Public HackerOne bug reports.


Team Bounty Title
Unikrn $200 HTML injection in email in
Rockstar Games $500 dom based xss in (Fix bypass)
Legal Robot $20 No length limit in invite_code can cause server degradation
Legal Robot $20 CSP script-src includes "unsafe-inline"
Legal Robot $20 Improper validation of parameters while creating issues
Legal Robot $100 Update any profile
Legal Robot $20 first name and last name restrictions bypass
Legal Robot $20 TabNabbing issue (due to target=_blank)
Legal Robot $20 Incorrect error message
Legal Robot $20 Incorrect email content when disabling 2FA
Legal Robot $20 Lengthy manual entry of 2FA secret
Trello $128 A CRLF injection into the redirect URL of can be used to cause a denial of service when later redirected to
Quora $500 [Quora Android] Possible to steal arbitrary files from mobile device
Snapchat $5,000 RCE/LFI on test Jenkins instance due to improper authentication flow
Legal Robot $40 Code injection
Legal Robot $20 User enumeration from failed login error message
Brave Software $200 URL Spoof / Brave Shield Bypass
Legal Robot $20 Change password logic inversion
Legal Robot $20 Profile fields validation bypass
Legal Robot $20 Profile shows incorrect account creation date
Rockstar Games $500 dom based xss in
Bitvise $100 The POODLE attack (SSLv3 supported)
Unikrn $50 Escaping images directory in S3 bucket when saving new avatar, using Path Traversal in filename
Boozt Fashion AB $60 Password reset token issue
Legal Robot $20 [Cross-domain Referer leakage] Password reset token leakage via referer
Automattic $225 XSS Vulnerability in WooCommerce Product Vendors plugin
Rockstar Games $600 CSRF Vulnerability allows attackers to steal SocialClub private token.
Legal Robot $20 Token leakage by referrer header & analytics
Zomato $500 Restaurant payment information leakage
Unikrn $40 Flash CSRF: Update Ad Frequency %: []
Zomato $100 Length extension attack leading to HTML injection
Legal Robot $20 No notification on change password feature
Legal Robot $20 Meta characters are not filtered into full name on profile page
Legal Robot $20 Pages don't render in old browsers like IE11
Legal Robot $60 Missing Issuer parameter on TOTP 2FA
Moneybird $50 Stored XSS at Moneybird
Legal Robot $20 [New Feature] Password history check
TTS Bug Bounty $150 The Federalist session cookie (federalist.sid) is not properly invalidated - backdoor access to the account is possible
Legal Robot $20 User enumeration
Legal Robot $20 Password complexity ignores empty spaces
Legal Robot $60 Users with 2FA can have multiple sessions
Legal Robot $20 Account profile shows encryption recovery box for all users
Legal Robot $60 Enhancement: email confirmation for 2FA recovery
Legal Robot $20 Intercom chat session information persists after logout
Legal Robot $60 2FA Error Handling on Google Authenticator
Legal Robot $90 2FA user enumeration via password reset
Legal Robot $40 Password complexity not evenly enforced
Legal Robot $90 Missing link to 2FA recovery code
Legal Robot $90 Missing link to TOTP manual enroll option
Legal Robot $60 Non-functional 2FA recovery codes
TTS Bug Bounty $150 Race condition on the Federalist API endpoints can lead to the Denial of Service attack
Zomato $50 Posting to Twitter CSRF on php/post_twitter_authenticate.php
Grabtaxi Holdings Pte Ltd $1,000 Git repository found
Twitter $10,080 XXE on in SXMP Processor
Coinbase $100 Information disclosure same issue #176002
Grabtaxi Holdings Pte Ltd $200 [] DOM XSS at /assets/bower_components/lodash/perf/
HackerOne $1,500 Reading redacted data via hackbot's answers
Grabtaxi Holdings Pte Ltd $200 Dom based xss affecting all pages from
Zomato $250 Bypass OTP verification when placing Order
$100 Learn the name of a private group and its avatar from a video.
Zomato $500 [█████████] Hardcoded credentials in Android App
Twitter $420 Open Redirect
Snapchat $250 [] Bypassing quantity limit in orders
Coinbase $100 Captcha Bypass in Coinbase SignUp Form
Rockstar Games $500 Reflected XSS via Double Encoding
Zomato $300 SQL Injection, exploitable in boolean mode
TTS Bug Bounty $350 [IDOR] The authenticated user can restart website build or view build logs on any another Federalist account
TTS Bug Bounty $300 A user who was deleted from the GitHub organization can still access all functions of Federalist if he didn't log out
Zomato $1,000 Login to any account with the email address
TTS Bug Bounty $300 Double Stored Cross-Site scripting in the admin panel
shopify-scripts $800 Use after free in mruby-mpdecimal
Apache httpd (IBB) $1,500 Apache HTTP Request Parsing Whitespace Defects CVE-2016-8743
Shopify $500 IDOR [] - User with ONLY Manage apps permission is able to get shops info and staff names from inside the shop
RubyGems $1,000 Installing a crafted gem package may create or overwrite files CVE-2017-0901
Rockstar Games $1,000 XSS in
$100 No token on adding a song to a user's playlist
shopify-scripts $800 Null pointer dereference with send/method_missing
Maximum $50 Open redirect on
Pornhub $500 Stored XSS in the any user profile using website link
Apache httpd (IBB) $1,500 ap_find_token() Buffer Overread CVE-2017-7668
Starbucks $2,000 Possible subdomain takeover at
Rockstar Games $500 flash injection in
Python (IBB) $500 Unsafe arithmetic in PyString_DecodeEscape
Pornhub $750 nickname field is vulnerable to XSS
Shopify $500 Stored XSS in *
Maximum $350 Open Redirect & Information Disclosure []
Mail.Ru $100 BruteForce Any [] Account Credentials.
Automattic $800 SSRF and local file disclosure in via FFmpeg HLS processing
Snapchat $500 CRLF Injection at
e.U. $20 Cross-site Scripting (XSS) in /updates-pro/archive/
ToyTalk $200 Host Header Injection and Cache Poisoning
Perl (IBB) $500 heap-buffer-overflow (READ of size 61) in Perl_re_intuit_start()
Rockstar Games $250 Control characters incorrectly handled on Crew Status Update
Keybase $500 Universal Cross-Site Scripting in Keybase Chrome extension
Shopify $5,000 XSS on $shop$ and via whitelist bypass in SVG icon for sales channel applications
Perl (IBB) $500 heap-buffer-overflow (READ of size 11) in Perl 5.25.x
Snapchat $15,000 Open prod Jenkins instance
Rockstar Games $1,000 Stored XSS in profile activity feed messages
Rockstar Games $1,000 Stored XSS in snapmatic comments
Shopify $3,000 XSS on any Shopify shop via abuse of the HTML5 structured clone algorithm in postMessage listener on "/:id/digital_wallets/dialog"
$100 CSRF on broadcast key reset.
Legal Robot $20 Domain takeover (
WordPress $275 DOM Based XSS In
WordPress $275 Stored self-XSS in checkout
Mail.Ru $150 XSS in portal navigation
HackerOne $10,000 WannaCrypt “Killswitch”
Mail.Ru $500 XSS in
Pornhub $250 Partial disclosure of Private Videos through data-mediabook attribute information leak
Discourse $256 Any authenticated user can download full list of users, including email
Discourse $64 SSRF in upload IMG through URL
Paragon Initiative Enterprises $50 Directory Disclosure, Email Disclosure, Zendmail vulnerability
Maximum $50 Cross-site Scripting (XSS) on []
Trello $256 Cross-Site Scripting on Trello's iPhone App
Instacart $150 Reverse Tab-nabbing at
Instacart $100 XSS at in
shopify-scripts $100 Heap Overflow in fiber_switch triggered from Fiber.transfer
Dashlane $100 [] Test Panel Disclosure
Maximum $300 IDOR in editing courses
Mail.Ru $500 XSS in
Harvest $300 [] Reflected XSS in Error Message via URL parameters
Ubiquiti Networks $100 HTML Injection on
$1,000 local file disclosure via FFmpeg hls processing
Shopify $2,000 Reflected XSS in <any> through theme preview
HackerOne $500 HackerOne reports escalation to JIRA is CSRF vulnerable
RubyGems $500 Escape sequence injection in "summary" field CVE-2017-0899
Paragon Initiative Enterprises $50 Cross-site-Scripting
shopify-scripts $200 OP_SCALL in LHS of a OP_ASGN resulting in arbitrary memory write
HackerOne $1,000 Changing Victim's JIRA Integration Settings Through Multiple Bugs
Dashlane $350 Throttling Bypass -
Dashlane $300 Extract Billing admin email address using random team id
Mapbox $300 Node modules path disclosure due to lack of error handling
Uber $2,000 phone number exposure for riders/drivers given email/uuid
$100 View the videos a user has ever sent in private messages.
Uber $8,500 SAML Authentication Bypass on
Phabricator $300 IRC-Bot exposes information
Mapbox $500 Open Aws Amazon S3 Buckets
Pornhub $350 Mixed Reflected-Stored XSS on (without user interaction) in the playlist playing section
shopify-scripts $800 heap-use-after-free in mrb_vm_exec - vm.c:1247
ICQ $1,000 Duplicate: (account access via password reset)
WordPress $150 Stored but [SELF] XSS in
shopify-scripts $100 heap use after free in fiber_switch
WordPress $387.50 Reflected XSS at via "s=" parameter
The Internet $500 Mercurial can be tricked into granting authorized users access to the Python debugger CVE-2017-9462
Trello $128 Malicious file can be hidden as Card Attachment or Card Cover image
WordPress $275 XSS in the search bar of
YouPorn $250 DOM-based XSS on (main page)
OpenSSL (IBB) $500 Excessive allocation of memory in dtls1_preprocess_fragment() (CVE-2016-6308) CVE-2016-6308
OpenSSL (IBB) $500 Excessive allocation of memory in tls_get_message_header() (CVE-2016-6307) CVE-2016-6307
OpenSSL (IBB) $500 Certificate message OOB reads (CVE-2016-6306) CVE-2016-6306
OpenSSL (IBB) $500 OOB read in TS_OBJ_print_bio() (CVE-2016-2180) CVE-2016-2180
OpenSSL (IBB) $500 OOB write in BN_bn2dec() (CVE-2016-2182) CVE-2016-2182
OpenSSL (IBB) $500 Malformed SHA512 ticket DoS (CVE-2016-6302) CVE-2016-6302
OpenSSL (IBB) $500 OOB write in MDC2_Update() (CVE-2016-6303) CVE-2016-6303
$300 Blind SQL Injection
shopify-scripts $800 Null pointer dereferences in kh_copy_mt
Twitter $560 HTTP 401 response injection on "" through "image_src" parameter
shopify-scripts $800 heap-buffer-overflow (read outside of buffer) in mrb_vm_exec()
Open-Xchange $200 Critical : View/Edit access to private appointments of calendar folder by read only user (Vertical privilege escalation)
Open-Xchange $200 Unauthorized access to attachments details of Private Calendar appointments (Access control issue)
Mavenlink $50 Tabnabbing via Window.Opener @Mavenlink
Ubiquiti Networks $100 Expired SSL certificate
Algolia $200 [GitHub Extension] Unsanitised HTML leading to XSS on
HackerOne $750 Race condition leads to duplicate payouts
HackerOne $500 Subdomain takeover #4 at
shopify-scripts $100 mirb only: stack-buffer-overflow (OOB write) in main()
Maximum $25 XSS
$100 returns the HTML of an authenticated page in the response
Dovecot $600 Dovecot authentication is vulnerable to timing attacks.
shopify-scripts $100 Invalid Pointer reference in L_RESCUE
Harvest $400 Client can redirect payment, causing payment discrepancy between Harvest and PayPal
Uber $5,000 Authentication bypass on via subdomain takeover of
Twitter $280 [██████████] .htpasswd disclosure
Open-Xchange $200 Resend invitation to members by Read only user (Privilege Escalation)
$2,000 Ability to compromise any user not using two-factor authentication by receiving the recovery code on someone else's phone number.
Ubiquiti Networks $150 XSS
Ubiquiti Networks $500 [] Insecure CORS, Stealing Cookies
shopify-scripts $100 SIGABRT in sym_validate_len - symbol.c:44
Coinbase $100 []Content Injection
shopify-scripts $800 Invalid pointer dereference in OP_ENTER
shopify-scripts $800 SIGSEGV in array_copy - array.c:71
Twitter $560 [Gnip Blogs] Reflected XSS via "plupload.flash.swf" component vulnerable to SOME
Kaspersky Lab $400 In App purchase Hack
Automattic $500 An Automattic employee's GitHub personal access token exposed in Travis CI build logs
shopify-scripts $800 Null pointer dereference in OP_ENTER
Starbucks $500 Stored XSS in comments on*
RubyGems $1,000 Request Hijacking Vulnerability in RubyGems 2.6.11 and earlier CVE-2017-0902
Shopify $1,000 XSS in $shop$ via twine template injection in "Shopify.API.Modal.input" method when using a malicious app
Shopify $800 XSS in $shop$ via "Button Objects" in malicious app
shopify-scripts $800 kh_put_iv SEGFAULT - mruby 1.2.0
Maximum $300 Possible to view and takeover other user's education and courses @
Maximum $150 Possible to unsubscribe from activities using CSRF @
HackerOne $1,000 Subdomain takeover #3 at
shopify-scripts $100 SIGSEGV in mrb_vm_exec
shopify-scripts $800 SIGSEGV in mrb_str_inum
Mail.Ru $750 Stored XSS in (payload affect multiple users)
shopify-scripts $800 Heap Buffer Overflow in mrb_hash_keys
OpenSSL (IBB) $2,500 OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
Nextcloud $450 Reflected XSS in error pages (NC-SA-2017-008) CVE-2017-0891
Pornhub $250 Reflected XSS in login redirection module
Phabricator $750 Phabricator is vulnerable to padding oracle attacks and chosen-ciphertext attacks.
shopify-scripts $800 SIGABRT - in free
shopify-scripts $800 heap use-after-free in mrb_vm_exec()
shopify-scripts $800 Crash in ary_concat()
Shopify $500 Full access at an internal service of Shopify
Pornhub $500 Blind Stored XSS against Pornhub employees using Amateur Model Program
shopify-scripts $800 Null pointer dereferences in mrb_get_args
shopify-scripts $800 SIGABRT in mrb_debug_info_append_file
shopify-scripts $800 Null pointer dereference in mrb_class
shopify-scripts $300 Garbage collector crash
HackerOne $2,000 A HackerOne employee's GitHub personal access token exposed in Travis CI build logs
shopify-scripts $800 SIGSEGV in mrb_class
ownCloud $150 HTML Injection in Owncloud
Twitter $2,520 CSRF on Periscope Web OAuth authorization endpoint
$200 Replacing the SSL certificate of any group in the Manage Group -> API section as an unauthenticated user.
Ubiquiti Networks $6,000 Ability to log in as any user without authentication if █████████ is empty
Brave Software $100 [iOS] URL can be replaceState by blob URL in iOS Brave
shopify-scripts $800 SIGSEGV in mrb_vm_exec
HackerOne $500 Report invitation links not restricted to any existing user
Rockstar Games $350 Profile bio at rockstar is accepting control characters
shopify-scripts $800 Null pointer dereference in ary_concat
Shopify $500 Stored passive XSS at scheduled posts (
shopify-scripts $100 SIGABRT - mirb - Double Free
Rockstar Games $350 Login form on non-HTTPS page
Trello $768 Rate limiting of incorrect Two Factor Authentication codes not enforced
shopify-scripts $800 Null pointer dereferences in ary_concat
Yelp $100 Clickjacking Vulnerability found on Yelp
Shopify $1,500 Stored XSS in [shop][id]
Discourse $512 Admin Command Injection via username in user_archive ExportCsvFile
BrickFTP $600 File access controls incorrectly enforced for files shared via QuickLink - Unshared files can be accessed
shopify-scripts $800 SIGABRT - mirb and mruby
Phabricator $600 Differential "Show Raw File" feature exposes generated files to unauthorised users
Legal Robot $60 Token leakage by referrer
shopify-scripts $800 SIGSEGV - mrb_obj_value
Discourse $512 Arbitrary Local-File Read from Admin - Restore From Backup due to Symlinks
shopify-scripts $800 Use-after-free leading to an invalid pointer dereference
shopify-scripts $100 SIGSEGV in str_buf_cat
Nextcloud $250 DOM XSS vulnerability in search dialogue (NC-SA-2017-007) CVE-2017-0890
Legal Robot $40 Password reset form ignores email field
shopify-scripts $800 SIGABRT in only mirb
HackerOne $750 IE 11 Self-XSS on Jira Integration Preview Base Link
Imgur $5,000 RCE by command line argument injection to `gm convert` in `/edit/process?a=crop`
shopify-scripts $800 SIGSEGV - kh_get_n2s - in /src/symbol.c:37
shopify-scripts $100 sprintf gem - format string combined attack
shopify-scripts $800 Null pointer dereference in mrb_class
shopify-scripts $800 SIGSEGV - mrb_yield_with_class
Algolia $100 An “algobot”'s GitHub access token was leaked
Moneybird $50 Stored Cross Site Scripting in Customer Name
Shopify $500 Stealing users' facebook access tokens -
Rockstar Games $150 Source Code Disclosure (CGI)
Gratipay $1 Inadequate/dangerous jQuery behavior
$200 Post on any user's wall on their behalf if they follow a link.
shopify-scripts $800 Null pointer dereference in 'get_file'
Rockstar Games $350 Control Character Injection In Messages
LocalTapiola $100 XSS on 3rd party service Localtapiola is using
Rockstar Games $300 use of unsafe host header leads to open redirect
shopify-scripts $800 Null pointer dereferences from mrb_vm_exec
Slack $850 Bypass to postMessage origin validation via FTP
Rockstar Games $150 Full path Disclosure in
shopify-scripts $800 mrb_vm_exec - null ptr dereference
Rockstar Games $150 SSLv3 POODLE Vulnerability
shopify-scripts $800 Invalid Pointer Reference from OP_RESCUE
HackerOne $500 Transitioning a Private Program to Public Does Not Clear Previously Private Updates to Hackers
shopify-scripts $800 SIGSEGV - mark_context_stack
HackerOne $100 javascript: and mailto: links are allowed in JIRA integration settings
shopify-scripts $800 Heap buffer overflow in mruby value_move
Starbucks $250 DOM XSS on via "pr_zip_location" parameter
shopify-scripts $800 Heap buffer overflow with long array assignment
LocalTapiola $264 HTML Injection in email from
Ruby $500 public report - Reproducible - Writable RubyCi Amazon s3 bucket[207053]
Ruby $500 Open S3 Bucket WriteAble To Any Aws User
HackerOne $1,000 Subdomain takeover #2 at
Twitter $7,560 [URGENT] Opportunity to publish tweets on any twitters account
BrickFTP $100 CSRF @ configuration
Udemy $50 Subdomain Takeover at
$100 Bypass of: "This audio is not available for listening in your region."
