Public Cuvva bug reports.

Team Bounty Title
Cuvva - CSRF on allows an attacker to send multiple SMS to download the app without visiting the cuvva
Cuvva - Session cookie without secure flag on
Cuvva - Sensitive Support Mail Disclosure
Cuvva - Missing rate-limits at endpoints
Cuvva - IDOR spam anyone's cellphone number through Cuvva app link
Cuvva - Missing Rate limiting on
Cuvva - Subdomain take over and
Cuvva - Verification code for Underwriter dashboard can be brute-forced
Cuvva - Your two domain login email address are disclosed in
Cuvva - Clickjacking vulnerability in
Cuvva - CRLF Injection []
Cuvva - is vulnerable to Clickjacking attacks due to missing X-Frame-Options
Cuvva - Missing rate limit on
Cuvva - website CSP "script-src" includes "unsafe-inline"
Cuvva - RC4 cipher suite in use in
Cuvva - vulnerable to sweet32
Cuvva - Reflected XSS on Branch domain
Cuvva - No rate limiting at POST /2/2017-05-22/send_identifier_token