Unikrn |
$200 |
HTML injection in email in unikrn.com |
Rockstar Games |
$500 |
dom based xss in http://www.rockstargames.com/GTAOnline/ (Fix bypass) |
Legal Robot |
$20 |
No length limit in invite_code can cause server degradation |
Legal Robot |
$20 |
CSP script-src includes "unsafe-inline" |
Legal Robot |
$20 |
Improper validation of parameters while creating issues |
Legal Robot |
$100 |
Update any profile |
Legal Robot |
$20 |
first name and last name restrictions bypass |
Legal Robot |
$20 |
TabNabbing issue (due to target=_blank) |
Legal Robot |
$20 |
Incorrect error message |
Legal Robot |
$20 |
Incorrect email content when disabling 2FA |
Legal Robot |
$20 |
Lengthy manual entry of 2FA secret |
Trello |
$128 |
A CRLF injection into the redirect URL of https://trello.com/1/authorize can be used to cause a denial of service when later redirected to |
Quora |
$500 |
[Quora Android] Possible to steal arbitrary files from mobile device |
Snapchat |
$5,000 |
RCE/LFI on test Jenkins instance due to improper authentication flow |
Legal Robot |
$40 |
Code injection |
Legal Robot |
$20 |
User enumeration from failed login error message |
Brave Software |
$200 |
URL Spoof / Brave Shield Bypass |
Legal Robot |
$20 |
Change password logic inversion |
Legal Robot |
$20 |
Profile fields validation bypass |
Legal Robot |
$20 |
Profile shows incorrect account creation date |
Rockstar Games |
$500 |
dom based xss in https://www.rockstargames.com/GTAOnline/ |
Bitvise |
$100 |
The POODLE attack (SSLv3 supported) |
Unikrn |
$50 |
Escaping images directory in S3 bucket when saving new avatar, using Path Traversal in filename |
Boozt Fashion AB |
$60 |
Password reset token issue |
Legal Robot |
$20 |
[Cross-domain Referer leakage] Password reset token leakage via referer |
Automattic |
$225 |
XSS Vulnerability in WooCommerce Product Vendors plugin |
Rockstar Games |
$600 |
CSRF Vulnerability allows attackers to steal SocialClub private token. |
Legal Robot |
$20 |
Token leakage by referrer header & analytics |
Zomato |
$500 |
Restaurant payment information leakage |
Unikrn |
$40 |
Flash CSRF: Update Ad Frequency %: [cp-ng.pinion.gg] |
Zomato |
$100 |
Length extension attack leading to HTML injection |
Legal Robot |
$20 |
No notification on change password feature |
Legal Robot |
$20 |
Meta characters are not filtered into full name on profile page |
Legal Robot |
$20 |
Pages don't render in old browsers like IE11 |
Legal Robot |
$60 |
Missing Issuer parameter on TOTP 2FA |
Moneybird |
$50 |
Stored XSS at Moneybird |
Legal Robot |
$20 |
[New Feature] Password history check |
TTS Bug Bounty |
$150 |
The Federalist session cookie (federalist.sid) is not properly invalidated - backdoor access to the account is possible |
Legal Robot |
$20 |
User enumeration |
Legal Robot |
$20 |
Password complexity ignores empty spaces |
Legal Robot |
$60 |
Users with 2FA can have multiple sessions |
Legal Robot |
$20 |
Account profile shows encryption recovery box for all users |
Legal Robot |
$60 |
Enhancement: email confirmation for 2FA recovery |
Legal Robot |
$20 |
Intercom chat session information persists after logout |
Legal Robot |
$60 |
2FA Error Handling on Google Authenticator |
Legal Robot |
$90 |
2FA user enumeration via password reset |
Legal Robot |
$40 |
Password complexity not evenly enforced |
Legal Robot |
$90 |
Missing link to 2FA recovery code |
Legal Robot |
$90 |
Missing link to TOTP manual enroll option |
Legal Robot |
$60 |
Non-functional 2FA recovery codes |
TTS Bug Bounty |
$150 |
Race condition on the Federalist API endpoints can lead to the Denial of Service attack |
Zomato |
$50 |
Posting to Twitter CSRF on php/post_twitter_authenticate.php |
Grabtaxi Holdings Pte Ltd |
$1,000 |
Git repository found |
Twitter |
$10,080 |
XXE on sms-be-vip.twitter.com in SXMP Processor |
Coinbase |
$100 |
Information disclosure same issue #176002 |
Grabtaxi Holdings Pte Ltd |
$200 |
[parcel.grab.com] DOM XSS at /assets/bower_components/lodash/perf/ |
HackerOne ★ |
$1,500 |
Reading redacted data via hackbot's answers |
Grabtaxi Holdings Pte Ltd |
$200 |
Dom based xss affecting all pages from https://www.grab.com/. |
Zomato |
$250 |
Bypass OTP verification when placing Order |
VK.com |
$100 |
Learn a private group's name and avatar from a video. |
Zomato |
$500 |
[█████████] Hardcoded credentials in Android App |
Twitter |
$420 |
Open Redirect |
Snapchat |
$250 |
[spectacles.com] Bypassing quantity limit in orders |
Coinbase |
$100 |
Captcha Bypass in Coinbase SignUp Form |
Rockstar Games |
$500 |
Reflected XSS via Double Encoding |
Zomato |
$300 |
SQL Injection, exploitable in boolean mode |
TTS Bug Bounty |
$350 |
[IDOR] The authenticated user can restart website build or view build logs on any another Federalist account |
TTS Bug Bounty |
$300 |
A user who was removed from the GitHub Organization can still access all Federalist functions if they did not log out |
Zomato |
$1,000 |
Login to any account with the email address |
TTS Bug Bounty |
$300 |
Double Stored Cross-Site scripting in the admin panel |
shopify-scripts ★ |
$800 |
Use after free in mruby-mpdecimal |
Apache httpd (IBB) |
$1,500 |
Apache HTTP Request Parsing Whitespace Defects CVE-2016-8743 |
Shopify |
$500 |
IDOR [partners.shopify.com] - User with ONLY Manage apps permission is able to get shops info and staff names from inside the shop |
RubyGems |
$1,000 |
Installing a crafted gem package may create or overwrite files CVE-2017-0901 |
Rockstar Games |
$1,000 |
XSS in http://www.rockstargames.com/theballadofgaytony/js/jquery.base.js |
VK.com |
$100 |
Missing token when adding a song to a user's playlist |
shopify-scripts ★ |
$800 |
Null pointer dereference with send/method_missing |
Maximum |
$50 |
Open redirect on https://werkenbijdefensie.nl/ |
Pornhub |
$500 |
Stored XSS in the any user profile using website link |
Apache httpd (IBB) |
$1,500 |
ap_find_token() Buffer Overread CVE-2017-7668 |
Starbucks |
$2,000 |
Possible subdomain takeover at openapi.starbucks.com |
Rockstar Games |
$500 |
flash injection in http://www.rockstargames.com/IV/imgPlayer/imageEmbed.swf |
Python (IBB) |
$500 |
Unsafe arithmetic in PyString_DecodeEscape |
Pornhub |
$750 |
pornhub.com/user/welcome/basicinfo nickname field is vulnerable to XSS |
Shopify |
$500 |
Stored XSS in *.myshopify.com |
Maximum |
$350 |
Open Redirect & Information Disclosure [mijn.werkenbijdefensie.nl] |
Mail.Ru |
$100 |
BruteForce Any [My.com] Account Credentials. |
Automattic |
$800 |
SSRF and local file disclosure in https://wordpress.com/media/videos/ via FFmpeg HLS processing |
Snapchat |
$500 |
CRLF Injection at vpn.bitstrips.com |
MapsMarker.com e.U. |
$20 |
Cross-site Scripting (XSS) in /updates-pro/archive/ |
ToyTalk |
$200 |
Host Header Injection and Cache Poisoning |
Perl (IBB) |
$500 |
heap-buffer-overflow (READ of size 61) in Perl_re_intuit_start() |
Rockstar Games |
$250 |
Control characters incorrectly handled on Crew Status Update |
Keybase |
$500 |
Universal Cross-Site Scripting in Keybase Chrome extension |
Shopify |
$5,000 |
XSS on $shop$.myshopify.com/admin/ and partners.shopify.com via whitelist bypass in SVG icon for sales channel applications |
Perl (IBB) |
$500 |
heap-buffer-overflow (READ of size 11) in Perl 5.25.x |
Snapchat |
$15,000 |
Open prod Jenkins instance |
Rockstar Games |
$1,000 |
Stored XSS in profile activity feed messages |
Rockstar Games |
$1,000 |
Stored XSS in snapmatic comments |
Shopify |
$3,000 |
XSS on any Shopify shop via abuse of the HTML5 structured clone algorithm in postMessage listener on "/:id/digital_wallets/dialog" |
VK.com |
$100 |
CSRF on resetting the broadcast stream key. |
Legal Robot |
$20 |
Domain takeover (legalrobot.co.za) |
WordPress |
$275 |
DOM Based XSS In mercantile.wordpress.org |
WordPress |
$275 |
Stored self-XSS in mercantile.wordpress.org checkout |
Mail.Ru |
$150 |
XSS in portal navigation |
HackerOne ★ |
$10,000 |
WannaCrypt “Killswitch” |
Mail.Ru |
$500 |
XSS in https://e.mail.ru/ |
Pornhub |
$250 |
Partial disclosure of Private Videos through data-mediabook attribute information leak |
Discourse |
$256 |
Any authenticated user can download full list of users, including email |
Discourse |
$64 |
SSRF in upload IMG through URL |
Paragon Initiative Enterprises |
$50 |
Directory disclosure and email disclosure (Zendmail vulnerability) |
Maximum |
$50 |
Cross-site Scripting (XSS) on [maximum.nl] |
Trello |
$256 |
Cross-Site Scripting on Trello's iPhone App |
Instacart |
$150 |
Reverse Tab-nabbing at www.instacart.com/store/partner_recipe?recipe_url= |
Instacart |
$100 |
XSS in instacart.com/store/partner_recipe |
shopify-scripts ★ |
$100 |
Heap Overflow in fiber_switch triggered from Fiber.transfer |
Dashlane |
$100 |
[https://www.dashlane.com] Test Panel Disclosure |
Maximum |
$300 |
IDOR in editing courses |
Mail.Ru |
$500 |
XSS in https://e.mail.ru/ |
Harvest |
$300 |
[platform.harvestapp.com] Reflected XSS in Error Message via URL parameters |
Ubiquiti Networks |
$100 |
HTML Injection on airlink.ubnt.com |
VK.com |
$1,000 |
local file disclosure via FFmpeg hls processing |
Shopify |
$2,000 |
Reflected XSS in <any>.myshopify.com through theme preview |
HackerOne ★ |
$500 |
HackerOne reports escalation to JIRA is CSRF vulnerable |
RubyGems |
$500 |
Escape sequence injection in "summary" field CVE-2017-0899 |
Paragon Initiative Enterprises |
$50 |
Cross-site-Scripting |
shopify-scripts ★ |
$200 |
OP_SCALL in LHS of a OP_ASGN resulting in arbitrary memory write |
HackerOne ★ |
$1,000 |
Changing Victim's JIRA Integration Settings Through Multiple Bugs |
Dashlane |
$350 |
Throttling Bypass - ws1.dashlane.com |
Dashlane |
$300 |
Extract Billing admin email address using random team id |
Mapbox |
$300 |
Node modules path disclosure due to lack of error handling |
Uber ★ |
$2,000 |
phone number exposure for riders/drivers given email/uuid |
VK.com |
$100 |
View the videos a user has ever sent in private messages. |
Uber ★ |
$8,500 |
SAML Authentication Bypass on uchat.uberinternal.com |
Phabricator |
$300 |
IRC-Bot exposes information |
Mapbox |
$500 |
Open Aws Amazon S3 Buckets |
Pornhub |
$350 |
Mixed Reflected-Stored XSS on pornhub.com (without user interaction) in the playlist playing section |
shopify-scripts ★ |
$800 |
heap-use-after-free in mrb_vm_exec - vm.c:1247 |
ICQ |
$1,000 |
Duplicate: https://hackerone.com/reports/219171 (account access via password reset) |
WordPress |
$150 |
Stored but [SELF] XSS in mercantile.wordpress.org |
shopify-scripts ★ |
$100 |
heap use after free in fiber_switch |
WordPress |
$387.50 |
Reflected XSS at https://da.wordpress.org/themes/?s= via "s=" parameter |
The Internet |
$500 |
Mercurial can be tricked into granting authorized users access to the Python debugger CVE-2017-9462 |
Trello |
$128 |
Malicious file can be hidden as Card Attachment or Card Cover image |
WordPress |
$275 |
XSS in the search bar of mercantile.wordpress.org |
YouPorn |
$250 |
DOM-based XSS on youporn.com (main page) |
OpenSSL (IBB) |
$500 |
Excessive allocation of memory in dtls1_preprocess_fragment() (CVE-2016-6308) CVE-2016-6308 |
OpenSSL (IBB) |
$500 |
Excessive allocation of memory in tls_get_message_header() (CVE-2016-6307) CVE-2016-6307 |
OpenSSL (IBB) |
$500 |
Certificate message OOB reads (CVE-2016-6306) CVE-2016-6306 |
OpenSSL (IBB) |
$500 |
OOB read in TS_OBJ_print_bio() (CVE-2016-2180) CVE-2016-2180 |
OpenSSL (IBB) |
$500 |
OOB write in BN_bn2dec() (CVE-2016-2182) CVE-2016-2182 |
OpenSSL (IBB) |
$500 |
Malformed SHA512 ticket DoS (CVE-2016-6302) CVE-2016-6302 |
OpenSSL (IBB) |
$500 |
OOB write in MDC2_Update() (CVE-2016-6303) CVE-2016-6303 |
ok.ru |
$300 |
Blind SQL Injection |
shopify-scripts ★ |
$800 |
Null pointer dereferences in kh_copy_mt |
Twitter |
$560 |
HTTP 401 response injection on "amp.twimg.com/amplify-web-player/prod/source.html" through "image_src" parameter |
shopify-scripts ★ |
$800 |
heap-buffer-overflow (read outside of buffer) in mrb_vm_exec() |
Open-Xchange |
$200 |
Critical : View/Edit access to private appointments of calendar folder by read only user (Vertical privilege escalation) |
Open-Xchange |
$200 |
Unauthorized access to attachments details of Private Calendar appointments (Access control issue) |
Mavenlink |
$50 |
Tabnabbing via Window.Opener @Mavenlink |
Ubiquiti Networks |
$100 |
Expired SSL certificate |
Algolia |
$200 |
[GitHub Extension] Unsanitised HTML leading to XSS on GitHub.com |
HackerOne ★ |
$750 |
Race condition leads to duplicate payouts |
HackerOne ★ |
$500 |
Subdomain takeover #4 at info.hacker.one |
shopify-scripts ★ |
$100 |
mirb only: stack-buffer-overflow (OOB write) in main() |
Maximum |
$25 |
XSS |
VK.com |
$100 |
api.vk.com returns an authenticated vk.com HTML page in its response |
Dovecot |
$600 |
Dovecot authentication is vulnerable to timing attacks. |
shopify-scripts ★ |
$100 |
Invalid Pointer reference in L_RESCUE |
Harvest |
$400 |
Client can redirect payment, causing payment discrepancy between Harvest and PayPal |
Uber ★ |
$5,000 |
Authentication bypass on auth.uber.com via subdomain takeover of saostatic.uber.com |
Twitter |
$280 |
[██████████.gnip.com] .htpasswd disclosure |
Open-Xchange |
$200 |
Resend invitation to members by Read only user(Privilege Escalation) |
VK.com |
$2,000 |
Ability to hijack any user who does not use two-factor authentication by receiving the recovery code on someone else's phone number. |
Ubiquiti Networks |
$150 |
XSS |
Ubiquiti Networks |
$500 |
[dev-unifi-go.ubnt.com] Insecure CORS, Stealing Cookies |
shopify-scripts ★ |
$100 |
SIGABRT in sym_validate_len - symbol.c:44 |
Coinbase |
$100 |
[buy.coinbase.com] Content Injection |
shopify-scripts ★ |
$800 |
Invalid pointer dereference in OP_ENTER |
shopify-scripts ★ |
$800 |
SIGSEGV in array_copy - array.c:71 |
Twitter |
$560 |
[Gnip Blogs] Reflected XSS via "plupload.flash.swf" component vulnerable to SOME |
Kaspersky Lab |
$400 |
In App purchase Hack |
Automattic |
$500 |
An Automattic employee's GitHub personal access token exposed in Travis CI build logs |
shopify-scripts ★ |
$800 |
Null pointer dereference in OP_ENTER |
Starbucks |
$500 |
Stored XSS in comments on https://www.starbucks.co.uk/blog/* |
RubyGems |
$1,000 |
Request Hijacking Vulnerability in RubyGems 2.6.11 and earlier CVE-2017-0902 |
Shopify |
$1,000 |
XSS in $shop$.myshopify.com/admin/ via twine template injection in "Shopify.API.Modal.input" method when using a malicious app |
Shopify |
$800 |
XSS in $shop$.myshopify.com/admin/ via "Button Objects" in malicious app |
shopify-scripts ★ |
$800 |
kh_put_iv SEGFAULT - mruby 1.2.0 |
Maximum |
$300 |
Possible to view and takeover other user's education and courses @ mijn.werkenbijdefensie.nl |
Maximum |
$150 |
Possible to unsubscribe from activities using CSRF @ mijn.werkenbijdefensie.nl |
HackerOne ★ |
$1,000 |
Subdomain takeover #3 at info.hacker.one |
shopify-scripts ★ |
$100 |
SIGSEGV in mrb_vm_exec |
shopify-scripts ★ |
$800 |
SIGSEGV in mrb_str_inum |
Mail.Ru |
$750 |
Stored XSS in e.mail.ru (payload affect multiple users) |
shopify-scripts ★ |
$800 |
Heap Buffer Overflow in mrb_hash_keys |
OpenSSL (IBB) |
$2,500 |
OCSP Status Request extension unbounded memory growth (CVE-2016-6304) |
Nextcloud |
$450 |
Reflected XSS in error pages (NC-SA-2017-008) CVE-2017-0891 |
Pornhub |
$250 |
Reflected XSS in login redirection module |
Phabricator |
$750 |
Phabricator is vulnerable to padding oracle attacks and chosen-ciphertext attacks. |
shopify-scripts ★ |
$800 |
SIGABRT - in free |
shopify-scripts ★ |
$800 |
heap use-after-free in mrb_vm_exec() |
shopify-scripts ★ |
$800 |
Crash in ary_concat() |
Shopify |
$500 |
Full access at an internal service of Shopify |
Pornhub |
$500 |
Blind Stored XSS against Pornhub employees using Amateur Model Program |
shopify-scripts ★ |
$800 |
Null pointer dereferences in mrb_get_args |
shopify-scripts ★ |
$800 |
SIGABRT in mrb_debug_info_append_file |
shopify-scripts ★ |
$800 |
Null pointer dereference in mrb_class |
shopify-scripts ★ |
$300 |
Garbage collector crash |
HackerOne ★ |
$2,000 |
A HackerOne employee's GitHub personal access token exposed in Travis CI build logs |
shopify-scripts ★ |
$800 |
SIGSEGV in mrb_class |
ownCloud |
$150 |
HTML Injection in Owncloud |
Twitter |
$2,520 |
CSRF on Periscope Web OAuth authorization endpoint |
VK.com |
$200 |
Replacing the SSL certificate for any group in the Manage Group -> API section as an unauthenticated user. |
Ubiquiti Networks |
$6,000 |
Ability to log in as any user without authentication if █████████ is empty |
Brave Software |
$100 |
[iOS] URL can be replaceState by blob URL in iOS Brave |
shopify-scripts ★ |
$800 |
SIGSEGV in mrb_vm_exec |
HackerOne ★ |
$500 |
Report invitation links not restricted to any existing user |
Rockstar Games |
$350 |
Profile bio at rockstar is accepting control characters |
shopify-scripts ★ |
$800 |
Null pointer dereference in ary_concat |
Shopify |
$500 |
Stored passive XSS at scheduled posts (kitcrm.com) |
shopify-scripts ★ |
$100 |
SIGABRT - mirb - Double Free |
Rockstar Games |
$350 |
Login form on non-HTTPS page |
Trello |
$768 |
Rate limiting of incorrect Two Factor Authentication codes not enforced |
shopify-scripts ★ |
$800 |
Null pointer dereferences in ary_concat |
Yelp |
$100 |
Clickjacking Vulnerability found on Yelp |
Shopify |
$1,500 |
Stored XSS in [shop].myshopify.com/admin/orders/[id] |
Discourse |
$512 |
Admin Command Injection via username in user_archive ExportCsvFile |
BrickFTP |
$600 |
File access controls incorrectly enforced for files shared via QuickLink - Unshared files can be accessed |
shopify-scripts ★ |
$800 |
SIGABRT - mirb and mruby |
Phabricator |
$600 |
Differential "Show Raw File" feature exposes generated files to unauthorised users |
Legal Robot |
$60 |
Token leakage by referrer |
shopify-scripts ★ |
$800 |
SIGSEGV - mrb_obj_value |
Discourse |
$512 |
Arbitrary Local-File Read from Admin - Restore From Backup due to Symlinks |
shopify-scripts ★ |
$800 |
Use-after-free leading to an invalid pointer dereference |
shopify-scripts ★ |
$100 |
SIGSEGV in str_buf_cat |
Nextcloud |
$250 |
DOM XSS vulnerability in search dialogue (NC-SA-2017-007) CVE-2017-0890 |
Legal Robot |
$40 |
Password reset form ignores email field |
shopify-scripts ★ |
$800 |
SIGABRT in only mirb |
HackerOne ★ |
$750 |
IE 11 Self-XSS on Jira Integration Preview Base Link |
Imgur |
$5,000 |
RCE by command line argument injection to `gm convert` in `/edit/process?a=crop` |
shopify-scripts ★ |
$800 |
SIGSEGV - kh_get_n2s - in /src/symbol.c:37 |
shopify-scripts ★ |
$100 |
sprintf gem - format string combined attack |
shopify-scripts ★ |
$800 |
Null pointer dereference in mrb_class |
shopify-scripts ★ |
$800 |
SIGSEGV - mrb_yield_with_class |
Algolia |
$100 |
An “algobot”-s GitHub access token was leaked |
Moneybird |
$50 |
Stored Cross Site Scripting in Customer Name |
Shopify |
$500 |
Stealing users' facebook access tokens - kitcrm.com |
Rockstar Games |
$150 |
Source Code Disclosure (CGI) |
Gratipay |
$1 |
Inadequate/dangerous jQuery behavior |
VK.com |
$200 |
Post on any user's wall in their name if they follow a link. https://vk.com/al_video.php |