Ubiquiti Networks $100 Reflected cross-site scripting (XSS) vulnerability in allows attackers to inject arbitrary web script via p parameter.
shopify-scripts $800 Null pointer dereference in mark_context_stack
Lyst $100 Site configured improperly at subdomain of
shopify-scripts $100 Memory corruption in mrb_gc_mark
LocalTapiola $200 Brute force unsubscription on /webApp/unsub_sb (
LocalTapiola $50 /icons/README is still available on
Perl (IBB) $1,000 read outside of buffer (heap buffer overflow) in S_regmatch - regexec.c:6057
Pornhub $50 stored XSS in widget stylesheet
shopify-scripts $800 Heap use-after-free in mrb_vm_exec
Ubiquiti Networks $1,000 sqli
Shopify $500 Subdomain takeover on
Lyst $100 Mixed Active content issue on
shopify-scripts $100 Controlled address leak due to type confusion - ASLR bypass
HackerOne $750 Information leakage via CSV when content is valid JavaScript
Slack $3,000 Stealing xoxs-tokens using weak postMessage / call-popup redirect to current team domain
Ruby $500 Writable RubyCi Amazon s3 bucket
HackerOne $1,500 Stealing contact form data on using Marketo Forms XSS with postMessage frame-jumping and jQuery-JSONP
Uber $2,500 SQL injection in 3rd party software Anomali
Robinhood $100 Open Redirect located at
YouPorn $100 XSS via login cookie
Starbucks $750 Persistent CSRF in /GiftCert-AddToBasket prevents purchases on eCommerce sites
shopify-scripts $800 Heap Buffer Overflow while processing OP_SEND
Imgur $2,500 Remote Code Execution on
shopify-scripts $800 mruby heap use-after-free
LocalTapiola $50 show control page if you insert ' at
shopify-scripts $100 Integer overflow in str_substr leading to read/write out of bound memory
shopify-scripts $800 Use After Free in mrb_vm_exec
shopify-scripts $800 Heap Buffer overflow in mrb_ary_unshift
shopify-scripts $100 SIGABRT - method_missing - mark_context_stack
Zopim $50 express config leaking stacktrace
Uber $1,500 pam-ussh may be tricked into using another logged in user's ssh-agent
shopify-scripts $800 A crash when an exception is caught in a caller and the receiver returned from `ensure`
shopify-scripts $100 segfault in mruby's sprintf - mrb_str_format
WordPress $350 Infrastructure - Photon - SSRF
shopify-scripts $800 Heap buffer overflow with many arguments
Rockstar Games $1,400 <- Critical IDOR vulnerability in socialclub allow to insert and delete comments as another user and it discloses sensitive information ->
LocalTapiola $315 High server resource usage on captcha (
shopify-scripts $1,000 Segmentation fault while printing backtrace
YouPorn $250 Reflected XSS in Meta Tag
YouPorn $2,500 Time Based SQL-inject in post-parametr login[username] [domain -]
$100 Open Redirect in <customer>
Ubiquiti Networks $150 AirFibre products vulnerable to HTTP Header injection
shopify-scripts $800 forgot to add the patch
Nextcloud $183 Calendar and addressbook names disclosed (NC-SA-2017-012) CVE-2017-0895
WordPress $350 Wordpress 4.7.2 - Two XSS in Media Upload when file too large.
shopify-scripts $100 SIGSEGV - mrb_vm_exec - line:1312
Algolia $100 Reflected XSS
YouPorn $150 Find whether a video has been favourited or not, for any user [via YouPorn Mobile API]
Pornhub $1,500 Wordpress Content injection
Twitter $7,560 Vine all registered user Private/sensitive information disclosure [IP address/phone no/email and much other information]
HackerOne $1,000 Subdomain takeover at
$400 Missing Server Side Rate Limiting can Lead to VK Account Take over
Mapbox $750 Public access to objects in AWS S3 bucket
shopify-scripts $800 Denial of service (segfault) due to null pointer dereference in mrb_vm_exec
shopify-scripts $800 Denial of service (segfault) due to null pointer dereference in mrb_obj_instance_eval
Pornhub $250 XSS Vulnerability at URL endpoint
Pornhub $250 [xss], /redeem?code= URL endpoint
Phabricator $300 User with only Viewing Privilege can send message to Room
shopify-scripts $100 Null pointer dereference in mrb_random_initialize
Instacart $100 Login with Google Not Authenticated on iOS App
Ubiquiti Networks $600 Wordpress directories/files visible to internet
YouPorn $1,000 Account hijack via deleted PH account
shopify-scripts $800 SIGSEGV - vm.c - line:1214
shopify-scripts $100 Segmentfault at mrb_vm_exec
shopify-scripts $2,000 Recursion causing uninitialized memory reads leading to a segfault
Automattic $250 cloudup Subdomain Takeover That resolves to ( CNAME )
LocalTapiola $400 Single user DOS on selectedLanguage -cookie (
Ubiquiti Networks $150 Can upload files without authentication on AirFibre 3.2
OpenSSL (IBB) $1,000 CVE-2017-3730: Bad (EC)DHE parameters cause a client crash
LocalTapiola $100 Enumeration in unsubscribe -function of /omatalousuk (
Twitter $5,040 Attacker can get all information of a Vine repost user, even IP address and location.
LocalTapiola $150 Reflected XSS on iltakoulu_varkaus (
PHP (IBB) $500 Out of bounds memory read in unserialize() CVE-2016-10161
Algolia $100 [] DOM Based XSS github-btn.html
shopify-scripts $100 heap-use-after-free /home/operac/testafl/mruby/mrubylast/mruby/src/gc.c
LocalTapiola $1,350 SQL Injection /webApp/cancel_iltakoulu regId parameter (
Ubiquiti Networks $100 [] DOM Based XSS nuttyapp github-btn.html
LocalTapiola $50 CSRF bypass + XSS on
Alvosec $3 Alvocrypt uses a cryptographically insecure PRNG.
Slack $1,000 Access of Android protected components via embedded intent
shopify-scripts $100 Incorrect code generation with redo inside NODE_RESCUE.
LocalTapiola $1,350 SQL Injection on /webApp/lapsuudenturva (
LocalTapiola $350 Sql injection on /webApp/sijoituswebinaari (
LocalTapiola $350 SQL Injection on /webApp/viivanalle (
Harvest $250 Persistent XSS on ForecastApp
HackerOne $500 Google Analytics could be used as CSP bypass for data exfiltration on
shopify-scripts $800 Aborted - proc.c - line:143
Twitter $560 Clickjacking on Chrome
shopify-scripts $100 SIGABRT - mrb_realloc_simple - gc.c - line:201
QIWI $150 [XSS/] Pay SubDomain Hard-Use XSS
QIWI $250 [XSS/] 3DSecure XSS
Ubiquiti Networks $2,000 [EdgeSwitch] Web GUI command injection as root with Privilege-1 and Privilege-15 users
shopify-scripts $100 Crash in print_backtrace
Discourse $256 Stored XSS in posts because of absence of oembed variables values escaping
Discourse $256 Stored XSS in topics because of whitelisted_generic engine vulnerability
shopify-scripts $800 Null pointer dereference in mrb_str_modify
shopify-scripts $800 Still heap overflow in mrb_ary_splice
shopify-scripts $100 SIGSEGV - mrb_obj_extend - line:413
shopify-scripts $800 SIGSEGV - mrb_vm_exec - line:1681
Discourse $256 XSS in topics because of bandcamp preview engine vulnerability
$300 SSRF via Share bots
Rockstar Games $650 [IMP] - Blind XSS in the admin panel for reviewing comments
Rockstar Games $500 Ability to post comments to a crew even after getting kicked out
YouPorn $1,000 IDOR - Access to private video thumbnails even if video requires password authentication
$100 Ability to view the video recommendations of any VKontakte user
Starbucks $375 Open redirect / Reflected XSS payload in root that affects all your sites (store.starbucks.* / shop.starbucks.* /
shopify-scripts $800 Heap Buffer overflow in mrb_funcall_with_block
HackerOne $2,000 Disclose any user's private email through API
Slack $200 dom xss in
shopify-scripts $800 Segmentation fault on program counter
Shopify $500 - CSRF token leakage through Google Analytics
shopify-scripts $800 SIGSEGV - mrb_vm_exec - vm.c in line:1272
shopify-scripts $800 SIGSEGV in mrb_vm_exec
Snapchat $250 RTLO char allowed in chat
Instacart $100 XSS in
PHP (IBB) $500 Use of uninitialized memory in unserialize() CVE-2017-5340
shopify-scripts $100 Segmentation fault - mrb_gc_mark
Slack $100 Subdomain takeover on
Starbucks $250 SAP Server - default credentials enabled
Shopify $1,000 CSRF in all API endpoints when authenticated using HTTP Authentication
Open-Xchange $250 Set Cookie Via SVG
shopify-scripts $800 Heap overflow due to off-by-one when expanding stack
shopify-scripts $200 Heap use-after-free during range creation
Shopify $500 Authentication Bypass on monitoring server
LocalTapiola $100 OpenSSL Padding Oracle Attack (CVE-2016-2107) on
Yelp $100 Able to download arbitrary PHP files at
Skyport Systems $25 Nginx version disclosure via forbidden page
LocalTapiola $400 Reflected XSS and Open Redirect (
shopify-scripts $800 SIGABRT - mrb_default_allocf
shopify-scripts $800 SIGSEGV - kh_resize_iv - Null Deref
shopify-scripts $200 Double free of filename after codegen error
shopify-scripts $800 attempting double-free using the mruby compiler `mrbc`
Zendesk $2,000 a stored xss in web widget chat
shopify-scripts $800 Use After Free in str_replace
shopify-scripts $800 Null pointer dereference in mrb_str_prepend
shopify-scripts $800 mrb_str_modify try to write to memory not marked for writing
shopify-scripts $800 SIGSEGV - mrb_check_intern_str() - NullPointer
WebSummit $20 Subdomain Takeover at
shopify-scripts $1,000 Memory disclosure in timegm
Mapbox $1,000 Mapbox Android SDK uses Broadcast Receiver instead of Local Broadcast Manager
shopify-scripts $800 SIGSEGV Null Pointer mrb_str_concat()
shopify-scripts $100 heap-buffer-overflow on mruby
YouPorn $1,000 Account takeover via Pornhub Oauth
LocalTapiola $150 Creating arbitrary cookies values /cs/CookieServer (
Discourse $128 Users can bookmark other user's messages
shopify-scripts $800 kh_get_n2s() stack overrun
shopify-scripts $800 SIGABRT, SIGSEGV mspace_free() and mrb_default_allocf()
shopify-scripts $800 SIGSEGV on mrb_vm_exec() Null Deref
Harvest $300 Unauthorised read Access to Expense Receipt of any user in the company(Vertical Privilege escalation)
shopify-scripts $800 Heap Overflow in mrb_arb_splice
shopify-scripts $100 mrb_vformat() heap overflow could lead to code execution
shopify-scripts $100 Integer Overflow in mrb_ary_set
Discourse $256 XSS vulnerability on Audio and Video parsers
Shopify $1,000 Stored XSS in blog comments through Shopify API
Shopify $500 XSS on postal codes
Badoo $280 CSRF Attack on ( account and erasing imported contacts
Ruby $500 Buffer underflow in sprintf
shopify-scripts $800 SIGSEGV mrb_obj_freeze() Manipulating Register RAX and RSI
Nextcloud $300 Limitation of app specific password scope can be bypassed (NC-SA-2017-009) CVE-2017-0892
shopify-scripts $800 SIGSEGV on mruby mrb_get_args()
Discourse $256 XSS Vulnerability on Image link parser
Discourse $256 DOM Based XSS in Discourse Search
shopify-scripts $1,000 Incorrect code generation when result of NODE_NEGATE is not used
Pornhub $1,000 XSS vulnerability using GIF tags
Legal Robot $20 Password complexity requirements not enforced
LocalTapiola $1,350 SQL Injection on /webApp/sijoitustalousuk email-parameter + potential lack of CSRF Token (
LocalTapiola $450 Reflected XSS and Open Redirect in several parameters (
Twitter $1,680 CRLF and XSS stored on
shopify-scripts $100 Invalid memory access in `mrb_str_format`
Twitter $140 Sub Domain Takeover at
Uber $2,500 Authorization issue in Google G Suite allows DoS through HTTP redirect
LocalTapiola $1,350 SQL Injection in lapsuudenturva (
LocalTapiola $50 Reflected XSS on sankarikoulutus (
Shopify $500 XSS on manually entering Postal codes
PHP (IBB) $500 Invalid parameter in memcpy function through openssl_pbkdf2
PHP (IBB) $500 imagefilltoborder stackoverflow on truecolor images
Starbucks $250 Reflected XSS on (Locale-Change)
LocalTapiola $1,350 SQL Injection in sijoitustalous_peruutus (
QIWI $100 [] .bash_history
LocalTapiola $400 Open Redirect bypass and cookie leakage on
shopify-scripts $1,000 Segfault when passing invalid values to `values_at`
Quora $150 [Android] XSS via start ContentActivity
Quora $300 [] 429 Too Many Requests Error-Page XSS
HackerOne $500 Websites opened from reports can change url of report page
shopify-scripts $10,000 Certain inputs cause tight C-level recursion leading to process stack overflow
Shopify $500 Unauthenticated Stored XSS on <any> via checkout page
Pornhub $5,000 Unsecured DB instance
Starbucks $500 Persistent XSS in
HackerOne $10,000 Information Disclosure in /skills call
Pornhub $750 Unsecured Kibana/Elasticsearch instance
shopify-scripts $10,000 Buffer overflow in mrb_time_asctime
shopify-scripts $8,000 Segmentation fault due to bad memory access in kh_get_mt
Starbucks $150 Dom Based Xss DIV.innerHTML parameters store.starbucks*
Twitter $280 Vine - overwrite account associated with email via android application
shopify-scripts $10,000 Null pointer dereference due to bug in codegen with negation without using value
Slack $500 Stored XSS
shopify-scripts $10,000 Invalid handling of zero-length heredoc identifiers leads to infinite loop in the sandbox
Starbucks $2,000 Subdomain takeover on due to non-used AWS S3 DNS record
shopify-scripts $10,000 Crash: Overwriting NoMethodError with a builtin class crashes/corrupts memory
Pornhub $150 Stored XSS on the
Starbucks $100 Stored XSS in Address Book (
Shopify $500 Stored XSS at 'Buy Button' page
Phabricator $300 Fetching binaries (for software installation) over HTTP without verification (RCE as ROOT by MITM)
Pornhub $1,500 IDOR - disclosure of private videos - /api_android_v3/getUserVideos
HackerOne $12,500 Internal attachments can be exported via "Export as .zip" feature
shopify-scripts $1,000 Crash: A call to leads to a crash when inspecting the resulting object
Ian Dunn $25 constant cache_page_secret in regolith
Ian Dunn $50 unchecked unserialize usages in audit-trail-extension/audit-trail-extension.php
Ian Dunn $25 unchecked unserialize usage in WordPress-Functionality-Plugin-Skeleton/functionality-plugin-skeleton.php
shopify-scripts $1,000 Invalid memory write caused by incorrect upper bound in array_copy
Twitter $560 Twitter for android is exposing user's location to any installed android app
Gratipay $1 Incomplete or No Cache-control and Pragma HTTP Header Set
Shopify $500 XSS in in widget
shopify-scripts $8,000 Crash: mrb_any_to_s can't handle NilClass, Symbol and Fixnum
shopify-scripts $10,000 Crash: Initialize Decimal with itself triggers an assertion
shopify-scripts $1,000 Null pointer dereference regression in parse.y
shopify-scripts $18,000 Type confusion in wrap_decimal leading to memory corruption
shopify-scripts $20,000 Type confusion in mrb_exc_set leading to memory corruption
shopify-scripts $8,000 Crash: calling Proc::initialize_copy with a Proc instance where initialize never ran leads to a crash
shopify-scripts $1,000 Read after free in mrb_vm_exec with OP_ARYCAT reading R(B)
shopify-scripts $8,000 Denial of service due to invalid memory access in mrb_ary_concat
Slack $1,000 Eavesdropping on private Slack calls
shopify-scripts $8,000 mruby-time: Crash host with uninitialized Time obj
LocalTapiola $50 Disclosure of IBM Websphere page
LocalTapiola $450 XSS and open redirect in
Pornhub $520 Race Condition Vulnerability On
WordPress $350 [Buddypress] Arbitrary File Deletion through bp_avatar_set
LocalTapiola $100 SMTP configuration vulnerability
shopify-scripts $8,000 Segmentation fault when a Ruby method is invoked by a C method via Object#send
shopify-scripts $8,000 Null target_class DoS
shopify-scripts $10,000 Segfault and/or potential unwanted (byte)code execution with "break" and "||=" inside a loop
$500 Possibility of carrying out a DoS attack on behalf of the server
shopify-scripts $8,000 SIGSEGV on mruby's mark_tbl() (Invalid memory access)
shopify-scripts $8,000 SIGSEGV on mruby mrb_str_modify() (Invalid memory access)
Boozt Fashion AB $200 Email link poisoning / Host header attack
shopify-scripts $10,000 Broken handling of maximum number of method call arguments leads to segfault
Badoo $140 Email Spoofing
HackerOne $10,000 Partial disclosure of report activity through new "Export as .zip" feature
shopify-scripts $10,000 Null pointer dereference due to TOCTTOU bug in mrb_time_initialize
LocalTapiola $60 Option method enabled (
Python (IBB) $500 Type confusion in FutureIter_throw() which may potentially lead to an arbitrary code execution
PortSwigger Web Security $350 XSS in IE11 on via Flash
Pornhub $200 Reflected cross-site scripting (XSS) vulnerability in allows attackers to inject arbitrary web script or HTML.
