Public Harvest bug reports.

Team Bounty Title
Harvest $300 [] Reflected XSS in Error Message via URL parameters
Harvest $400 Client can redirect payment, causing payment discrepancy between Harvest and PayPal
Harvest - Login bypass on travel.██████████ aka "Harvest Spring Summit 2017"
Harvest $250 Persistent XSS on ForecastApp
Harvest $300 Unauthorised read Access to Expense Receipt of any user in the company(Vertical Privilege escalation)
Harvest $250 Stored XSS in Restoring Archived Tasks
Harvest $100 Editing a project (LIMITED)
Harvest $150 Linking Invoice to uninvited project.
Harvest $300 Cookie Injection at ''
Harvest $500 Invoices can be added to any retainers - even closs-platform
Harvest $250 XSS on expenses attachments
Harvest $150 CSRF bypass on Submit Time sheet for Approval
Harvest $150 Project Manager can approve pending reports(Access control Issue)
Harvest $500 Possible to steal any protected files on Android
Harvest $150 Extracting private info of estimates.
Harvest $150 Unauthorized read access to Invoices by PM (Access control Issues)
Harvest $150 Unauthorized access to all the actions of invoices by PM (Access control Issues)
Harvest $100 PM can delete payment of any invoice in company (Access control Issue)
Harvest $100 Record payment for any invoice by PM (Access control Issue)
Harvest $100 PM can delete the company logo image (Vertical Privilege Escalation )
Harvest $250 PM with can Set up email for invoices and estimates (Access control Issue)
Harvest $150 Opportunity to set arbitrary cookies
Harvest $500 Project Disclosure of all Harvest Instances
Harvest $1,000 Leak of all project names and all user names , even across applications
Harvest $350 Users enumeration is possible through cycling through recurring[client_id] argument value.
Harvest $350 Stored XSS on invoice, executing on any subdomain
Harvest $250 CSRF token fixation in Sign in with Google
Harvest $1,000 S3 bucket takeover due to
Harvest $100 Cross-Site Request Forgery (CSRF)