Public Gratipay bug reports.
4,419 Bug Reports - $2,030,173 Paid Out
Last Updated: 12th September, 2017
| Team | Bounty | Title |
|---|---|---|
| Gratipay | - | Reflected XSS - gratipay.com |
| Gratipay | - | Gratipay rails secret token (secret_key_base) publicly exposed in GitHub |
| Gratipay | - | xss |
| Gratipay | - | Sub domain take over in gratipay.com |
| Gratipay | - | SQL TEST |
| Gratipay | - | self cross site scripting |
| Gratipay | - | SSL Weak Ciphers |
| Gratipay | - | Possible User Session Hijack using Invalid HTTPS certificate on inside.gratipay.com domain |
| Gratipay | - | Possible user session hijack by invalid HTTPS certificate on inside.gratipay.com domain |
| Gratipay | - | CSP Policy Bypass and javascript execution Still Not Fixed |
| Gratipay | - | CSP Policy Bypass and javascript execution |
| Gratipay | - | Email Spoofing |
| Gratipay | - | Gratipay Website CSP "script-src" includes "unsafe-inline" |
| Gratipay | - | CSP "script-src" includes "unsafe-inline" in https://gratipay.com |
| Gratipay | - | Unauthorized access to the slack channel via inside.gratipay.com/appendices/chat |
| Gratipay | - | Transferring incorrect data to the http://gip.rocks/v1 endpoint with correct Content-Type leads to local paths disclosure through the error message |
| Gratipay | - | POODLE SSLv3.0 |
| Gratipay | - | Content-Length restriction bypass to heap overflow in gip.rocks. |
| Gratipay | $1 | Inadequate/dangerous jQuery behavior |
| Gratipay | - | URL Given leading to end users ending up in malicious sites |
| Gratipay | - | HTTP trace method is enabled on aspen.io |
| Gratipay | - | Content length restriction bypass can lead to DOS by reading large files on gip.rocks |
| Gratipay | - | HTTP trace method is enabled on gip.rocks |
| Gratipay | - | Session Fixation At Logout /Session Misconfiguration |
| Gratipay | - | User Enumeration |
| Gratipay | - | Content type incorrectly stated |
| Gratipay | - | Gratipay uses the random module's cryptographically insecure PRNG. |
| Gratipay | - | Cookie HttpOnly Flag Not Set |
| Gratipay | - | Certificate signed using SHA-1 |
| Gratipay | - | Secure Pages Include Mixed Content |
| Gratipay | $1 | Incomplete or No Cache-control and Pragma HTTP Header Set |
| Gratipay | - | CSRF csrftoken in cookies |
| Gratipay | - | Username Restriction is not applied for reserved folders |
| Gratipay | - | Username can be used to trick the victim on the name of www.gratipay.com |
| Gratipay | - | Lack of CSRF token validation at server side |
| Gratipay | - | Insecure Transportation Security Protocol Supported (TLS 1.0) |
| Gratipay | - | x-xss protection header is not set in response header |
| Gratipay | - | Cross Site Scripting In Profile Statement |
| Gratipay | - | Usernames ending in .json are not restricted |
| Gratipay | - | Reset Link Issue |
| Gratipay | - | XSS Via Method injection |
| Gratipay | - | Host Header poisoning on gratipay.com |
| Gratipay | - | Cookie:HttpOnly Flag not set |
| Gratipay | - | nginx version disclosure on downloads.gratipay.com |
| Gratipay | - | Host Header Injection/Redirection Attack |
| Gratipay | $1 | Avoid "resend verification email" confusion |
| Gratipay | $1 | Content Spoofing/Text Injection |
| Gratipay | - | [gratipay.com] Cross Site Tracing |
| Gratipay | - | Username .. (double dot) should be restricted or handled carefully |
| Gratipay | - | User Supplied links on profile page are not validated and redirected via gratipay. |
| Gratipay | - | The contribution save option seems to be vulnerable to CSRF |
| Gratipay | - | don't leak Server version for assets.gratipay.com |
| Gratipay | - | don't allow directory browsing on grtp.co |
| Gratipay | - | This is a test report |
| Gratipay | - | prevent null bytes in email field |
| Gratipay | - | don't leak Server version for assets.gratipay.com |