Udemy $300 Complete Compromise & Source Code Disclosure via Exposed Jenkins Dashboard at
shopify-scripts $8,000 SIGSEGV on mrb_ary_splice
Imgur $250 Stored xss in ALBUM DESCRIPTION
shopify-scripts $10,000 Range constructor type confusion DoS
shopify-scripts $20,000 TOCTTOU bug in mrb_str_setbyte leading to memory corruption
shopify-scripts $18,000 Struct type confusion RCE
shopify-scripts $10,000 SIGSEGV when invalid argument on remove_method
shopify-scripts $20,000 DoS: type confusion in mrb_no_method_error
Udemy $200 Jenkins
LocalTapiola $150 Multiple Reflected XSS /webApp/lahti (
shopify-scripts $10,000 Segfault in mruby, mruby_engine and the parent MRI Ruby due to null pointer dereference
LocalTapiola $350 SQL Injection /webApp/sijoitustalous_peruutus locId parameter (
$1,500 Stored XSS in private messages
LocalTapiola $264 HTML Injection in email /webApp/lahti (
LocalTapiola $350 SQL Injection /webApp/oma_conf ctx parameter (
LocalTapiola $60 Poodle attack SSLv3 Support (
Twitter $1,120 [IDOR][] Opportunity to change any comment at the forum
shopify-scripts $8,000 Undefined method_missing null pointer dereference
shopify-scripts $10,000 Range#initialize_copy null pointer dereference
shopify-scripts $10,000 NULL pointer dereference when parsing ternary operators
Ubiquiti Networks $500 Subdomain Takeover (
LocalTapiola $100 Error Page Content Spoofing or Text Injection (
shopify-scripts $20,000 Use after free vulnerability in mruby Array#to_h causing DOS possible RCE
shopify-scripts $2,000 Memory disclosure in mruby String#lines method
shopify-scripts $8,000 Denial of Service in mruby due to null pointer dereference
Coinbase $100 Window.opener bug at
shopify-scripts $10,000 Exception cause SIGABRT
Legal Robot $40 Password reset access control
shopify-scripts $8,000 ruby DoS
Legal Robot $40 Missing restriction on string size in profile fields
Yelp $300 X.509 certificate validation fails on international vanity domains
$300 SSRF (open) - via GET request
Trello $2,048 Stealing power up private tokens (trello, twitter, github...)
Zopim $100 Android SDK - CREATE_REQUEST broadcast is unprotected
Open-Xchange $500 Reflected Cross-Site Scripting due to vulnerable Flash component (Flashmediaelement.swf)
Open-Xchange $100 Selecting encryption for email with drive attachment overrides the drive email password
LocalTapiola $100 Suspicious browser fingerprinting(?) scripts on redirector
LocalTapiola $1,560 SQL Injection on /webApp/omatalousuk (
Blockchain $100 Information disclosure at
Open-Xchange $666 Tab nabbing via window.opener
Open-Xchange $300 Stored XSS in Template Documents
Blockchain $400 Reflected XSS on
$1,000 New 2FA Bypass
LocalTapiola $400 Open Redirect (
Blockchain $50 server version disclosure
Ubiquiti Networks $500 Stored XSS in
Imgur $5,000 Unauthenticated Docker registry
Nextcloud $50 Content Spoofing in "files" app CVE-2017-0888
Yelp $500 CSRF on signup endpoint (
Badoo $280 Leave inaccessible messaging system with a message (
Badoo $260 Arbitrary modification of the "session" value (Cookie) in
Instacart $100 Access private list metadata
Uber $1,000 ability to retrieve a user's phone-number/email for a given inviteCode
InVision $300 CORS Man-in-the-Middle account compromise
Shopify $1,500 Misconfiguration in Two Factor Authorisation
Twitter $280 SSRF in
QIWI $300 Balance disclosure on //
Harvest $250 Stored XSS in Restoring Archived Tasks
Starbucks $375 CSRF exploit | Adding/Editing comment of wishlist items ( - Wishlist-Comments)
Starbucks $150 CSRF vulnerability in saving payment card on (COBilling -AddCreditCard)
Badoo $140 Unvalidated redirect on
LocalTapiola $588 Lahitapiola's customer names sent to a 3rd party
Starbucks $375 Reflected XSS by exploiting CSRF vulnerability on wishlist comment module. (wishlist-comments)
Starbucks $250 CSRF: add item to victim's cart automatically ( - updatecart)
LocalTapiola $750 Email Server Compromised at
Mindoktor $2,000 XSS at endpoint in flash cookie
Mindoktor $300 Storing sensitive information on cookie post-registration
Coinbase $200 Authentication Issue
Brave Software $50 [ios] Address bar spoofing in Brave for iOS
Harvest $100 Editing a project (LIMITED)
Twitter $2,520 Cross-site scripting (reflected)
itBit Exchange $1,000 Rounding error issue -> produce money for free
Brave Software $100 Denial of service attack(window object) on brave browser
Shopify $500 race condition in adding team members
Brave Software $50 Denial of service attack on Brave Browser.
Coinbase $100 Information disclosure of user by email using buy widget
Brave Software $100 Access to local file system using javascript
Brave Software $200 [iOS/Android] Address Bar Spoofing Vulnerability
Brave Software $100 Address Bar Spoofing - Already resolved - Retroactive report
Brave Software $150 URI Obfuscation
Shopify $2,000 Able to log in to a deactivated staff account in the Shopify mobile app
Twitter $140 Full Path Disclosure at
Trello $256 Can run arbitrary script on
Brave Software $50 [website] Script injection in newsletter signup
Brave Software $50 2 Directory Listing on &
PHP (IBB) $500 memcpy negative parameter _bc_new_num_ex
PHP (IBB) $500 memcpy negative size parameter in php_resolve_path
PHP (IBB) $500 Write out-of-bounds at number_format
Brave Software $100 Homograph attack
Shopify $500 [] Unvalidated redirection
Python (IBB) $1,000 chain.__setstate__ Type Confusion
Uber $1,000 Subdomain takeover on due to non-existent distribution on Cloudfront
Slack $700 Information Disclosure on
WePay $200 Enumeration of registered email addresses using bruteforce search on userIds
Sucuri $500 Administrator Access to grafana instance with default credentials
Yelp $500 Requesting Show CheckIn Alert for Non Friend User
Harvest $150 Linking Invoice to uninvited project.
Trello $128 XSS on
Twitter $1,260 View liked tweets of private account via
Badoo $140 No rate-limit in SERVER_SECURITY_CHECK
BrickFTP $250 Existence of Folder path by guessing the path through response
Nextcloud $250 Filename enumeration && DoS
Twitter $560 Circumventing the Twitter account lockout process [ACCOUNT TAKEOVER]
Harvest $300 Cookie Injection at ''
Trello $128 Full Sub Domain Takeover at
Zopim $150 Full Sub Domain Takeover at
Slack $500 CSRF in github integration
PHP (IBB) $1,000 Buffer overflow in HTTP parse_hostinfo(), parse_userinfo() and parse_scheme()
$100 web.xml configuration file disclosure
Instacart $150 Full access to any list
Boozt Fashion AB $400 Git available containing passwords.
Romit $513 [CRITICAL]-Taking over entire subdomain of
Uber $10,000 password reset token leaking allowed for ATO of an Uber account
Legal Robot $40 Bypass 8 chars password complexity with 6 chars only due to insecure password reset functionality
Snapchat $250 Bypassing "You've requested your data the maximum number of times today." + "Please Verify an email address with snapchat to continue"
Rockstar Games $500 DOM based reflected XSS in through cross domain ajax request
Shopify $500 password less login token expiration issue
Starbucks $750 out of date disqus shortname usage in the web app source code
Shopify $500 Add signature to transactions without any permission
Udemy $50 Content Spoofing in udemy
WebSummit $40 Subdomain take over signup.websummit
LocalTapiola $50 Reflected XSS in LTContactFormReceiver (/cs/Satellite)
Automattic $100 Follow Button XSS
Python (IBB) $1,500 LZMADecompressor.decompress Use After Free
PHP (IBB) $500 Heap overflow caused by type confusion vulnerability in merge_param()
Legal Robot $20 Information Disclosure on rate limit defense mechanism
Ubiquiti Networks $500 Authentication bypass on via subdomain takeover of
InVision $150 CRITICAL Any █████ of any screen can be removed by anyone!
Legal Robot $20 Near-duplicate accounts allowed with ignored email mutations
Algolia $100 No rate limit for Referral Program
Maximum $75 Facebook and twitter page claimed of [important]
LocalTapiola $18,000 Oracle Webcenter Sites administrative and hi-privilege access available directly from the internet (/cs/Satellite)
HackerOne $500 Bypass rate limiting on /users/password (possibly site-wide rate limit bypass?)
Trello $128 SSRF in account webhook (through API)
Mail.Ru $300 Time-based SQL injection on
Slack $400 Email information leakage for certain addresses
Shopify $500 Open redirect in bulk edit
Imgur $100 Stored XSS in albums on
Nextcloud $750 Bypass permissions
Twitter $2,100 Twitter iOS fails to validate server certificate and sends oauth token
Coinbase $100 Information leakage on
IRCCloud $50 Exposed, outdated nginx server (v1.4.6) potentially vulnerable to heap-based buffer overflow & RCE
Snapchat $250 Incoming email hijacking on
Uber $500 Users can falsely declare their own Uber account info on the monthly billing application
Shopify $500 Deleted Post and Administrative Function Access in eCommerce Forum
Boozt Fashion AB $80 Make victim buy in attacker's account without any idea -
Python $1,000 msilib.OpenDatabase Type Confusion
Pornhub $750 Unsecured Grafana instance
Pornhub $750 Disclosure of private photos/albums -
Yelp $200 Bypass the closing of the account and log in again to your account
Eobot $12 No password length restriction
Boozt Fashion AB $120 XSS
$1,050 Second 2FA bypass method
Shopify $500 XSS in SHOPIFY: Unsanitized Supplier Name can lead to XSS in Transfers Timeline
Twitter $560 leaking Digits OAuth authorization to third party websites
Shopify $500 Unsanitized Location Name in POS Channel can lead to XSS in Orders Timeline
Boozt Fashion AB $80 Instance of Apache Vulnerable to Several Issues
Boozt Fashion AB $120 Potential Subdomain Takeover Possible
Yelp $100 Self-XSS via location cookie city field when getting suggestions for a new location
Boozt Fashion AB $250 xss in Theme
Keybase $100 Denial of Service through set_preference.json
Ruby $200 Arbitrary heap overread in strscan on 32 bit Ruby, patch included
OpenSSL $500 SSLv2 doesn't block disabled ciphers (CVE-2015-3197)
OpenSSL $2,500 Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)
Yelp $500 Verification of E-Mail address possible on and
Boozt Fashion AB $60 PHP info page disclosure on
Harvest $500 Invoices can be added to any retainers - even cross-platform
Slack $500 Rate-limit bypass
Mindoktor $500 Vulnerable Mobile Phone configuration
Nextcloud $500 Reflected XSS in Gallery App CVE-2016-9466
Harvest $250 XSS on expenses attachments
Open-Xchange $300 OX (Guard): Stored Cross-Site Scripting via Email Attachment
Instacart $50 Seemingly sensitive information at /api/v2/zones
Python $1,000 urllib HTTP header injection CVE-2016-5699
Shopify $500 Access to Splunk via endpoint
Shopify $500 Open redirect allows changing iframe content in *<id>/editor
LocalTapiola $400 Open redirection protection bypass (/cs/Satellite)
Algolia $100 Hyperlink Injection in Friend Invitation Emails
LocalTapiola $400 SQL Injection on `/cs/Satellite` path
Legal Robot $60 Validation bypass on user profile
Ian Dunn $50 CSV Injection in Camptix
Twitter $5,040 [] See someone else pics
LocalTapiola $100 Oracle WebCenter Sites Support Tools available and Information disclosure (/cs/Satellite)
LocalTapiola $50 Reflected XSS in (/cs/Satellite) using Oracle WebCenter -page
Harvest $150 CSRF bypass on Submit Time sheet for Approval
Harvest $150 Project Manager can approve pending reports(Access control Issue)
Unikrn $400 Urgent: Server side template injection via Smarty template allows for RCE
QIWI $150 [] Information Disclosure
QIWI $150 [] UI Redressing via Request-URI
Legal Robot $20 Possible content spoofing due to missing error page
Nextcloud $100 Reflected Self-XSS Vulnerability in the Comment section of Files Information
Slack $2,500 Snooping into messages via email service
Legal Robot $20 unsecured assets
$1,000 Two-step authorization bypass / 2FA Bypass
Legal Robot $20 Legal | Application is Missing CSP(Content Security Policy) Header
Legal Robot $20 CORS (Cross-Origin Resource Sharing)
Legal Robot $20 Information Disclosure in AWS S3 Bucket
Legal Robot $120 User Information leak allows user to bypass email verification.
Legal Robot $120 User Information sent to client through websockets
Instacart $100 WordPress Authentication Denial of Service
Dropbox $1,458 Subtle Code Injection Vulnerability in Dropbox for Windows
Uber $100 Stealing users password (Limited Scenario)
Slack $750 Code Injection in Slack's Windows Desktop Client leads to Privilege Escalation
Instacart $150 Fetch private list metadata and any user's personal name
Uber $5,000 Changing paymentProfileUuid when booking a trip allows free rides
Shopify $500 Open Redirect possible in
Harvest $500 Possible to steal any protected files on Android
Bime $150 Subdomain takeover at due to unclaimed Amazon S3 bucket
Instacart $50 READ .svg files by changing .svg into .png extension
Harvest $150 Extracting private info of estimates.
Ian Dunn $100 Bypass fix in report.
