 Stored XSS in slack.com (integrations)
Mail.Ru $150 SQL
Mail.Ru $150 SQL inj
HackerOne $100 All active user sessions should be deleted when a user changes their password!
Mail.Ru $200 Time based sql injection
Mail.Ru $200 SQL injection [hole in the forum engine]
Slack $500 Stored XSS Found
HackerOne $100 Anti-MIME-Sniffing header X-Content-Type-Options header has not been set.
Ian Dunn $25 Xss in CampTix Event Ticketing
Ian Dunn $25 Stored XSS in all fields in Basic Google Maps Placemarks Settings
Mail.Ru $250 Home page reflected XSS
Mail.Ru $150 localStorage is not cleared after logout
Mail.Ru $150 Clickjacking
Yahoo! $300 information disclosure (LOAD BALANCER + URI XSS)
Yahoo! $500 https://caldav.calendar.yahoo.com/ - XSS (STORED)
HackerOne $100 Password Reset Bug
HackerOne $150 Issue with remember_user_token
Yahoo! $250 readable .htaccess + Source Code Disclosure (+ .SVN repository)
Flash $2,000 Security bypass could lead to information disclosure
Yahoo! $2,500 Local File Include on marketing-dam.yahoo.com
Yahoo! $400 invite1.us2.msg.vip.bf1.yahoo.com/ - CSRF/email disclosure
IRCCloud $100 Login CSRF can be bypassed (Similar approach to previous one).
IRCCloud $1,000 Dangerous Persistent xss
Coinbase $100 2 factor authentication design flaw
IRCCloud $100 Host Header is not validated resulting in Open Redirect
The Internet $7,500 TLS Triple Handshake Attack
Yahoo! $500 XSS in https://hk.user.auctions.yahoo.com
Yahoo! $250 Bypass of the Clickjacking protection on Flickr using data URL in iframes
IRCCloud $500 Persistent Cross Site Scripting within the IRCCloud Pastebin
IRCCloud $100 iOS application does not destroy session upon logout.
IRCCloud $100 Bug in iOS application which could lead to unauthorised access.
IRCCloud $100 Missing X-Content-Type-Options
IRCCloud $500 Full account takeover using CSRF and password reset
IRCCloud $500 Session token is not verified while changing account settings, which results in account takeover
IRCCloud $100 Leaking Referrer in Reset Password Link
IRCCloud $100 Bruteforcing irccloud login
IRCCloud $100 Insecure cookies, cookie flag secure not set
IRCCloud $100 Sign up CSRF
IRCCloud $100 Login CSRF
Yahoo! $2,000 Open Proxy, http://www.smushit.com/ysmush.it/, 4/09/14, #SpringClean
Yahoo! $200 CSRF Token is missing on DELETE message option on http://baseball.fantasysports.yahoo.com/b1/127146/messages
Yahoo! $400 CSRF Token missing on http://baseball.fantasysports.yahoo.com/b1/127146/messages
Yahoo! $3,000 REMOTE CODE EXECUTION/LOCAL FILE INCLUSION/XSPA/SSRF, view-source:http://sb*.geo.sp1.yahoo.com/, 4/6/14, #SpringClean
Yahoo! $500 Comment Spoofing at http://suggestions.yahoo.com/detail/?prop=directory&fid=97721
Python $1,500 Integer overflow in strop.expandtabs
Flash $2,000 Same Origin Security Bypass Vulnerability CVE-2014-0503
RelateIQ $100 Wildcard DNS in website
HackerOne $150 creating titleless and non-closable bugs
Yahoo! $1,000 Header injection on rmaitrack.ads.vip.bf1.yahoo.com
Yahoo! $250 Cross-origin issue on rmaiauth.ads.vip.bf1.yahoo.com
Yahoo! $300 reflected XSS, http://extprodweb11.cc.gq1.yahoo.com/, 4/8/14, #SpringClean
Yahoo! $500 Significant Information Disclosure/Load balancer access, http://extprodweb11.cc.gq1.yahoo.com/, 4/8/14, #SpringClean
InVision $200 captcha missing
Slack $500 Facebook Takeover using Slack using 302 from files.slack.com with access_token
Slack $300 Stored XSS in Slack.com
HackerOne $100 Marking notifications as read CSRF bug
Coinbase $1,000 Multiple Issues related to registering applications
The Internet $500 Uncontrolled Resource Consumption with XMPP-Layer Compression
Coinbase $100 Coinbase Android Security Vulnerabilities
Yahoo! $100 XSS in Yahoo! Web Analytics
Coinbase $1,000 Coinbase Android Application - Bitcoin Wallet Leaks OAuth Response Code
Yahoo! $800 From Unrestricted File Upload to Remote Command Execution
Nginx $3,000 SPDY heap buffer overflow CVE-2014-0133
Nginx $3,000 SPDY memory corruption CVE-2014-0088
Slack $500 Duplicate of #4550
Slack $500 Stored XSS in Slackbot Direct Messages
Yahoo! $500 Server Side Request Forgery
RelateIQ $100 TRACE disclosure attack may be possible
Yahoo! $250 XSS Vulnerability (my.yahoo.com)
Phabricator $300 Persistent XSS: Editor link
HackerOne $100 Securing sensitive pages from SearchBots