shopify-scripts ★ |
$800 |
Null pointer dereference in 'get_file' |
Rockstar Games |
$350 |
Control Character Injection In Messages |
LocalTapiola |
$100 |
XSS on 3rd party service Localtapiola is using |
Rockstar Games |
$300 |
use of unsafe host header leads to open redirect |
shopify-scripts ★ |
$800 |
Null pointer dereferences from mrb_vm_exec |
Slack |
$850 |
Bypass to postMessage origin validation via FTP |
Rockstar Games |
$150 |
Full path Disclosure in Rockstargames.com/img/global/ |
shopify-scripts ★ |
$800 |
mrb_vm_exec - null ptr dereference |
Rockstar Games |
$150 |
SSLv3 POODLE Vulnerability |
shopify-scripts ★ |
$800 |
Invalid Pointer Reference from OP_RESCUE |
HackerOne ★ |
$500 |
Transitioning a Private Program to Public Does Not Clear Previously Private Updates to Hackers |
shopify-scripts ★ |
$800 |
SIGSEGV - mark_context_stack |
HackerOne ★ |
$100 |
javascript: and mailto: links are allowed in JIRA integration settings |
shopify-scripts ★ |
$800 |
Heap buffer overflow in mruby value_move |
Starbucks |
$250 |
DOM XSS on teavana.com via "pr_zip_location" parameter |
shopify-scripts ★ |
$800 |
Heap buffer overflow with long array assignment |
LocalTapiola |
$264 |
HTML Injection in email from http://www.lahitapiola.fi/henkilo/sivut/tonttutesti |
Ruby |
$500 |
public report - Reproducible - Writable RubyCi Amazon s3 bucket[207053] |
Ruby |
$500 |
Open S3 Bucket WriteAble To Any Aws User |
HackerOne ★ |
$1,000 |
Subdomain takeover #2 at info.hacker.one |
Twitter |
$7,560 |
[URGENT] Opportunity to publish tweets on any twitters account |
BrickFTP |
$100 |
CSRF @ configuration |
Udemy |
$50 |
Subdomain Takeover at Landing.udemy.com |
VK.com |
$100 |
Bypass of: "This audio track is not available for listening in your region." |
Ubiquiti Networks |
$100 |
Reflected cross-site scripting (XSS) vulnerability in scores.ubnt.com allows attackers to inject arbitrary web script via p parameter. |
shopify-scripts ★ |
$800 |
Null pointer dereference in mark_context_stack |
Lyst |
$100 |
Site configured improperly at subdomain of lyst.co.uk |
shopify-scripts ★ |
$100 |
Memory corruption in mrb_gc_mark |
LocalTapiola |
$200 |
Brute force unsubscription on /webApp/unsub_sb (viestinta.lahitapiola.fi) |
LocalTapiola |
$50 |
/icons/README is still available on viestinta.lahitapiola.fi |
Perl (IBB) |
$1,000 |
read outside of buffer (heap buffer overflow) in S_regmatch - regexec.c:6057 |
Pornhub |
$50 |
http://ht.pornhub.com/ stored XSS in widget stylesheet |
shopify-scripts ★ |
$800 |
Heap use-after-free in mrb_vm_exec |
Ubiquiti Networks |
$1,000 |
sqli |
Shopify |
$500 |
Subdomain takeover on s3.shopify.com |
Lyst |
$100 |
Mixed Active content issue on https://www.lyst.com |
shopify-scripts ★ |
$100 |
Controlled address leak due to type confusion - ASLR bypass |
HackerOne ★ |
$750 |
Information leakage via CSV when content is valid JavaScript |
Slack |
$3,000 |
Stealing xoxs-tokens using weak postMessage / call-popup redirect to current team domain |
Ruby |
$500 |
Writable RubyCi Amazon s3 bucket |
HackerOne ★ |
$1,500 |
Stealing contact form data on www.hackerone.com using Marketo Forms XSS with postMessage frame-jumping and jQuery-JSONP |
Uber ★ |
$2,500 |
SQL injection in 3rd party software Anomali |
Robinhood |
$100 |
Open Redirect located at https://www.robinhood.com/oauth2/authorize/? |
YouPorn |
$100 |
XSS via login cookie |
Starbucks |
$750 |
Persistent CSRF in /GiftCert-AddToBasket prevents purchases on eCommerce sites |
shopify-scripts ★ |
$800 |
Heap Buffer Overflow while processing OP_SEND |
Imgur |
$2,500 |
Remote Code Execution on Git.imgur-dev.com |
shopify-scripts ★ |
$800 |
mruby heap use-after-free |
LocalTapiola |
$50 |
show control page if you insert ' at http://viestinta.lahitapiola.fi/ |
shopify-scripts ★ |
$100 |
Integer overflow in str_substr leading to out-of-bounds memory read/write |
shopify-scripts ★ |
$800 |
Use After Free in mrb_vm_exec |
shopify-scripts ★ |
$800 |
Heap Buffer overflow in mrb_ary_unshift |
shopify-scripts ★ |
$100 |
SIGABRT - method_missing - mark_context_stack |
Zopim |
$50 |
express config leaking stacktrace |
Uber ★ |
$1,500 |
pam-ussh may be tricked into using another logged in user's ssh-agent |
shopify-scripts ★ |
$800 |
A crash when an exception is caught in a caller and the receiver returned from `ensure` |
shopify-scripts ★ |
$100 |
Segfault in mruby's sprintf - mrb_str_format |
WordPress |
$350 |
Infrastructure - Photon - SSRF |
shopify-scripts ★ |
$800 |
Heap buffer overflow with many arguments |
Rockstar Games |
$1,400 |
Critical IDOR vulnerability in Social Club allows inserting and deleting comments as another user and discloses sensitive information |
LocalTapiola |
$315 |
High server resource usage on captcha (viestinta.lahitapiola.fi) |
shopify-scripts ★ |
$1,000 |
Segmentation fault while printing backtrace |
YouPorn |
$250 |
Reflected XSS in Meta Tag |
YouPorn |
$2,500 |
Time-based SQL injection in POST parameter login[username] [domain - youporn.com] |
Greenhouse.io |
$100 |
Open Redirect in <customer>.greenhouse.io |
Ubiquiti Networks |
$150 |
AirFibre products vulnerable to HTTP Header injection |
shopify-scripts ★ |
$800 |
forgot to add the patch |
Nextcloud |
$183 |
Calendar and addressbook names disclosed (NC-SA-2017-012) CVE-2017-0895 |
WordPress |
$350 |
Wordpress 4.7.2 - Two XSS in Media Upload when file too large. |
shopify-scripts ★ |
$100 |
SIGSEGV - mrb_vm_exec - line:1312 |
Algolia |
$100 |
Reflected XSS |
YouPorn |
$150 |
Find whether a video has been favourited or not, for any user [via YouPorn Mobile API] |
Pornhub |
$1,500 |
Wordpress Content injection |
Twitter |
$7,560 |
Vine: private/sensitive information disclosure for all registered users [IP address, phone number, email and much more] |
HackerOne ★ |
$1,000 |
Subdomain takeover at info.hacker.one |
VK.com |
$400 |
Missing Server Side Rate Limiting can Lead to VK Account Take over |
Mapbox |
$750 |
Public access to objects in AWS S3 bucket |
shopify-scripts ★ |
$800 |
Denial of service (segfault) due to null pointer dereference in mrb_vm_exec |
shopify-scripts ★ |
$800 |
Denial of service (segfault) due to null pointer dereference in mrb_obj_instance_eval |
Pornhub |
$250 |
XSS Vulnerability at https://www.pornhubpremium.com/premium_signup? URL endpoint |
Pornhub |
$250 |
[xss] pornhubpremium.com, /redeem?code= URL endpoint |
Phabricator |
$300 |
User with only Viewing Privilege can send message to Room |
shopify-scripts ★ |
$100 |
Null pointer dereference in mrb_random_initialize |
Instacart |
$100 |
Login with Google Not Authenticated on iOS App |
Ubiquiti Networks |
$600 |
Wordpress directories/files visible to internet |
YouPorn |
$1,000 |
Account hijack via deleted PH account |
shopify-scripts ★ |
$800 |
SIGSEGV - vm.c - line:1214 |
shopify-scripts ★ |
$100 |
Segmentation fault at mrb_vm_exec |
shopify-scripts ★ |
$2,000 |
Recursion causing uninitialized memory reads leading to a segfault |
Automattic |
$250 |
cloudup Subdomain Takeover That resolves to Desk.com ( CNAME cloudup.desk.com ) |
LocalTapiola |
$400 |
Single user DOS on selectedLanguage -cookie (yrityspalvelu.lahitapiola.fi) |
Ubiquiti Networks |
$150 |
Can upload files without authentication on AirFibre 3.2 |
OpenSSL (IBB) |
$1,000 |
CVE-2017-3730: Bad (EC)DHE parameters cause a client crash |
LocalTapiola |
$100 |
Enumeration in unsubscribe -function of /omatalousuk (viestinta.lahitapiola.fi) |
Twitter |
$5,040 |
Attacker can get all information on Vine repost users, including IP address and location. |
LocalTapiola |
$150 |
Reflected XSS on iltakoulu_varkaus (viestinta.lahitapiola.fi) |
PHP (IBB) |
$500 |
Out of bounds memory read in unserialize() CVE-2016-10161 |
Algolia |
$100 |
[github.algolia.com] DOM Based XSS github-btn.html |
shopify-scripts ★ |
$100 |
heap-use-after-free /home/operac/testafl/mruby/mrubylast/mruby/src/gc.c |
LocalTapiola |
$1,350 |
SQL Injection /webApp/cancel_iltakoulu regId parameter (viestinta.lahitapiola.fi) |
Ubiquiti Networks |
$100 |
[nutty.ubnt.com] DOM Based XSS nuttyapp github-btn.html |
LocalTapiola |
$50 |
CSRF bypass + XSS on verkkopalvelu.tapiola.fi |
Alvosec |
$3 |
Alvocrypt uses a cryptographically insecure PRNG. |
Slack |
$1,000 |
Access of Android protected components via embedded intent |
shopify-scripts ★ |
$100 |
Incorrect code generation with redo inside NODE_RESCUE. |
LocalTapiola |
$1,350 |
SQL Injection on /webApp/lapsuudenturva (viestinta.lahitapiola.fi) |
LocalTapiola |
$350 |
Sql injection on /webApp/sijoituswebinaari (viestinta.lahitapiola.fi) |
LocalTapiola |
$350 |
SQL Injection on /webApp/viivanalle (viestinta.lahitapiola.fi) |
Harvest |
$250 |
Persistent XSS on ForecastApp |
HackerOne ★ |
$500 |
Google Analytics could be used as CSP bypass for data exfiltration on hackerone.com |
shopify-scripts ★ |
$800 |
Aborted - proc.c - line:143 |
Twitter |
$560 |
Clickjacking Periscope.tv on Chrome |
shopify-scripts ★ |
$100 |
SIGABRT - mrb_realloc_simple - gc.c - line:201 |
QIWI |
$150 |
[XSS/pay.qiwi.com] Pay SubDomain Hard-Use XSS |
QIWI |
$250 |
[XSS/3dsecure.qiwi.com] 3DSecure XSS |
Ubiquiti Networks |
$2,000 |
[EdgeSwitch] Web GUI command injection as root with Privilege-1 and Privilege-15 users |
shopify-scripts ★ |
$100 |
Crash in print_backtrace |
Discourse |
$256 |
Stored XSS in posts because of absence of oembed variables values escaping |
Discourse |
$256 |
Stored XSS in topics because of whitelisted_generic engine vulnerability |
shopify-scripts ★ |
$800 |
Null pointer dereference in mrb_str_modify |
shopify-scripts ★ |
$800 |
Still heap overflow in mrb_ary_splice |
shopify-scripts ★ |
$100 |
SIGSEGV - mrb_obj_extend - line:413 |
shopify-scripts ★ |
$800 |
SIGSEGV - mrb_vm_exec - line:1681 |
Discourse |
$256 |
XSS in topics because of bandcamp preview engine vulnerability |
VK.com |
$300 |
SSRF via Share bots |
Rockstar Games |
$650 |
[IMP] - Blind XSS in the admin panel for reviewing comments |
Rockstar Games |
$500 |
Ability to post comments to a crew even after getting kicked out |
YouPorn |
$1,000 |
IDOR - Access to private video thumbnails even if video requires password authentication |
VK.com |
$100 |
Ability to view any VK user's video recommendations |
Starbucks |
$375 |
Open redirect / Reflected XSS payload in root that affects all your sites (store.starbucks.* / shop.starbucks.* / teavana.com) |
shopify-scripts ★ |
$800 |
Heap Buffer overflow in mrb_funcall_with_block |
HackerOne ★ |
$2,000 |
Disclose any user's private email through API |
Slack |
$200 |
dom xss in https://www.slackatwork.com |
shopify-scripts ★ |
$800 |
Segmentation fault on program counter |
Shopify |
$500 |
apps.shopify.com - CSRF token leakage through Google Analytics |
shopify-scripts ★ |
$800 |
SIGSEGV - mrb_vm_exec - vm.c in line:1272 |
shopify-scripts ★ |
$800 |
SIGSEGV in mrb_vm_exec |
Snapchat |
$250 |
RTLO char allowed in chat |
Instacart |
$100 |
XSS in instacart.com/store/partner_recipe |
PHP (IBB) |
$500 |
Use of uninitialized memory in unserialize() CVE-2017-5340 |
shopify-scripts ★ |
$100 |
Segmentation fault - mrb_gc_mark |
Slack |
$100 |
Subdomain takeover on podcasts.slack-core.com |
Starbucks |
$250 |
SAP Server - default credentials enabled |
Shopify |
$1,000 |
CSRF in all API endpoints when authenticated using HTTP Authentication |
Open-Xchange |
$250 |
Set Cookie Via SVG |
shopify-scripts ★ |
$800 |
Heap overflow due to off-by-one when expanding stack |
shopify-scripts ★ |
$200 |
Heap use-after-free during range creation |
Shopify |
$500 |
Authentication Bypass on monitoring server |
LocalTapiola |
$100 |
OpenSSL Padding Oracle Attack (CVE-2016-2107) on viestinta.lahitapiola.fi |
Yelp |
$100 |
Able to download arbitrary PHP files at yelpblog.com |
Skyport Systems |
$25 |
Nginx version disclosure via forbidden page |
LocalTapiola |
$400 |
Reflected XSS and Open Redirect (verkkopalvelu.lahitapiola.fi) |
shopify-scripts ★ |
$800 |
SIGABRT - mrb_default_allocf |
shopify-scripts ★ |
$800 |
SIGSEGV - kh_resize_iv - Null Deref |
shopify-scripts ★ |
$200 |
Double free of filename after codegen error |
shopify-scripts ★ |
$800 |
attempting double-free using the mruby compiler `mrbc` |
Zendesk |
$2,000 |
Stored XSS in web widget chat |
shopify-scripts ★ |
$800 |
Use After Free in str_replace |
shopify-scripts ★ |
$800 |
Null pointer dereference in mrb_str_prepend |
shopify-scripts ★ |
$800 |
mrb_str_modify try to write to memory not marked for writing |
shopify-scripts ★ |
$800 |
SIGSEGV - mrb_check_intern_str() - NullPointer |
WebSummit |
$20 |
Subdomain Takeover at http://gameday.websummit.net |
shopify-scripts ★ |
$1,000 |
Memory disclosure in timegm |
Mapbox |
$1,000 |
Mapbox Android SDK uses Broadcast Receiver instead of Local Broadcast Manager |
shopify-scripts ★ |
$800 |
SIGSEGV Null Pointer mrb_str_concat() |
shopify-scripts ★ |
$100 |
heap-buffer-overflow on mruby |
YouPorn |
$1,000 |
Account takeover via Pornhub Oauth |
LocalTapiola |
$150 |
Creating arbitrary cookie values via /cs/CookieServer (www.lahitapiola.fi) |
Discourse |
$128 |
Users can bookmark other user's messages |
shopify-scripts ★ |
$800 |
kh_get_n2s() stack overrun |
shopify-scripts ★ |
$800 |
SIGABRT, SIGSEGV mspace_free() and mrb_default_allocf() |
shopify-scripts ★ |
$800 |
SIGSEGV on mrb_vm_exec() Null Deref |
Harvest |
$300 |
Unauthorised read access to Expense Receipt of any user in the company (Vertical Privilege escalation) |
shopify-scripts ★ |
$800 |
Heap Overflow in mrb_arb_splice |
shopify-scripts ★ |
$100 |
mrb_vformat() heap overflow could lead to code execution |
shopify-scripts ★ |
$100 |
Integer Overflow in mrb_ary_set |
Discourse |
$256 |
XSS vulnerability on Audio and Video parsers |
Shopify |
$1,000 |
Stored XSS in blog comments through Shopify API |
Shopify |
$500 |
XSS on postal codes |
Badoo |
$280 |
CSRF Attack on (m.badoo.com) deleting account and erasing imported contacts |
Ruby |
$500 |
Buffer underflow in sprintf |
shopify-scripts ★ |
$800 |
SIGSEGV mrb_obj_freeze() Manipulating Register RAX and RSI |
Nextcloud |
$300 |
Limitation of app specific password scope can be bypassed (NC-SA-2017-009) CVE-2017-0892 |
shopify-scripts ★ |
$800 |
SIGSEGV on mruby mrb_get_args() |
Discourse |
$256 |
XSS Vulnerability on Image link parser |
Discourse |
$256 |
DOM Based XSS in Discourse Search |
shopify-scripts ★ |
$1,000 |
Incorrect code generation when result of NODE_NEGATE is not used |
Pornhub |
$1,000 |
XSS vulnerability using GIF tags |
Legal Robot |
$20 |
Password complexity requirements not enforced |
LocalTapiola |
$1,350 |
SQL Injection on /webApp/sijoitustalousuk email-parameter + potential lack of CSRF Token (viestinta.lahitapiola.fi) |
LocalTapiola |
$450 |
Reflected XSS and Open Redirect in several parameters (viestinta.lahitapiola.fi) |
Twitter |
$1,680 |
CRLF and XSS stored on ton.twitter.com |
shopify-scripts ★ |
$100 |
Invalid memory access in `mrb_str_format` |
Twitter |
$140 |
Sub Domain Takeover at mk.prd.vine.co |
Uber ★ |
$2,500 |
Authorization issue in Google G Suite allows DoS through HTTP redirect |
LocalTapiola |
$1,350 |
SQL Injection in lapsuudenturva (viestinta.lahitapiola.fi) |
LocalTapiola |
$50 |
Reflected XSS on sankarikoulutus (viestinta.lahitapiola.fi) |
Shopify |
$500 |
XSS on manually entering Postal codes |
PHP (IBB) |
$500 |
Invalid parameter in memcpy function through openssl_pbkdf2 |
PHP (IBB) |
$500 |
imagefilltoborder stackoverflow on truecolor images |
Starbucks |
$250 |
Reflected XSS on teavana.com (Locale-Change) |
LocalTapiola |
$1,350 |
SQL Injection in sijoitustalous_peruutus (viestinta.lahitapiola.fi) |
QIWI |
$100 |
[qiwi.com] .bash_history |
LocalTapiola |
$400 |
Open Redirect bypass and cookie leakage on www.lahitapiola.com |
shopify-scripts ★ |
$1,000 |
Segfault when passing invalid values to `values_at` |
Quora |
$150 |
[Android] XSS via start ContentActivity |
Quora |
$300 |
[controlsyou.quora.com] 429 Too Many Requests Error-Page XSS |
HackerOne ★ |
$500 |
Websites opened from reports can change url of report page |
shopify-scripts ★ |
$10,000 |
Certain inputs cause tight C-level recursion leading to process stack overflow |
Shopify |
$500 |
Unauthenticated Stored XSS on <any>.myshopify.com via checkout page |
Pornhub |
$5,000 |
Unsecured DB instance |
Starbucks |
$500 |
Persistent XSS in www.starbucks.com |
HackerOne ★ |
$10,000 |
Information Disclosure in /skills call |
Pornhub |
$750 |
Unsecured Kibana/Elasticsearch instance |
shopify-scripts ★ |
$10,000 |
Buffer overflow in mrb_time_asctime |
shopify-scripts ★ |
$8,000 |
Segmentation fault due to bad memory access in kh_get_mt |
Starbucks |
$150 |
Dom Based Xss DIV.innerHTML parameters store.starbucks* |
Twitter |
$280 |
Vine - overwrite account associated with email via android application |
shopify-scripts ★ |
$10,000 |
Null pointer dereference due to bug in codegen with negation without using value |
Slack |
$500 |
Store XSS |
shopify-scripts ★ |
$10,000 |
Invalid handling of zero-length heredoc identifiers leads to infinite loop in the sandbox |
Starbucks |
$2,000 |
Subdomain takeover on happymondays.starbucks.com due to non-used AWS S3 DNS record |
shopify-scripts ★ |
$10,000 |
Crash: Overwriting NoMethodError with a builtin class crashes/corrupts memory |
Pornhub |
$150 |
Stored XSS on the http://ht.pornhub.com/widgets/ |
Starbucks |
$100 |
Stored XSS in Address Book (starbucks.com/account/profile) |
Shopify |
$500 |
Stored XSS at 'Buy Button' page |
Phabricator |
$300 |
Fetching binaries (for software installation) over HTTP without verification (RCE as ROOT by MITM) |
Pornhub |
$1,500 |
IDOR - disclosure of private videos - /api_android_v3/getUserVideos |
HackerOne ★ |
$12,500 |
Internal attachments can be exported via "Export as .zip" feature |
shopify-scripts ★ |
$1,000 |
Crash: A call to Symbol.new leads to a crash when inspecting the resulting object |
Ian Dunn |
$25 |
constant cache_page_secret in regolith |
Ian Dunn |
$50 |
unchecked unserialize usages in audit-trail-extension/audit-trail-extension.php |
Ian Dunn |
$25 |
unchecked unserialize usage in WordPress-Functionality-Plugin-Skeleton/functionality-plugin-skeleton.php |
shopify-scripts ★ |
$1,000 |
Invalid memory write caused by incorrect upper bound in array_copy |
Twitter |
$560 |
Twitter for android is exposing user's location to any installed android app |
Gratipay |
$1 |
Incomplete or No Cache-control and Pragma HTTP Header Set |
Shopify |
$500 |
XSS in my.shopify.com in widget |
shopify-scripts ★ |
$8,000 |
Crash: mrb_any_to_s can't handle NilClass, Symbol and Fixnum |
shopify-scripts ★ |
$10,000 |
Crash: Initialize Decimal with itself triggers an assertion |
shopify-scripts ★ |
$1,000 |
Null pointer dereference regression in parse.y |
shopify-scripts ★ |
$18,000 |
Type confusion in wrap_decimal leading to memory corruption |
shopify-scripts ★ |
$20,000 |
Type confusion in mrb_exc_set leading to memory corruption |
shopify-scripts ★ |
$8,000 |
Crash: calling Proc::initialize_copy with a Proc instance where initialize never ran leads to a crash |
shopify-scripts ★ |
$1,000 |