Ian Dunn $50 Bypassing CSV injection using new line character
Coinbase $300 window.opener is leaking to external domains upon redirect on Safari
Instacart $150 Brute force login and bypass locked account restrictions via iOS app
Shopify $500 [] Open Redirect
Snapchat $400 [] Stored XSS via an incorrect avatar property value
Instacart $150 Issues with uploading list images
Shopify $500 Open CouchDB on
HackerOne $500 Information leakage of private program
Shopify $500 Open redirect using checkout_url
HackerOne $500 Requesting Mediation possible on reports that are too old for mediation
QIWI $950 [] OAuth account takeover
LocalTapiola $3,000 Blind Stored XSS Against Lahitapiola Employees - Session and Information leakage
Slack $1,000 Stored XSS(Cross Site Scripting) In Slack App Name
Harvest $150 Unauthorized read access to Invoices by PM (Access control Issues)
Harvest $150 Unauthorized access to all the actions of invoices by PM (Access control Issues)
Harvest $100 PM can delete payment of any invoice in company (Access control Issue)
Harvest $100 Record payment for any invoice by PM (Access control Issue)
Harvest $100 PM can delete the company logo image (Vertical Privilege Escalation )
Starbucks $150 Improper Validation on Cancel Link Redirect
HackerOne $1,000 Hacker.One Subdomain Takeover
Harvest $250 PM can set up email for invoices and estimates (Access control Issue)
$75 Cross site scripting
Instacart $100 Hyperlink Injection in Friend Invitation Emails
Ubiquiti Networks $150 [] DOM based XSS at form.html
Mapbox $750 Blind XSS in
Shopify $1,000 (BYPASS) Open redirect and XSS in
Trello $1,024 File access using image tragick
HackerOne $500 Non-secure requests are not automatically upgraded to HTTPS
Instacart $250 shopper login_code's can be brute forced
Twitter $560 redirects to vulnerable
Shopify $500 Access to Splunk at
Instacart $100 Image Upload Path Disclosure
Instacart $150 Host Header Injection/Redirection in:
Instacart $50 Server side request forgery on image upload for lists
Instacart $75 Missing rel=noreferrer tag allows link in list to change url of currently open tab
Instacart $200 Race Condition in Redeeming Coupons
Instacart $100 Cross-Site Request Forgery (CSRF)
Instacart $150 Stored XSS
Instacart $50 CSRF To change Email Notification Settings
Shopify $500 (FULL PATH DISCLOSURE) Unknown MySQL server host ''
HackerOne $500 Disclosure of external users invited to a specific report
SecNews $300 Querying private posts and changing post meta
Gratipay $1 Avoid "resend verification email" confusion
Ubiquiti Networks $500 IDOR Causing Deletion of any account
Uber $10,000 Reading Emails in Uber Subdomains
Algolia $400 Unauthorized team members can leak information and see all API calls through /1/admin/* endpoints, even after they have been removed.
Algolia $100 Stored XSS from Display Settings triggered on Save and viewing realtime search demo
Algolia $100 Stored xss
Algolia $100 Stored XSS triggered by json key during UI generation
Open-Xchange $1,000 OX (Guard): Stored Cross-Site Scripting via Incoming Email
Slack $500 CSRF - Add optional two factor mobile number
Shopify $500 Staff member can delete Private Apps
ownCloud $100 Arbitrary Code Injection in ownCloud’s Windows Client
Shopify $500 (BYPASS) Open Redirect after login at
Twitter $1,120 Stealing User emails by clickjacking
Gratipay $1 Content Spoofing/Text Injection
Nextcloud $50 More content spoofing through dir param in the files app
Uber $3,000 Missing authorization checks leading to the exposure of administrator accounts
Snapchat $3,000 Subdomain takeover on
Shopify $500 Delete/modify your own comment after limited access(IDOR)
Harvest $150 Opportunity to set arbitrary cookies
Moneybird $50 [Stored Cross-Site-Scripting] When searching Incoming ( Manual Journal )
Shopify $1,000 Unauthorized access to Zookeeper on
Uber $500 Blind OOB XXE At ""
Nextcloud $100 IDOR - Disable sharing CVE-2016-9464
Twitter $1,120 csp bypass + xss
Rockstar Games $500 Reflected XSS via #tags= while using a callback in newswire
Ian Dunn $50 Multiple XSS in Camptix Event Ticketing Plugin
Harvest $500 Project Disclosure of all Harvest Instances
Harvest $1,000 Leak of all project names and all user names, even across applications
Harvest $350 User enumeration is possible by cycling through the recurring[client_id] argument value.
Harvest $350 Stored XSS on invoice, executing on any subdomain
Harvest $250 CSRF token fixation in Sign in with Google
Harvest $1,000 S3 bucket takeover due to
Harvest $100 Cross-Site Request Forgery (CSRF)
Dashlane $100 Missing Access Control(IDOR) To Know LinkedAccounts
PHP $500 NULL Pointer Dereference in exif_process_user_comment
PHP $1,000 Out of bound read in exif_process_IFD_in_MAKERNOTE
Uber $5,000 Stored XSS on via admin account compromise
Rockstar Games $750 CSRF in 'set.php' via age causes stored XSS on 'get.php' -'
Algolia $100 No Rate Limit In Inviting Similar Contact Multiple Times
Ian Dunn $375 CSV Injection at Camptix Event Ticketing
ownCloud $50 ownCloud DLL Hijacking Vulnerability
Uber $2,000 [IDOR] Get business trip via organization id
Uber $3,000 Get organization info based on uuid
Slack $500 Creating Post on a restricted channel
Automattic $300 [bbPress] Stored XSS in any forum post.
Dropbox $729 SSRF allows access to internal services like Ganglia
Shopify $1,500 Stealing livechat token and using it to chat as the user - user information disclosure
QIWI $200 Xss on billing
Uber $1,000 is vulnerable to 'SOME' XSS attack via plupload.flash.swf
Shopify $500 takeover
Twitter $420 Html Injection and Possible XSS in
Uber $4,000 SQL Injection on
IRCCloud $500 Cross Site Scripting(XSS) on IRCCloud Badges Page (using Parameter Pollution)
Bime $1,000 Attacker can access graphic representation of every query
Bime $1,000 Urgent: attacker can access every data source on Bime
Nextcloud $50 Content (Text) Injection at NextCloud Server 9.0.52 - via http://custom_nextcloud_url/remote.php/dav/files/ CVE-2016-9468
Uber $2,250 Subdomain takeover of, and
WordPress $1,337 CSRF to add admin [wordpress]
Legal Robot $40 AWS S3 website can't serve security headers, may allow clickjacking
Whisper $100 Stored XSS in
Ubiquiti Networks $185 Reflected Xss in AirMax [Nanostation Loco M2]
Algolia $100 Stored xss
Slack $500 a stored xss issue in
Maximum $20 Application error message
Phabricator $600 HTML in Diffusion not escaped in certain circumstances
Paragon Initiative Enterprises $50 Stored XSS using SVG
Slack $500 "a stored xss issue in share post menu"
Maximum $20 Microsoft IIS tilde directory enumeration
Legal Robot $100 Subdomain takeover at due to non-used domain in
Pornhub $1,500 [idor] Unauthorized Read access to all the private posts(Including Photos,Videos,Gifs)
Paragon Initiative Enterprises $25 Stored XSS in comments
Paragon Initiative Enterprises $50 Stored Cross-Site-Scripting in CMS Airship's authors profiles
Keybase $350 Register multiple users using one invitation (race condition)
$100 Public pages: a public page moderator can delete materials added by editors that are scheduled for publication.
Uber $1,000 Wordpress Vulnerabilities in and domains
Slack $1,500 Source code leakage through GIT web access at host ''
HackerOne $500 Know undisclosed Bounty Amount when Bounty Statistics are enabled.
Badoo $140 Change contents of the careers iframe in
Moneybird $25 Logging out any user
Coinbase $100 Application error message
Slack $100 Generate new Test token
Slack $100 User can start call in a channel of an unpaid account
The Internet $500 ntpd: read_mru_list() does inadequate incoming packet checks CVE-2016-7434
Maximum $20 The POODLE attack (SSLv3 supported)
Maximum $20 RC4 cipher suites detected
HackerOne $500 Race Conditions in Popular reports feature.
LocalTapiola $150 Mixed Active Scripting Issue on
Pornhub $500 RCE Possible Via Video Manager Export using @ character in Video Title
PHP $1,000 ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize
PHP $1,000 Use After Free Vulnerability in PHP's GC algorithm and unserialize
Nextcloud $100 Read-only share recipient can restore old versions of file
Nextcloud $250 Uploading files to a folder where the invited user doesn't have any EDIT privilege
Algolia $100 2-factor authentication bypass
Vimeo $600 Downloading password protected / restricted videos
Nextcloud $50 Nextcloud server software: Content Spoofing
Nextcloud $350 Share owner has no possibility to list all existing derived shares
Nextcloud $750 Stored XSS on Share-popup of a directory's Gallery-view
Uber $7,000 xss in
Ubiquiti Networks $1,000 Subdomain takeover on due to non-used CloudFront DNS entry
Uber $1,500 Bulk UUID enumeration via invite codes
Ubiquiti Networks $150 [] CRLF Injection
Ian Dunn $50 Stored XSS from ticket messages in admin table in SupportFlow
Ian Dunn $50 Stored XSS in SupportFlow Ticket Subject
Python $1,000 CVE-2016-0772 - python: smtplib StartTLS stripping attack
Sucuri $250 [] CRLF Injection
Sucuri $250 SSRF in
Mail.Ru $150 [] Time-Based SQL Injection
Uber $750 Brute-Forcing invite codes in
bitaccess $200 EXTREMELY URGENT: Missing control of bitcoin amount when selling bitcoin allows a user to withdraw any amount of money, unrestricted.
Ruby $500 StringIO strio_getline() can divulge arbitrary memory
HackerOne $500 All information is not removed from published reports
Instacart $100 Authorization Bypass in Delivery Chat Logs
The Internet $7,500 Insufficient shell characters filtering leads to (potentially remote) code execution (CVE-2016-3714)
Slack $500 File upload over private IM channel
Uber $10,000 Change any Uber user's password through /rt/users/passwordless-signup - Account Takeover (critical)
Badoo $280 Obtaining the original of a hidden image
Shopify $3,000 Authentication Bypass on Icinga monitoring server
Shopify $1,500 Potentially Sensitive Information on GitHub
Mail.Ru $250 for Android Content Provider Vulnerability
Mapbox $500 XSS on because of open redirect at /core/oauth/auth
Mapbox $500 XSS on
Gratipay $40 upgrade Aspen on to pick up CR injection fix
drchrono $50 Information Disclosure
Python $500 Heap corruption via Python 2.7.11 IOBase readline()
Uber $750 xss vulnerability in
drchrono $50 Bug Report
Moneybird $50 [STORED XSS] in debtor reports of "invoices"
WePay $250 Invited users can modify and/or remove account owner
Shopify $500 Fetching external resources through svg images
LocalTapiola $100 DOM XSS bypassing in Regional Office -selector
Pornhub $10,000 [RCE] Unserialize to XXE - file disclosure on
Twitter $560 Information Disclosure through .DS_Store in ██████████
Mail.Ru $150 [] SQL Injection
OpenSSL $500 CVE-2016-2177 Undefined pointer arithmetic in SSL code
Pornhub $1,500 (Pornhub & Youporn & Brazzers ANDROID APP) : Upload Malicious APK / Overwrite Existing APK / Android BackOffice Access
$1,500 XSS in upload.php
drchrono $50 User with no permissions can create, edit, delete favorite prescriptions /erx/
Slack $200 [Screenhero] Subdomain takeover
Ubiquiti Networks $125 Stored XSS in
Pornhub $20,000 [phpobject in cookie] Remote shell/command execution
Pornhub $1,000 Private Photo Disclosure - /user/stream_photo_attach?load=album&id= endpoint
drchrono $50 Bypassing Password Reset
GlassWire $25 Bypass GlassWire's monitoring of Hosts file
HackerOne $500 Able to remove the admin access of my program
drchrono $50 User with no permissions can access full wdcalendar feed
drchrono $50 Stored XSS via AngularJS Injection
Ubiquiti Networks $260 Open Redirect in [Controller Finder]
drchrono $50 [CRITICAL] CSRF leading to account take over
Mail.Ru $150 Source code disclosure & ability to get database information "SQL injection" in []
Zendesk $100 XSS in
drchrono $100 Angular injection in the profile name of onpatient
drchrono $50 Template stored XSS
drchrono $50 - Information Disclosure and Windows Host Exposed
drchrono $50 Nginx Server version disclosure
Starbucks $4,000 Parameter Manipulation allowed for editing the shipping address for other user’s subscriptions.
Starbucks $6,000 Parameter Manipulation allowed for viewing of other user’s orders
drchrono $50 Bypass password complexity requirements on password reset page
drchrono $100 Security Issue : CSRF Token Design Flaw
Mail.Ru $150 [] SQL Injection
Mail.Ru $100 [] HTML injection in emails from
Starbucks $375 Reflected XSS via utm_source parameter
Mail.Ru $160 [] /uploadphoto Insecure Direct Object References
Slack $500 Open Redirect on
Gratipay $10 configure a redirect URI for Facebook OAuth
$50 CJ vulnerability in subdomain
Trello $128 XSS in Jetpack Plugin
LocalTapiola $100 Exploiting Secure Shell (SSH) on
Phabricator $300 Passphrase credential lock bypass
Ubiquiti Networks $2,750 Read-Only user can execute arbitrary shell commands on AirOS
Automattic $500 WordPress core stored XSS via attachment file name
Badoo $280 Ability to collect users' ids that have visited a specific web page with malicious code
LocalTapiola $300 Persistent XSS at using spoofed React element and React v.0.13.3
Uber $7,000 OneLogin authentication bypass on WordPress sites via XMLRPC
Pornhub $750 [idor] Profile Admin can pin any other user's post on his stream wall
LocalTapiola $100 Remote Code Execution in NovaStor NovaBACKUP DataCenter backup software (Hiback)
Pornhub $1,000 SSRF & XSS (W3 Total Cache)
LocalTapiola $300 Abusing and Hacking the SMTP Server
WP API $100 Missing access control exposing detailed information on all users
Pornhub $1,000 [IDOR] Deleting other users comment
Pornhub $150 Same-Origin Method Execution bug in plupload.flash.swf on /insights
OpenSSL $1,000 Bleichenbacher oracle in SSLv2 (CVE-2016-0704)
OpenSSL $2,500 Divide-and-conquer session key recovery in SSLv2 (CVE-2016-0703)
Pornhub $5,000 Weak user authentication on mobile application - I just broke the userKey secret password
Pornhub $1,500 [stored xss,] stream post function
Pornhub $250 Reflected XSS in categories*p
Pornhub $250 Reflected XSS GET /*embed_player*?
Mail.Ru $150 SQL Injection
Pornhub $1,500 [IDOR] post to anyone even if their stream is restricted to friends only
Pornhub $100 CSV Macro injection in Video Manager (CEMI)
Vimeo $600 All Vimeo Private videos disclosure via Authorization Bypass
LocalTapiola $100 Amazon Bucket Accessible (
Sucuri $500 CRLF/HTTP header injection
$500 Xss in
OpenSSL $2,500 Padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
Ubiquiti Networks $1,000 Source code disclosure on
Uber $8,000 [CRITICAL] -- Complete Account Takeover
Gratipay $1 don't leak server version of in error pages
Moneybird $50 Reflected XSS in Backend search
Vimeo $750 CSRF on Vimeo via cross site flashing leading to info disclosure and private videos go public
Mapbox $400 Denial of service in account statistics endpoint
Uber $10,000 OneLogin authentication bypass on WordPress sites
Moneybird $100 Employees with Any Permissions Can Create App with Full Permissions and Perform any API Action
OpenSSL $500 EBCDIC overread (CVE-2016-2176)
OpenSSL $500 EVP_EncryptUpdate overflow (CVE-2016-2106)
OpenSSL $500 EVP_EncodeUpdate overflow (CVE-2016-2105)
Romit $50 Session Fixation
Moneybird $25 information disclose
Shopify $500 View all deleted comments and rating of any app.
Uber $5,000 Multiple vulnerabilities in a WordPress plugin at
LocalTapiola $400 Possibly big authorization problem in Lähitapiola's varainhoito
Mapbox $1,000 Reflected cross-site scripting (XSS) on
LocalTapiola $100 HTTP status code manipulation & java stack trace
LocalTapiola $5,000 Blind Stored XSS Against Lahitapiola Employees - Session and Information leakage
PHP $1,500 Integer overflow in ZipArchive::getFrom*
HackerOne $2,500 RCE in profile picture upload
OpenSSL $500 ASN.1 BIO excessive memory allocation (CVE-2016-2109)
Mail.Ru $250 XSS via a specially crafted file.
Shopify $500 staff member can install apps even if they have limited access
Automattic $1,337 WordPress SOME bug in plupload.flash.swf leading to RCE
Automattic $1,337 WordPress Flash XSS in *flashmediaelement.swf*
Zendesk $250 XSS In /zuora/ functionality
LocalTapiola $100 Content Spoofing or Text Injection (404 error page injection)
Algolia $500 RCE on
Uber $2,000 Reflected XSS via Livefyre Media Wall in
Automattic $75 XSS on
Moneybird $25 Content Spoofing In Moneybird
Udemy $50 Stored XSS at Udemy
Slack $1,000 Stored XSS on using new Markdown editor of posts inside the Editing mode and using javascript-URIs
Zendesk $500 [HIGH RISK] CSRF could potentially delete a zendesk subdomain.
Moneybird $50 Open Redirect vulnerability in
Zendesk $100 AWS S3 bucket writable for authenticated aws user
Uber $7,500 Stored XSS in
Twitter $840 [Critical] - Steal OAuth Tokens
Coinbase $100 User's legal name could be changed despite front end controls being disabled
Automattic $75 Akismet Several CSRF vulnerabilities
ownCloud $150 Open Redirector via (apps/files_pdfviewer) for un-authenticated users.
