Public Gratipay bug reports.

Team Bounty Title
Gratipay - Reflected XSS -
Gratipay - Gratipay rails secret token (secret_key_base) publicly exposed in GitHub
Gratipay - xss
Gratipay - Sub domain take over in
Gratipay - SQL TEST
Gratipay - self cross site scripting
Gratipay - SSl Weak Ciphers
Gratipay - Possible User Session Hijack using Invalid HTTPS certificate on domain
Gratipay - Possible user session hijack by invalid HTTPS certificate on domain
Gratipay - CSP Policy Bypass and javascript execution Still Not Fixed
Gratipay - CSP Policy Bypass and javascript execution
Gratipay - Email Spoofing
Gratipay - Gratipay Website CSP "script-scr" includes "unsafe-inline"
Gratipay - CSP "script-src" includes "unsafe-inline" in
Gratipay - Unauthorized access to the slack channel via
Gratipay - Transferring incorrect data to the endpoint with correct Content-Type leads to local paths disclosure through the error message
Gratipay - POODLE SSLv3.0
Gratipay - Content-Length restriction bypass to heap overflow in
Gratipay $1 Inadequate/dangerous jQuery behavior
Gratipay - URL Given leading to end users ending up in malicious sites
Gratipay - HTTP trace method is enabled on
Gratipay - Content length restriction bypass can lead to DOS by reading large files on
Gratipay - HTTP trace method is enabled on
Gratipay - Session Fixation At Logout /Session Misconfiguration
Gratipay - User Enumeration
Gratipay - Content type incorrectly stated
Gratipay - Gratipay uses the random module's cryptographically insecure PRNG.
Gratipay - Cookie HttpOnly Flag Not Set
Gratipay - Certificate signed using SHA-1
Gratipay - Secure Pages Include Mixed Content
Gratipay $1 Incomplete or No Cache-control and Pragma HTTP Header Set
Gratipay - CSRF csrftoken in cookies
Gratipay - Username Restriction is not applied for reserved folders
Gratipay - Username can be used to trick the victim on the name of
Gratipay - Lack of CSRF token validation at server side
Gratipay - Insecure Transportation Security Protocol Supported (TLS 1.0)
Gratipay - x-xss protection header is not set in response header
Gratipay - Cross Site Scripting In Profile Statement
Gratipay - Usernames ending in .json are not restricted
Gratipay - Reset Link Issue
Gratipay - XSS Via Method injection
Gratipay - Host Header poisoning on
Gratipay - Cookie:HttpOnly Flag not set
Gratipay - nginx version disclosure on
Gratipay - Host Header Injection/Redirection Attack
Gratipay $1 Avoid "resend verification email" confusion
Gratipay $1 Content Spoofing/Text Injection
Gratipay - [] Cross Site Tracing
Gratipay - Username .. (double dot) should be restricted or handled carefully
Gratipay - User Supplied links on profile page is not validated and redirected via gratipay.
Gratipay - The contribution save option seem to be vulnerable to CSRF
Gratipay - don't leak Server version for
Gratipay - don't allow directory browsing on
Gratipay - This is a test report
Gratipay - prevent null bytes in email field
Gratipay - don't leak Server version for
Gratipay - set Expires header
Gratipay $40 upgrade Aspen on to pick up CR injection fix
Gratipay $10 configure a redirect URI for Facebook OAuth
Gratipay - don't store CSRF tokens in cookies
Gratipay - don't expose path of Python
Gratipay $1 don't leak server version of in error pages
Gratipay - PHP 5.4.45 is Outdated and Full of Preformance Interupting Arbitrary Code Execution Bugs
Gratipay $1 bring up to A grade on SSLLabs
Gratipay - Submit a non valid syntax email
Gratipay - Possible Blind SQL injection | Language choice in presentation
Gratipay - After removing app from facebook app session not expiring.
Gratipay - prevent %2f spoofed URLs in profile statement
Gratipay $10 Send email asynchronously
Gratipay - text injection in website title
Gratipay $10 fix bug in username restriction
Gratipay - Getting Error Message and in use python version 2.7 is exposed.
Gratipay - An adversary can harvest email address for spamming.
Gratipay $1 Limit email address length
Gratipay $10 prevent content spoofing on /~username/emails/verify.html
Gratipay $1 Hijacking user session by forcing the use of invalid HTTPs Certificate on
Gratipay - csrf_token cookie don't have the flag "HttpOnly"
Gratipay $1 auto-logout after 20 minutes
Gratipay $1 Cookie Does Not Contain The "secure" Attribute
Gratipay - Vulnerable to clickjacking
Gratipay $1 suppress version in Server header on or
Gratipay $1 don't serve hidden files from Nginx
Gratipay - X-Content-Type Header Missing For
Gratipay $1 limit number of images in statement
Gratipay $1 strengthen Diffie-Hellman (DH) key exchange parameters in
Gratipay $1 stop serving over HTTP
Gratipay $10 DMARC is misconfigured for
Gratipay - Login csrf.
Gratipay $10 Prevent content spoofing on /~username/emails/verify.html
Gratipay $2 SPF/DKIM/DMARC for
Gratipay $2 SPF/DKIM/DMARC for
Gratipay $1 limit HTTP methods on other domains
Gratipay $10 Email Forgery through Mandrillapp SPF
Gratipay $10 No Valid SPF Records.
Gratipay - UDP port 5060 (SIP) Open
Gratipay - server calendar and server status available to public
Gratipay - proxy port 7000 and shell port 514 not filtered
Gratipay - Markdown parsing issue enables insertion of malicious tags
Gratipay $1 The POODLE attack (SSLv3 supported) for
Gratipay - nginx SPDY heap buffer overflow for
Gratipay $10 prevent content spoofing on /search
Gratipay $5 SPF DNS Record
Gratipay - is vulnerable to http-vuln-cve2011-3192
Gratipay $15 Sub Domian Take over
Gratipay - Directory Listing on
Gratipay $5 HTTP trace method is enabled
Gratipay - Harden resend throttling
Gratipay - SPF Protection not used, I can hijack your email server
Gratipay - change bank account numbers
Gratipay - implement a cross-domain policy for Adobe products
Gratipay - Mail spaming
Gratipay - Stored XSS On Statement
Gratipay - DKIM records not present, Email Hijacking is possible
Gratipay $1 Possible SQL injection on "Jump to twitter"
Gratipay - Authentication errors in server side validaton of E-MAIL
Gratipay - [] CRLF Injection
Gratipay - Self XSS Protection not used , I can trick users to insert JavaScript
Gratipay - weak ssl cipher suites