Read after free in mrb_vm_exec with OP_ARYCAT reading R(B) |
shopify-scripts ★ |
$8,000 |
Denial of service due to invalid memory access in mrb_ary_concat |
Slack |
$1,000 |
Eavesdropping on private Slack calls |
shopify-scripts ★ |
$8,000 |
mruby-time: Crash host with uninitialized Time obj |
LocalTapiola |
$50 |
Disclosure of IBM Websphere page |
LocalTapiola |
$450 |
XSS and open redirect in verkkopalvelu.lahitapiola.fi |
Pornhub |
$520 |
Race Condition Vulnerability On Pornhubpremium.com |
WordPress |
$350 |
[Buddypress] Arbitrary File Deletion through bp_avatar_set |
LocalTapiola |
$100 |
SMTP configuration vulnerability viestinta.lahitapiola.fi |
shopify-scripts ★ |
$8,000 |
Segmentation fault when a Ruby method is invoked by a C method via Object#send |
shopify-scripts ★ |
$8,000 |
Null target_class DoS |
shopify-scripts ★ |
$10,000 |
Segfault and/or potential unwanted (byte)code execution with "break" and "||=" inside a loop |
VK.com |
$500 |
Ability to carry out a DoS attack on behalf of the vk.com server |
shopify-scripts ★ |
$8,000 |
SIGSEGV on mruby's mark_tbl() (Invalid memory access) |
shopify-scripts ★ |
$8,000 |
SIGSEGV on mruby mrb_str_modify() (Invalid memory access) |
Boozt Fashion AB |
$200 |
Email link poisoning / Host header attack |
shopify-scripts ★ |
$10,000 |
Broken handling of maximum number of method call arguments leads to segfault |
Badoo |
$140 |
Email Spoofing |
HackerOne ★ |
$10,000 |
Partial disclosure of report activity through new "Export as .zip" feature |
shopify-scripts ★ |
$10,000 |
Null pointer dereference due to TOCTTOU bug in mrb_time_initialize |
LocalTapiola |
$60 |
Option method enabled (viestinta.lahitapiola.fi) |
Python (IBB) |
$500 |
Type confusion in FutureIter_throw() which may potentially lead to an arbitrary code execution |
PortSwigger Web Security |
$350 |
XSS in IE11 on portswigger.net via Flash |
Pornhub |
$200 |
Reflected cross-site scripting (XSS) vulnerability in pornhub.com allows attackers to inject arbitrary web script or HTML. |
Udemy |
$300 |
Completed Compromise & Source Code Disclosure via Exposed Jenkins Dashboard at https://jenkins101.udemy.com |
shopify-scripts ★ |
$8,000 |
SIGSEGV on mrb_ary_splice |
Imgur |
$250 |
Stored xss in ALBUM DESCRIPTION |
shopify-scripts ★ |
$10,000 |
Range constructor type confusion DoS |
shopify-scripts ★ |
$20,000 |
TOCTTOU bug in mrb_str_setbyte leading to memory corruption |
shopify-scripts ★ |
$18,000 |
Struct type confusion RCE |
shopify-scripts ★ |
$10,000 |
SIGSEGV when invalid argument on remove_method |
shopify-scripts ★ |
$20,000 |
DoS: type confusion in mrb_no_method_error |
Udemy |
$200 |
Jenkins |
LocalTapiola |
$150 |
Multiple Reflected XSS /webApp/lahti (viestinta.lahitapiola.fi) |
shopify-scripts ★ |
$10,000 |
Segfault in mruby, mruby_engine and the parent MRI Ruby due to null pointer dereference |
LocalTapiola |
$350 |
SQL Injection /webApp/sijoitustalous_peruutus locId parameter (viestinta.lahitapiola.fi) |
VK.com |
$1,500 |
Stored XSS in private messages |
LocalTapiola |
$264 |
HTML Injection in email /webApp/lahti (viestinta.lahitapiola.fi) |
LocalTapiola |
$350 |
SQL Injection /webApp/oma_conf ctx parameter (viestinta.lahitapiola.fi) |
LocalTapiola |
$60 |
Poodle attack SSLv3 Support (viestinta.lahitapiola.fi) |
Twitter |
$1,120 |
[IDOR][translate.twitter.com] Opportunity to change any comment at the forum |
shopify-scripts ★ |
$8,000 |
Undefined method_missing null pointer dereference |
shopify-scripts ★ |
$10,000 |
Range#initialize_copy null pointer dereference |
shopify-scripts ★ |
$10,000 |
NULL pointer dereference when parsing ternary operators |
Ubiquiti Networks |
$500 |
Subdomain Takeover (moderator.ubnt.com) |
LocalTapiola |
$100 |
Error Page Content Spoofing or Text Injection (viestinta.lahitapiola.fi) |
shopify-scripts ★ |
$20,000 |
Use after free vulnerability in mruby Array#to_h causing DOS possible RCE |
shopify-scripts ★ |
$2,000 |
Memory disclosure in mruby String#lines method |
shopify-scripts ★ |
$8,000 |
Denial of Service in mruby due to null pointer dereference |
Coinbase |
$100 |
Window.opener bug at www.coinbase.com |
shopify-scripts ★ |
$10,000 |
Exception cause SIGABRT |
Legal Robot |
$40 |
Password reset access control |
shopify-scripts ★ |
$8,000 |
ruby DoS https://www.mruby.science |
Legal Robot |
$40 |
Missing restriction on string size in profile fields |
Yelp |
$300 |
X.509 certificate validation fails on international vanity domains |
VK.com |
$300 |
SSRF (open) - via GET request |
Trello |
$2,048 |
Stealing power up private tokens (trello, twitter, github...) |
Zopim |
$100 |
Android SDK - CREATE_REQUEST broadcast is unprotected |
Open-Xchange |
$500 |
Reflected Cross-Site Scripting due to vulnerable Flash component (Flashmediaelement.swf) |
Open-Xchange |
$100 |
Selecting encryption for email with drive attachment overrides the drive email password |
LocalTapiola |
$100 |
Suspicious browser fingerprinting(?) scripts on http://www.lahitapiola.fi/ redirector |
LocalTapiola |
$1,560 |
SQL Injection on /webApp/omatalousuk (viestinta.lahitapiola.fi) |
Blockchain |
$100 |
Information disclosure at https://blockchain.atlassian.net |
Open-Xchange |
$666 |
Tab nabbing via window.opener |
Open-Xchange |
$300 |
Stored XSS in Template Documents |
Blockchain |
$400 |
Reflected XSS on blockchain.info |
VK.com |
$1,000 |
New 2FA Bypass |
LocalTapiola |
$400 |
Open Redirect (verkkopalvelu.lahitapiola.fi) |
Blockchain |
$50 |
server version disclosure |
Ubiquiti Networks |
$500 |
Stored XSS in community.ubnt.com |
Imgur |
$5,000 |
Unauthenticated Docker registry |
Nextcloud |
$50 |
Content Spoofing in "files" app CVE-2017-0888 |
Yelp |
$500 |
CSRF on signup endpoint (auto-api.yelp.com) |
Badoo |
$280 |
Leave inaccessible messaging system with a message (https://us1.badoo.com) |
Badoo |
$260 |
Arbitrary modification value "session" (Cookie) in badoo.com |
Instacart |
$100 |
Access private list metadata |
Uber ★ |
$1,000 |
ability to retrieve a user's phone-number/email for a given inviteCode |
InVision |
$300 |
CORS Man-in-the-Middle account compromise |
Shopify |
$1,500 |
Misconfiguration in Two Factor Authorisation |
Twitter |
$280 |
SSRF in https://cards-dev.twitter.com/validator |
QIWI |
$300 |
Balance disclosure on //kopilka.qiwi.com |
Harvest |
$250 |
Stored XSS in Restoring Archived Tasks |
Starbucks |
$375 |
CSRF exploit | Adding/Editing comment of wishlist items (teavana.com - Wishlist-Comments) |
Starbucks |
$150 |
CSRF vulnerability in saving payment card on store.starbucks.com (COBilling -AddCreditCard) |
Badoo |
$140 |
Unvalidated redirect on team.badoo.com |
LocalTapiola |
$588 |
Lahitapiola's customer names sent to 3rd party |
Starbucks |
$375 |
Reflected XSS by exploiting CSRF vulnerability on teavana.com wishlist comment module. (wishlist-comments) |
Starbucks |
$250 |
CSRF: add item to victim's cart automatically (starbucks.com - updatecart) |
LocalTapiola |
$750 |
Email Server Compromised at secure.lahitapiola.fi |
Mindoktor |
$2,000 |
XSS at endpoint clinic.mindoktor.se in flash cookie |
Mindoktor |
$300 |
Storing sensitive information on cookie post-registration |
Coinbase |
$200 |
Authentication Issue |
Brave Software |
$50 |
[ios] Address bar spoofing in Brave for iOS |
Harvest |
$100 |
Editing a project (LIMITED) |
Twitter |
$2,520 |
Cross-site scripting (reflected) |
itBit Exchange |
$1,000 |
Rounding error issue -> produce money for free |
Brave Software |
$100 |
Denial of service attack(window object) on brave browser |
Shopify |
$500 |
race condition in adding team members |
Brave Software |
$50 |
Denial of service attack on Brave Browser. |
Coinbase |
$100 |
Information disclosure of user by email using buy widget |
Brave Software |
$100 |
Access to local file system using javascript |
Brave Software |
$200 |
[iOS/Android] Address Bar Spoofing Vulnerability |
Brave Software |
$100 |
Address Bar Spoofing - Already resolved - Retroactive report |
Brave Software |
$150 |
URI Obfuscation |
Shopify |
$2,000 |
Able to log in to a deactivated staff account in the Shopify mobile app |
Twitter |
$140 |
Full Path Disclosure at 27.prd.vine.co |
Trello |
$256 |
Can run arbitrary script on em.trello.com |
Brave Software |
$50 |
[website] Script injection in newsletter signup https://brave.com/brave_youth_program_signup.html |
Brave Software |
$50 |
2 Directory Listing on ledger.brave.com & vault-staging.brave.com |
PHP (IBB) |
$500 |
memcpy negative parameter _bc_new_num_ex |
PHP (IBB) |
$500 |
memcpy negative size parameter in php_resolve_path |
PHP (IBB) |
$500 |
Write out-of-bounds at number_format |
Brave Software |
$100 |
Homograph attack |
Shopify |
$500 |
[ecommerce.shopify.com] Invalidated redirection |
Python (IBB) |
$1,000 |
chain.__setstate__ Type Confusion |
Uber ★ |
$1,000 |
Subdomain takeover on rider.uber.com due to non-existent distribution on Cloudfront |
Slack |
$700 |
Information Disclosure on stun.screenhero.com |
WePay |
$200 |
Enumeration of registered email addresses using bruteforce search on userIds |
Sucuri |
$500 |
Administrator Access to grafana instance logstash2.sucuri.net with default credentials |
Yelp |
$500 |
Requesting Show CheckIn Alert for Non Friend User |
Harvest |
$150 |
Linking Invoice to uninvited project. |
Trello |
$128 |
XSS on blog.trello.com |
Twitter |
$1,260 |
View liked twits of private account via publish.twitter.com |
Badoo |
$140 |
No rate-limit in SERVER_SECURITY_CHECK |
BrickFTP |
$250 |
Existence of Folder path by guessing the path through response |
Nextcloud |
$250 |
Filename enumeration && DoS |
Twitter |
$560 |
Circumventing the Twitter account lockout process [ACCOUNT TAKEOVER] |
Harvest |
$300 |
Cookie Injection at 'harvestapp.com' |
Trello |
$128 |
Full Sub Domain Takeover at help.trello.com. |
Zopim |
$150 |
Full Sub Domain Takeover at wx.zopim.net |
Slack |
$500 |
CSRF in github integration |
PHP (IBB) |
$1,000 |
Buffer overflow in HTTP parse_hostinfo(), parse_userinfo() and parse_scheme() |
ok.ru |
$100 |
web.xml configuration file disclosure |
Instacart |
$150 |
Full access to any list |
Boozt Fashion AB |
$400 |
Git available containing passwords. |
Romit |
$513 |
[CRITICAL]-Taking over entire subdomain of romit.io |
Uber ★ |
$10,000 |
password reset token leaking allowed for ATO of an Uber account |
Legal Robot |
$40 |
Bypass 8 chars password complexity with 6 chars only due to insecure password reset functionality |
Snapchat |
$250 |
Bypassing "You've requested your data the maximum number of times today." + "Please Verify an email address with snapchat to continue" |
Rockstar Games |
$500 |
DOM based reflected XSS in rockstargames.com/newswire/tags through cross domain ajax request |
Shopify |
$500 |
password less login token expiration issue |
Starbucks |
$750 |
out of date disqus shortname usage in the web app source code |
Shopify |
$500 |
Add signature to transactions without any permission |
Udemy |
$50 |
Content Spoofing in udemy |
WebSummit |
$40 |
Subdomain take over signup.websummit |
LocalTapiola |
$50 |
Reflected XSS in LTContactFormReceiver (/cs/Satellite) |
Automattic |
$100 |
Follow Button XSS |
Python (IBB) |
$1,500 |
LZMADecompressor.decompress Use After Free |
PHP (IBB) |
$500 |
Heap overflow caused by type confusion vulnerability in merge_param() |
Legal Robot |
$20 |
Information Disclosure on rate limit defense mechanism |
Ubiquiti Networks |
$500 |
Authentication bypass on sso.ubnt.com via subdomain takeover of ping.ubnt.com |
InVision |
$150 |
CRITICAL Any █████ of any screen can be removed by anyone! |
Legal Robot |
$20 |
Near-duplicate accounts allowed with ignored email mutations |
Algolia |
$100 |
No rate limit for Referral Program |
Maximum |
$75 |
Facebook and twitter page claimed of maximum.com [important] |
LocalTapiola |
$18,000 |
Oracle Webcenter Sites administrative and hi-privilege access available directly from the internet (/cs/Satellite) |
HackerOne ★ |
$500 |
Bypass rate limiting on /users/password (possibly site-wide rate limit bypass?) |
Trello |
$128 |
SSRF in account webhook (through API) |
Mail.Ru |
$300 |
Time-based SQL injection on https://puzzle.mail.ru |
Slack |
$400 |
Email information leakage for certain addresses |
Shopify |
$500 |
Open redirect in bulk edit |
Imgur |
$100 |
Stored XSS in albums on http://m.imgur.com/ |
Nextcloud |
$750 |
Bypass permissions |
Twitter |
$2,100 |
Twitter iOS fails to validate server certificate and sends oauth token |
Coinbase |
$100 |
Information leakage on https://docs.gdax.com |
IRCCloud |
$50 |
Exposed, outdated nginx server (v1.4.6) potentially vulnerable to heap-based buffer overflow & RCE |
Snapchat |
$250 |
Incoming email hijacking on sc-cdn.net |
Uber ★ |
$500 |
Users can falsely declare their own Uber account info on the monthly billing application |
Shopify |
$500 |
Deleted Post and Administrative Function Access in eCommerce Forum |
Boozt Fashion AB |
$80 |
Make victim buy in attacker's account without any idea - http://www.booztlet.com/ |
Python |
$1,000 |
msilib.OpenDatabase Type Confusion |
Pornhub |
$750 |
Unsecured Grafana instance |
Pornhub |
$750 |
Disclosure of private photos/albums - http://www.pornhub.com/album/show_image_box |
Yelp |
$200 |
Bypass the closing of the account and log back in to your account |
Eobot |
$12 |
No password length restriction |
Boozt Fashion AB |
$120 |
XSS |
VK.com |
$1,050 |
Second way to bypass 2FA |
Shopify |
$500 |
XSS in SHOPIFY: Unsanitized Supplier Name can lead to XSS in Transfers Timeline |
Twitter |
$560 |
leaking Digits OAuth authorization to third party websites |
Shopify |
$500 |
Unsanitized Location Name in POS Channel can lead to XSS in Orders Timeline |
Boozt Fashion AB |
$80 |
Instance of Apache Vulnerable to Several Issues |
Boozt Fashion AB |
$120 |
Potential Subdomain Takeover Possible |
Yelp |
$100 |
Self-XSS via location cookie city field when getting suggestions for a new location |
Boozt Fashion AB |
$250 |
xss in Theme http://bztfashion.booztx.com |
Keybase |
$100 |
Denial of Service through set_preference.json |
Ruby |
$200 |
Arbitrary heap overread in strscan on 32 bit Ruby, patch included |
OpenSSL |
$500 |
SSLv2 doesn't block disabled ciphers (CVE-2015-3197) |
OpenSSL |
$2,500 |
Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800) |
Yelp |
$500 |
Verification of E-Mail address possible on https://biz.yelp.com/login and https://biz.yelp.com/forgot |
Boozt Fashion AB |
$60 |
PHP info page disclosure on http://www.day.dk/ |
Harvest |
$500 |
Invoices can be added to any retainers - even cross-platform |
Slack |
$500 |
Rate-limit bypass |
Mindoktor |
$500 |
Vulnerable Mobile Phone configuration |
Nextcloud |
$500 |
Reflected XSS in Gallery App CVE-2016-9466 |
Harvest |
$250 |
XSS on expenses attachments |
Open-Xchange |
$300 |
OX (Guard): Stored Cross-Site Scripting via Email Attachment |
Instacart |
$50 |
Seemingly sensitive information at /api/v2/zones |
Python |
$1,000 |
urllib HTTP header injection CVE-2016-5699 |
Shopify |
$500 |
Access to Splunk via shard3-db2.ec2.shopify.com endpoint |
Shopify |
$500 |
Open redirect allows changing iframe content in *.myshopify.com/admin/themes/<id>/editor |
LocalTapiola |
$400 |
Open redirection protection bypass (/cs/Satellite) |
Algolia |
$100 |
Hyperlink Injection in Friend Invitation Emails |
LocalTapiola |
$400 |
SQL Injection on `/cs/Satellite` path |
Legal Robot |
$60 |
Validation bypass on user profile |
Ian Dunn |
$50 |
CSV Injection in Camptix |
Twitter |
$5,040 |
[Studio.twitter.com] See someone else pics |
LocalTapiola |
$100 |
Oracle WebCenter Sites Support Tools available and Information disclosure (/cs/Satellite) |
LocalTapiola |
$50 |
Reflected XSS in www.lahitapiola.fi (/cs/Satellite) using Oracle WebCenter -page |
Harvest |
$150 |
CSRF bypass on Submit Time sheet for Approval |
Harvest |
$150 |
Project Manager can approve pending reports(Access control Issue) |
Unikrn |
$400 |
Urgent: Server side template injection via Smarty template allows for RCE |
QIWI |
$150 |
[qiwi.com] Information Disclosure |
QIWI |
$150 |
[ibank.qiwi.ru] UI Redressing via Request-URI |
Legal Robot |
$20 |
Possible content spoofing due to missing error page |
Nextcloud |
$100 |
Reflected Self-XSS Vulnerability in the Comment section of Files Information |
Slack |
$2,500 |
Snooping into messages via email service |
Legal Robot |
$20 |
unsecured legalrobot.co.uk assets |
VK.com |
$1,000 |
Two-step authorization bypass / 2FA Bypass |
Legal Robot |
$20 |
Legal | Application is Missing CSP(Content Security Policy) Header |
Legal Robot |
$20 |
CORS (Cross-Origin Resource Sharing) |
Legal Robot |
$20 |
Information Disclosure in AWS S3 Bucket |
Legal Robot |
$120 |
User Information leak allows user to bypass email verification. |
Legal Robot |
$120 |
User Information sent to client through websockets |
Instacart |
$100 |
WordPress Authentication Denial of Service |
Dropbox |
$1,458 |
Subtle Code Injection Vulnerability in Dropbox for Windows |
Uber ★ |
$100 |
Stealing users password (Limited Scenario) |
Slack |
$750 |
Code Injection in Slack's Windows Desktop Client leads to Privilege Escalation |
Instacart |
$150 |
Fetch private list metadata and any user's personal name |
Uber ★ |
$5,000 |
Changing paymentProfileUuid when booking a trip allows free rides |
Shopify |
$500 |
Open Redirect possible in https://www.shopify.com/admin/ |
Harvest |
$500 |
Possible to steal any protected files on Android |
Bime |
$150 |
Subdomain takeover at ws.bimedb.com due to unclaimed Amazon S3 bucket |
Instacart |
$50 |
READ .svg files by changing .svg into .png extension |
Harvest |
$150 |
Extracting private info of estimates. |
Ian Dunn |
$100 |
Bypass fix in https://hackerone.com/reports/151516 report. |
Ian Dunn |
$50 |
Bypassing CSV injection using new line character |
Coinbase |
$300 |
window.opener is leaking to external domains upon redirect on Safari |
Instacart |
$150 |
Brute force login and bypass locked account restrictions via iOS app |
Shopify |
$500 |
[apps.shopify.com] Open Redirect |
Snapchat |
$400 |
[render.bitstrips.com] Stored XSS via an incorrect avatar property value |
Instacart |
$150 |
Issues with uploading list images |
Shopify |
$500 |
Open CouchDB on experiments.ec2.shopify.com:5984 |
HackerOne ★ |
$500 |
Information leakage of private program |
Shopify |
$500 |
Open redirect using checkout_url |
HackerOne ★ |
$500 |
Requesting Mediation possible on reports that are too old for mediation |
QIWI |
$950 |
[qiwi.com] OAuth account takeover |
LocalTapiola |
$3,000 |
Blind Stored XSS Against Lahitapiola Employees - Session and Information leakage |
Slack |
$1,000 |
Stored XSS(Cross Site Scripting) In Slack App Name |
Harvest |
$150 |
Unauthorized read access to Invoices by PM (Access control Issues) |
Harvest |
$150 |
Unauthorized access to all the actions of invoices by PM (Access control Issues) |
Harvest |
$100 |
PM can delete payment of any invoice in company (Access control Issue) |
Harvest |
$100 |
Record payment for any invoice by PM (Access control Issue) |
Harvest |
$100 |
PM can delete the company logo image (Vertical Privilege Escalation) |
Starbucks |
$150 |