Gratipay $1 bring up to A grade on SSLLabs
Moneybird $50 Stored XSS in Financial Account executing in Bank tab
Moneybird $100 Malicious File Upload
Ubiquiti Networks $275 Reflected XSS in
Moneybird $150 XXE issue
Moneybird $25 Stored XSS thru SVG upload
bitaccess $50 BYPASSING OTP Verification
Moneybird $50 CSV Injection with the CSV export feature
Trello $128 Cross site scripting in
Slack $2,000 Authentication bypass leads to sensitive data exposure (token+secret)
Zendesk $50 Stored XSS on [your_zendesk] in Facebook Channel
Python $500 Python 2.7 strop.replace Integer Overflow
Twitter $700 xss in DM group name in twitter
Twitter $700 niche s3 buckets are readable/writeable/deleteable by authorized AWS users
Automattic $75 CPU utilization 99% on visiting wordpress site url & open redirect found
LocalTapiola $300 The PdfServlet-functionality used by the "Tee vakuutustodistus" allows injection of custom PDF-content via CSRF-attack
LocalTapiola $400 Cookie-based client-side denial-of-service to all of the Lähitapiola domains
Gratipay $10 Send email asynchronously
Algolia $100 No rate-limit in Two factor Authentication leads to bypass using bruteforce attack
Ubiquiti Networks $1,500 Read-Only user can execute arbitrary shell commands on AirOS
Trello $1,536 Payment information is sent to the webhook when a team changes its visibility
OpenSSL $1,000 BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
Gratipay $10 fix bug in username restriction
Snapchat $1,000 Administrator access to a Django Administration Panel on * via bruteforced credentials
InVision $400 CRITICAL : Delete Boards Admin's ( or any other user ) comment. ( IDOR )
HackerOne $2,500 AWS S3 bucket writeable for authenticated aws users
Gratipay $1 Limit email address length
Uber $5,000 Stored XSS on admin panel / Stream WordPress plugin
Uber $250 Easy spam with USE My PHONE Feature
HackerOne $1,500 Web Authentication Endpoint Credentials Brute-Force Vulnerability
Badoo $852 [CRITICAL] Full account takeover using CSRF
HackerOne $500 New hacktivity view discloses report IDs of non-public reports
HackerOne $500 New hacktivity view discloses report IDs of non-public reports
PHP $1,000 php_snmp_error() Format String Vulnerability
Uber $5,000 Information regarding trips from other users
Uber $5,000 Possibility to get private email using UUID
Twitter $280 XSS using javascript:alert(8007)
Uber $3,000 Possible to View Driver Waybill via Driver UUID
LocalTapiola $100 DOM XSS by choosing regional company
Uber $3,000 Stored XSS in Due to Injection of Javascript:alert(0)
Coinbase $1,000 Sending payments via QR code does not require confirmation
Shopify $500 XSS on
Coinbase $500 Email leak in transactions in Android app
Trello $1,024 If a team is public, the web socket receives data about the Team visible boards
LocalTapiola $1,000 Posting modified information in 'Investment section' will cause unintended information change in
Uber $500 CBC "cut and paste" attack may cause Open Redirect(even XSS)
Uber $750 XSS In Due to Mime Sniffing in IE
Uber $1,000 CSV Injection in
Uber $2,000 Stored XSS in WordPress admin panel
Gratipay $10 prevent content spoofing on /~username/emails/verify.html
Uber $10,000 may RCE by Flask Jinja2 Template Injection
Uber $3,000 SQL injection in Wordpress Plugin Huge IT Video Gallery at
Uber $3,000 Reflected XSS via Unvalidated / Open Redirect in
Uber $5,000 Possibility to brute force invite codes in
Uber $3,000 Dom Based Xss
Uber $500 Estimation of a Lower Bound on Number of Uber Drivers via Enumeration
Mapbox $1,000 XSS (cross-site scripting) on
Uber $3,000 Avoiding Surge Pricing
Uber $2,000 Bypassing Uber Partner's 3 Cancel Limit
Uber $3,000 Lack of rate limiting on leads to enumeration of promotion codes and estimation of a lower bound on the number of Uber drivers
Uber $3,000 SQLi in
Uber $1,500 Lack of CNAME/A Record Trimming Pointing Uber Domains to Insecure Non-Uber AWS Instances/Sites
Uber $3,000 XSS in
Uber $3,000 Reflected XSS on via Angular template injection
Uber $500 Open Redirect in
Gratipay $1 Hijacking user session by forcing the use of invalid HTTPs Certificate on
HackerOne $1,500 External programs revealing info
HackerOne $500 Websites opened from reports can change url of report page
Shopify $500 Bypassed password authentication before enabling OTP verification
HackerOne $500 Disclosure of private programs that have an "external" page on HackerOne
Shopify $500 Stored XSS via "Free Shipping" option (Discounts)
Imgur $100 XSS via React element spoofing
HackerOne $500 CSV Injection via the CSV export feature
Shopify $1,500 Shopify GitHub Login and Password exposed all private source code might be available.
Trello $768 Using WebSocket I can always access organization data even if I am removed
Gratipay $1 auto-logout after 20 minutes
Gratipay $1 Cookie Does Not Contain The "secure" Attribute
Gratipay $1 suppress version in Server header on or
HackerOne $500 SECURITY: Referencing previous Reports attachment_IDs on new Reports via Draft_Sync DELETES Attachments
HackerOne $500 Mediation link can be accepted by other users
LocalTapiola $500 CSRF allows attacker to delete item from customer's "Postilaatikko"
Shopify $500 XSS on
HackerOne $1,000 Edit Auto Response Messages
Mail.Ru $200
Shopify $500 Stored XSS in
Imgur $5,000 Local file read in image editor
Mapbox $200 Mapbox API Access Token with No Scope Can Read Styles
Ubiquiti Networks $1,300 Shell Injection via Web Management Console (dl-fw.cgi)
Vimeo $100 Private, embeddable videos leaks data through Facebook & Open Graph
PHP $1,000 Buffer overflow in HTTP url parsing functions
Badoo $850 Account Takeover
LocalTapiola $400 CRLF injection in
Badoo $427 Broken Authentication on Badoo
Bime $150 Subdomain takeover due to unclaimed Amazon S3 bucket on
Bime $250 SSRF issue
Gratipay $1 don't serve hidden files from Nginx
Pornhub $250 Public Facing Barracuda Login
OpenSSL $500 BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797)
Pornhub $2,500 Unprotected Memcache Installation running
Pornhub $50 HTTP Track/Trace Method Enabled
Twitter $1,120 DOMXSS in Tweetdeck
Mail.Ru $150 By pass admin panel []
Mail.Ru $150 By pass admin panel []
Ubiquiti Networks $1,500 Read-Only user can execute arbitrary shell commands on AirOS
Udemy $150 Session Takeover vulnerability
Shopify $500 xss in all the widgets of
Uber $500 Open Redirection on
HackerOne $500 User with Read-Only permissions can edit the Internal comment Activities on Bug Reports After Revoking the team access permissions
Twitter $280 Sub-Domain Takeover
InVision $500 CRITICAL Stored XSS in
Udemy $150 Able to view others' gifts on /gift/share URL, giftId is predictable, and easy to manipulate
Coinbase $500 Misconfiguration in 2 factor allows sensitive data exposure
Twitter $2,520 Tweet Deck XSS- Persistent- Group DM name
HackerOne $500 Distinguish EP+Private vs Private programs in HackerOne
Algolia $1,000 API Key added for one Indices works for all other indices too.
OpenSSL $500 CVE-2016-0799 memory issues in BIO_*printf functions
HackerOne $500 User with Read-Only permissions can manually public disclosure the report
Shopify $500 File name and folder enumeration.
Coinbase $200 XSSI (Cross Site Script Inclusion)
HackerOne $500 CSV Injection at the CSV export feature
QIWI $150 Content Spoofing in
$100 Dork
Mail.Ru $500 Admin panel access restrictions bypass []
Gratipay $1 limit number of images in statement
Zendesk $50 Stored XSS via Angular Expression injection on
Gratipay $1 strengthen Diffie-Hellman (DH) key exchange parameters in
Shopify $500 XSS in Draft Orders in Timeline in SHOPIFY Admin Site!
Gratipay $1 stop serving over HTTP
Gratipay $10 DMARC is misconfigured for
Uber $3,000 Reflected XSS on careers
Gratipay $10 Prevent content spoofing on /~username/emails/verify.html
Gratipay $2 SPF/DKIM/DMARC for
Mail.Ru $250 SSRF on
Gratipay $2 SPF/DKIM/DMARC for
Gratipay $1 limit HTTP methods on other domains
Gratipay $10 Email Forgery through Mandrillapp SPF
Uber $250 Multiple Vulnerabilities (Including SQLi) in
Uber $3,000 XSS @
Gratipay $10 No Valid SPF Records.
HackerOne $500 Increase number of bugs by sending duplicate of your own valid report
Zopim $100 Chat History CSV Export Excel Injection Vulnerability
Legal Robot $20 SSL Issue on
HackerOne $500 Private Program Disclosure in /:handle/settings/allow_report_submission.json endpoint $200
Legal Robot $20 SPF Issue
Legal Robot $120 Remote Code Execution (upload)
Mail.Ru $600 VERY DANGEROUS XSS STORED inside emails
Mail.Ru $150 [] SQL Injection
Ubiquiti Networks $1,000 Auth bypass on
Slack $100 an xss issue in
Gratipay $1 The POODLE attack (SSLv3 supported) for
WePay $150 2-step Verification bypass
Python $1,000 Type confusion in partial.setstate, partial_repr, partial_call leads to memory corruption, reliable control flow hijack
Sucuri $500 Manipulating of (List Subscription) Emails (HTML/Script Injection)
HackerOne $500 Private Program Disclosure in /:handle/reports/draft.json endpoint
HackerOne $5,000 Private program activity timeline information disclosure
Shopify $500 XSS on
Imgur $1,000 SSRF / Local file enumeration / DoS due to improper handling of certain file formats by ffmpeg
Imgur $800 SSRF and local file read in video to gif converter
Legal Robot $20 Rate limiting on Email confirmation link
Imgur $2,000 SSRF in
Paragon Initiative Enterprises $50 Full Path Disclosure
Mail.Ru $300 [] SQL Injection
Gratipay $10 prevent content spoofing on /search
Gratipay $5 SPF DNS Record
Keybase $50 Content spoofing due to the improper behavior of the not-found message
HackerOne $500 Putting link inside link in markdown
Keybase $350 Race conditions can be used to bypass invitation limit
Keybase $250 Remote Server Restart Lead to Denial of Service by only one Request.
Mapbox $200 Content Spoofing and Local Redirect in Mapbox Studio
$2,500 External entity injection in the YouTrack user import functionality
Shopify $500 CSRF on
Twitter $2,520 Bypassing Digits web authentication's host validation with HPP
Snapchat $1,000 Subdomain takeover in pointing to Zendesk (a Snapchat acquisition)
Keybase $250 Remote Server Restart Lead to Denial of Service by only one Request.
OpenSSL $2,500 OpenSSL Key Recovery Attack on DH small subgroups (CVE-2016-0701)
Paragon Initiative Enterprises $50 Open-redirect on
HackerOne $500 Multiple issues with Markdown and URL parsing
withinsecurity $250 WordPress Failure Notice page will generate arbitrary hyperlinks
HackerOne $500 Unintended HTML inclusion as a result of
Mail.Ru $300 [] SQL Injection
Coinbase $1,000 Session Issue Maybe Can lead to huge loss [CRITICAL]
$250 Full takeover of some sub domains
Bime $100 The JDBC driver used by the Vertica connector allows to create files on the backends
Bime $1,000 SSRF in the Connector Designer (REST and Elastic Search)
Bime $750 XXE in the Connector Designer
HackerOne $500 Interstitial redirect bypass / open redirect in
Mail.Ru $150 [] SSRF / XSPA
Zendesk $100 [CRITICAL] HTML injection issue leading to account take over
withinsecurity $250 Error Page Text Injection #106350
Imgur $50 Big Bug in SSL : breach compression attack (CVE-2013-3587) affect
Shopify $500 Full access to Amazon S3 bucket containing AWS CloudTrail logs
Automattic $75 XSS at
Shopify $500 XSS via third-party script
Trello $1,152 DOM based XSS via Wistia embedding
$100 Checking whether user liked the media or not even when you are blocked
Vimeo $100 Legacy API exposes private video titles
Automattic $75 XSS at
Pornhub $1,500 [ssrf] libav vulnerable during conversion of uploaded videos
Shopify $500 Attach Pinterest account - no State/CSRF parameter in Oauth Call back
Shopify $500 Twitter Disconnect CSRF
HackerOne $500 CSV Injection via the CSV export feature
withinsecurity $250 Content Spoofing OR Text Injection in
Gratipay $15 Sub Domain Take over
Automattic $250 Internal GET SSRF via CSRF with Press This scan feature
ownCloud $250 Information Exposure Through Directory Listing CVE-2016-1499
HackerOne $500 HTML injection can lead to data theft
Twitter $5,040 Bypassing Digits bridge origin validation
Perl $1,000 Perl 5.22 VDir::MapPathA/W Out-of-bounds Reads and Buffer Over-reads
Phabricator $300 Extended policy checks are buggy
Udemy $25 CSRF in
Coinbase $200 Direct URL access to completed reports
Ubiquiti Networks $500 Subdomain Takeover in
HackerOne $500 User with Read-Only permissions can request/approve public disclosure
Mail.Ru $150 [] SQL Injection
PHP $1,000 Use After Free in sortWithSortKeys()
Gratipay $5 HTTP trace method is enabled
Twitter $2,520 Bypassing callback_url validation on Digits
ownCloud $350 Exploiting unauthenticated encryption mode
Ubiquiti Networks $150 Reflected File Download in
$500 API: Bug in method auth.signup that makes it possible to place phone calls without limit
Mail.Ru $150 [] Time Based SQL Injection
Mail.Ru $500 reflected in xss
HackerOne $500 Team Member(s) associated with a Group that has Read-only permission (Post internal comments) can post comments to all the participants
WePay $100 Unauthenticated Stored XSS in API Panel
Automattic $50 Possible Timing Side-Channel in XMLRPC Verification
GlassWire $100 GlassWireSetup.exe subject to EXE planting attack
Imgur $150 XSS in imgur mobile 3
Imgur $150 XSS in imgur mobile
Shopify $500 Stored XSS in /admin/orders
$100 Adding a community to the menu without the user's knowledge (without the user clicking)
Zendesk $500 Stored XSS in comments
Shopify $500 Stored Cross Site Scripting
PHP $1,000 Format string vulnerability in zend_throw_or_error()
Shopify $500 HTTP-Response-Splitting on
Maximum $20 Application error message
Coinbase $100 Race condition allowing user to review app multiple times
withinsecurity $250 text injection can be used in phishing 404 page should not include attacker text
Algolia $100 text injection can be used in phishing 404 page should not include attacker text
HackerOne $500 Improve signals in reputation
Shopify $500 Reflective XSS on
HackerOne $500 Team Member(s) associated with a Custom Group Created with 'Program Management' only permissions can Comment on Bug Reports
Shopify $500 "Remember me" token generated when "Remember me" box unchecked
GlassWire $100 DLL Hijacking Vulnerability in GlassWireSetup.exe
HackerOne $500 Parameter pollution in social sharing buttons
HackerOne $500 Know whether private program for company exist or not
LeaseWeb $100 DOM Based XSS in Checkout
Shopify $500 many xss in
Pornhub $50 [crossdomain.xml] Dangerous Flash Cross-Domain Policy
Pornhub $250 PornIQ Reflected Cross-Site Scripting
Imgur $150 risk of having secure=false in a crossdomain.xml
Instacart $100 Cookie-Based Injection
Square Open Source $2,000 Unsafe usage of Ruby string interpolation enabling command injection in git-fastclone
Shopify $500 CSRF in Connecting Pinterest Account
Instacart $100 Cross-Site Scripting Reflected On Main Domain
Zopim $100 [] Open Redirect
Automattic $75 XSS on
Coinbase $200 HTML injection in apps user review
QIWI $200 [] Yui charts.swf XSS
Square Open Source $2,000 git-fastclone allows arbitrary command execution through usage of ext remote URLs in submodules
Shopify $1,000 XSS on sales channels via currency formatting
Slack $1,000 Trick make all fixed open redirect links vulnerable again
Python $500 tokenizer crash when processing undecodable source code
Python $1,000 PyFloat_FromString & PyNumber_Long Buffer Over-reads
PHP $500 Memory Corruption in phar_parse_tarfile when entry filename starts with null CVE-2015-4021
PHP $500 invalid pointer free() in phar_tar_process_metadata() CVE-2015-3307
Python $500 use after free in load_newobj_ex
Python $500 array.fromstring Use After Free
Python $1,000 bytearray.find Buffer Over-read
Python $500 hotshot pack_string Heap Buffer Overflow
Python $500 audioop.adpcm2lin Buffer Over-read
Python $500 audioop.lin2adpcm Buffer Over-read
PHP $500 Files extracted from archive may be placed outside of destination directory CVE-2015-6833
PHP $1,500 Multiple Use After Free Vulnerabilities in unserialize() CVE-2015-6831
PHP $1,000 Arbitrary code execution in str_ireplace function CVE-2015-6527
PHP $1,000 Dangling pointer in the unserialization of ArrayObject items CVE-2015-6832
PHP $500 curl_setopt_array() type confusion
The Internet $1,000 libcurl duphandle read out of bounds CVE-2014-3707
PHP $500 heap buffer overflow in enchant_broker_request_dict() CVE-2014-9705
PHP $500 Integer overflow in unserialize() (32-bits only) CVE-2014-3669
PHP $500 AddressSanitizer reports a global buffer overflow in mkgmtime() function CVE-2014-3668
PHP $1,500 SOAP serialize_function_call() type confusion / RCE CVE-2015-6836
PHP $500 zend_throw_or_error() format string vulnerability
PHP $1,000 Uninitialized pointer in phar_make_dirstream CVE-2015-7804
PHP $1,000 Buffer over-read in exif_read_data with TIFF IFD tag
PHP $500 Null pointer deref (segfault) in spl_autoload via ob_start
PHP $500 null pointer deref (segfault) in zend_eval_const_expr
PHP $500 Mem out-of-bounds write (segfault) in ZEND_ASSIGN_DIV_SPEC_CV_UNUSED_HANDLER
Python $1,000 Python deque.index() uninitialized memory
Python $500 Python scan_eol() Buffer Over-read
Python $500 time_strftime() Buffer Over-read
Python $500 Python xmlparse_setattro() Type Confusion
PHP $500 Use after free vulnerability in unserialize() with GMP
PHP $500 Use After Free Vulnerability in session deserializer CVE-2015-6835
PHP $1,000 Use After Free Vulnerability in unserialize() CVE-2015-6834
PHP $1,000 Use After Free Vulnerability in unserialize() with SplObjectStorage CVE-2015-6834
PHP $1,000 Use After Free Vulnerability in unserialize() with SplDoublyLinkedList CVE-2015-6834
Python $500 Python 3.3 - 3.5 product_setstate() Out-of-bounds Read
Ruby $1,500 Request Hijacking Vulnerability In RubyGems 2.4.6 And Earlier CVE-2015-3900
Python $500 Integer overflow in _Unpickler_Read
Apache httpd $500 mod_lua: Crash in websockets PING handling CVE-2015-0228
PHP $500 Null pointer dereference in phar_get_fp_offset() CVE-2015-7803
HackerOne $2,500 CSRF possible when SOP Bypass/UXSS is available
Shopify $500 Open Redirect at *
Shopify $500 [CSRF] Install premium themes
Algolia $100 Stored XSS in name selection
$500 Bypass of CSRF protection in
withinsecurity $250 content injection
$500 Same-Origin Policy Bypass #2
$500 Same-Origin Policy bypass on main domain -
Zendesk $500 [CRITICAL] CSRF leading to account take over
Sucuri $250 XSS Vuln in Sucuri Security - Auditing, Malware Scanner
$75 Cookie bug
Shopify $500 Open redirect using theme install
Ubiquiti Networks $200 CSRF
Shopify $500 XSS in creating tweets
Maximum $20 RC4 cipher suites detected
Maximum $10 SSL certificate invalid date
Maximum $40 RC4 cipher suites detected
Automattic $75 Remove anyone's pic gravatar
Pornhub $250 Reflected Cross-Site Scripting on French subdomain
Twitter $140 Subdomain Expired
InVision $300 Stored Cross-Site Scripting on █████████ (with small user interaction)
Uber $500 Drivers can change profile picture
Shopify $500 An administrator without any permission is able to get order notifications using his APNS Token.