| Gratipay | - | set Expires header |
| Gratipay | $40 | upgrade Aspen on inside.gratipay.com to pick up CR injection fix |
| Gratipay | $10 | configure a redirect URI for Facebook OAuth |
| Gratipay | - | don't store CSRF tokens in cookies |
| Gratipay | - | don't expose path of Python |
| Gratipay | $1 | don't leak server version of grtp.co in error pages |
| Gratipay | - | PHP 5.4.45 is Outdated and Full of Performance Interrupting Arbitrary Code Execution Bugs |
| Gratipay | $1 | bring grtp.co up to A grade on SSLLabs |
| Gratipay | - | Submit a non valid syntax email |
| Gratipay | - | Possible Blind SQL injection \| Language choice in presentation |
| Gratipay | - | After removing app from facebook app session not expiring. |
| Gratipay | - | prevent %2f spoofed URLs in profile statement |
| Gratipay | $10 | Send email asynchronously |
| Gratipay | - | text injection in website title |
| Gratipay | $10 | fix bug in username restriction |
| Gratipay | - | Getting Error Message and in use python version 2.7 is exposed. |
| Gratipay | - | An adversary can harvest email address for spamming. |
| Gratipay | $1 | Limit email address length |
| Gratipay | $10 | prevent content spoofing on /~username/emails/verify.html |
| Gratipay | $1 | Hijacking user session by forcing the use of invalid HTTPS Certificate on images.gratipay.com |
| Gratipay | - | csrf_token cookie doesn't have the flag "HttpOnly" |
| Gratipay | $1 | auto-logout after 20 minutes |
| Gratipay | $1 | Cookie Does Not Contain The "secure" Attribute |
| Gratipay | - | Vulnerable to clickjacking |
| Gratipay | $1 | suppress version in Server header on gratipay.com or grtp.co |
| Gratipay | $1 | don't serve hidden files from Nginx |
| Gratipay | - | X-Content-Type Header Missing For aspen.io |
| Gratipay | $1 | limit number of images in statement |
| Gratipay | $1 | strengthen Diffie-Hellman (DH) key exchange parameters in grtp.co |
| Gratipay | $1 | stop serving grtp.co over HTTP |
| Gratipay | $10 | DMARC is misconfigured for grtp.co |
| Gratipay | - | Login csrf. |
| Gratipay | $10 | Prevent content spoofing on /~username/emails/verify.html |
| Gratipay | $2 | SPF/DKIM/DMARC for aspen.io |
| Gratipay | $2 | SPF/DKIM/DMARC for grtp.co |
| Gratipay | $1 | limit HTTP methods on other domains |
| Gratipay | $10 | Email Forgery through Mandrillapp SPF |
| Gratipay | $10 | No Valid SPF Records. |
| Gratipay | - | UDP port 5060 (SIP) Open |
| Gratipay | - | server calendar and server status available to public |
| Gratipay | - | proxy port 7000 and shell port 514 not filtered |
| Gratipay | - | Markdown parsing issue enables insertion of malicious tags |
| Gratipay | $1 | The POODLE attack (SSLv3 supported) for https://grtp.co/ |
| Gratipay | - | nginx SPDY heap buffer overflow for https://grtp.co/ |
| Gratipay | $10 | prevent content spoofing on /search |
| Gratipay | $5 | SPF DNS Record |
| Gratipay | - | grtp.co is vulnerable to http-vuln-cve2011-3192 |
| Gratipay | $15 | Sub Domain Take over |
| Gratipay | - | Directory Listing on grtp.co |
| Gratipay | $5 | HTTP trace method is enabled |
| Gratipay | - | Harden resend throttling |
| Gratipay | - | SPF Protection not used, I can hijack your email server |
| Gratipay | - | change bank account numbers |
| Gratipay | - | implement a cross-domain policy for Adobe products |
| Gratipay | - | Mail spamming |
| Gratipay | - | Stored XSS On Statement |
| Gratipay | - | DKIM records not present, Email Hijacking is possible |
| Gratipay | $1 | Possible SQL injection on "Jump to twitter" |
| Gratipay | - | Authentication errors in server side validation of E-MAIL |
| Gratipay | - | [gratipay.com] CRLF Injection |
| Gratipay | - | Self XSS Protection not used, I can trick users to insert JavaScript |
| Gratipay | - | weak ssl cipher suites |