Improper Validation on Cancel Link Redirect |
HackerOne ★ |
$1,000 |
Hacker.One Subdomain Takeover |
Harvest |
$250 |
PM can set up email for invoices and estimates (Access control Issue) |
Binary.com |
$75 |
Cross site scripting |
Instacart |
$100 |
Hyperlink Injection in Friend Invitation Emails |
Ubiquiti Networks |
$150 |
[scores.ubnt.com] DOM based XSS at form.html |
Mapbox |
$750 |
Blind XSS in mapbox.com/contact |
Shopify |
$1,000 |
(BYPASS) Open redirect and XSS in supporthiring.shopify.com |
Trello |
$1,024 |
File access using image tragick |
HackerOne ★ |
$500 |
Non-secure requests are not automatically upgraded to HTTPS |
Instacart |
$250 |
shopper login_code's can be brute forced |
Twitter |
$560 |
reverb.twitter.com redirects to vulnerable reverb.guru |
Shopify |
$500 |
Access to Splunk at https://apt.ec2.shopify.com:8089 |
Instacart |
$100 |
Image Upload Path Disclosure |
Instacart |
$150 |
Host Header Injection/Redirection in: https://www.instacart.com/ |
Instacart |
$50 |
Server side request forgery on image upload for lists |
Instacart |
$75 |
Missing rel=noreferrer tag allows link in list to change url of currently open tab |
Instacart |
$200 |
Race Condition in Redeeming Coupons |
Instacart |
$100 |
Cross-Site Request Forgery (CSRF) |
Instacart |
$150 |
Stored XSS |
Instacart |
$50 |
CSRF To change Email Notification Settings |
Shopify |
$500 |
(FULL PATH DISCLOSURE) Unknown MySQL server host 'shardm-reader.chi2.shopify.io' |
HackerOne ★ |
$500 |
Disclosure of external users invited to a specific report |
SecNews |
$300 |
Querying private posts and changing post meta |
Gratipay |
$1 |
Avoid "resend verification email" confusion |
Ubiquiti Networks |
$500 |
IDOR Causing Deletion of any account |
Uber ★ |
$10,000 |
Reading Emails in Uber Subdomains |
Algolia |
$400 |
Unauthorized team members can leak information and see all API calls through /1/admin/* endpoints, even after they have been removed. |
Algolia |
$100 |
Stored XSS from Display Settings triggered on Save and viewing realtime search demo |
Algolia |
$100 |
Stored xss |
Algolia |
$100 |
Stored XSS triggered by json key during UI generation |
Open-Xchange |
$1,000 |
OX (Guard): Stored Cross-Site Scripting via Incoming Email |
Slack |
$500 |
CSRF - Add optional two factor mobile number |
Shopify |
$500 |
Staff member can delete Private Apps |
ownCloud |
$100 |
Arbitrary Code Injection in ownCloud’s Windows Client |
Shopify |
$500 |
(BYPASS) Open Redirect after login at http://ecommerce.shopify.com |
Twitter |
$1,120 |
Stealing User emails by clickjacking cards.twitter.com/xxx/xxx |
Gratipay |
$1 |
Content Spoofing/Text Injection |
Nextcloud |
$50 |
More content spoofing through dir param in the files app |
Uber ★ |
$3,000 |
Missing authorization checks leading to the exposure of ubernihao.com administrator accounts |
Snapchat |
$3,000 |
Subdomain takeover on http://fastly.sc-cdn.net/ |
Shopify |
$500 |
Delete/modify your own comment after limited access(IDOR) |
Harvest |
$150 |
Opportunity to set arbitrary cookies |
Moneybird |
$50 |
[Stored Cross-Site-Scripting] When searching Incoming (Manual Journal) |
Shopify |
$1,000 |
Unauthorized access to Zookeeper on http://locutus-zk3.ec2.shopify.com:2181 |
Uber ★ |
$500 |
Blind OOB XXE At "http://ubermovement.com/" |
Nextcloud |
$100 |
IDOR - Disable sharing CVE-2016-9464 |
Twitter |
$1,120 |
csp bypass + xss |
Rockstar Games |
$500 |
Reflected XSS via #tags= while using a callback in newswire http://www.rockstargames.com/newswire |
Ian Dunn |
$50 |
Multiple XSS in Camptix Event Ticketing Plugin |
Harvest |
$500 |
Project Disclosure of all Harvest Instances |
Harvest |
$1,000 |
Leak of all project names and all user names , even across applications |
Harvest |
$350 |
User enumeration is possible by cycling through the recurring[client_id] argument value. |
Harvest |
$350 |
Stored XSS on invoice, executing on any subdomain |
Harvest |
$250 |
CSRF token fixation in Sign in with Google |
Harvest |
$1,000 |
S3 bucket takeover due to proxy.harvestfiles.com |
Harvest |
$100 |
Cross-Site Request Forgery (CSRF) |
Dashlane |
$100 |
Missing Access Control(IDOR) To Know LinkedAccounts |
PHP |
$500 |
NULL Pointer Dereference in exif_process_user_comment |
PHP |
$1,000 |
Out of bound read in exif_process_IFD_in_MAKERNOTE |
Uber ★ |
$5,000 |
Stored XSS on developer.uber.com via admin account compromise |
Rockstar Games |
$750 |
CSRF in 'set.php' via age causes stored XSS on 'get.php' - http://www.rockstargames.com/php/videoplayer_cache/get.php' |
Algolia |
$100 |
No Rate Limit In Inviting Similar Contact Multiple Times |
Ian Dunn |
$375 |
CSV Injection at Camptix Event Ticketing |
ownCloud |
$50 |
ownCloud 2.2.2.6192 DLL Hijacking Vulnerability |
Uber ★ |
$2,000 |
[IDOR] Get business trip via organization id |
Uber ★ |
$3,000 |
Get organization info based on uuid |
Slack |
$500 |
Creating Post on a restricted channel |
Automattic |
$300 |
[bbPress] Stored XSS in any forum post. |
Dropbox |
$729 |
SSRF allows access to internal services like Ganglia |
Shopify |
$1,500 |
Stealing livechat token and using it to chat as the user - user information disclosure |
QIWI |
$200 |
Xss on billing |
Uber ★ |
$1,000 |
newsroom.uber.com is vulnerable to 'SOME' XSS attack via plupload.flash.swf |
Shopify |
$500 |
https://windsor.shopify.com/ takeover |
Twitter |
$420 |
Html Injection and Possible XSS in sms-be-vip.twitter.com |
Uber ★ |
$4,000 |
SQL Injection on sctrack.email.uber.com.cn |
IRCCloud |
$500 |
Cross Site Scripting(XSS) on IRCCloud Badges Page (using Parameter Pollution) |
Bime |
$1,000 |
Attacker can access graphic representation of every query |
Bime |
$1,000 |
Urgent: attacker can access every data source on Bime |
Nextcloud |
$50 |
Content (Text) Injection at NextCloud Server 9.0.52 - via http://custom_nextcloud_url/remote.php/dav/files/ CVE-2016-9468 |
Uber ★ |
$2,250 |
Subdomain takeover of translate.uber.com, de.uber.com and fr.uber.com |
WordPress |
$1,337 |
CSRF to add admin [wordpress] |
Legal Robot |
$40 |
AWS S3 website can't serve security headers, may allow clickjacking |
Whisper |
$100 |
Stored XSS in wis.pr |
Ubiquiti Networks |
$185 |
Reflected Xss in AirMax [Nanostation Loco M2] |
Algolia |
$100 |
Stored xss |
Slack |
$500 |
a stored xss issue in https://files.slack.com |
Maximum |
$20 |
Application error message |
Phabricator |
$600 |
HTML in Diffusion not escaped in certain circumstances |
Paragon Initiative Enterprises |
$50 |
Stored XSS using SVG |
Slack |
$500 |
"a stored xss issue in share post menu" |
Maximum |
$20 |
Microsoft IIS tilde directory enumeration |
Legal Robot |
$100 |
Subdomain takeover at api.legalrobot.com due to non-used domain in Modulus.io. |
Pornhub |
$1,500 |
[idor] Unauthorized Read access to all the private posts (Including Photos, Videos, Gifs) |
Paragon Initiative Enterprises |
$25 |
Stored XSS in comments |
Paragon Initiative Enterprises |
$50 |
Stored Cross-Site-Scripting in CMS Airship's authors profiles |
Keybase |
$350 |
Register multiple users using one invitation (race condition) |
VK.com |
$100 |
Public pages: A public-page moderator can delete materials added by editors that have a scheduled publication timer. |
Uber ★ |
$1,000 |
Wordpress Vulnerabilities in transparencyreport.uber.com and eng.uber.com domains |
Slack |
$1,500 |
Source code leakage through GIT web access at host '52.91.137.42' |
HackerOne ★ |
$500 |
Know undisclosed Bounty Amount when Bounty Statistics are enabled. |
Badoo |
$140 |
Change contents of the careers iframe in https://corp.badoo.com/jobs |
Moneybird |
$25 |
Logging out any user |
Coinbase |
$100 |
Application error message |
Slack |
$100 |
Generate new Test token |
Slack |
$100 |
User can start call in a channel of an unpaid account |
The Internet |
$500 |
ntpd: read_mru_list() does inadequate incoming packet checks CVE-2016-7434 |
Maximum |
$20 |
The POODLE attack (SSLv3 supported) |
Maximum |
$20 |
RC4 cipher suites detected |
HackerOne ★ |
$500 |
Race Conditions in Popular reports feature. |
LocalTapiola |
$150 |
Mixed Active Scripting Issue on https://www.lahitapiola.fi |
Pornhub |
$500 |
RCE Possible Via Video Manager Export using @ character in Video Title |
PHP |
$1,000 |
ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize |
PHP |
$1,000 |
Use After Free Vulnerability in PHP's GC algorithm and unserialize |
Nextcloud |
$100 |
Read-only share recipient can restore old versions of file |
Nextcloud |
$250 |
Uploading files to a folder where the invited user doesn't have any EDIT privilege |
Algolia |
$100 |
2-factor authentication bypass |
Vimeo |
$600 |
Downloading password protected / restricted videos |
Nextcloud |
$50 |
Nextcloud server software: Content Spoofing |
Nextcloud |
$350 |
Share owner has no possibility to list all existing derived shares |
Nextcloud |
$750 |
Stored XSS on Share-popup of a directory's Gallery-view |
Uber ★ |
$7,000 |
xss in https://www.uber.com |
Ubiquiti Networks |
$1,000 |
Subdomain takeover on partners.ubnt.com due to non-used CloudFront DNS entry |
Uber ★ |
$1,500 |
Bulk UUID enumeration via invite codes |
Ubiquiti Networks |
$150 |
[account-global.ubnt.com] CRLF Injection |
Ian Dunn |
$50 |
Stored XSS from ticket messages in admin table in SupportFlow |
Ian Dunn |
$50 |
Stored XSS in SupportFlow Ticket Subject |
Python |
$1,000 |
CVE-2016-0772 - python: smtplib StartTLS stripping attack |
Sucuri |
$250 |
[support.sucuri.net] CRLF Injection |
Sucuri |
$250 |
SSRF in sitecheck.sucuri.net |
Mail.Ru |
$150 |
[townwars.mail.ru] Time-Based SQL Injection |
Uber ★ |
$750 |
Brute-Forcing invite codes in partners.uber.com |
bitaccess |
$200 |
EXTREMELY URGENT: Missing control of bitcoin amount when selling bitcoin allows a user to withdraw any amount of money, unrestricted. |
Ruby |
$500 |
StringIO strio_getline() can divulge arbitrary memory |
HackerOne ★ |
$500 |
All information is not removed from published reports |
Instacart |
$100 |
Authorization Bypass in Delivery Chat Logs |
The Internet |
$7,500 |
Insufficient shell characters filtering leads to (potentially remote) code execution (CVE-2016-3714) |
Slack |
$500 |
File upload over private IM channel |
Uber ★ |
$10,000 |
Change any Uber user's password through /rt/users/passwordless-signup - Account Takeover (critical) |
Badoo |
$280 |
Retrieving the original of a hidden image |
Shopify |
$3,000 |
Authentication Bypass on Icinga monitoring server |
Shopify |
$1,500 |
Potentially Sensitive Information on GitHub |
Mail.Ru |
$250 |
Mail.ru for Android Content Provider Vulnerability |
Mapbox |
$500 |
XSS on www.mapbox.com/authorize/ because of open redirect at /core/oauth/auth |
Mapbox |
$500 |
XSS on www.mapbox.com/authorize |
Gratipay |
$40 |
upgrade Aspen on inside.gratipay.com to pick up CR injection fix |
drchrono |
$50 |
Information Disclosure |
Python |
$500 |
Heap corruption via Python 2.7.11 IOBase readline() |
Uber ★ |
$750 |
xss vulnerability in http://ubermovement.com/community/daniel |
drchrono |
$50 |
Bug Report |
Moneybird |
$50 |
[STORED XSS] in debtor reports of "invoices" |
WePay |
$250 |
Invited users can modify and/or remove account owner |
Shopify |
$500 |
Fetching external resources through svg images |
LocalTapiola |
$100 |
DOM XSS bypassing in Regional Office -selector |
Pornhub |
$10,000 |
[RCE] Unserialize to XXE - file disclosure on ams.upload.pornhub.com |
Twitter |
$560 |
Information Disclosure through .DS_Store in ██████████ |
Mail.Ru |
$150 |
[tidaltrek.mail.ru] SQL Injection |
OpenSSL |
$500 |
CVE-2016-2177 Undefined pointer arithmetic in SSL code |
Pornhub |
$1,500 |
(Pornhub & Youporn & Brazzers ANDROID APP) : Upload Malicious APK / Overwrite Existing APK / Android BackOffice Access |
VK.com |
$1,500 |
XSS in upload.php |
drchrono |
$50 |
User with no permissions can create, edit, delete favorite prescriptions /erx/ |
Slack |
$200 |
[Screenhero] Subdomain takeover |
Ubiquiti Networks |
$125 |
Stored XSS in unifi.ubnt.com |
Pornhub |
$20,000 |
[phpobject in cookie] Remote shell/command execution |
Pornhub |
$1,000 |
Private Photo Disclosure - /user/stream_photo_attach?load=album&id= endpoint |
drchrono |
$50 |
Bypassing Password Reset |
GlassWire |
$25 |
Bypass GlassWire's monitoring of Hosts file |
HackerOne ★ |
$500 |
Able to remove the admin access of my program |
drchrono |
$50 |
User with no permissions can access full wdcalendar feed |
drchrono |
$50 |
Stored XSS via AngularJS Injection |
Ubiquiti Networks |
$260 |
Open Redirect in unifi.ubnt.com [Controller Finder] |
drchrono |
$50 |
[CRITICAL] CSRF leading to account take over |
Mail.Ru |
$150 |
Source code disclosure & ability to get database information "SQL injection" in [townwars.mail.ru] |
Zendesk |
$100 |
XSS in zendesk.com/product/ |
drchrono |
$100 |
Angular injection in the profile name of onpatient |
drchrono |
$50 |
Template stored XSS |
drchrono |
$50 |
node.drchrono.com - Information Disclosure and Windows Host Exposed |
drchrono |
$50 |
Nginx Server version disclosure |
Starbucks |
$4,000 |
Parameter Manipulation allowed for editing the shipping address for other user’s teavana.com subscriptions. |
Starbucks |
$6,000 |
Parameter Manipulation allowed for viewing of other user’s teavana.com orders |
drchrono |
$50 |
Bypass password complexity requirements on password reset page |
drchrono |
$100 |
Security Issue: CSRF Token Design Flaw |
Mail.Ru |
$150 |
[tidaltrek.mail.ru] SQL Injection |
Mail.Ru |
$100 |
[my.mail.ru] HTML injection in emails from myadmin@corp.mail.ru |
Starbucks |
$375 |
www.starbucks.co.uk Reflected XSS via utm_source parameter |
Mail.Ru |
$160 |
[upload-X.my.mail.ru] /uploadphoto Insecure Direct Object References |
Slack |
$500 |
Open Redirect on slack.com |
Gratipay |
$10 |
configure a redirect URI for Facebook OAuth |
Binary.com |
$50 |
CJ vulnerability in subdomain |
Trello |
$128 |
XSS in Jetpack Plugin |
LocalTapiola |
$100 |
Exploiting Secure Shell (SSH) on mobilelt.lahitapiola.fi |
Phabricator |
$300 |
Passphrase credential lock bypass |
Ubiquiti Networks |
$2,750 |
Read-Only user can execute arbitrary shell commands on AirOS |
Automattic |
$500 |
WordPress core stored XSS via attachment file name |
Badoo |
$280 |
Ability to collect users' ids that have visited a specific web page with malicious code |
LocalTapiola |
$300 |
Persistent XSS at verkkopalvelu.tapiola.fi using spoofed React element and React v.0.13.3 |
Uber ★ |
$7,000 |
OneLogin authentication bypass on WordPress sites via XMLRPC |
Pornhub |
$750 |
[idor] Profile Admin can pin any other user's post on his stream wall |
LocalTapiola |
$100 |
Remote Code Execution in NovaStor NovaBACKUP DataCenter backup software (Hiback) |
Pornhub |
$1,000 |
SSRF & XSS (W3 Total Cache) |
LocalTapiola |
$300 |
Abusing and Hacking the SMTP Server secure.lahitapiola.fi |
WP API |
$100 |
Missing access control exposing detailed information on all users |
Pornhub |
$1,000 |
[IDOR] Deleting other users comment |
Pornhub |
$150 |
Same-Origin Method Execution bug in plupload.flash.swf on /insights |
OpenSSL |
$1,000 |
Bleichenbacher oracle in SSLv2 (CVE-2016-0704) |
OpenSSL |
$2,500 |
Divide-and-conquer session key recovery in SSLv2 (CVE-2016-0703) |
Pornhub |
$5,000 |
Weak user authentication on mobile application - I just broke the userKey secret password |
Pornhub |
$1,500 |
[stored xss, pornhub.com] stream post function |
Pornhub |
$250 |
XSS Reflected incategories*p |
Pornhub |
$250 |
XSS ReflectedGET /*embed_player*? |
Mail.Ru |
$150 |
SQL Injection |
Pornhub |
$1,500 |
[IDOR] post to anyone even if their stream is restricted to friends only |
Pornhub |
$100 |
CSV Macro injection in Video Manager (CEMI) |
Vimeo |
$600 |
All Vimeo Private videos disclosure via Authorization Bypass |
LocalTapiola |
$100 |
Amazon Bucket Accessible (http://inpref.s3.amazonaws.com/) |
Sucuri |
$500 |
CRLF/HTTP header injection www.sucuri.net |
ok.ru |
$500 |
Xss in m.ok.ru |
OpenSSL |
$2,500 |
Padding oracle in AES-NI CBC MAC check (CVE-2016-2107) |
Ubiquiti Networks |
$1,000 |
Source code disclosure on https://107.23.69.180 |
Uber ★ |
$8,000 |
[CRITICAL] -- Complete Account Takeover |
Gratipay |
$1 |
don't leak server version of grtp.co in error pages |
Moneybird |
$50 |
Reflected XSS in Backend search |
Vimeo |
$750 |
CSRF on Vimeo via cross site flashing leading to info disclosure and private videos go public |
Mapbox |
$400 |
Denial of service in account statistics endpoint |
Uber ★ |
$10,000 |
OneLogin authentication bypass on WordPress sites |
Moneybird |
$100 |
Employees with Any Permissions Can Create App with Full Permissions and Perform any API Action |
OpenSSL |
$500 |
EBCDIC overread (CVE-2016-2176) |
OpenSSL |
$500 |
EVP_EncryptUpdate overflow (CVE-2016-2106) |
OpenSSL |
$500 |
EVP_EncodeUpdate overflow (CVE-2016-2105) |
Romit |
$50 |
Session Fixation |
Moneybird |
$25 |
information disclose |
Shopify |
$500 |
View all deleted comments and ratings of any app. |
Uber ★ |
$5,000 |
Multiple vulnerabilities in a WordPress plugin at drive.uber.com |
LocalTapiola |
$400 |
Possibly big authorization problem in Lähitapiola's varainhoito |
Mapbox |
$1,000 |
Reflected cross-site scripting (XSS) on api.tiles.mapbox.com |
LocalTapiola |
$100 |
HTTP status code manipulation & java stack trace |
LocalTapiola |
$5,000 |
Blind Stored XSS Against Lahitapiola Employees - Session and Information leakage |
PHP |
$1,500 |
Integer overflow in ZipArchive::getFrom* |
HackerOne ★ |
$2,500 |
RCE in profile picture upload |
OpenSSL |
$500 |
ASN.1 BIO excessive memory allocation (CVE-2016-2109) |
Mail.Ru |
$250 |
XSS via a specially crafted file. |
Shopify |
$500 |
staff member can install apps even if they have limited access |
Automattic |
$1,337 |
WordPress SOME bug in plupload.flash.swf leading to RCE |
Automattic |
$1,337 |
WordPress Flash XSS in *flashmediaelement.swf* |
Zendesk |
$250 |
XSS In /zuora/ functionality |
LocalTapiola |
$100 |
Content Spoofing or Text Injection (404 error page injection) |
Algolia |
$500 |
RCE on facebooksearch.algolia.com |
Uber ★ |
$2,000 |
Reflected XSS via Livefyre Media Wall in newsroom.uber.com |
Automattic |
$75 |
XSS on www.wordpress.com |
Moneybird |
$25 |
Content Spoofing In Moneybird |
Udemy |
$50 |
Stored XSS at Udemy |
Slack |
$1,000 |
Stored XSS on team.slack.com using new Markdown editor of posts inside the Editing mode and using javascript-URIs |
Zendesk |
$500 |
[HIGH RISK] CSRF could potentially delete a zendesk subdomain. |
Moneybird |
$50 |
Open Redirect vulnerability in moneybird.com |
Zendesk |
$100 |
AWS S3 bucket writable for authenticated aws user |
Uber ★ |
$7,500 |
Stored XSS in developer.uber.com |
Twitter |
$840 |
[Critical] - Steal OAuth Tokens |
Coinbase |
$100 |
User's legal name could be changed despite front end controls being disabled |
Automattic |
$75 |
Akismet Several CSRF vulnerabilities |
ownCloud |
$150 |
Open Redirector via (apps/files_pdfviewer) for un-authenticated users. |
Gratipay |
$1 |
bring grtp.co up to A grade on SSLLabs |
Moneybird |
$50 |
Stored XSS in Financial Account executing in Bank tab |
Moneybird |
$100 |
Malicious File Upload |
Ubiquiti Networks |
$275 |
Reflected XSS in scores.ubnt.com |