Twitter $560 xss in link items (
Yelp $1,500 Access to internal CMS containing private Data
Imgur $5,500 Imgur dev environments facing the Internet
Twitter $560 URGENT : Account Take Over Vulnerability
Coinbase $5,000 Stored-XSS in
Twitter $560 Add tweet to collection CSRF
Pornhub $250 Cross Site Scripting - On Mouse Over, Blog page
Pornhub $250 [xss,] /user/[username], multiple parameters
HackerOne $1,000 Pre-generation of 2FA secret/backup codes seems like an unnecessary risk
QIWI $100 Open Redirect in
Coinbase $500 Transactions visible on Unconfirmed devices
Algolia $200 User with limited access to Index configuration can rename the Index
drchrono $100 Request Accepts without X-CSRFToken [ Header - Cookie ]
HackerOne $500 Limited CSRF bypass.
drchrono $100 CSRF Add Album On
Boozt Fashion AB $100 Reflected XSS on
Badoo $153 Open redirect helps to steal Facebook access_token
Uber $1,000 Mass Assignment Vulnerability in
Shopify $500 deleted staff member can add his amazon marketplace web services account to the store.
Algolia $100 an xss issue
Shopify $500 [CSRF] Activate PayPal Express Checkout
QIWI $3,137 XML External Entity (XXE) in + waf bypass
Mapbox $1,000 XSS in L.mapbox.shareControl in mapbox.js
Slack $100 RC4 cipher suites detected on
Shopify $1,000 S3 Buckets open to the world thanks to 'Authenticated Users' ACL
Shopify $500 Apps can access 'channels' beta api
$50 Email Verification Link can be Used as Password Reset Link!
Twitter $280 Urgent : Disclosure of all the apps with hash ID in mopub through API request (Authentication bypass)
QIWI $200 XSS Reflected in
Shopify $1,500 'Limited' RCE in certain places where Liquid is accepted
$300 login to any user's cashier account and full account information disclosure
itBit Exchange $100 No password length restriction denial of service
Algolia $100 Stored XSS on*
HackerOne $2,500 Cross-domain AJAX request
Imgur $150 XSS
Slack $100 Reflected Self-XSS in Slack
Twitter $1,120 File Upload XSS in image uploading of App in mopub
Slack $200 File upload XSS (Java applet) on
Shopify $500 List of devices is accessible regardless of the account limitations
Twitter $280 Following a User After Favoriting Actually Follows Another User (related to #95243)
Shopify $500 SVG parser loads external resources on image upload
Shopify $500 Staff members with no permission can access the files uploaded by the administrator
Mail.Ru $300 Potential SSRF in
$250 Multiple critical vulnerabilities in Odnoklassniki Android application
HackerOne $1,000 HTTP header injection in allows setting cookies for
HackerOne $2,500 Send AJAX request to external domain
Twitter $1,120 Can see private tweets via keyword searches on tweetdeck
Shopify $500 An administrator without the 'Settings' permission is able to see payment gateways
Shopify $500 A 'Full access' administrator is able to see the shop owners user details
Shopify $500 Staff members with no permission to access domains can access them.
Keybase $50 Un-handled exception leads to Information Disclosure
Badoo $310 crossdomain.xml too permissive on,, etc.
Snapchat $1,500 Password Reset - query param overrides postdata
Shopify $500 Missing of csrf protection
Imgur $50 Persistent XSS in and / post statistics
Slack $500 Stored XSS in Slack (weird, trial and error)
Vimeo $250 XSS on without user interaction and with user interaction
$75 Http Response Splitting - Validate link
itBit Exchange $50 user-agent Content spoofing
Mail.Ru $300 [] Authentication Data
$50 Cross Site Scripting
Shopify $500 Privilege escalation and circumvention of permission to limited access user
Imgur $250 Persistent XSS in image title
Twitter $280 CSRF on cards API
Twitter $5,040 IDOR- Activate Mopub on different organizations- steal api token-
Shopify $500 Unauthorized access to any Store Admin's First & Last name
Twitter $280 Following a User Actually Follows Another User
Twitter $280 XSS in the "Poll" Feature on
Shopify $500 Reflected XSS in cart at
Shopify $4,000 Paid account can review\download any invoice of any other shop
Whisper $30 SMS Invite Form Abuse
Whisper $30 Host Header Injection/Redirection
Shopify $500 Some S3 Buckets are world readable (and one is world writeable)
Zopim $1,000 Cross-site Scripting in all Zopim
Shopify $1,500 Arbitrary read on s3://shopify-delivery-app-storage/files
Shopify $2,500 Unauthorized access to all collections, products, pages from other stores
Shopify $500 Bypassing password requirement during deletion of account
Shopify $2,000 Arbitrary write on s3://shopify-delivery-app-storage/files
Shopify $500 Missing authorization check on dashboard overviews
Shopify $500 get users information without full access
Shopify $1,000 Unauthenticated access to details of hidden products in any shop via title enumeration
Shopify $500 First & Last Name Disclosure of any Shopify Store Admin
WePay $100 Subdomain Takeover in pointing to Fastly
$100 A way to find out the name and university of a deleted page
Shopify $2,000 unauthorized access to all collections name
Coinbase $100 SPF records not found
Shopify $500 Accessing Payments page and adding payment methods with limited access accounts
Badoo $456 Tokens from services like Facebook can be stolen
Shopify $2,500 unauthorized access to all customers first and last name
Automattic $75 CSV Injection in
Trello $128 CSV Injection
Shopify $500 customers password hash leak!!!!
Uber $100 Issue with Password reset functionality
Trello $256 Normal User can add new users to group
Imgur $1,600 Server Side Request Forgery In Video to GIF Functionality
Imgur $50 Crossdomain.xml settings on too open
Automattic $50 WooCommerce: Support Ticket indirect object reference
Imgur $50 Reflected Flash XSS using swfupload.swf with an epileptic reloading to bypass the button-event
Imgur $50 "Sign me out everywhere" does not work for desktop sessions
IRCCloud $500 Inadequate input validation on API endpoint leading to self denial of service and increased system load.
Zendesk $50 Content Spoofing
Shopify $1,000 change Login Services settings without owner access
Shopify $1,000 create staff member without owner access
Shopify $500 Privilege escalation vulnerability
Coinbase $100 User email enumeration using Gmail
Zopim $100 CSV Excel Macro Injection Vulnerability in export chat logs
Twitter $280 Tweetdeck (twitter owned app) not revoked
$500 CSRF in obtaining backup tokens + framing, leading to 2FA compromise
Zendesk $100 CSV Excel Macro Injection Vulnerability in export customer tickets
Zendesk $100 Cross-site Scripting
Slack $100 Self-XSS in posts by formatting text as code
Mail.Ru $500 XSS:,[id]/reply when replying to a specially crafted email
Twitter $2,520 Multiple DOMXSS on Amplify Web Player
Vimeo $200 XSS when using captions/subtitles on video player based on Flash (requires user interaction)
Phabricator $300 Information leakage through Graphviz blocks
Vimeo $100 XSS on | "Search within these results" feature (requires user interaction)
Vimeo $1,500 XSS on after other user follows you
Udemy $100 XSS Vulnerability
Vimeo $200 Stored XSS on and
Coinbase $100 OAUTH permission set as true= lead to authorize malicious application
ownCloud $25 Full Path Disclosure CVE-2016-1501
Shopify $500 XSS on blog pages via sharing buttons
Twitter $2,520 XSS on OAuth authorize/authenticate endpoint
Keybase $500 [] Open Redirect
Anghami $100 [CRITICAL] Login To Any Account Linked With Google+ With Email Only
Anghami $300 [] Sql Injection
Phabricator $450 Multiple so called 'type juggling' attacks. Most notably PhabricatorUser::validateCSRFToken() is 'bypassable' in certain cases.
Romit $250 IDOR on removing Share
Vimeo $100 Reflected XSS on
Vimeo $500 Stored XSS on
Mail.Ru $150 XSS at
InVision $400 Deleting a Project for which the user is not owner but a normal member
Shopify $500 XSS
ownCloud $25 Full Path Disclosure CVE-2016-1501
Zopim $100 [API ISSUE] agents can Create agents even after they are disabled !
InVision $100 Content Spoofing - Signout Warning Page
Pornhub $100 [reflected xss,] /blog, any
Pornhub $50 Cross Site Scripting – Album Page
Zendesk $500 Stored XSS in comments
Hired $420 Stored XSS in Company Name
Shopify $500 Self XSS in chat.
Automattic $100 XSS in WordPress
Gratipay $1 Possible SQL injection on "Jump to twitter"
Shopify $500 XSS (Digital Downloads App in
Ruby on Rails $2,000 Potential XSS on sanitize/Rails::Html::WhiteListSanitizer
InVision $100 Reflective XSS in
HackerOne $500 Internal bounty and swag details disclosed as part of JSON response
HackerOne $500 Private Program and bounty details disclosed as part of JSON search response
HackerOne $500 Number of invited researchers disclosed as part of JSON search response
$500 Injection of an arbitrary JavaScript script in the image viewing functionality of the mobile version of the site
QIWI $500 Open access to corporate data.
Slack $1,000 OSX slack:// protocol handler javascript injection
Flox $25 Content spoofing through Referer header
$300 Access to other users' group conversations.
$150 Critical : Access to group videos where videos are restricted for all users (Broken authentication)
Udemy $50 information disclosure
$200 Access to other users' private photos (3) via a video cover
Mail.Ru $150 Time-Based Blind SQL Injection Attacks
$500 (URGENT!) Buying OK for less than it costs
Mail.Ru $150 Cross site scripting
$200 Stored XSS in the song name (2) on the payment gateway.
$100 Buying => downloading songs that are not intended for sale
$150 Buying a song for less than it costs.
$150 xss in group
$100 cross site scripting in the blog
$500 SSRF/XSPA in the upload-video-by-URL form
Shopify $1,000 TCP Source Port Pass Firewall
$100 privilege escalation in apache tomcat SessionExample-script
Keybase $100 Full path disclosure at
WordPoints $25 Weak Cryptographic Hash
Mavenlink $25 Open/Unvalidated Redirect Issue
Keybase $250 Content Sniffing not disabled
Romit $250 GA code not verified on the server side allows sending Verification Documents on behalf of another user
Keybase $250 No rate limiting for sensitive actions (like "forgot password") enables user enumeration
Keybase $500 Stealing CSRF Tokens
Keybase $500 SMTP protection not used
Zaption $25 Open redirect filter bypass
Zaption $25 Using GET method for account login with CSRF token leaking to external sites Via Referer.
Zaption $50 XSS - Gallery Search Listing
Zendesk $200 Stored Cross site scripting In
Romit $250 No rate limit which leads to "Users information Disclosure" including verification documents etc.
HackerOne $500 Accessing title of the report of which you are marked as duplicate
QIWI $100 Session Cookie without HttpOnly and secure flag set
Mapbox $500 Disclosure of map information
Zendesk $50 Error stack trace enabled
Romit $250 Potential for financial loss, negative Values for "Buy fee" and "Sell Fee"
Ubiquiti Networks $500 Yet another Buffer Overflow in PHP of the AirMax Products
Ubiquiti Networks $500 Other Buffer Overflow in PHP of the AirMax Products
Udemy $150 Extremely high Course rating values could be set in order to make really high Average rating of the course. Negative values could be set too.
Shopify $3,000 Attention! Remote Code Execution at
Shopify $500 Reflected XSS in chat
Ubiquiti Networks $250 Buffer Overflow in PHP of the AirMax Products
Ubiquiti Networks $18,000 Arbitrary file Upload on AirMax
Python $1,000 Integer overflow in _json_encode_unicode leads to crash
Python $500 Integer overflow in _pickle.c
Python $1,000 Python: imageop Unsafe Arithmetic
PHP $500 PHP yaml_parse/yaml_parse_file/yaml_parse_url Unsafe Deserialization
PHP $1,500 PHP yaml_parse/yaml_parse_file/yaml_parse_url Double Free
PHP $500 str_repeat() sign mismatch based memory corruption
Python $500 Multiple type confusions in unicode error handlers
Python $500 Use after free in get_filter
Python $1,500 Multiple use after free bugs in json encoding
Python $1,500 Multiple use after free bugs in heapq module
Python $1,500 Multiple use after free bugs in element module
Python $500 Tokenizer crash when processing undecodable source code
PHP $500 php_stream_url_wrap_http_ex() type-confusion vulnerability
PHP $500 Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER
PHP $500 Type Confusion Vulnerability in SoapClient
PHP $1,500 Use after free vulnerability in unserialize() with DateInterval
The Internet $3,000 libcurl: URL request injection CVE-2014-8150
OpenSSL $2,500 Malformed ECParameters causes infinite loop CVE-2015-1788
PHP $1,500 Integer overflow in ftp_genlist() resulting in heap overflow CVE-2015-4022
PHP $1,500 ZIP Integer Overflow leads to writing past heap boundary CVE-2015-2331
PHP $1,000 Buffer Over-read in unserialize when parsing Phar CVE-2015-2783
PHP $1,000 Buffer Over flow when parsing tar/zip/phar in phar_set_inode CVE-2015-3329
OpenSSL $500 X509_to_X509_REQ NULL pointer deref CVE-2015-0288
PHP $1,500 Use After Free Vulnerability in unserialize() CVE-2015-2787
PHP $500 out of bounds read crashes php-cgi CVE-2014-9427
HackerOne $500 CSV Injection with the CSV export feature
$300 Vulnerability: creating photos without users' knowledge
Pornhub $5,000 Unauthenticated access to Content Management System -
Shopify $500 XSS at Bulk editing ProductVariants
Pornhub $2,500 Multiple endpoints are vulnerable to XML External Entity injection (XXE)
Pornhub $10,000 Publicly exposed SVN repository,
Hired $250 URGENT - Subdomain Takeover on due to unclaimed domain pointing to
Shopify $500 XSS in Myshopify Admin Site in DISCOUNTS
$250 Unlinking Twitter from any VK profile! + several design bugs
Automattic $100 Verification code issues for Two-Step Authentication
$100 Issue in the implementation of captcha and race condition
Shopify $1,000 Bypass access restrictions from API
InVision $150 Enumeration and Guessable Email (OWASP-AT-002) Through Login Form
Shopify $500 SSRF via 'Insert Image' feature of Products/Collections/Frontpage
Mail.Ru $160 [] CRLF Injection
Shopify $500 SSRF via 'Add Image from URL' feature
$200 Vulnerability allowing retrieval of all VK phone numbers (which double as profile logins)
Shopify $500 Expire User Sessions in Admin Site does not expire user session in Shopify Application in IOS
Mail.Ru $200 Possible xWork classLoader RCE:
Shopify $500 XSS at Bulk editing products
Shopify $500 XSS at importing Product List
Sandbox Escape $3,000 Microsoft Internet Explorer ActiveX Broker Allows EPM Bypass
Legal Robot $20 - Guessing registered users in
Shopify $500 [www.*] CRLF Injection
Legal Robot $20 No valid SPF record
HackerOne $500 mailto: link injection on
Mail.Ru $250 [] CRLF Injection
$200 Vulnerability in tagging locations on photos + feature + hacking
HackerOne $500 Invitation is not properly cancelled while inviting to bug reports.