Phabricator $400 OAuth Stealing Attack (New)
Phabricator $300 Control character allowed in username
Phabricator $450 OAuth access_token stealing in Phabricator
Slack $500 flash content type sniff vulnerability in api.slack.com
RelateIQ $100 Captcha Bypass With Extension
Ruby on Rails $1,500 Directory traversal attack in view resolver CVE-2014-0130
Phabricator $300 UnAuthorized Editorial Publishing to Blogs
HackerOne $100 Control Characters Not Stripped From Username on Signup
Yahoo! $1,000 SQL Injection ON HK.Promotion
Slack $500 Reflected Xss
RelateIQ $100 HTML injection in "Invite Collaborators"
Slack $500 Stored XSS in Channel Chat
Slack $100 CSRF vulnerability on https://sehacure.slack.com/account/settings
Slack $500 Stored XSS in username.slack.com
Slack $200 URL redirection flaw
Slack $200 Stored XSS in www.slack-files.com
Yahoo! $100 http://conf.member.yahoo.com configuration file disclosure
HackerOne $500 Weird Bug - Ability to see partial of other user's notification
Slack $100 Slack OAuth2 "redirect_uri" Bypass
Slack $100 Broken Authentication (including Slack OAuth bugs)
Slack $150 Reflective XSS can be triggered in IE
RelateIQ $100 Cross Site Scripting (XSS) - app.relateiq.com
RelateIQ $100 XSRF token problem
RelateIQ $100 Value of JSESSIONID and XSRF token parameter in cookie remains same before and after login
Sandbox Escape $5,000 Win32k Window Handle Vulnerability (EoP) CVE-2014-0262
Phabricator $500 Bypass auth.email-domains (2)
Phabricator $300 Login CSRF using Twitter OAuth
Phabricator $1,000 Bypass auth.email-domains
HackerOne $100 CSS leaks SCSS debug info
Flash $10,000 Flash double free vulnerability leads to code execution CVE-2014-0502
Yahoo! $1,500 XSS on Every sports.yahoo.com page
Flash $2,000 Flash local-with-fileaccess Sandbox Bypass CVE-2014-0508
Yahoo! $1,276 HK.Yahoo.Net Remote Command Execution
Flash $2,000 Handling of jar: URIs bypasses AllowScriptAccess=never CVE-2014-0491
Flash $10,000 Flash type confusion vulnerability leads to code execution CVE-2013-5331
Yahoo! $1,390 Local file inclusion
Yahoo! $3,705 SQLi on http://sports.yahoo.com/nfl/draft
Yahoo! $750 Flickr: Invitations disclosure (resend feature)
HackerOne $100 DNS Misconfiguration
Yahoo! $800 HTML Injection on flickr screename using IOS App
PHP $1,500 PHP Heap Overflow Vulnerability in imagecrop() CVE-2013-7226
Yahoo! $800 XSS in my yahoo
Yahoo! $2,500 Security.allowDomain("*") in SWFs on img.autos.yahoo.com allows data theft from Yahoo Mail (and others)
Sandbox Escape $3,000 Linux 3.4+: arbitrary write with CONFIG_X86_X32 CVE-2014-0038
Yahoo! $1,960 Store XSS Flicker main page
Yahoo! $2,173.75 Cross-site scripting on the main page of flickr by tagging a user.
Yahoo! $677.50 XSS Yahoo Messenger Via Calendar.Yahoo.Com
HackerOne $100 Autocomplete enabled in Paypal preferences
Phabricator $300 Improperly implemented password recovery link functionality
Phabricator $300 Log in a user to another account
HackerOne $100 A password reset page does not properly validate the authenticity token at the server side.
HackerOne $100 Information disclosure (reset password token) and changing the user's password
HackerOne $100 Improper session management
HackerOne $150 Switching the user to the attacker's account
HackerOne $500 Upload profile photo from URL
HackerOne $250 Email spoofing
HackerOne $100 CSRF login
HackerOne $150 Logical issues with account settings
PHP $4,000 PHP openssl_x509_parse() Memory Corruption Vulnerability CVE-2013-6420
The Internet $7,500 TLS Virtual Host Confusion
The Internet $1,500 OpenSSH: Memory corruption in AES-GCM support CVE-2013-4548
Ruby $1,500 Ruby: Heap Overflow in Floating Point Parsing CVE-2013-4164
HackerOne $100 DNS Cache Poisoning
HackerOne $100 Flawed account creation process allows registration of usernames corresponding to existing file names
HackerOne $500 PNG compression DoS
HackerOne $250 GIF flooding
HackerOne $500 Pixel flood attack
HackerOne $100 Session not expired on logout
HackerOne $250 CSP not consistently applied
HackerOne $500 RTL override symbol not stripped from file names
HackerOne $100 Session Management
HackerOne $100 Broken Authentication and session management OWASP A2
HackerOne $100 Real impersonation
HackerOne $500 Missing SPF for hackerone.com