Moneybird |
$150 |
XXE issue |
Moneybird |
$25 |
Stored XSS thru SVG upload |
bitaccess |
$50 |
BYPASSING OTP Verification |
Moneybird |
$50 |
CSV Injection with the CSV export feature |
Trello |
$128 |
Cross site scripting in blog.trello.com |
Slack |
$2,000 |
Authentication bypass leads to sensitive data exposure (token+secret) |
Zendesk |
$50 |
Stored XSS on [your_zendesk].zendesk.com in Facebook Channel |
Python |
$500 |
Python 2.7 strop.replace Integer Overflow |
Twitter |
$700 |
xss in DM group name in twitter |
Twitter |
$700 |
niche s3 buckets are readable/writeable/deleteable by authorized AWS users |
Automattic |
$75 |
CPU utilization 99% on visiting wordpress site url & open redirect found |
LocalTapiola |
$300 |
The PdfServlet-functionality used by the "Tee vakuutustodistus" allows injection of custom PDF-content via CSRF-attack |
LocalTapiola |
$400 |
Cookie-based client-side denial-of-service to all of the Lähitapiola domains |
Gratipay |
$10 |
Send email asynchronously |
Algolia |
$100 |
No rate-limit in Two factor Authentication leads to bypass using bruteforce attack |
Ubiquiti Networks |
$1,500 |
Read-Only user can execute arbitrary shell commands on AirOS |
Trello |
$1,536 |
Payment information is sent to the webhook when a team changes its visibility |
OpenSSL |
$1,000 |
BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193) |
Gratipay |
$10 |
fix bug in username restriction |
Snapchat |
$1,000 |
Administrator access to a Django Administration Panel on *.sc-corp.net via bruteforced credentials |
InVision |
$400 |
CRITICAL: Delete Board Admin's (or any other user's) comment (IDOR) |
HackerOne ★ |
$2,500 |
AWS S3 bucket writeable for authenticated aws users |
Gratipay |
$1 |
Limit email address length |
Uber ★ |
$5,000 |
Stored XSS on newsroom.uber.com admin panel / Stream WordPress plugin |
Uber ★ |
$250 |
Easy spam with USE My PHONE Feature |
HackerOne ★ |
$1,500 |
Web Authentication Endpoint Credentials Brute-Force Vulnerability |
Badoo |
$852 |
[CRITICAL] Full account takeover using CSRF |
HackerOne ★ |
$500 |
New hacktivity view discloses report IDs of non-public reports |
HackerOne ★ |
$500 |
New hacktivity view discloses report IDs of non-public reports |
PHP |
$1,000 |
php_snmp_error() Format String Vulnerability |
Uber ★ |
$5,000 |
Information regarding trips from other users |
Uber ★ |
$5,000 |
Possibility to get private email using UUID |
Twitter |
$280 |
XSS using javascript:alert(8007) |
Uber ★ |
$3,000 |
Possible to View Driver Waybill via Driver UUID |
LocalTapiola |
$100 |
www.lahitapiola.fi DOM XSS by choosing regional company |
Uber ★ |
$3,000 |
Stored XSS in archive.uber.com Due to Injection of Javascript:alert(0) |
Coinbase |
$1,000 |
Sending payments via QR code does not require confirmation |
Shopify |
$500 |
XSS on https://app.shopify.com/ |
Coinbase |
$500 |
Email leak in transactions in Android app |
Trello |
$1,024 |
If a team is public, the web socket receives data about the Team visible boards |
LocalTapiola |
$1,000 |
Posting modified information in 'Investment section' will cause unintended information change in verkkopalvelu.tapiola.fi |
Uber ★ |
$500 |
CBC "cut and paste" attack may cause Open Redirect(even XSS) |
Uber ★ |
$750 |
XSS In archive.uber.com Due to Mime Sniffing in IE |
Uber ★ |
$1,000 |
CSV Injection in business.uber.com |
Uber ★ |
$2,000 |
Stored XSS in drive.uber.com WordPress admin panel |
Gratipay |
$10 |
prevent content spoofing on /~username/emails/verify.html |
Uber ★ |
$10,000 |
uber.com may RCE by Flask Jinja2 Template Injection |
Uber ★ |
$3,000 |
SQL injection in Wordpress Plugin Huge IT Video Gallery at https://drive.uber.com/frmarketplace/ |
Uber ★ |
$3,000 |
Reflected XSS via Unvalidated / Open Redirect in uber.com |
Uber ★ |
$5,000 |
Possibility to brute force invite codes in riders.uber.com |
Uber ★ |
$3,000 |
Dom Based Xss |
Uber ★ |
$500 |
Estimation of a Lower Bound on Number of Uber Drivers via Enumeration |
Mapbox |
$1,000 |
XSS (cross-site scripting) on www.mapbox.com/maki |
Uber ★ |
$3,000 |
Avoiding Surge Pricing |
Uber ★ |
$2,000 |
Bypassing Uber Partner's 3 Cancel Limit |
Uber ★ |
$3,000 |
Lack of rate limiting on get.uber.com leads to enumeration of promotion codes and estimation of a lower bound on the number of Uber drivers |
Uber ★ |
$3,000 |
SQLi in love.uber.com |
Uber ★ |
$1,500 |
Lack of CNAME/A Record Trimming Pointing Uber Domains to Insecure Non-Uber AWS Instances/Sites |
Uber ★ |
$3,000 |
XSS in getrush.uber.com |
Uber ★ |
$3,000 |
Reflected XSS on developer.uber.com via Angular template injection |
Uber ★ |
$500 |
Open Redirect in m.uber.com |
Gratipay |
$1 |
Hijacking user session by forcing the use of invalid HTTPs Certificate on images.gratipay.com |
HackerOne ★ |
$1,500 |
External programs revealing info |
HackerOne ★ |
$500 |
Websites opened from reports can change url of report page |
Shopify |
$500 |
Bypassed password authentication before enabling OTP verification |
HackerOne ★ |
$500 |
Disclosure of private programs that have an "external" page on HackerOne |
Shopify |
$500 |
Stored XSS via "Free Shipping" option (Discounts) |
Imgur |
$100 |
XSS via React element spoofing |
HackerOne ★ |
$500 |
CSV Injection via the CSV export feature |
Shopify |
$1,500 |
Shopify GitHub Login and Password exposed; all private source code might be available. |
Trello |
$768 |
Using WebSocket I can always access organization data even if I am removed |
Gratipay |
$1 |
auto-logout after 20 minutes |
Gratipay |
$1 |
Cookie Does Not Contain The "secure" Attribute |
Gratipay |
$1 |
suppress version in Server header on gratipay.com or grtp.co |
HackerOne ★ |
$500 |
SECURITY: Referencing previous Reports attachment_IDs on new Reports via Draft_Sync DELETES Attachments |
HackerOne ★ |
$500 |
Mediation link can be accepted by other users |
LocalTapiola |
$500 |
CSRF allows attacker to delete item from customer's "Postilaatikko" |
Shopify |
$500 |
XSS on hardware.shopify.com |
HackerOne ★ |
$1,000 |
Edit Auto Response Messages |
Mail.Ru |
$200 |
bgplay.mail.ru |
Shopify |
$500 |
Stored XSS in https://checkout.shopify.com/ |
Imgur |
$5,000 |
Local file read in image editor |
Mapbox |
$200 |
Mapbox API Access Token with No Scope Can Read Styles |
Ubiquiti Networks |
$1,300 |
Shell Injection via Web Management Console (dl-fw.cgi) |
Vimeo |
$100 |
Private, embeddable videos leak data through Facebook & Open Graph |
PHP |
$1,000 |
Buffer overflow in HTTP url parsing functions |
Badoo |
$850 |
Account Takeover |
LocalTapiola |
$400 |
CRLF injection in https://verkkopalvelu.lahitapiola.fi/ |
Badoo |
$427 |
Broken Authentication on Badoo |
Bime |
$150 |
Subdomain takeover due to unclaimed Amazon S3 bucket on a2.bime.io |
Bime |
$250 |
SSRF issue |
Gratipay |
$1 |
don't serve hidden files from Nginx |
Pornhub |
$250 |
Public Facing Barracuda Login |
OpenSSL |
$500 |
BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797) |
Pornhub |
$2,500 |
Unprotected Memcache Installation running |
Pornhub |
$50 |
HTTP Track/Trace Method Enabled |
Twitter |
$1,120 |
DOMXSS in Tweetdeck |
Mail.Ru |
$150 |
Bypass admin panel [conference.mail.ru] |
Mail.Ru |
$150 |
Bypass admin panel [seminars.mail.ru] |
Ubiquiti Networks |
$1,500 |
Read-Only user can execute arbitrary shell commands on AirOS |
Udemy |
$150 |
Session Takeover vulnerability |
Shopify |
$500 |
xss in the all widgets of shopifyapps.com |
Uber ★ |
$500 |
Open Redirection on Uber.com |
HackerOne ★ |
$500 |
User with Read-Only permissions can edit the Internal comment Activities on Bug Reports after the team access permissions are revoked |
Twitter |
$280 |
Sub-Domain Takeover |
InVision |
$500 |
CRITICAL Stored XSS in https://projects.invisionapp.com |
Udemy |
$150 |
Able to view others' gifts on /gift/share URL, giftId is predictable, and easy to manipulate |
Coinbase |
$500 |
Misconfiguration in 2 factor allows sensitive data expose |
Twitter |
$2,520 |
Tweet Deck XSS- Persistent- Group DM name |
HackerOne ★ |
$500 |
Distinguish EP+Private vs Private programs in HackerOne |
Algolia |
$1,000 |
API Key added for one Indices works for all other indices too. |
OpenSSL |
$500 |
CVE-2016-0799 memory issues in BIO_*printf functions |
HackerOne ★ |
$500 |
User with Read-Only permissions can manually publicly disclose the report |
Shopify |
$500 |
File name and folder enumeration. |
Coinbase |
$200 |
XSSI (Cross Site Script Inclusion) |
HackerOne ★ |
$500 |
CSV Injection at the CSV export feature |
QIWI |
$150 |
Content Spoofing in mango.qiwi.com |
VK.com |
$100 |
Dork |
Mail.Ru |
$500 |
Admin panel access restrictions bypass [poll.mail.ru/admin/] |
Gratipay |
$1 |
limit number of images in statement |
Zendesk |
$50 |
Stored XSS via Angular Expression injection on developer.zendesk.com |
Gratipay |
$1 |
strengthen Diffie-Hellman (DH) key exchange parameters in grtp.co |
Shopify |
$500 |
XSS in Draft Orders in Timeline in SHOPIFY Admin Site! |
Gratipay |
$1 |
stop serving grtp.co over HTTP |
Gratipay |
$10 |
DMARC is misconfigured for grtp.co |
Uber ★ |
$3,000 |
Reflected XSS on Uber.com careers |
Gratipay |
$10 |
Prevent content spoofing on /~username/emails/verify.html |
Gratipay |
$2 |
SPF/DKIM/DMARC for aspen.io |
Mail.Ru |
$250 |
SSRF on element.mail.ru |
Gratipay |
$2 |
SPF/DKIM/DMARC for grtp.co |
Gratipay |
$1 |
limit HTTP methods on other domains |
Gratipay |
$10 |
Email Forgery through Mandrillapp SPF |
Uber ★ |
$250 |
Multiple Vulnerabilities (Including SQLi) in love.uber.com |
Uber ★ |
$3,000 |
XSS @ love.uber.com |
Gratipay |
$10 |
No Valid SPF Records. |
HackerOne ★ |
$500 |
Increase number of bugs by sending duplicate of your own valid report |
Zopim |
$100 |
Chat History CSV Export Excel Injection Vulnerability |
Legal Robot |
$20 |
SSL Issue on legalrobot.com |
HackerOne ★ |
$500 |
Private Program Disclosure in /:handle/settings/allow_report_submission.json endpoint |
VK.com |
$200 |
vk.com/login.php |
Legal Robot |
$20 |
SPF Issue |
Legal Robot |
$120 |
Remote Code Execution (upload) |
Mail.Ru |
$600 |
VERY DANGEROUS XSS STORED inside emails |
Mail.Ru |
$150 |
[3k.mail.ru] SQL Injection |
Ubiquiti Networks |
$1,000 |
Auth bypass on directory.corp.ubnt.com |
Slack |
$100 |
an xss issue in https://hunter22.slack.com/help/requests/793043 |
Gratipay |
$1 |
The POODLE attack (SSLv3 supported) for https://grtp.co/ |
WePay |
$150 |
2-step Verification bypass |
Python |
$1,000 |
Type confusion in partial.setstate, partial_repr, partial_call leads to memory corruption, reliable control flow hijack |
Sucuri |
$500 |
Manipulating of Sucuri.net (List Subscription) Emails (HTML/Script Injection) |
HackerOne ★ |
$500 |
Private Program Disclosure in /:handle/reports/draft.json endpoint |
HackerOne ★ |
$5,000 |
Private program activity timeline information disclosure |
Shopify |
$500 |
XSS on hardware.shopify.com |
Imgur |
$1,000 |
SSRF / Local file enumeration / DoS due to improper handling of certain file formats by ffmpeg |
Imgur |
$800 |
SSRF and local file read in video to gif converter |
Legal Robot |
$20 |
Rate limiting on Email confirmation link |
Imgur |
$2,000 |
SSRF in https://imgur.com/vidgif/url |
Paragon Initiative Enterprises |
$50 |
Full Path Disclosure |
Mail.Ru |
$300 |
[orsotenslimselfie.lady.mail.ru] SQL Injection |
Gratipay |
$10 |
prevent content spoofing on /search |
Gratipay |
$5 |
SPF DNS Record |
Keybase |
$50 |
Content spoofing due to the improper behavior of the not-found message |
HackerOne ★ |
$500 |
Putting link inside link in markdown |
Keybase |
$350 |
Race conditions can be used to bypass invitation limit |
Keybase |
$250 |
Remote Server Restart Lead to Denial of Service by only one Request. |
Mapbox |
$200 |
Content Spoofing and Local Redirect in Mapbox Studio |
VK.com |
$2,500 |
External entity injection in the YouTrack user-import functionality |
Shopify |
$500 |
CSRF on https://shopify.com/plus |
Twitter |
$2,520 |
Bypassing Digits web authentication's host validation with HPP |
Snapchat |
$1,000 |
Subdomain takeover in http://support.scan.me pointing to Zendesk (a Snapchat acquisition) |
Keybase |
$250 |
Remote Server Restart Lead to Denial of Service by only one Request. |
OpenSSL |
$2,500 |
OpenSSL Key Recovery Attack on DH small subgroups (CVE-2016-0701) |
Paragon Initiative Enterprises |
$50 |
Open-redirect on paragonie.com |
HackerOne ★ |
$500 |
Multiple issues with Markdown and URL parsing |
withinsecurity |
$250 |
WordPress Failure Notice page will generate arbitrary hyperlinks |
HackerOne ★ |
$500 |
Unintended HTML inclusion as a result of https://hackerone.com/reports/110578 |
Mail.Ru |
$300 |
[afisha.mail.ru] SQL Injection |
Coinbase |
$1,000 |
Session Issue Maybe Can lead to huge loss [CRITICAL] |
Binary.com |
$250 |
Full takeover of some binary.com sub domains |
Bime |
$100 |
The JDBC driver used by the Vertica connector allows to create files on the backends |
Bime |
$1,000 |
SSRF in the Connector Designer (REST and Elastic Search) |
Bime |
$750 |
XXE in the Connector Designer |
HackerOne ★ |
$500 |
Interstitial redirect bypass / open redirect in https://hackerone.com/zendesk_session |
Mail.Ru |
$150 |
[allods.my.com] SSRF / XSPA |
Zendesk |
$100 |
[CRITICAL] HTML injection issue leading to account take over |
withinsecurity |
$250 |
Error Page Text Injection #106350 |
Imgur |
$50 |
Big Bug in SSL : breach compression attack (CVE-2013-3587) affect imgur.com |
Shopify |
$500 |
Full access to Amazon S3 bucket containing AWS CloudTrail logs |
Automattic |
$75 |
XSS at wordpress.com |
Shopify |
$500 |
www.shopify.com XSS via third-party script |
Trello |
$1,152 |
DOM based XSS via Wistia embedding |
VK.com |
$100 |
Checking whether user liked the media or not even when you are blocked |
Vimeo |
$100 |
Legacy API exposes private video titles |
Automattic |
$75 |
XSS at www.woothemes.com |
Pornhub |
$1,500 |
[ssrf] libav vulnerable during conversion of uploaded videos |
Shopify |
$500 |
Attach Pinterest account - no State/CSRF parameter in Oauth Call back |
Shopify |
$500 |
Twitter Disconnect CSRF |
HackerOne ★ |
$500 |
CSV Injection via the CSV export feature |
withinsecurity |
$250 |
Content Spoofing OR Text Injection in https://withinsecurity.com |
Gratipay |
$15 |
Subdomain Takeover |
Automattic |
$250 |
Internal GET SSRF via CSRF with Press This scan feature |
ownCloud |
$250 |
Information Exposure Through Directory Listing CVE-2016-1499 |
HackerOne ★ |
$500 |
HTML injection can lead to data theft |
Twitter |
$5,040 |
Bypassing Digits bridge origin validation |
Perl |
$1,000 |
Perl 5.22 VDir::MapPathA/W Out-of-bounds Reads and Buffer Over-reads |
Phabricator |
$300 |
Extended policy checks are buggy |
Udemy |
$25 |
CSRF in Udemy.com |
Coinbase |
$200 |
Direct URL access to completed reports |
Ubiquiti Networks |
$500 |
Subdomain Takeover in http://assets.goubiquiti.com/ |
HackerOne ★ |
$500 |
User with Read-Only permissions can request/approve public disclosure |
Mail.Ru |
$150 |
[parapa.mail.ru] SQL Injection |
PHP |
$1,000 |
Use After Free in sortWithSortKeys() |
Gratipay |
$5 |
HTTP trace method is enabled |
Twitter |
$2,520 |
Bypassing callback_url validation on Digits |
ownCloud |
$350 |
Exploiting unauthenticated encryption mode |
Ubiquiti Networks |
$150 |
Reflected File Download in community.ubnt.com/restapi/ |
VK.com |
$500 |
API: Bug in method auth.signup that makes it possible to place unlimited calls |
Mail.Ru |
$150 |
[cfire.mail.ru] Time Based SQL Injection |
Mail.Ru |
$500 |
reflected in xss |
HackerOne ★ |
$500 |
Team Member(s) associated with a Group have Read-only permission (Post internal comments) can post comment to all the participants |
WePay |
$100 |
Unauthenticated Stored XSS in API Panel |
Automattic |
$50 |
Possible Timing Side-Channel in XMLRPC Verification |
GlassWire |
$100 |
GlassWireSetup.exe subject to EXE planting attack |
Imgur |
$150 |
XSS in imgur mobile 3 |
Imgur |
$150 |
XSS in imgur mobile |
Shopify |
$500 |
Stored XSS in /admin/orders |
VK.com |
$100 |
Adding to a community's menu without the user's knowledge (without a click by the user) |
Zendesk |
$500 |
Stored XSS in comments |
Shopify |
$500 |
Stored Cross Site Scripting |
PHP |
$1,000 |
Format string vulnerability in zend_throw_or_error() |
Shopify |
$500 |
HTTP-Response-Splitting on v.shopify.com |
Maximum |
$20 |
Application error message |
Coinbase |
$100 |
Race condition allowing user to review app multiple times |
withinsecurity |
$250 |
Text injection can be used in phishing; 404 page should not include attacker text |
Algolia |
$100 |
Text injection can be used in phishing; 404 page should not include attacker text |
HackerOne ★ |
$500 |
Improve signals in reputation |
Shopify |
$500 |
Reflected XSS on wholesale.shopify.com |
HackerOne ★ |
$500 |
Team Member(s) associated with a Custom Group Created with 'Program Management' only permissions can Comment on Bug Reports |
Shopify |
$500 |
"Remember me" token generated when "Remember me" box unchecked |
GlassWire |
$100 |
DLL Hijacking Vulnerability in GlassWireSetup.exe |
HackerOne ★ |
$500 |
Parameter pollution in social sharing buttons |
HackerOne ★ |
$500 |
Know whether private program for company exist or not |
LeaseWeb |
$100 |
DOM Based XSS in Checkout |
Shopify |
$500 |
many xss in widgets.shopifyapps.com |
Pornhub |
$50 |
[crossdomain.xml] Dangerous Flash Cross-Domain Policy |
Pornhub |
$250 |
PornIQ Reflected Cross-Site Scripting |
Imgur |
$150 |
risk of having secure=false in a crossdomain.xml |
Instacart |
$100 |
Cookie-Based Injection |
Square Open Source |
$2,000 |
Unsafe usage of Ruby string interpolation enabling command injection in git-fastclone |
Shopify |
$500 |
CSRF in Connecting Pinterest Account |
Instacart |
$100 |
Cross-Site Scripting Reflected On Main Domain |
Zopim |
$100 |
[status.zopim.com] Open Redirect |
Automattic |
$75 |
XSS on codex.wordpress.org |
Coinbase |
$200 |
HTML injection in apps user review |
QIWI |
$200 |
[rubm.qiwi.com] Yui charts.swf XSS |
Square Open Source |
$2,000 |
git-fastclone allows arbitrary command execution through usage of ext remote URLs in submodules |
Shopify |
$1,000 |
shopifyapps.com XSS on sales channels via currency formatting |
Slack |
$1,000 |
Trick make all fixed open redirect links vulnerable again |
Python |
$500 |
tokenizer crash when processing undecodable source code |
Python |
$1,000 |
PyFloat_FromString & PyNumber_Long Buffer Over-reads |
PHP |
$500 |
Memory Corruption in phar_parse_tarfile when entry filename starts with null CVE-2015-4021 |
PHP |
$500 |
invalid pointer free() in phar_tar_process_metadata() CVE-2015-3307 |
Python |
$500 |
use after free in load_newobj_ex |
Python |
$500 |
array.fromstring Use After Free |
Python |
$1,000 |
bytearray.find Buffer Over-read |
Python |
$500 |
hotshot pack_string Heap Buffer Overflow |
Python |
$500 |
audioop.adpcm2lin Buffer Over-read |
Python |
$500 |
audioop.lin2adpcm Buffer Over-read |
PHP |
$500 |
Files extracted from archive may be placed outside of destination directory CVE-2015-6833 |
PHP |
$1,500 |
Multiple Use After Free Vulnerabilities in unserialize() CVE-2015-6831 |
PHP |
$1,000 |