$500 XSS at on IE using flash files
$400 Vulnerability in a user's private (personal) posts
Coinbase $5,000 OAuth authorization page vulnerable to clickjacking
Mail.Ru $150 Activities are not Protected and able to crash app using other app (Can Malware or third party app).
$100 Insufficient validation of Skype login
Mapbox $1,000 Stored Cross-Site Scripting in Map Share Page
Legal Robot $20 CSRF
Coinbase $5,000 Big Bug with Vault which i have already reported: Case #606962
Mail.Ru $250 HTML Injection on
$500 API: Bug in method auth.validatePhone
Legal Robot $40 Registration bypass using OAuth logical bug
$100 Able to intercept app Traffic after choosing up the Secured Connection using SSL (HTTPS)
Legal Robot $20 Missing security headers, possible clickjacking
Legal Robot $20 missing SPF for
Shopify $1,000 Privilege Escalation - A `MEMBER` with no ACCESS to `ORDERS` can still access the orders by using `Order Printer APP`
Romit $50 Cross site scripting
HackerOne $100 Potential denial of service in<program>/reward_settings
HackerOne $500 Logic error with notifications: user that has left team continues to receive notifications and can not 'clean' this area on account
Mavenlink $100 XSS in
HackerOne $500 External URL page bypass
Shopify $500 Bulk Discount App in exposes vulnerable to XSS
Udemy $150 Multiple sub domain are vulnerable because of leaking full path
Mail.Ru $150
Mail.Ru $200 Quagga (Router) : Default password and default enable password
Shopify $500 XSS in Admin site in TAX Overrides
Udemy $100 XSS on
Udemy $100 Ability to add phishing links in discussion, "Bypassing uneducational Links add"
Sandbox Escape $3,000 Internet Explorer Enhanced Protected Mode sandbox escape via a broker vulnerability
Udemy $150 leak receipt of another user
Udemy $100 xss on autosearch
Slack $100 Bypass of the SSRF protection (Slack commands, Phabricator integration)
Mail.Ru $400 Graphite exposed to the internet
Mail.Ru $400 stacked blind injection
HackerOne $500 Content Spoofing - External Link Warning Page
Udemy $150 log poison vulnerability through wordpress debug.log being publically available
Udemy $150 xss profile
HackerOne $500 Reopen Disable Accounts/ Hidden Access After Disable
drchrono $100 Accessing all appointments vulnerability
drchrono $150 Create and Update patients vulnerability
HackerOne $500 Fake URL + Additional vectors for homograph attack
HackerOne $500 Homograph attack
HackerOne $500 Making any Report Failed to load
Dropbox $512 XSS in dropbox main domain
Dropbox $216 Race condition when redeeming coupon codes
Shopify $500 Stored XSS in the Shopify Discussion Forums
Shopify $500 SSL cookie without secure flag set
Shopify $500 Content Spoofing
HackerOne $500 Homograph attack
Whisper $50 Insecure Local Data Storage : Application stores data using a binary sqlite database
Romit $50 HTML injection in email sent by
Coinbase $100 ByPassing the email Validation Email on Sign up process in mobile apps
Romit $50 Server responds with the server error logs on account creation
Vimeo $500 API: missing invalidation of OAuth2 Authorization Code during access revocation causes authorization bypass
Shopify $500 amazon aws s3 bucket content is public :-
Shopify $500 XSS in
Twitter $280 DOM based cookie bomb
HackerOne $500 Open-redirect on
Shopify $4,000 Notification request disclose private information about other myshopify accounts
Dropbox $512 SSRF vulnerability in app webhooks
Whisper $30 Missing DMARC record
Shopify $500 XSS on
HackerOne $1,000 SPF whitelist of mandrill leads to email forgery
Shopify $500 Invitation issue
Shopify $500 Payment gateway status transferred to Shopify without authentication
Shopify $1,000 Shop admin can change external login services
Shopify $1,000 IDOR expire other user sessions
Dropbox Acquisitions $216 Get email ID of any user on
Shopify $2,000 Shopify android client all API request's response leakage, including access_token, cookie, response header, response body content
Shopify $500 CSRF token fixation in facebook store app that can lead to adding attacker to victim acc
Shopify $1,000 [persistent cross-site scripting] customers can target admins
Shopify $500 Force 500 Internal Server Error on any shop (for one user)
Twitter $280 Ex-admin of an organization can delete team members
Shopify $500 Open Redirect after login at
Shopify $500 Authentication Failed Mobile version
Shopify $500 Open redirection in OAuth
drchrono $700 XML Parser Bug: XXE over which leads to RCE
PHP $3,000 Use after free vulnerability in unserialize()
PHP $2,500 SoapClient's __call() type confusion through unserialize()
PHP $2,500 Use after free vulnerability in unserialize() with DateTimeZone
PHP $2,500 Free called on uninitialized pointer in exif.c
OpenSSL $3,000 Segmentation fault for invalid PSS parameters
Python $9,000 Multiple Python integer overflows
Shopify $500 Missing spf flags for
Coinbase $1,000 Sandboxed iframes don't show confirmation screen
Mail.Ru $500 stored XSS in agent via sticker (smile)
Snapchat $100 Captcha Bypass in Snapchat's Geofilter Submission Process
Snapchat $100 Vulnerable to JavaScript injection. (WXS) (Javascript injection)!
Slack $100 Logout any user of same team
Mapbox $1,000 Persistent cross-site scripting (XSS) in map attribution
Shopify $500 Xss in website's link
Twitter $420 Insecure Direct Object Reference - access to other user/group DM's
Twitter $2,800 HTTP Response Splitting (CRLF injection) due to headers overflow
Mapbox $1,000 Stored xss in editor
Dropbox Acquisitions $216 XSS in
Twitter $1,400 XSS in
Phabricator $300 SSRF vulnerability (access to metadata server on EC2 and OpenStack)
Coinbase $100 Blacklist bypass on Callback URLs
Vimeo $250 [URGENT ISSUE] Add or Delete the videos in watch later list of any user .
Phabricator $300 XSS with Time-of-Day Format
Vimeo $250 Share your channel to any user on vimeo without following him
Vimeo $250 Invite any user to your group without even following him
Twitter $420 Insecure direct object reference - have access to deleted DM's
itBit Exchange $200 secretKey for OTP , is getting leaked in response of a delete request !
itBit Exchange $200 confirmation bypass of 2FA devices while they are deleting
Ubiquiti Networks $500 UniFi v3.2.10 Cross-Site Request Forgeries / Referer-Check Bypass
Vimeo $150 Insecure Direct Object References that allows to read any comment (even if it should be private)
Vimeo $500 Insecure Direct Object References in
Twitter $3,500 HTTP Response Splitting (CRLF injection) in report_story
HackerOne $500 Open redirect in "Language change".
Caviar $500 Remotely modifying courier Account Details
Vimeo $250 Post in private groups after getting removed
Flash $2,000 Flash Cross Domain Policy Bypass by Using File Upload and Redirection - only in Chrome
Vimeo $250 A user can enhance their videos with paid tracks without buying the track
Whisper $10 CVE-2014-0224 openssl ccs vulnerability
Whisper $100 Bypass pin(4 digit passcode on your android app)
Vimeo $500 A user can post comments on other user's private videos
Vimeo $250 A user can add videos to other user's private groups
Vimeo $250 A user can edit comments even after video comments are disabled
Twitter $560 open redirect sends authenticity_token to any website or (ip address)
Ubiquiti Networks $500 CSRF in login form would led to account takeover
The Internet $7,500 FREAK: Factoring RSA_EXPORT Keys to Impersonate TLS Servers
Twitter $1,400 XSS in original referrer after follow
Romit $50 The csrf token remains same after user logs in
Ruby on Rails $1,000 rails-ujs will send CSRF tokens to other origins
Twitter $560 Twitter Ads Campaign information disclosure through admin without any authentication.
Twitter $1,400 Open Redirect leak of authenticity_token lead to full account take over.
HackerOne $5,000 Improperly validated fields allows injection of arbitrary HTML via spoofed React objects
Vimeo $250 Vimeo + & Vimeo PRO Unauthorised Tax bypass
Mail.Ru $300 RCE via JDWP
Yelp $500 Information disclosure - emails disclosed in response >
Mail.Ru $150 Heartbleed
Mail.Ru $150 HDFS NameNode Public disclosure:
Todoist $25 Remotely removing credit cards from business accounts!
Todoist $25 Taking over a Business Account Admin
Twitter $1,400 Redirect URL in /intent/ functionality is not properly escaped
HackerOne $500 Team member invitations to sandboxed teams are not invalidated consistently (v2)
The Internet $5,000 Bad Write in TTF font parsing (win32k.sys)
Coinbase $100 open authentication bug
Slack $200 Team admin can add billing contacts
Dropbox Acquisitions $729 Privilege Escalation at invite feature
Twitter $140 Reporting user's profile by using another people's ID
The Internet $3,000 Heap overflow in H. Spencer’s regex library on 32 bit systems
Romit $50 Email Enumeration (POC)
QIWI $200 [] XSS + Misconfiguration
Mail.Ru $600 Same Origin Policy bypass
HackerOne $2,000 CSP Bypass: Click handler for links with data-method="post" can cause authenticity_token to be sent off domain
Flash $7,500 Use After Free in Flash MessageChannel.send can cause arbitrary code execution
Flash $10,000 Use after free during the StageVideoAvailabilityEvent can result in arbitrary code execution
Flash $10,000 Race condition in workers may cause an exploitable double free by abusing bytearray.compress()
InVision $200 Javascript Injection
itBit Exchange $50 Leakage of sensitive wallet tokens to third party sites
Flash $2,000 Adobe Flash Player Out-of-Bound Access Vulnerability
Vimeo $250 Red October
HackerOne $5,000 Markdown parsing issue enables insertion of malicious tags and event handlers
Twitter $560 Twitter Card - Parent Window Redirection
Slack $100 Team admin can change unauthorized team setting (allow_message_deletion)
Slack $200 Team admin can change unauthorized team setting (require_at_for_mention)
Romit $50 Frictionless Transferring of Wallet Ownership
Twitter $1,260 Problem with OAuth
HackerOne $500 Team member invitations to sandboxed teams are not invalidated consistently
HackerOne $500 Insecure Direct Object Reference vulnerability
Whisper $10 Error stack trace
Whisper $25 Directory index and information disclosure
HackerOne $5,000 Vulnerability with the way \ escaped characters in <> style links are rendered
Vimeo $250 CRITICAL vulnerability - Insecure Direct Object Reference - Unauthorized access to `Videos` of Channel whose privacy is set to `Private`.
Trello $128 [] CRLF Injection
Trello $64 [] Open Redirect
Vimeo $100 XSS on Vimeo
itBit Exchange $150 Stored xss in bank name withdraw
Vimeo $100 ftp upload of video allows naming that is not sanitized as the manual naming
itBit Exchange $50 weird bug! (missing validation on new email verification)
HackerOne $500 Improper way of validating a program
itBit Exchange $200 Unsecure data in "device" response - OTP
Vimeo $100 Vimeo Search - XSS Vulnerability []
Twitter $140 Insecure Data Storage in Vine Android App
itBit Exchange $50 Email Length Verification
itBit Exchange $500 Notification Emails: IP + Content-Spoofing
Ruby on Rails $500 RCE due to Web Console IP Whitelist bypass in Rails 4.0 and 4.1
Vimeo $1,000 XSS on any site that includes the moogaloop flash player | deprecated embed code
Twitter $140 Flaw in login with twitter to steal Oauth tokens
Mail.Ru $150 Heartbleed: ( port 1433
Vimeo $1,000 Make API calls on behalf of another user (CSRF protection bypass)
Mail.Ru $150 Hadoop Node available to public
Vimeo $100 CRITICAL full source code/config disclosure for Cameo
Twitter $420 twitter android app Fragment Injection
Vimeo $1,000 abusing Thumbnails( to see a private video
Vimeo $250 Ability to Download Music Tracks Without Paying (Missing permission check on`/musicstore/download`)
Mail.Ru $100 Disclosure of mobile phone number during two-factor authentication
Vimeo $100 - Reflected XSS Vulnerability
Vimeo $1,000 Adding profile picture to anyone on Vimeo
Vimeo $260 Buying ondemand videos that 0.1 and sometimes for free
Python $1,000 PyUnicode_FromFormatV crasher
Ruby on Rails $1,000 Arbitrary file existence disclosure in Action Pack CVE-2014-7829
Twitter $1,120 - an app admin can delete team members from other user apps
Twitter $1,400 - app member can make himself an admin
Vimeo $100 APIs for channels allow HTML entities that may cause XSS issue
Vimeo $5,000 Insecure Direct Object References Reset Password
Vimeo $100 - reflected xss vulnerability
Vimeo $100 - Reflected XSS Vulnerability
Uber $500 XSS on
Flash $1,000 chrome allows POST requests with custom headers using flash + 307 redirect
Twitter $420 URGENT - Subdomain Takeover on , the same issue of report #32825
Romit $250 stored xss in transaction
Twitter $1,400 HTML/XSS rendered in Android App of Crashlytics through
Romit $250 Stored XSS in api key of operator wallet
Romit $100 Error stack trace
Twitter $140 POODLE Bug:,,
Twitter $280 Open redirection in
Mail.Ru $100 No bruteforce protection leads to enumeration of emails in
Phabricator $500 Phabricator Phame Blog Skins Local File Inclusion
Vimeo $500 [] CRLF Injection
Phabricator $300 Phabricator Diffusion application allows unauthorized users to delete mirrors
Square $500 Delayed, fraudulent transactions possible with encrypted Square Reader devices due to lack of server-side verification of device transaction counter
Mail.Ru $250 [] Memory Disclosure / IE XSS
HackerOne $500 Issue with password change
HackerOne $500 Breaking Bugs as team member
Openfolio $100 xss in /browse/contacts/
Python $6,500 Misc Python bugs (Memory Corruption & Use After Free)
QIWI $150 [] Open Redirect
QIWI $100 Stored xss in
$1,000 Subdomain Takeover using pointing to Hubspot
Eobot $10 XSS in only)
Sucuri $250 Open Redirect in
InVision $150 CSRF Token in cookies!
Twitter $1,400 [Stored XSS] - profile page
Coinbase $100 New Device Confirmation, token is valid until not used.
QIWI $1,000 [] Soap-based XXE vulnerability /soapserver/
QIWI $100 [] /oauth/confirm.action XSS
Flash $2,000 Adobe Flash Player MP4 Use-After-Free Vulnerability
Apache httpd $500 mod_proxy_fcgi buffer overflow CVE-2014-3583
HackerOne $500 Logic Issue with Reputation: Boost Reputation Points
QIWI $250 CRLF Injection []
QIWI $200 [] XSS at auth?login=
QIWI $200 [] XSS proxy.html
Twitter $140 getting emails of users/removing them from victims account [using typical attack]
HackerOne $500 Gain reputation by creating a duplicate of an existing report
PHP $2,500 Locale::parseLocale Double Free
Twitter $280 XSS via Fabrico Account Name
Mail.Ru $500 Filtering error
$150 SMTP Protection not used, I can hijack your email server.