Arbitrary code execution in str_ireplace function CVE-2015-6527 |
PHP |
$1,000 |
Dangling pointer in the unserialization of ArrayObject items CVE-2015-6832 |
PHP |
$500 |
curl_setopt_array() type confusion |
The Internet |
$1,000 |
libcurl duphandle read out of bounds CVE-2014-3707 |
PHP |
$500 |
heap buffer overflow in enchant_broker_request_dict() CVE-2014-9705 |
PHP |
$500 |
Integer overflow in unserialize() (32-bits only) CVE-2014-3669 |
PHP |
$500 |
AddressSanitizer reports a global buffer overflow in mkgmtime() function CVE-2014-3668 |
PHP |
$1,500 |
SOAP serialize_function_call() type confusion / RCE CVE-2015-6836 |
PHP |
$500 |
zend_throw_or_error() format string vulnerability |
PHP |
$1,000 |
Uninitialized pointer in phar_make_dirstream CVE-2015-7804 |
PHP |
$1,000 |
Buffer over-read in exif_read_data with TIFF IFD tag |
PHP |
$500 |
Null pointer deref (segfault) in spl_autoload via ob_start |
PHP |
$500 |
null pointer deref (segfault) in zend_eval_const_expr |
PHP |
$500 |
Mem out-of-bounds write (segfault) in ZEND_ASSIGN_DIV_SPEC_CV_UNUSED_HANDLER |
Python |
$1,000 |
Python deque.index() uninitialized memory |
Python |
$500 |
Python scan_eol() Buffer Over-read |
Python |
$500 |
time_strftime() Buffer Over-read |
Python |
$500 |
Python xmlparse_setattro() Type Confusion |
PHP |
$500 |
Use after free vulnerability in unserialize() with GMP |
PHP |
$500 |
Use After Free Vulnerability in session deserializer CVE-2015-6835 |
PHP |
$1,000 |
Use After Free Vulnerability in unserialize() CVE-2015-6834 |
PHP |
$1,000 |
Use After Free Vulnerability in unserialize() with SplObjectStorage CVE-2015-6834 |
PHP |
$1,000 |
Use After Free Vulnerability in unserialize() with SplDoublyLinkedList CVE-2015-6834 |
Python |
$500 |
Python 3.3 - 3.5 product_setstate() Out-of-bounds Read |
Ruby |
$1,500 |
Request Hijacking Vulnerability In RubyGems 2.4.6 And Earlier CVE-2015-3900 |
Python |
$500 |
Integer overflow in _Unpickler_Read |
Apache httpd |
$500 |
mod_lua: Crash in websockets PING handling CVE-2015-0228 |
PHP |
$500 |
Null pointer dereference in phar_get_fp_offset() CVE-2015-7803 |
HackerOne ★ |
$2,500 |
CSRF possible when SOP Bypass/UXSS is available |
Shopify |
$500 |
Open Redirect at *.myshopify.com/account/login?checkout_url= |
Shopify |
$500 |
[CSRF] Install premium themes |
Algolia |
$100 |
Stored XSS in name selection |
ok.ru |
$500 |
CSRF protection bypass in m.ok.ru |
withinsecurity |
$250 |
content injection |
ok.ru |
$500 |
Same-Origin Policy Bypass #2 |
ok.ru |
$500 |
Same-Origin Policy bypass on main domain - ok.ru |
Zendesk |
$500 |
[CRITICAL] CSRF leading to account take over |
Sucuri |
$250 |
XSS Vuln in Sucuri Security - Auditing, Malware Scanner |
Binary.com |
$75 |
Cookie bug |
Shopify |
$500 |
Open redirect using theme install |
Ubiquiti Networks |
$200 |
account.ubnt.com CSRF |
Shopify |
$500 |
XSS in creating tweets |
Maximum |
$20 |
RC4 cipher suites detected |
Maximum |
$10 |
SSL certificate invalid date |
Maximum |
$40 |
RC4 cipher suites detected |
Automattic |
$75 |
Remove anyone's pic gravtar |
Pornhub |
$250 |
Reflected Cross-Site Scripting on French subdomain |
Twitter |
$140 |
Subdomain Expired |
InVision |
$300 |
Stored Cross-Site Scripting on █████████ (with small user interaction) |
Uber ★ |
$500 |
Drivers can change profile picture |
Shopify |
$500 |
An administrator without any permission is able to get order notifications using his APNS Token. |
Twitter |
$560 |
xss in link items (mopub.com) |
Yelp |
$1,500 |
Access to internal CMS containing private Data |
Imgur |
$5,500 |
Imgur dev environments facing the Internet |
Twitter |
$560 |
URGENT : NICHE.co Account Take Over Vulnerability |
Coinbase |
$5,000 |
Stored-XSS in https://www.coinbase.com/ |
Twitter |
$560 |
Add tweet to collection CSRF |
Pornhub |
$250 |
Cross Site Scripting - On Mouse Over, Blog page |
Pornhub |
$250 |
[xss, pornhub.com] /user/[username], multiple parameters |
HackerOne ★ |
$1,000 |
Pre-generation of 2FA secret/backup codes seems like an unnecessary risk |
QIWI |
$100 |
Open Redirect in meeting.qiwi.com |
Coinbase |
$500 |
Transactions visible on Unconfirmed devices |
Algolia |
$200 |
User with limited access to Index configuration can rename the Index |
drchrono |
$100 |
Request Accepts without X-CSRFToken [ Header - Cookie ] |
HackerOne ★ |
$500 |
Limited CSRF bypass. |
drchrono |
$100 |
CSRF Add Album On onpatient.com |
Boozt Fashion AB |
$100 |
Reflected XSS on www.boozt.com |
Badoo |
$153 |
Open redirect helps to steal Facebook access_token |
Uber ★ |
$1,000 |
Mass Assignment Vulnerability in partners.uber.com |
Shopify |
$500 |
deleted staff member can add his amazon marketplace web services account to the store. |
Algolia |
$100 |
an xss issue |
Shopify |
$500 |
[CSRF] Activate PayPal Express Checkout |
QIWI |
$3,137 |
XML External Entity (XXE) in qiwi.com + waf bypass |
Mapbox |
$1,000 |
XSS in L.mapbox.shareControl in mapbox.js |
Slack |
$100 |
RC4 cipher suites detected on status.slack.com |
Shopify |
$1,000 |
S3 Buckets open to the world thanks to 'Authenticated Users' ACL |
Shopify |
$500 |
Apps can access 'channels' beta api |
Binary.com |
$50 |
Email Verification Link can be Used as Password Reset Link! |
Twitter |
$280 |
Urgent : Disclosure of all the apps with hash ID in mopub through API request (Authentication bypass) |
QIWI |
$200 |
XSS Reflected in test.qiwi.ru |
Shopify |
$1,500 |
'Limited' RCE in certain places where Liquid is accepted |
Binary.com |
$300 |
login to any user's cashier account and full account information disclosure |
itBit Exchange |
$100 |
No password length restriction denial of service |
Algolia |
$100 |
Stored XSS on https://www.algolia.com/realtime-search-demo/* |
HackerOne ★ |
$2,500 |
Cross-domain AJAX request |
Imgur |
$150 |
XSS m.imgur.com |
Slack |
$100 |
Reflected Self-XSS in Slack |
Twitter |
$1,120 |
File Upload XSS in image uploading of App in mopub |
Slack |
$200 |
File upload XSS (Java applet) on http://slackatwork.com/ |
Shopify |
$500 |
List of devices is accessible regardless of the account limitations |
Twitter |
$280 |
Following a User After Favoriting Actually Follows Another User (related to #95243) |
Shopify |
$500 |
SVG parser loads external resources on image upload |
Shopify |
$500 |
Staff members with no permission can access to the files, uploaded by the administrator |
Mail.Ru |
$300 |
Potential SSRF in sales.mail.ru |
ok.ru |
$250 |
Multiple critical vulnerabilities in Odnoklassniki Android application |
HackerOne ★ |
$1,000 |
HTTP header injection in info.hackerone.com allows setting cookies for hackerone.com |
HackerOne ★ |
$2,500 |
Send AJAX request to external domain |
Twitter |
$1,120 |
Can see private tweets via keyword searches on tweetdeck |
Shopify |
$500 |
An administrator without the 'Settings' permission is able to see payment gateways |
Shopify |
$500 |
A 'Full access' administrator is able to see the shop owners user details |
Shopify |
$500 |
Staff members with no permission to access domains can access them. |
Keybase |
$50 |
Un-handled exception leads to Information Disclosure |
Badoo |
$310 |
crossdomain.xml too permissive on eu1.badoo.com, us1.badoo.com, etc. |
Snapchat |
$1,500 |
Password Reset - query param overrides postdata |
Shopify |
$500 |
Missing of csrf protection |
Imgur |
$50 |
Persistent XSS in https://p.imgur.com/albumview.gif and http://p.imgur.com/imageview.gif / post statistics |
Slack |
$500 |
Stored XSS in Slack (weird, trial and error) |
Vimeo |
$250 |
XSS on player.vimeo.com without user interaction and vimeo.com with user interaction |
Binary.com |
$75 |
Http Response Splitting - Validate link |
itBit Exchange |
$50 |
user-agent Content spoofing |
Mail.Ru |
$300 |
[api.allodsteam.com] Authentication Data |
Binary.com |
$50 |
Cross Site Scripting |
Shopify |
$500 |
Privilege escalation and circumvention of permission to limited access user |
Imgur |
$250 |
Persistent XSS in image title |
Twitter |
$280 |
CSRF on cards API |
Twitter |
$5,040 |
IDOR- Activate Mopub on different organizations- steal api token- Fabric.io |
Shopify |
$500 |
Unauthorized access to any Store Admin's First & Last name |
Twitter |
$280 |
Following a User Actually Follows Another User |
Twitter |
$280 |
XSS in the "Poll" Feature on Twitter.com |
Shopify |
$500 |
Reflected XSS in cart at hardware.shopify.com |
Shopify |
$4,000 |
Paid account can review\download any invoice of any other shop |
Whisper |
$30 |
SMS Invite Form Abuse |
Whisper |
$30 |
Host Header Injection/Redirection |
Shopify |
$500 |
Some S3 Buckets are world readable (and one is world writeable) |
Zopim |
$1,000 |
Cross-site Scripting in all Zopim |
Shopify |
$1,500 |
Arbitrary read on s3://shopify-delivery-app-storage/files |
Shopify |
$2,500 |
Unauthorized access to all collections, products, pages from other stores |
Shopify |
$500 |
Bypassing password requirement during deletion of account |
Shopify |
$2,000 |
Arbitrary write on s3://shopify-delivery-app-storage/files |
Shopify |
$500 |
Missing authorization check on dashboard overviews |
Shopify |
$500 |
get users information without full access |
Shopify |
$1,000 |
Unauthenticated access to details of hidden products in any shop via title enumeration |
Shopify |
$500 |
First & Last Name Disclosure of any Shopify Store Admin |
WePay |
$100 |
Subdomain Takeover in http://staging.wepay.com/ pointing to Fastly |
VK.com |
$100 |
A way to learn the name and university of a deleted profile |
Shopify |
$2,000 |
unauthorized access to all collections name |
Coinbase |
$100 |
SPF records not found |
Shopify |
$500 |
Accessing Payments page and adding payment methods with limited access accounts |
Badoo |
$456 |
Tokens from services like Facebook can be stolen |
Shopify |
$2,500 |
unauthorized access to all customers first and last name |
Automattic |
$75 |
CSV Injection in polldaddy.com |
Trello |
$128 |
CSV Injection |
Shopify |
$500 |
customers password hash leak!!!! |
Uber ★ |
$100 |
Issue with Password reset functionality |
Trello |
$256 |
Normal User can add new users to group |
Imgur |
$1,600 |
Server Side Request Forgery In Video to GIF Functionality |
Imgur |
$50 |
Crossdomain.xml settings on api.imgur.com too open |
Automattic |
$50 |
WooCommerce: Support Ticket indirect object reference |
Imgur |
$50 |
Reflected Flash XSS using swfupload.swf with an epileptic reloading to bypass the button-event |
Imgur |
$50 |
"Sign me out everywhere" does not work for desktop sessions |
IRCCloud |
$500 |
Inadequate input validation on API endpoint leading to self denial of service and increased system load. |
Zendesk |
$50 |
Content Spoofing |
Shopify |
$1,000 |
change Login Services settings without owner access |
Shopify |
$1,000 |
create staff member without owner access |
Shopify |
$500 |
Privilege escalation vulnerability |
Coinbase |
$100 |
User email enumeration using Gmail |
Zopim |
$100 |
CSV Excel Macro Injection Vulnerability in export chat logs |
Twitter |
$280 |
Tweetdeck (twitter owned app) not revoked |
VK.com |
$500 |
CSRF in obtaining backup tokens + framing, leading to 2FA compromise |
Zendesk |
$100 |
CSV Excel Macro Injection Vulnerability in export customer tickets |
Zendesk |
$100 |
Cross-site Scripting https://www.zendesk.com/product/pricing/ |
Slack |
$100 |
Self-XSS in posts by formatting text as code |
Mail.Ru |
$500 |
XSS: https://light.mail.ru/compose, https://m.mail.ru/compose/[id]/reply when replying to a specially crafted email |
Twitter |
$2,520 |
Multiple DOMXSS on Amplify Web Player |
Vimeo |
$200 |
XSS when using captions/subtitles on video player based on Flash (requires user interaction) |
Phabricator |
$300 |
Information leakage through Graphviz blocks |
Vimeo |
$100 |
XSS on vimeo.com | "Search within these results" feature (requires user interaction) |
Vimeo |
$1,500 |
XSS on vimeo.com/home after other user follows you |
Udemy |
$100 |
XSS Vulnerability |
Vimeo |
$200 |
Stored XSS on vimeo.com and player.vimeo.com |
Coinbase |
$100 |
OAUTH permission set as true= lead to authorize malicious application |
ownCloud |
$25 |
Full Path Disclosure CVE-2016-1501 |
Shopify |
$500 |
www.shopify.com XSS on blog pages via sharing buttons |
Twitter |
$2,520 |
XSS on OAuth authorize/authenticate endpoint |
Keybase |
$500 |
[keybase.io] Open Redirect |
Anghami |
$100 |
[CRITICAL] Login To Any Account Linked With Google+ With Email Only |
Anghami |
$300 |
[https://www.anghami.com/updatemailinfo/] Sql Injection |
Phabricator |
$450 |
Multiple so called 'type juggling' attacks. Most notably PhabricatorUser::validateCSRFToken() is 'bypassable' in certain cases. |
Romit |
$250 |
IDOR on removing Share |
Vimeo |
$100 |
Reflected XSS on vimeo.com/musicstore |
Vimeo |
$500 |
Stored XSS on player.vimeo.com |
Mail.Ru |
$150 |
XSS at af.attachmail.ru |
InVision |
$400 |
Deleting a Project for which the user is not owner but a normal member |
Shopify |
$500 |
XSS https://www.shopify.com/signup |
ownCloud |
$25 |
Full Path Disclosure CVE-2016-1501 |
Zopim |
$100 |
[API ISSUE] agents can Create agents even after they are disabled ! |
InVision |
$100 |
Content Spoofing - Signout Warning Page |
Pornhub |
$100 |
[reflected xss, pornhub.com] /blog, any |
Pornhub |
$50 |
Cross Site Scripting – Album Page |
Zendesk |
$500 |
Stored XSS in comments |
Hired |
$420 |
Stored XSS in Company Name |
Shopify |
$500 |
Self XSS in chat. |
Automattic |
$100 |
XSS in WordPress |
Gratipay |
$1 |
Possible SQL injection on "Jump to twitter" |
Shopify |
$500 |
XSS https://delivery.shopifyapps.com/ (Digital Downloads App in myshopify.com) |
Ruby on Rails |
$2,000 |
Potential XSS on sanitize/Rails::Html::WhiteListSanitizer |
InVision |
$100 |
Reflective XSS in projects.invisionapp.com |
HackerOne ★ |
$500 |
Internal bounty and swag details disclosed as part of JSON response |
HackerOne ★ |
$500 |
Private Program and bounty details disclosed as part of JSON search response |
HackerOne ★ |
$500 |
Number of invited researchers disclosed as part of JSON search response |
VK.com |
$500 |
Injection of arbitrary JavaScript in the image viewing feature of the mobile version of the site |
QIWI |
$500 |
Open access to corporate data. |
Slack |
$1,000 |
OSX slack:// protocol handler javascript injection |
Flox |
$25 |
Content spoofing through Referer header |
ok.ru |
$300 |
Access to other users' group conversations. |
ok.ru |
$150 |
Critical : Access to group videos where videos are restricted for all users(Broken authentication ) |
Udemy |
$50 |
information disclosure |
ok.ru |
$200 |
Access to other users' private photos (3) via video cover |
Mail.Ru |
$150 |
Time-Based Blind SQL Injection Attacks |
ok.ru |
$500 |
(URGENT!) Buying OK for less than it costs |
Mail.Ru |
$150 |
Cross site scripting |
ok.ru |
$200 |
Stored XSS in song name (2) on the payment gateway. |
ok.ru |
$100 |
Buying => downloading songs that are not intended for sale |
ok.ru |
$150 |
Buying a song for less than it costs. |
ok.ru |
$150 |
xss in group |
ok.ru |
$100 |
cross siite scripting in the blog |
ok.ru |
$500 |
SSRF/XSPA in the upload-video-by-URL form |
Shopify |
$1,000 |
TCP Source Port Pass Firewall |
ok.ru |
$100 |
http://217.20.144.201 privilege escalation in apache tomcat SessionExample script |
Keybase |
$100 |
Full path disclosure at https://keybase.io/_/api/1.0/invitation_request.json |
WordPoints |
$25 |
Weak Cryptographic Hash |
Mavenlink |
$25 |
Open/Unvalidated Redirect Issue |
Keybase |
$250 |
Content Sniffing not disabled |
Romit |
$250 |
GA code not verified on the server side allows sending Verification Documents on behalf of another user |
Keybase |
$250 |
No rate limiting for sensitive actions (like "forgot password") enables user enumeration |
Keybase |
$500 |
Stealing CSRF Tokens |
Keybase |
$500 |
SMTP protection not used |
Zaption |
$25 |
Open redirect filter bypass |
Zaption |
$25 |
Using GET method for account login with CSRF token leaking to external sites Via Referer. |
Zaption |
$50 |
XSS - Gallery Search Listing |
Zendesk |
$200 |
Stored Cross site scripting In developer.zendesk.com |
Romit |
$250 |
No rate limit which leads to "Users information Disclosure" including verification documents etc. |
HackerOne ★ |
$500 |
Accessing title of the report of which you are marked as duplicate |
QIWI |
$100 |
Session Cookie without HttpOnly and secure flag set |
Mapbox |
$500 |
Disclosure of map information |
Zendesk |
$50 |
Error stack trace enabled |
Romit |
$250 |
Potential for financial loss, negative Values for "Buy fee" and "Sell Fee" |
Ubiquiti Networks |
$500 |
Yet another Buffer Overflow in PHP of the AirMax Products |
Ubiquiti Networks |
$500 |
Other Buffer Overflow in PHP of the AirMax Products |
Udemy |
$150 |
Extremely high Course rating values could be set in order to make really high Average rating of the course. Negative values could be set too. |
Shopify |
$3,000 |
Attention! Remote Code Execution at http://wpt.ec2.shopify.com/ |
Shopify |
$500 |
Reflected XSS in chat |
Ubiquiti Networks |
$250 |
Buffer Overflow in PHP of the AirMax Products |
Ubiquiti Networks |
$18,000 |
Arbitrary file Upload on AirMax |
Python |
$1,000 |
Integer overflow in _json_encode_unicode leads to crash |
Python |
$500 |
Integer overflow in _pickle.c |
Python |
$1,000 |
Python: imageop Unsafe Arithmetic |
PHP |
$500 |
PHP yaml_parse/yaml_parse_file/yaml_parse_url Unsafe Deserialization |
PHP |
$1,500 |
PHP yaml_parse/yaml_parse_file/yaml_parse_url Double Free |
PHP |
$500 |
str_repeat() sign mismatch based memory corruption |
Python |
$500 |
Multiple type confusions in unicode error handlers |
Python |
$500 |
Use after free in get_filter |
Python |
$1,500 |
Multiple use after free bugs in json encoding |
Python |
$1,500 |
Multiple use after free bugs in heapq module |
Python |
$1,500 |
Multiple use after free bugs in element module |
Python |
$500 |
Tokenizer crash when processing undecodable source code |
PHP |
$500 |
php_stream_url_wrap_http_ex() type-confusion vulnerability |
PHP |
$500 |
Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER |
PHP |
$500 |
Type Confusion Vulnerability in SoapClient |
PHP |
$1,500 |
Use after free vulnerability in unserialize() with DateInterval |
The Internet |
$3,000 |
libcurl: URL request injection CVE-2014-8150 |
OpenSSL |
$2,500 |
Malformed ECParameters causes infinite loop CVE-2015-1788 |
PHP |
$1,500 |
Integer overflow in ftp_genlist() resulting in heap overflow CVE-2015-4022 |
PHP |
$1,500 |
ZIP Integer Overflow leads to writing past heap boundary CVE-2015-2331 |
PHP |
$1,000 |
Buffer Over-read in unserialize when parsing Phar CVE-2015-2783 |
PHP |
$1,000 |
Buffer Over flow when parsing tar/zip/phar in phar_set_inode CVE-2015-3329 |
OpenSSL |
$500 |
X509_to_X509_REQ NULL pointer deref CVE-2015-0288 |
PHP |
$1,500 |
Use After Free Vulnerability in unserialize() CVE-2015-2787 |
PHP |
$500 |
out of bounds read crashes php-cgi CVE-2014-9427 |
HackerOne ★ |
$500 |
CSV Injection with the CVS export feature |
VK.com |
$300 |
Vulnerability: creating photos without users' knowledge |
Pornhub |
$5,000 |
Unauthenticated access to Content Management System - www1.pornhubpremium.com |
Shopify |
$500 |
XSS at Bulk editing ProductVariants |
Pornhub |
$2,500 |
Multiple endpoints are vulnerable to XML External Entity injection (XXE) |
Pornhub |
$10,000 |
Publicly exposed SVN repository, ht.pornhub.com |
Hired |
$250 |
URGENT - Subdomain Takeover on be.hired.com. due to unclaimed domain pointing to Heroku.com |
Shopify |
$500 |
XSS in Myshopify Admin Site in DISCOUNTS |
VK.com |
$250 |
Unlinking Twitter from any VK profile! + several design bugs |
Automattic |
$100 |
Verification code issues for Two-Step Authentication |
VK.com |
$100 |
Issue in the implementation of captcha and race condition |
Shopify |
$1,000 |
Bypass access restrictions from API |
InVision |
$150 |
Enumeration and Guessable Email (OWASP-AT-002) Through Login Form |
Shopify |
$500 |
SSRF via 'Insert Image' feature of Products/Collections/Frontpage |
Mail.Ru |
$160 |
[my.mail.ru] CRLF Injection |
Shopify |
$500 |
SSRF via 'Add Image from URL' feature |
VK.com |
$200 |
Vulnerability allowing retrieval of all VK phone numbers (which also serve as profile logins) |
Shopify |
$500 |
Expire User Sessions in Admin Site does not expire user session in Shopify Application in IOS |
Mail.Ru |
$200 |
Possible xWork classLoader RCE: shared.mail.ru |
Shopify |
$500 |
XSS at Bulk editing products |
Shopify |
$500 |
XSS at importing Product List |
Sandbox Escape |
$3,000 |
Microsoft Internet Explorer ActiveX Broker Allows EPM Bypass |
Legal Robot |
$20 |
Guessing registered users in legalrobot.com |
Shopify |
$500 |
[www.*.myshopify.com] CRLF Injection |
Legal Robot |
$20 |
No valid SPF record |
HackerOne ★ |
$500 |
mailto: link injection on https://hackerone.com/directory |
Mail.Ru |
$250 |
[s.mail.ru] CRLF Injection |
VK.com |
$200 |
Vulnerability in "Tag places on photo" + feature + hacking |
HackerOne ★ |
$500 |
Invitation is not properly cancelled while inviting to bug reports. |
VK.com |
$500 |
XSS at http://vk.com on IE using flash files |
VK.com |
$400 |
Vulnerability in user's private (personal) posts |
Coinbase |
$5,000 |
OAuth authorization page vulnerable to clickjacking |
Mail.Ru |
$150 |
Activities are not Protected and able to crash app using other app (Can Malware or third party app). |
VK.com |
$100 |
Insufficient validation of Skype login |
Mapbox |
$1,000 |
Stored Cross-Site Scripting in Map Share Page |
Legal Robot |
$20 |
CSRF |
Coinbase |
$5,000 |
Big Bug with Vault which i have already reported: Case #606962 |
Mail.Ru |
$250 |
HTML Injection on e.mail.ru |
VK.com |
$500 |
API: Bug in method auth.validatePhone |
Legal Robot |
$40 |
Registration bypass using OAuth logical bug |
VK.com |
$100 |
Able to intercept app Traffic after choosing up the Secured Connection using SSL (HTTPS) |
Legal Robot |
$20 |
Missing security headers, possible clickjacking |
Legal Robot |
$20 |
missing SPF for legalrobot.com |
Shopify |
$1,000 |
Privilege Escalation - A `MEMBER` with no ACCESS to `ORDERS` can still access the orders by using `Order Printer APP` |
Romit |
$50 |
Cross site scripting |
HackerOne ★ |
$100 |
Potential denial of service in hackerone.com/<program>/reward_settings |
HackerOne ★ |
$500 |
Logic error with notifications: user that has left team continues to receive notifications and can not 'clean' this area on account |
Mavenlink |
$100 |
XSS in https://app.mavenlink.com/workspaces/ |
HackerOne ★ |
$500 |
External URL page bypass |
Shopify |
$500 |
Bulk Discount App in myshopify.com exposes http://bulkdiscounts.shopifyapps.com vulnerable to XSS |
Udemy |
$150 |
Multiple sub domain are vulnerable because of leaking full path |
Mail.Ru |
$150 |
http://tp-dev1.tp.smailru.net/ |
Mail.Ru |
$200 |
tt-mac.i.mail.ru: Quagga 0.99.23.1 (Router) : Default password and default enable password |
Shopify |
$500 |
XSS in myshopify.com Admin site in TAX Overrides |
Udemy |
$100 |
XSS on https://www.udemy.com/asset/export.html |
Udemy |
$100 |
Ability to add phishing links in discussion, "Bypassing uneducational Links add" |
Sandbox Escape |
$3,000 |
Internet Explorer Enhanced Protected Mode sandbox escape via a broker vulnerability |
Udemy |
$150 |
leak receipt of another user |
Udemy |
$100 |
xss on autosearch |
Slack |
$100 |
Bypass of the SSRF protection (Slack commands, Phabricator integration) |
Mail.Ru |
$400 |
http://fitter1.i.mail.ru/browser/ Graphite exposed to the world |
Mail.Ru |
$400 |
store-agent.mail.ru: stacked blind injection |
HackerOne ★ |
$500 |
Content Spoofing - External Link Warning Page |
Udemy |
$150 |
teach.udemy.com log poison vulnerability through wordpress debug.log being publicly available |
Udemy |
$150 |
xss profile |
HackerOne ★ |
$500 |
Reopen Disable Accounts/ Hidden Access After Disable |
drchrono |
$100 |
Accessing all appointments vulnerability |
drchrono |
$150 |
Create and Update patients vulnerability |
HackerOne ★ |
$500 |
Fake URL + Additional vectors for homograph attack |
HackerOne ★ |
$500 |
Homograph attack |
HackerOne ★ |
$500 |
Making any Report Failed to load |
Dropbox |
$512 |
XSS in dropbox main domain |
Dropbox |
$216 |
Race condition when redeeming coupon codes |
Shopify |
$500 |
Stored XSS in the Shopify Discussion Forums |
Shopify |
$500 |
SSL cookie without secure flag set |
Shopify |
$500 |
Content Spoofing |
HackerOne ★ |
$500 |
Homograph attack |
Whisper |
$50 |
Insecure Local Data Storage : Application stores data using a binary sqlite database |
Romit |
$50 |
HTML injection in email sent by romit.io |
Coinbase |
$100 |
ByPassing the email Validation Email on Sign up process in mobile apps |
Romit |
$50 |
Server responds with the server error logs on account creation |
Vimeo |
$500 |
API: missing invalidation of OAuth2 Authorization Code during access revocation causes authorization bypass |
Shopify |
$500 |
amazon aws s3 bucket content is public :- http://shopify.com.s3.amazonaws.com/ |
Shopify |
$500 |
XSS in experts.shopify.com |
Twitter |
$280 |
DOM based cookie bomb |
HackerOne ★ |
$500 |
Open-redirect on hackerone.com |
Shopify |
$4,000 |
Notification request disclose private information about other myshopify accounts |
Dropbox |
$512 |
SSRF vulnerability in app webhooks |
Whisper |
$30 |
Missing DMARC record |
Shopify |
$500 |
XSS on ecommerce.shopify.com |
HackerOne ★ |
$1,000 |
SPF whitelist of mandrill leads to email forgery |
Shopify |
$500 |
Invitation issue |
Shopify |
$500 |
Payment gateway status transferred to Shopify without authentication |
Shopify |
$1,000 |
Shop admin can change external login services |
Shopify |
$1,000 |
IDOR expire other user sessions |
Dropbox Acquisitions |
$216 |
Get email ID of any user on hackpad.com |
Shopify |
$2,000 |
Shopify android client all API request's response leakage, including access_token, cookie, response header, response body content |
Shopify |
$500 |
CSRF token fixation in facebook store app that can lead to adding attacker to victim acc |
Shopify |
$1,000 |
[persistent cross-site scripting] customers can target admins |
Shopify |
$500 |
Force 500 Internal Server Error on any shop (for one user) |
Twitter |
$280 |
Fabric.io: Ex-admin of an organization can delete team members |
Shopify |
$500 |
Open Redirect after login at http://ecommerce.shopify.com |
Shopify |
$500 |
Authentication Failed Mobile version |
Shopify |
$500 |
Open redirection in OAuth |
drchrono |
$700 |
XML Parser Bug: XXE over which leads to RCE |
PHP |
$3,000 |
Use after free vulnerability in unserialize() |
PHP |
$2,500 |
SoapClient's __call() type confusion through unserialize() |
PHP |
$2,500 |
Use after free vulnerability in unserialize() with DateTimeZone |
PHP |
$2,500 |
Free called on uninitialized pointer in exif.c |
OpenSSL |
$3,000 |
Segmentation fault for invalid PSS parameters |
Python |
$9,000 |
Multiple Python integer overflows |
Shopify |
$500 |
Missing spf flags for myshopify.com |
Coinbase |
$1,000 |
Sandboxed iframes don't show confirmation screen |
Mail.Ru |
$500 |
e.mail.ru stored XSS in agent via sticker (smile) |
Snapchat |
$100 |
Captcha Bypass in Snapchat's Geofilter Submission Process |
Snapchat |
$100 |
Vulnerable to JavaScript injection. (WXS) (Javascript injection)! |
Slack |
$100 |
Logout any user of same team |
Mapbox |
$1,000 |
Persistent cross-site scripting (XSS) in map attribution |
Shopify |
$500 |
Xss in website's link |
Twitter |
$420 |
Insecure Direct Object Reference - access to other user/group DM's |
Twitter |
$2,800 |
HTTP Response Splitting (CRLF injection) due to headers overflow |
Mapbox |
$1,000 |
Stored xss in editor |
Dropbox Acquisitions |
$216 |
XSS in https://hackpad.com/ |
Twitter |
$1,400 |
XSS in twitter.com/safety/unsafe_link_warning |
Phabricator |
$300 |
SSRF vulnerability (access to metadata server on EC2 and OpenStack) |
Coinbase |
$100 |
Blacklist bypass on Callback URLs |
Vimeo |
$250 |
[URGENT ISSUE] Add or Delete the videos in watch later list of any user . |
Phabricator |
$300 |
XSS with Time-of-Day Format |
Vimeo |
$250 |
Share your channel to any user on vimeo without following him |
Vimeo |
$250 |
Invite any user to your group without even following him |
Twitter |
$420 |
Insecure direct object reference - have access to deleted DM's |
itBit Exchange |
$200 |
secretKey for OTP , is getting leaked in response of a delete request ! |
itBit Exchange |
$200 |
confirmation bypass of 2FA devices while they are deleting |
Ubiquiti Networks |
$500 |
UniFi v3.2.10 Cross-Site Request Forgeries / Referer-Check Bypass |
Vimeo |
$150 |
Insecure Direct Object References that allows to read any comment (even if it should be private) |
Vimeo |
$500 |
Insecure Direct Object References in https://vimeo.com/forums |
Twitter |
$3,500 |
HTTP Response Splitting (CRLF injection) in report_story |
HackerOne ★ |
$500 |
Open redirect in "Language change". |
Caviar |
$500 |
Remotely modifying courier Account Details |
Vimeo |
$250 |
Post in private groups after getting removed |
Flash |
$2,000 |
Flash Cross Domain Policy Bypass by Using File Upload and Redirection - only in Chrome |
Vimeo |
$250 |
A user can enhance their videos with paid tracks without buying the track |
Whisper |
$10 |
CVE-2014-0224 openssl ccs vulnerability |
Whisper |
$100 |
Bypass pin(4 digit passcode on your android app) |
Vimeo |
$500 |
A user can post comments on other user's private videos |
Vimeo |
$250 |
A user can add videos to other user's private groups |
Vimeo |
$250 |
A user can edit comments even after video comments are disabled |
Twitter |
$560 |
open redirect sends authenticity_token to any website or (ip address) |
Ubiquiti Networks |
$500 |
CSRF in login form would led to account takeover |
The Internet |
$7,500 |
FREAK: Factoring RSA_EXPORT Keys to Impersonate TLS Servers |
Twitter |
$1,400 |
XSS in original referrer after follow |
Romit |
$50 |
The csrf token remains same after user logs in |
Ruby on Rails |
$1,000 |
rails-ujs will send CSRF tokens to other origins |
Twitter |
$560 |
Twitter Ads Campaign information disclosure through admin without any authentication. |
Twitter |
$1,400 |
Open Redirect leak of authenticity_token lead to full account take over. |
HackerOne ★ |
$5,000 |
Improperly validated fields allows injection of arbitrary HTML via spoofed React objects |
Vimeo |
$250 |
Vimeo + & Vimeo PRO Unauthorised Tax bypass |
Mail.Ru |
$300 |
RCE via JDWP |
Yelp |
$500 |
Information disclosure - emails disclosed in response > staging.seatme.us |
Mail.Ru |
$150 |
scfbp.tng.mail.ru: Heartbleed |
Mail.Ru |
$150 |
HDFS NameNode Public disclosure: http://185.5.139.33:50070/dfshealth.jsp |
Todoist |
$25 |
Remotely removing credit cards from business accounts! |
Todoist |
$25 |
Taking over a Business Account Admin |
Twitter |
$1,400 |
Redirect URL in /intent/ functionality is not properly escaped |
HackerOne ★ |
$500 |
Team member invitations to sandboxed teams are not invalidated consistently (v2) |
The Internet |
$5,000 |
Bad Write in TTF font parsing (win32k.sys) |
Coinbase |
$100 |
open authentication bug |
Slack |
$200 |
Team admin can add billing contacts |
Dropbox Acquisitions |
$729 |
Privilege Escalation at invite feature @hackpad.com |
Twitter |
$140 |
Reporting user's profile by using another people's ID |
The Internet |
$3,000 |
Heap overflow in H. Spencer’s regex library on 32 bit systems |
Romit |
$50 |
Email Enumeration (POC) |
QIWI |
$200 |
[ishop.qiwi.com] XSS + Misconfiguration |
Mail.Ru |
$600 |
Same Origin Policy bypass |
HackerOne ★ |
$2,000 |
CSP Bypass: Click handler for links with data-method="post" can cause authenticity_token to be sent off domain |
Flash |
$7,500 |
Use After Free in Flash MessageChannel.send can cause arbitrary code execution |
Flash |
$10,000 |
Use after free during the StageVideoAvailabilityEvent can result in arbitrary code execution |
Flash |
$10,000 |
Race condition in workers may cause an exploitable double free by abusing bytearray.compress() |
InVision |
$200 |
Javascript Injection |
itBit Exchange |
$50 |
Leakage of sensitive wallet tokens to third party sites |
Flash |
$2,000 |
Adobe Flash Player Out-of-Bound Access Vulnerability |
Vimeo |
$250 |
Red October 1511493148.cloud.vimeo.com |
HackerOne ★ |
$5,000 |
Markdown parsing issue enables insertion of malicious tags and event handlers |
Twitter |
$560 |
Twitter Card - Parent Window Redirection |
Slack |
$100 |
Team admin can change unauthorized team setting (allow_message_deletion) |
Slack |
$200 |
Team admin can change unauthorized team setting (require_at_for_mention) |
Romit |
$50 |
Frictionless Transferring of Wallet Ownership |
Twitter |
$1,260 |
Problem with OAuth |
HackerOne ★ |
$500 |
Team member invitations to sandboxed teams are not invalidated consistently |
HackerOne ★ |
$500 |
Insecure Direct Object Reference vulnerability |
Whisper |
$10 |
Error stack trace |
Whisper |
$25 |
Directory index and information disclosure |
HackerOne ★ |
$5,000 |
Vulnerability with the way \ escaped characters in <http://danlec.com> style links are rendered |
Vimeo |
$250 |
CRITICAL vulnerability - Insecure Direct Object Reference - Unauthorized access to `Videos` of Channel whose privacy is set to `Private`. |
Trello |
$128 |
[blog.trello.com] CRLF Injection |
Trello |
$64 |
[trello.com] Open Redirect |
Vimeo |
$100 |
XSS on Vimeo |
itBit Exchange |
$150 |
Stored xss in bank name withdraw |
Vimeo |
$100 |
ftp upload of video allows naming that is not sanitized as the manual naming |
itBit Exchange |
$50 |
weird bug ! ( missing validation on new email verfication ) |
HackerOne ★ |
$500 |
Improper way of validating a program |
itBit Exchange |
$200 |
Unsecure data in "device" response - OTP |
Vimeo |
$100 |
Vimeo Search - XSS Vulnerability [http://vimeo.com/search] |
Twitter |
$140 |
Insecure Data Storage in Vine Android App |
itBit Exchange |
$50 |
Email Length Verification |
itBit Exchange |
$500 |
Notification Emails: IP + Content-Spoofing |
Ruby on Rails |
$500 |
RCE due to Web Console IP Whitelist bypass in Rails 4.0 and 4.1 |
Vimeo |
$1,000 |
XSS on any site that includes the moogaloop flash player | deprecated embed code |
Twitter |
$140 |
Flaw in login with twitter to steal Oauth tokens |
Mail.Ru |
$150 |
Heartbleed: my.com (185.30.178.33) port 1433 |
Vimeo |
$1,000 |
Make API calls on behalf of another user (CSRF protection bypass) |
Mail.Ru |
$150 |
Hadoop Node available to public |
Vimeo |
$100 |
CRITICAL full source code/config disclosure for Cameo |
Twitter |
$420 |
twitter android app Fragment Injection |
Vimeo |
$1,000 |
abusing Thumbnails(https://vimeo.com/upload/select_thumb) to see a private video |
Vimeo |
$250 |
Ability to Download Music Tracks Without Paying (Missing permission check on`/musicstore/download`) |
Mail.Ru |
$100 |
Раскрытие номера мобильного телефона при двухфакторной аутентификации |
Vimeo |
$100 |
player.vimeo.com - Reflected XSS Vulnerability |
Vimeo |
$1,000 |
Adding profile picture to anyone on Vimeo |
Vimeo |
$260 |
Buying ondemand videos that 0.1 and sometimes for free |
Python |
$1,000 |
PyUnicode_FromFormatV crasher |
Ruby on Rails |
$1,000 |
Arbitrary file existence disclosure in Action Pack CVE-2014-7829 |
Twitter |
$1,120 |
Fabric.io - an app admin can delete team members from other user apps |
Twitter |
$1,400 |
fabric.io - app member can make himself an admin |
Vimeo |
$100 |
APIs for channels allow HTML entities that may cause XSS issue |
Vimeo |
$5,000 |
Vimeo.com Insecure Direct Object References Reset Password |
Vimeo |
$100 |
Vimeo.com - reflected xss vulnerability |
Vimeo |
$100 |
Vimeo.com - Reflected XSS Vulnerability |
Uber ★ |
$500 |
XSS on partners.uber.com |
Flash |
$1,000 |
chrome allows POST requests with custom headers using flash + 307 redirect |
Twitter |
$420 |
URGENT - Subdomain Takeover on users.tweetdeck.com , the same issue of report #32825 |
Romit |
$250 |
stored xss in transaction |
Twitter |
$1,400 |
HTML/XSS rendered in Android App of Crashlytics through fabric.io |
Romit |
$250 |
Stored XSS in api key of operator wallet |
Romit |
$100 |
Error stack trace |
Twitter |
$140 |
POODLE Bug: 199.16.156.44, 199.16.156.108, mx4.twitter.com |
Twitter |
$280 |
Open redirection in fabric.io |
Mail.Ru |
$100 |
No bruteforce protection leads to enumeration of emails in http://e.mail.ru/ |
Phabricator |
$500 |
Phabricator Phame Blog Skins Local File Inclusion |
Vimeo |
$500 |
[vimeopro.com] CRLF Injection |
Phabricator |
$300 |
Phabricator Diffusion application allows unauthorized users to delete mirrors |
Square |
$500 |
Delayed, fraudulent transactions possible with encrypted Square Reader devices due to lack of server-side verification of device transaction counter |
Mail.Ru |
$250 |
[connect.mail.ru] Memory Disclosure / IE XSS |
HackerOne ★ |
$500 |
Issue with password change |
HackerOne ★ |
$500 |
Breaking Bugs as team member |
Openfolio |
$100 |
xss in /browse/contacts/ |
Python |
$6,500 |
Misc Python bugs (Memory Corruption & Use After Free) |
QIWI |
$150 |
[qiwi.com] Open Redirect |
QIWI |
$100 |
Stored xss in agent.qiwi.com |
Greenhouse.io |
$1,000 |
Subdomain Takeover using blog.greenhouse.io pointing to Hubspot |
Eobot |
$10 |
XSS in www.eobot.com(IE9 only) |
Sucuri |
$250 |
Open Redirect in unmask.sucuri.net |
InVision |
$150 |
CSRF Token in cookies! |
Twitter |
$1,400 |
[Stored XSS] vine.co - profile page |
Coinbase |
$100 |
New Device Confirmation, token is valid until not used. |
QIWI |
$1,000 |
[send.qiwi.ru] Soap-based XXE vulnerability /soapserver/ |
QIWI |
$100 |
[qiwi.com] /oauth/confirm.action XSS |
Flash | $2,000 | Adobe Flash Player MP4 Use-After-Free Vulnerability
Apache httpd | $500 | mod_proxy_fcgi buffer overflow CVE-2014-3583
HackerOne ★ | $500 | Logic Issue with Reputation: Boost Reputation Points
QIWI | $250 | CRLF Injection [ishop.qiwi.com]
QIWI | $200 | [send.qiwi.ru] XSS at auth?login=
QIWI | $200 | [static.qiwi.com] XSS proxy.html
Twitter | $140 | getting emails of users/removing them from victim's account [using typical attack]
HackerOne ★ | $500 | Gain reputation by creating a duplicate of an existing report
PHP | $2,500 | Locale::parseLocale Double Free
Twitter | $280 | XSS via Fabrico Account Name
Mail.Ru | $500 | Filtering error
Block.io | $150 | SMTP protection not used, I can hijack your email server.