Twitter $420 Bad extended ascii handling in HTTP 301 redirects of
HackerOne $500 File Name Enumeration
Twitter $1,400 DOM Cross-Site Scripting ( XSS )
InVision $300 Backup of wordpress configuration file found. Leaking database users/passwords
Slack $500 a stored xss in slack integration
Twitter $1,680 URGENT - Subdomain Takeover on due to unclaimed domain pointing to AWS
Mail.Ru $200 OpenSSL HeartBleed (CVE-2014-0160)
Twitter $280 XSS in
The Internet $3,000 Drupal 7 pre auth sql injection and remote code execution
Twitter $140 Signup Page HTML Injection Vulnerability
RelateIQ $500 PoodleBleed
Flash $5,000 Adobe Flash Player Out-of-Bound Read/Write Vulnerability
HackerOne $1,000 Ability to see common response titles of other teams (limited)
WP API $50 Cryptographic Side Channel in OAuth Library
Twitter $420 Unauthorized Tweeting on behalf of Account Owners
Twitter $560 Improper Verification of email address while saving Account Settings
RelateIQ $250 Relateiq SSLv3 deprecated protocol vulnerability.
Flash $2,000 Adobe Flash Player MP4 Use-After-Free Vulnerability
Coinbase $100 New Device confirmation tokens are not properly validated.
Square $250 CSRF on adding a calendar event
Square $500 square google calendar integration CSRF, parameter not checking properly)
Square $500 CSRF on adding clients
The Internet $20,000 GNU Bourne-Again Shell (Bash) 'Shellshock' Vulnerability
Twitter $280 Profile Pic padding (Length-hiding) fails due to use of GZIP
HackerOne $500 homograph attack. IDNs displayed in unicode in bug reports and on external link warning page
IRCCloud $300 Unvalidated Channel names causes IRC Command Injection
Square $250 Privilege Escalation
WePay $350 Horizontal Privilege Escalation
Twitter $1,120 XSS | video-js metadata
HackerOne $500 No email verification on username change
Twitter $1,120 XSS
Sucuri $250 Usage of HTTP for exporting graph data as images
Square $250 Redirect while opening link in new tabs
Coinbase $100 Credit Card Validation Issue
HackerOne $500 Redirect FILTER bypass in report/comment
Mail.Ru $500 XSS via message id
Twitter $420 iOS App can establish Facetime calls without user's permission
Ruby on Rails $1,500 Active Record SQL Injection Vulnerability Affecting PostgreSQL CVE-2014-3483
Ruby on Rails $1,500 Active Record SQL Injection Vulnerability Affecting PostgreSQL CVE-2014-3482
PHP $2,500 SPL ArrayObject/SPLObjectStorage Unserialization Type Confusion Vulnerabilities CVE-2014-3515
Twitter $1,400 Cross site scripting on
HackerOne $500 Window Opener Property Bug
Twitter $1,400 Stored xss
Square $2,000 malicious file upload
Flash $1,000 Flash Local Sandbox Bypass CVE-2014-0554
Twitter $1,400 xss
Square $400 Reflected XSS in widget script thru cookie
Twitter $2,800 Delete Credit Cards from any Twitter Account in [New Vulnerability]
Square $1,000 Reflected XSS in
Square $750 Editing Client Details of other People
Twitter $140 Missing Rate Limiting on
The Internet $3,000 open redirect in rfc6749
Mail.Ru $1,337 XSS via .eml file
WePay $350 Critical : Account removing using CSRF attack
Twitter $140 Full path disclosure at
Square $2,000 CRITICAL Account takeover via AngularJS template injection in
Django $1,000 CSRF protection bypass on any Django powered site via Google Analytics
Square $500 XSS in Client Past Activity
Square $250 Open Redirect [FreshBook]
Square $500 XSS [BookFresh]
HackerOne $100 Change Any username and profile link in hackerone
Phabricator $400 Open redirection on
Mail.Ru $150 Strange SMS behaviour
HackerOne $500 Redirect while opening links in new tabs
Phabricator $300 Forgot Password Issue
Square $1,500 Blind SQL injection in
Slack $200 Content Spoofing all Integrations in
Slack $100 Content spoofing at Stripe Integrations
Mavenlink $50 privilege escalation
Mavenlink $200 Flash XSS on swfupload.swf showing at
Mavenlink $50 Clickjacking
Mavenlink $100 Login CSRF
Coinbase $1,000 Invoice Details activate JS that filled in
The Internet $3,000 rsync hash collisions may allow an attacker to corrupt or modify files
Apache httpd $500 moderate: mod_deflate denial of service CVE-2014-0118
Mail.Ru $150 File upload XSS using Content-Type header
Python $1,500 integer overflow in 'buffer' type allows reading memory
Mail.Ru $1,000 File upload "Chapito" circus
Mail.Ru $100 Forging a j2me app-descriptor
RelateIQ $100 Cross-site Scripting in mailing (username)
Mail.Ru $3,000 Possibility to attach any mobile number to any email
Sandbox Escape $5,000 .NET Type Traversal Vulnerability CVE-2014-0257
WePay $100 Unauthorized Access via Join Email Link
DC Compendium $25 Multiple Full Path Disclosure (FPD) Vulnerability on domain
RelateIQ $190 Resubmitted with POC #18685 Password reset CSRF
Phabricator $1,000 XSS in editor by any user
WePay $150 CSRF on email address operations. Also performing unintended operations.
WePay $500 Session Fixation
DC Compendium $50 Backend source code disclosure on 404 pages
DC Compendium $25 source code disclosure
Yahoo! $250 Yahoo! Reflected XSS
DC Compendium $25 XSS on Home page
DC Compendium $25 Error page Cross-site scripting
DC Compendium $25 Clickjacking: X-Frame-Options header missing
HackerOne $100 Denial of Service
The Internet $6,000 LZ4 Core CVE-2014-4611
IRCCloud $500 Reflected XSS in Pastebin-view
Yahoo! $50 Default /docs folder of PHPBB3 installation on
Phabricator $300 Broken Authentication and Session Management
HackerOne $100 Category- Broken Authentication and Session Management (leads to account compromise if some conditions are met)
Slack $100 Password Policy issue (Weak Protect)
Mail.Ru $400 SMS spam with custom content
Slack $100 Open Redirect login account
RelateIQ $250 SSRF (Portscan) via Register Function (Custom Server)
RelateIQ $200 Failed Certificate Validation On Custom Server (Register)
Yahoo! $200 Yahoo Sports Fantasy Golf (Join Public Group)
Phabricator $300 Abusing daemon logs for Privilege escalation under certain scenarios
The Internet $5,000 Multiple issues in looking-glass software (aka from web to BGP injections)
Phabricator $600 Abusing VCS control on phabricator
Mavenlink $50 Non Validation of session after password reset
HackerOne $100 Session not invalidated after password reset
Mail.Ru $150 SQL Injection on
Coinbase $1,000 Leaking CSRF token over HTTP resulting in CSRF protection bypass
Flash $3,000 Flash Sandbox Bypass CVE-2014-0535
Mavenlink $100 Password reset token not expiring
WePay $300 Open Redirect
Mavenlink $50 Clickjacking at main website
Mavenlink $50 Login password guessing attack
WePay $100 Session fixation in
Slack $300 SSRF on
Mail.Ru $300 SSRF
Automattic $250 privilege escalation
HackerOne $100 Potential denial of service in
Mail.Ru $1,000 sources disclosure
Sandbox Escape $10,000 Linux PI futex self-requeue bug CVE-2014-3153
IRCCloud $100 Host Header Injection -
Mail.Ru $500 XSS in login form
Yahoo! $100 Testing for user enumeration (OWASP-AT-002) -
Yahoo! $50 Authorization issue on
Mail.Ru $500 XSS in a file or folder name
Mail.Ru $700 XXE and SSRF on
Flash $7,500 Adobe Flash Player FileReference Use-after-Free Vulnerability CVE-2014-0538
Python $1,500 Python vulnerability: reading arbitrary process memory CVE-2014-4616
Mail.Ru $150 Stored XSS on
Mail.Ru $300 Stored XSS on
Mail.Ru $250 SQL injection
Yahoo! $250 Infrastructure and Application Admin Interfaces (OWASP-CM-007)
Mail.Ru $400 XSS in (Limited use)
Coinbase $100 CSRF in function "Set as primary" on accounts page
99designs $400 report a reflected XSS
Coinbase $100 CSRF on "Set as primary" option on the accounts page
Coinbase $1,000 Bypassing 2FA for BTC transfers
Mail.Ru $150 SQL inj
The Internet $3,000 Bypassing Same Origin Policy With JSONP APIs and Flash
Slack $500 Stored XSS in (integrations)
Mail.Ru $150 SQL
Mail.Ru $150 SQL inj
HackerOne $100 All Active user sessions should be deleted when user change his password!
Mail.Ru $200 Time based sql injection
Mail.Ru $200 SQL injection [hole in the forum engine]
Slack $500 Stored XSS Found
HackerOne $100 Anti-MIME-Sniffing header X-Content-Type-Options header has not been set.
Ian Dunn $25 Xss in CampTix Event Ticketing
Ian Dunn $25 Stored XSS in all fields in Basic Google Maps Placemarks Settings
Mail.Ru $250 Home page reflected XSS
Mail.Ru $150 localStorage is not cleared after logout
Mail.Ru $150 Clickjacking
Yahoo! $300 information disclosure (LOAD BALANCER + URI XSS)
Yahoo! $500 - XSS (STORED)
HackerOne $100 Password Reset Bug
HackerOne $150 Issue with remember_user_token
Yahoo! $250 readable .htaccess + Source Code Disclosure (+ .SVN repository)
Flash $2,000 Security bypass could lead to information disclosure
Yahoo! $2,500 Local File Include on
Yahoo! $400 - CSRF/email disclosure
IRCCloud $100 Login CSRF can be bypassed (Similar approach to previous one).
IRCCloud $1,000 Dangerous Persistent xss
Coinbase $100 2 factor authentication design flaw
IRCCloud $100 Host Header is not validated resulting in Open Redirect
The Internet $7,500 TLS Triple Handshake Attack
Yahoo! $500 XSS in
Yahoo! $250 Bypass of the Clickjacking protection on Flickr using data URL in iframes
IRCCloud $500 Persistent Cross Site Scripting within the IRCCloud Pastebin
IRCCloud $100 iOS application does not destroy session upon logout.
IRCCloud $100 Bug in iOS application which could lead to unauthorised access.
IRCCloud $100 Missing X-Content-Type-Options
IRCCloud $500 Full account takeover using CSRF and password reset
IRCCloud $500 Session Token is not Verified while changing Account Setting's which Result In account Takeover
IRCCloud $100 Leaking Referrer in Reset Password Link
IRCCloud $100 Bruteforcing irccloud login
IRCCloud $100 Unsecure cookies, cookie flag secure not set
IRCCloud $100 Sign up CSRF
IRCCloud $100 Login CSRF
Yahoo! $2,000 Open Proxy,, 4/09/14, #SpringClean
Yahoo! $200 CSRF Token is missing on DELETE message option on
Yahoo! $400 CSRF Token missing on
Yahoo! $3,000 REMOTE CODE EXECUTION/LOCAL FILE INCLUSION/XSPA/SSRF, view-source:http://sb*, 4/6/14, #SpringClean
Yahoo! $500 Comment Spoofing at
Python $1,500 Integer overflow in strop.expandtabs
Flash $2,000 Same Origin Security Bypass Vulnerability CVE-2014-0503
RelateIQ $100 Wildcard DNS in website
HackerOne $150 creating titleless and non-closable bugs
Yahoo! $1,000 Header injection on
Yahoo! $250 Cross-origin issue on
Yahoo! $300 reflected XSS,, 4/8/14, #SpringClean
Yahoo! $500 Significant Information Disclosure/Load balancer access,, 4/8/14, #SpringClean
InVision $200 captcha missing
Slack $500 Facebook Takeover using Slack using 302 from with access_token
Slack $300 Stored XSS in
HackerOne $100 Marking notifications as read CSRF bug
Coinbase $1,000 Multiple Issues related to registering applications
The Internet $500 Uncontrolled Resource Consumption with XMPP-Layer Compression
Coinbase $100 Coinbase Android Security Vulnerabilities
Yahoo! $100 XSS in Yahoo! Web Analytics
Coinbase $1,000 Coinbase Android Application - Bitcoin Wallet Leaks OAuth Response Code
Yahoo! $800 From Unrestricted File Upload to Remote Command Execution
Nginx $3,000 SPDY heap buffer overflow CVE-2014-0133
Nginx $3,000 SPDY memory corruption CVE-2014-0088
Slack $500 Duplicate of #4550
Slack $500 Stored XSS in Slackbot Direct Messages
Yahoo! $500 Server Side Request Forgery
RelateIQ $100 TRACE disclosure attack may be possible
Yahoo! $250 XSS Vulnerability (
Phabricator $300 Persistent XSS: Editor link
HackerOne $100 Securing sensitive pages from SearchBots
Phabricator $400 OAuth Stealing Attack (New)
Phabricator $300 Control character allowed in username
Phabricator $450 OAuth access_token stealing in Phabricator
Slack $500 flash content type sniff vulnerability in
RelateIQ $100 Captcha Bypass With Extension
Ruby on Rails $1,500 Directory traversal attack in view resolver CVE-2014-0130
Phabricator $300 UnAuthorized Editorial Publishing to Blogs
HackerOne $100 Control Characters Not Stripped From Username on Signup
Yahoo! $1,000 SQL Injection ON HK.Promotion
Slack $500 Reflected Xss
RelateIQ $100 HTML injection in "Invite Collaborators"
Slack $500 Stored XSS in Channel Chat
Slack $100 CSRF vulnerability on
Slack $500 Stored XSS in
Slack $200 URL redirection flaw
Slack $200 Stored XSS in
Yahoo! $100 configuration file disclosure
HackerOne $500 Weird Bug - Ability to see partial of other user's notification
Slack $100 Slack OAuth2 "redirect_uri" Bypass
Slack $100 Broken Authentication (including Slack OAuth bugs)
Slack $150 Reflective XSS can be triggered in IE
RelateIQ $100 Cross Site Scripting (XSS) -
RelateIQ $100 XSRF token problem
RelateIQ $100 Value of JSESSIONID and XSRF token parameter in cookie remains same before and after login
Sandbox Escape $5,000 Win32k Window Handle Vulnerability (EoP) CVE-2014-0262
Phabricator $500 Bypass (2)
Phabricator $300 Login CSRF using Twitter OAuth
Phabricator $1,000 Bypass
HackerOne $100 CSS leaks SCSS debug info
Flash $10,000 Flash double free vulnerability leads to code execution CVE-2014-0502
Yahoo! $1,500 XSS on Every page
Flash $2,000 Flash local-with-fileaccess Sandbox Bypass CVE-2014-0508
Yahoo! $1,276 HK.Yahoo.Net Remote Command Execution
Flash $2,000 Handling of jar: URIs bypasses AllowScriptAccess=never CVE-2014-0491
Flash $10,000 Flash type confusion vulnerability leads to code execution CVE-2013-5331
Yahoo! $1,390 Local file inclusion
Yahoo! $3,705 SQLi on
Yahoo! $750 Flickr: Invitations disclosure (resend feature)
HackerOne $100 DNS Misconfiguration
Yahoo! $800 HTML Injection on flickr screenname using IOS App
PHP $1,500 PHP Heap Overflow Vulnerability in imagecrop() CVE-2013-7226
Yahoo! $800 XSS in my yahoo
Yahoo! $2,500 Security.allowDomain("*") in SWFs on allows data theft from Yahoo Mail (and others)
Sandbox Escape $3,000 Linux 3.4+: arbitrary write with CONFIG_X86_X32 CVE-2014-0038
Yahoo! $1,960 Stored XSS Flickr main page
Yahoo! $2,173.75 Cross-site scripting on the main page of flickr by tagging a user.
Yahoo! $677.50 XSS Yahoo Messenger Via Calendar.Yahoo.Com
HackerOne $100 Autocomplete enabled in Paypal preferences
Phabricator $300 Improperly implemented password recovery link functionality
Phabricator $300 Log in a user to another account
HackerOne $100 A password reset page does not properly validate the authenticity token at the server side.
HackerOne $100 Information disclosure (reset password token) and changing the user's password
HackerOne $100 Improper session management
HackerOne $150 Switching the user to the attacker's account
HackerOne $500 Upload profile photo from URL
HackerOne $250 Email spoofing
HackerOne $100 CSRF login
HackerOne $150 Logical issues with account settings
PHP $4,000 PHP openssl_x509_parse() Memory Corruption Vulnerability CVE-2013-6420
The Internet $7,500 TLS Virtual Host Confusion
The Internet $1,500 OpenSSH: Memory corruption in AES-GCM support CVE-2013-4548
Ruby $1,500 Ruby: Heap Overflow in Floating Point Parsing CVE-2013-4164
HackerOne $100 DNS Cache Poisoning
HackerOne $100 Flawed account creation process allows registration of usernames corresponding to existing file names
HackerOne $500 PNG compression DoS
HackerOne $250 GIF flooding
HackerOne $500 Pixel flood attack
HackerOne $100 Session not expired on logout
HackerOne $250 CSP not consistently applied
HackerOne $500 RTL override symbol not stripped from file names
HackerOne $100 Session Management
HackerOne $100 Broken Authentication and session management OWASP A2
HackerOne $100 Real impersonation
HackerOne $500 Missing SPF for