Twitter | $420 | Bad extended ascii handling in HTTP 301 redirects of t.co
HackerOne ★ | $500 | File Name Enumeration
Twitter | $1,400 | DOM Cross-Site Scripting (XSS)
InVision | $300 | Backup of wordpress configuration file found. Leaking database users/passwords
Slack | $500 | a stored xss in slack integration https://onerror.slack.com/services/import
Twitter | $1,680 | URGENT - Subdomain Takeover on media.vine.co due to unclaimed domain pointing to AWS
Mail.Ru | $200 | OpenSSL HeartBleed (CVE-2014-0160)
Twitter | $280 | XSS in fabric.io
The Internet | $3,000 | Drupal 7 pre auth sql injection and remote code execution
Twitter | $140 | Signup Page HTML Injection Vulnerability
RelateIQ | $500 | PoodleBleed
Flash | $5,000 | Adobe Flash Player Out-of-Bound Read/Write Vulnerability
HackerOne ★ | $1,000 | Ability to see common response titles of other teams (limited)
WP API | $50 | Cryptographic Side Channel in OAuth Library
Twitter | $420 | Unauthorized Tweeting on behalf of Account Owners
Twitter | $560 | Improper Verification of email address while saving Account Settings
RelateIQ | $250 | Relateiq SSLv3 deprecated protocol vulnerability.
Flash | $2,000 | Adobe Flash Player MP4 Use-After-Free Vulnerability
Coinbase | $100 | New Device confirmation tokens are not properly validated.
Square | $250 | CSRF on adding a calendar event
Square | $500 | square google calendar integration CSRF, https://squareup.com/appointments/business/settings (state parameter not checked properly)
Square | $500 | CSRF on adding clients
The Internet | $20,000 | GNU Bourne-Again Shell (Bash) 'Shellshock' Vulnerability
Twitter | $280 | Profile Pic padding (Length-hiding) fails due to use of GZIP
HackerOne ★ | $500 | Homograph attack: IDNs displayed in unicode in bug reports and on external link warning page
IRCCloud | $300 | Unvalidated Channel names cause IRC Command Injection
Square | $250 | Privilege Escalation
WePay | $350 | Horizontal Privilege Escalation
Twitter | $1,120 | XSS platform.twitter.com (video-js metadata)
HackerOne ★ | $500 | No email verification on username change
Twitter | $1,120 | XSS platform.twitter.com
Sucuri | $250 | Usage of HTTP for exporting graph data as images
Square | $250 | Redirect while opening link in new tabs
Coinbase | $100 | Credit Card Validation Issue
HackerOne ★ | $500 | Redirect FILTER bypass in report/comment
Mail.Ru | $500 | touch.mail.ru XSS via message id
Twitter | $420 | iOS App can establish Facetime calls without user's permission
Ruby on Rails | $1,500 | Active Record SQL Injection Vulnerability Affecting PostgreSQL CVE-2014-3483
Ruby on Rails | $1,500 | Active Record SQL Injection Vulnerability Affecting PostgreSQL CVE-2014-3482
PHP | $2,500 | SPL ArrayObject/SPLObjectStorage Unserialization Type Confusion Vulnerabilities CVE-2014-3515
Twitter | $1,400 | Cross site scripting on ads.twitter.com
HackerOne ★ | $500 | Window Opener Property Bug
Twitter | $1,400 | Stored xss
Square | $2,000 | malicious file upload
Flash | $1,000 | Flash Local Sandbox Bypass CVE-2014-0554
Twitter | $1,400 | ads.twitter.com xss
Square | $400 | Reflected XSS in widget script thru cookie
Twitter | $2,800 | Delete Credit Cards from any Twitter Account in ads.twitter.com [New Vulnerability]
Square | $1,000 | Reflected XSS in connect.square.com
Square | $750 | Editing Client Details of other People
Twitter | $140 | Missing Rate Limiting on https://twitter.com/account/complete
The Internet | $3,000 | open redirect in rfc6749
Mail.Ru | $1,337 | XSS via .eml file
WePay | $350 | Critical: Account removal using CSRF attack
Twitter | $140 | Full path disclosure at ads.twitter.com
Square | $2,000 | CRITICAL Account takeover via AngularJS template injection in connect.squareup.com
Django | $1,000 | CSRF protection bypass on any Django powered site via Google Analytics
Square | $500 | XSS in Client Past Activity
Square | $250 | Open Redirect [FreshBook]
Square | $500 | XSS [BookFresh]
HackerOne ★ | $100 | Change Any username and profile link in hackerone
Phabricator | $400 | Open redirection on secure.phabricator.com
Mail.Ru | $150 | money.mail.ru: Strange SMS behaviour
HackerOne ★ | $500 | Redirect while opening links in new tabs
Phabricator | $300 | Forgot Password Issue
Square | $1,500 | Blind SQL injection in www.bookfresh.com
Slack | $200 | Content Spoofing all Integrations in https://team.slack.com/services/new/
Slack | $100 | Content spoofing at Stripe Integrations
Mavenlink | $50 | privilege escalation
Mavenlink | $200 | Flash XSS on swfupload.swf showing at app.mavenlink.com
Mavenlink | $50 | Clickjacking
Mavenlink | $100 | Login CSRF
Coinbase | $1,000 | Invoice Details activate JS that is filled in
The Internet | $3,000 | rsync hash collisions may allow an attacker to corrupt or modify files
Apache httpd | $500 | moderate: mod_deflate denial of service CVE-2014-0118
Mail.Ru | $150 | cloud.mail.ru: File upload XSS using Content-Type header
Python | $1,500 | integer overflow in 'buffer' type allows reading memory
Mail.Ru | $1,000 | e.mail.ru: File upload "Chapito" circus
Mail.Ru | $100 | m.agent.mail.ru: Forging the j2me app-descriptor
RelateIQ | $100 | Cross-site Scripting in mailing (username)
Mail.Ru | $3,000 | Possibility to attach any mobile number to any email
Sandbox Escape | $5,000 | .NET Type Traversal Vulnerability CVE-2014-0257
WePay | $100 | Unauthorized Access via Join Email Link
DC Compendium | $25 | Multiple Full Path Disclosure (FPD) Vulnerability on Dccompendium.com domain
RelateIQ | $190 | Resubmitted with POC #18685 Password reset CSRF
Phabricator | $1,000 | XSS in editor by any user
WePay | $150 | CSRF on email address operations. Also performing unintended operations.
WePay | $500 | Session Fixation
DC Compendium | $50 | Backend source code disclosure on 404 pages
DC Compendium | $25 | source code disclosure
Yahoo! | $250 | Yahoo! Reflected XSS
DC Compendium | $25 | XSS on Home page
DC Compendium | $25 | Error page Cross-site scripting
DC Compendium | $25 | Clickjacking: X-Frame-Options header missing
HackerOne ★ | $100 | Denial of Service
The Internet | $6,000 | LZ4 Core CVE-2014-4611
IRCCloud | $500 | Reflected XSS in Pastebin-view
Yahoo! | $50 | Default /docs folder of PHPBB3 installation on gamesnet.yahoo.com
Phabricator | $300 | Broken Authentication and Session Management
HackerOne ★ | $100 | Category - Broken Authentication and Session Management (leads to account compromise if some conditions are met)
Slack | $100 | Password Policy issue (Weak Protect)
Mail.Ru | $400 | e.mail.ru: SMS spam with custom content
Slack | $100 | Open Redirect login account
RelateIQ | $250 | SSRF (Portscan) via Register Function (Custom Server)
RelateIQ | $200 | Failed Certificate Validation On Custom Server (Register)
Yahoo! | $200 | Yahoo Sports Fantasy Golf (Join Public Group)
Phabricator | $300 | Abusing daemon logs for Privilege escalation under certain scenarios
The Internet | $5,000 | Multiple issues in looking-glass software (aka from web to BGP injections)
Phabricator | $600 | Abusing VCS control on phabricator
Mavenlink | $50 | Non Validation of session after password reset
HackerOne ★ | $100 | Session not invalidated after password reset
Mail.Ru | $150 | SQL Injection on 11x11.mail.ru
Coinbase | $1,000 | Leaking CSRF token over HTTP resulting in CSRF protection bypass
Flash | $3,000 | Flash Sandbox Bypass CVE-2014-0535
Mavenlink | $100 | Password reset token not expiring
WePay | $300 | Open Redirect
Mavenlink | $50 | Clickjacking at https://www.mavenlink.com/ main website
Mavenlink | $50 | Login password guessing attack
WePay | $100 | Session fixation in wepay.com
Slack | $300 | SSRF on https://whitehataudit.slack.com/account/photo
Mail.Ru | $300 | connect.mail.ru: SSRF
Automattic | $250 | privilege escalation
HackerOne ★ | $100 | Potential denial of service in hackerone.com/teams/new
Mail.Ru | $1,000 | https://217.69.135.63/rb/: money.mail.ru sources disclosure
Sandbox Escape | $10,000 | Linux PI futex self-requeue bug CVE-2014-3153
IRCCloud | $100 | Host Header Injection - irccloud.com
Mail.Ru | $500 | auth.mail.ru: XSS in login form
Yahoo! | $100 | Testing for user enumeration (OWASP-AT-002) - https://gh.bouncer.login.yahoo.com
Yahoo! | $50 | Authorization issue on creative.yahoo.com
Mail.Ru | $500 | XSS in a file or folder name
Mail.Ru | $700 | XXE and SSRF on webmaster.mail.ru
Flash | $7,500 | Adobe Flash Player FileReference Use-after-Free Vulnerability CVE-2014-0538
Python | $1,500 | Python vulnerability: reading arbitrary process memory CVE-2014-4616
Mail.Ru | $150 | Stored XSS on http://cards.mail.ru
Mail.Ru | $300 | Stored XSS on http://top.mail.ru
Mail.Ru | $250 | SQL injection update.mail.ru
Yahoo! | $250 | Infrastructure and Application Admin Interfaces (OWASP-CM-007)
Mail.Ru | $400 | XSS in https://e.mail.ru/cgi-bin/lstatic (Limited use)
Coinbase | $100 | CSRF in function "Set as primary" on accounts page
99designs | $400 | report a reflected XSS
Coinbase | $100 | CSRF on "Set as primary" option on the accounts page
Coinbase | $1,000 | Bypassing 2FA for BTC transfers
Mail.Ru | $150 | SQL inj
The Internet | $3,000 | Bypassing Same Origin Policy With JSONP APIs and Flash
Slack | $500 | Stored XSS in slack.com (integrations)
Mail.Ru | $150 | SQL
Mail.Ru | $150 | SQL inj
HackerOne ★ | $100 | All Active user sessions should be deleted when user changes his password!
Mail.Ru | $200 | Time based sql injection
Mail.Ru | $200 | SQL injection [hole in the forum engine]
Slack | $500 | Stored XSS Found
HackerOne ★ | $100 | Anti-MIME-Sniffing header X-Content-Type-Options has not been set.
Ian Dunn | $25 | Xss in CampTix Event Ticketing
Ian Dunn | $25 | Stored XSS in all fields in Basic Google Maps Placemarks Settings
Mail.Ru | $250 | Home page reflected XSS
Mail.Ru | $150 | localStorage is not cleared after logout
Mail.Ru | $150 | Clickjacking
Yahoo! | $300 | information disclosure (LOAD BALANCER + URI XSS)
Yahoo! | $500 | https://caldav.calendar.yahoo.com/ - XSS (STORED)
HackerOne ★ | $100 | Password Reset Bug
HackerOne ★ | $150 | Issue with remember_user_token
Yahoo! | $250 | readable .htaccess + Source Code Disclosure (+ .SVN repository)
Flash | $2,000 | Security bypass could lead to information disclosure
Yahoo! | $2,500 | Local File Include on marketing-dam.yahoo.com
Yahoo! | $400 | invite1.us2.msg.vip.bf1.yahoo.com/ - CSRF/email disclosure
IRCCloud | $100 | Login CSRF can be bypassed (Similar approach to previous one).
IRCCloud | $1,000 | Dangerous Persistent xss
Coinbase | $100 | 2 factor authentication design flaw
IRCCloud | $100 | Host Header is not validated resulting in Open Redirect
The Internet | $7,500 | TLS Triple Handshake Attack
Yahoo! | $500 | XSS in https://hk.user.auctions.yahoo.com
Yahoo! | $250 | Bypass of the Clickjacking protection on Flickr using data URL in iframes
IRCCloud | $500 | Persistent Cross Site Scripting within the IRCCloud Pastebin
IRCCloud | $100 | iOS application does not destroy session upon logout.
IRCCloud | $100 | Bug in iOS application which could lead to unauthorised access.
IRCCloud | $100 | Missing X-Content-Type-Options
IRCCloud | $500 | Full account takeover using CSRF and password reset
IRCCloud | $500 | Session token is not verified while changing account settings, which results in account takeover
IRCCloud | $100 | Leaking Referrer in Reset Password Link
IRCCloud | $100 | Bruteforcing irccloud login
IRCCloud | $100 | Insecure cookies, Secure cookie flag not set
IRCCloud | $100 | Sign up CSRF
IRCCloud | $100 | Login CSRF
Yahoo! | $2,000 | Open Proxy, http://www.smushit.com/ysmush.it/, 4/09/14, #SpringClean
Yahoo! | $200 | CSRF Token is missing on DELETE message option on http://baseball.fantasysports.yahoo.com/b1/127146/messages
Yahoo! | $400 | CSRF Token missing on http://baseball.fantasysports.yahoo.com/b1/127146/messages
Yahoo! | $3,000 | REMOTE CODE EXECUTION/LOCAL FILE INCLUSION/XSPA/SSRF, view-source:http://sb*.geo.sp1.yahoo.com/, 4/6/14, #SpringClean
Yahoo! | $500 | Comment Spoofing at http://suggestions.yahoo.com/detail/?prop=directory&fid=97721
Python | $1,500 | Integer overflow in strop.expandtabs
Flash | $2,000 | Same Origin Security Bypass Vulnerability CVE-2014-0503
RelateIQ | $100 | Wildcard DNS in website
HackerOne ★ | $150 | creating titleless and non-closable bugs
Yahoo! | $1,000 | Header injection on rmaitrack.ads.vip.bf1.yahoo.com
Yahoo! | $250 | Cross-origin issue on rmaiauth.ads.vip.bf1.yahoo.com
Yahoo! | $300 | reflected XSS, http://extprodweb11.cc.gq1.yahoo.com/, 4/8/14, #SpringClean
Yahoo! | $500 | Significant Information Disclosure/Load balancer access, http://extprodweb11.cc.gq1.yahoo.com/, 4/8/14, #SpringClean
InVision | $200 | captcha missing
Slack | $500 | Facebook Takeover using Slack using 302 from files.slack.com with access_token
Slack | $300 | Stored XSS in Slack.com
HackerOne ★ | $100 | Marking notifications as read CSRF bug
Coinbase | $1,000 | Multiple Issues related to registering applications
The Internet | $500 | Uncontrolled Resource Consumption with XMPP-Layer Compression
Coinbase | $100 | Coinbase Android Security Vulnerabilities
Yahoo! | $100 | XSS in Yahoo! Web Analytics
Coinbase | $1,000 | Coinbase Android Application - Bitcoin Wallet Leaks OAuth Response Code
Yahoo! | $800 | From Unrestricted File Upload to Remote Command Execution
Nginx | $3,000 | SPDY heap buffer overflow CVE-2014-0133
Nginx | $3,000 | SPDY memory corruption CVE-2014-0088
Slack | $500 | Duplicate of #4550
Slack | $500 | Stored XSS in Slackbot Direct Messages
Yahoo! | $500 | Server Side Request Forgery
RelateIQ | $100 | TRACE disclosure attack may be possible
Yahoo! | $250 | XSS Vulnerability (my.yahoo.com)
Phabricator | $300 | Persistent XSS: Editor link
HackerOne ★ | $100 | Securing sensitive pages from SearchBots
Phabricator | $400 | OAuth Stealing Attack (New)
Phabricator | $300 | Control character allowed in username
Phabricator | $450 | OAuth access_token stealing in Phabricator
Slack | $500 | flash content type sniff vulnerability in api.slack.com
RelateIQ | $100 | Captcha Bypass With Extension
Ruby on Rails | $1,500 | Directory traversal attack in view resolver CVE-2014-0130
Phabricator | $300 | Unauthorized Editorial Publishing to Blogs
HackerOne ★ | $100 | Control Characters Not Stripped From Username on Signup
Yahoo! | $1,000 | SQL Injection ON HK.Promotion
Slack | $500 | Reflected Xss
RelateIQ | $100 | HTML injection in "Invite Collaborators"
Slack | $500 | Stored XSS in Channel Chat
Slack | $100 | CSRF vulnerability on https://sehacure.slack.com/account/settings
Slack | $500 | Stored XSS in username.slack.com
Slack | $200 | URL redirection flaw
Slack | $200 | Stored XSS in www.slack-files.com
Yahoo! | $100 | http://conf.member.yahoo.com configuration file disclosure
HackerOne ★ | $500 | Weird Bug - Ability to see part of other user's notification
Slack | $100 | Slack OAuth2 "redirect_uri" Bypass
Slack | $100 | Broken Authentication (including Slack OAuth bugs)
Slack | $150 | Reflected XSS can be triggered in IE
RelateIQ | $100 | Cross Site Scripting (XSS) - app.relateiq.com
RelateIQ | $100 | XSRF token problem
RelateIQ | $100 | Value of JSESSIONID and XSRF token parameter in cookie remains same before and after login
Sandbox Escape | $5,000 | Win32k Window Handle Vulnerability (EoP) CVE-2014-0262
Phabricator | $500 | Bypass auth.email-domains (2)
Phabricator | $300 | Login CSRF using Twitter OAuth
Phabricator | $1,000 | Bypass auth.email-domains
HackerOne ★ | $100 | CSS leaks SCSS debug info
Flash | $10,000 | Flash double free vulnerability leads to code execution CVE-2014-0502
Yahoo! | $1,500 | XSS on Every sports.yahoo.com page
Flash | $2,000 | Flash local-with-fileaccess Sandbox Bypass CVE-2014-0508
Yahoo! | $1,276 | HK.Yahoo.Net Remote Command Execution
Flash | $2,000 | Handling of jar: URIs bypasses AllowScriptAccess=never CVE-2014-0491
Flash | $10,000 | Flash type confusion vulnerability leads to code execution CVE-2013-5331
Yahoo! | $1,390 | Local file inclusion
Yahoo! | $3,705 | SQLi on http://sports.yahoo.com/nfl/draft
Yahoo! | $750 | Flickr: Invitations disclosure (resend feature)
HackerOne ★ | $100 | DNS Misconfiguration
Yahoo! | $800 | HTML Injection on flickr screenname using iOS App
PHP | $1,500 | PHP Heap Overflow Vulnerability in imagecrop() CVE-2013-7226
Yahoo! | $800 | XSS in my yahoo
Yahoo! | $2,500 | Security.allowDomain("*") in SWFs on img.autos.yahoo.com allows data theft from Yahoo Mail (and others)
Sandbox Escape | $3,000 | Linux 3.4+: arbitrary write with CONFIG_X86_X32 CVE-2014-0038
Yahoo! | $1,960 | Stored XSS on Flickr main page
Yahoo! | $2,173.75 | Cross-site scripting on the main page of flickr by tagging a user.
Yahoo! | $677.50 | XSS Yahoo Messenger Via Calendar.Yahoo.Com
HackerOne ★ | $100 | Autocomplete enabled in Paypal preferences
Phabricator | $300 | Improperly implemented password recovery link functionality
Phabricator | $300 | Log in a user to another account
HackerOne ★ | $100 | A password reset page does not properly validate the authenticity token at the server side.
HackerOne ★ | $100 | Information disclosure (reset password token) and changing the user's password
HackerOne ★ | $100 | Improper session management
HackerOne ★ | $150 | Switching the user to the attacker's account
HackerOne ★ | $500 | Upload profile photo from URL
HackerOne ★ | $250 | Email spoofing
HackerOne ★ | $100 | CSRF login
HackerOne ★ | $150 | Logical issues with account settings
PHP | $4,000 | PHP openssl_x509_parse() Memory Corruption Vulnerability CVE-2013-6420
The Internet | $7,500 | TLS Virtual Host Confusion
The Internet | $1,500 | OpenSSH: Memory corruption in AES-GCM support CVE-2013-4548
Ruby | $1,500 | Ruby: Heap Overflow in Floating Point Parsing CVE-2013-4164
HackerOne ★ | $100 | DNS Cache Poisoning
HackerOne ★ | $100 | Flawed account creation process allows registration of usernames corresponding to existing file names
HackerOne ★ | $500 | PNG compression DoS
HackerOne ★ | $250 | GIF flooding
HackerOne ★ | $500 | Pixel flood attack
HackerOne ★ | $100 | Session not expired on logout
HackerOne ★ | $250 | CSP not consistently applied
HackerOne ★ | $500 | RTL override symbol not stripped from file names
HackerOne ★ | $100 | Session Management
HackerOne ★ | $100 | Broken Authentication and session management OWASP A2
HackerOne ★ | $100 | Real impersonation
HackerOne ★ | $500 | Missing SPF for hackerone.com