| Program | Bounty | Title |
| --- | --- | --- |
| HackerOne | - | IDOR on HackerOne Feedback Review |
| HackerOne | $1,500 | Reading redacted data via hackbot's answers |
| HackerOne | - | Invitation tokens leak to Google Analytics |
| HackerOne | $10,000 | WannaCrypt “Killswitch” |
| HackerOne | $500 | HackerOne reports escalation to JIRA is CSRF vulnerable |
| HackerOne | $1,000 | Changing Victim's JIRA Integration Settings Through Multiple Bugs |
| HackerOne | - | www.hackerone.com website CSP "script-src" includes "unsafe-inline" |
| HackerOne | - | Insecure SHA1withRSA in b5s.hackerone-ext-content.com and a4l.hackerone-ext-content.com |
| HackerOne | $750 | Race condition leads to duplicate payouts |
| HackerOne | $500 | Subdomain takeover #4 at info.hacker.one |
| HackerOne | - | Example HackerOne security@ forward domain is not registered |
| HackerOne | $1,000 | Subdomain takeover #3 at info.hacker.one |
| HackerOne | - | CRLF injection in info.hacker.one |
| HackerOne | $2,000 | A HackerOne employee's GitHub personal access token exposed in Travis CI build logs |
| HackerOne | $500 | Report invitation links not restricted to any existing user |
| HackerOne | $750 | IE 11 Self-XSS on Jira Integration Preview Base Link |
| HackerOne | $500 | Transitioning a Private Program to Public Does Not Clear Previously Private Updates to Hackers |
| HackerOne | $100 | javascript: and mailto: links are allowed in JIRA integration settings |
| HackerOne | $1,000 | Subdomain takeover #2 at info.hacker.one |
| HackerOne | - | Able to create basic user account via Google login on HackerOne Drupal CMS |
| HackerOne | $750 | Information leakage via CSV when content is valid JavaScript |
| HackerOne | $1,500 | Stealing contact form data on www.hackerone.com using Marketo Forms XSS with postMessage frame-jumping and jQuery-JSONP |
| HackerOne | $1,000 | Subdomain takeover at info.hacker.one |
| HackerOne | $500 | Google Analytics could be used as CSP bypass for data exfiltration on hackerone.com |
| HackerOne | $2,000 | Disclose any user's private email through API |
| HackerOne | - | Report redaction doesn't apply to report title update activities |
| HackerOne | $500 | Websites opened from reports can change url of report page |
| HackerOne | $10,000 | Information Disclosure in /skills call |
| HackerOne | $12,500 | Internal attachments can be exported via "Export as .zip" feature |
| HackerOne | $10,000 | Partial disclosure of report activity through new "Export as .zip" feature |
| HackerOne | - | Limited Open redirection using SSO-SAML |
| HackerOne | - | Information disclosure via policy update notifications after removal from program |
| HackerOne | - | Possible CSRF during external programs |
| HackerOne | - | Researcher gets email updates on a private program after he/she quits that program. |
| HackerOne | - | Obtain the username & the uid of the one doing the S3 sync on Hackerone |
| HackerOne | - | (HackerOne SSO-SAML) Login CSRF, Open Redirect, and Self-XSS Possible Exploitation |
| HackerOne | $500 | Bypass rate limiting on /users/password (possibly site-wide rate limit bypass?) |
| HackerOne | - | Ability to enumerate private programs using SAML |
| HackerOne | - | Users contents on AWS is cacheable |
| HackerOne | - | Ability to monitor reports' submission in real time |
| HackerOne | $500 | Information leakage of private program |
| HackerOne | $500 | Requesting Mediation possible on reports that are too old for mediation |
| HackerOne | $1,000 | Hacker.One Subdomain Takeover |
| HackerOne | $500 | Non-secure requests are not automatically upgraded to HTTPS |
| HackerOne | $500 | Disclosure of external users invited to a specific report |
| HackerOne | - | Reward Money Leakage |
| HackerOne | - | Possible CSRF during joining report as participant |
| HackerOne | $500 | Know undisclosed Bounty Amount when Bounty Statistics are enabled. |
| HackerOne | $500 | Race Conditions in Popular reports feature. |
| HackerOne | $500 | All information is not removed from published reports |
| HackerOne | $500 | Able to remove the admin access of my program |
| HackerOne | - | Denial of service in report view. |
| HackerOne | - | Inadequate access controls in "Vote" functionality??? |
| HackerOne | $2,500 | RCE in profile picture upload |
| HackerOne | - | Manipulate report timeline activity by using null byte. |
| HackerOne | - | Reputation Manipulation (Theoretical) |
| HackerOne | - | Missing Certificate Authority Authorization rule |
| HackerOne | $2,500 | AWS S3 bucket writeable for authenticated aws users |
| HackerOne | - | Deleted name still present via mouseover functionality for user accounts |
| HackerOne | $1,500 | Web Authentication Endpoint Credentials Brute-Force Vulnerability |
| HackerOne | - | DOS Report FILE html inside <code> in markdown |
| HackerOne | $500 | New hacktivity view discloses report IDs of non-public reports |
| HackerOne | $500 | New hacktivity view discloses report IDs of non-public reports |
| HackerOne | - | HackerOne Important Emails Notification are sent in clear-text |
| HackerOne | $1,500 | External programs revealing info |
| HackerOne | $500 | Websites opened from reports can change url of report page |
| HackerOne | - | External links should use rel="noopener" or use the redirect service |
| HackerOne | $500 | Disclosure of private programs that have an "external" page on HackerOne |
| HackerOne | $500 | CSV Injection via the CSV export feature |
| HackerOne | - | Sending emails (via HackerOne) impersonating other users |
| HackerOne | $500 | SECURITY: Referencing previous Reports attachment_IDs on new Reports via Draft_Sync DELETES Attachments |
| HackerOne | - | Unauthorized Team members viewing |
| HackerOne | $500 | Mediation link can be accepted by other users |
| HackerOne | - | Possible XSS |
| HackerOne | - | Email Address Leak |
| HackerOne | $1,000 | Edit Auto Response Messages |
| HackerOne | - | Race Conditions Exist When Accepting Invitations |
| HackerOne | $500 | User with Read-Only permissions can edit the Internal comment Activities on Bug Reports After Revoke the team access permissions |
| HackerOne | $500 | Distinguish EP+Private vs Private programs in HackerOne |
| HackerOne | - | User with Read-Only permissions can edit the SwagAwarded Activities on Bug Reports |
| HackerOne | $500 | User with Read-Only permissions can manually public disclosure the report |
| HackerOne | - | Abusing HOF rankings in limited circumstances |
| HackerOne | - | Denial of Service any Report |
| HackerOne | $500 | CSV Injection at the CSV export feature |
| HackerOne | $500 | Increase number of bugs by sending duplicate of your own valid report |
| HackerOne | $500 | Private Program Disclosure in /:handle/settings/allow_report_submission.json endpoint |
| HackerOne | - | Null byte injection |
| HackerOne | $500 | Private Program Disclosure in /:handle/reports/draft.json endpoint |
| HackerOne | $5,000 | Private program activity timeline information disclosure |
| HackerOne | $500 | Putting link inside link in markdown |
| HackerOne | $500 | Multiple issues with Markdown and URL parsing |
| HackerOne | $500 | Unintended HTML inclusion as a result of https://hackerone.com/reports/110578 |
| HackerOne | $500 | Interstitial redirect bypass / open redirect in https://hackerone.com/zendesk_session |
| HackerOne | - | Report title and issue information prepopulated |
| HackerOne | - | attack in not an authorized user |
| HackerOne | $500 | CSV Injection via the CSV export feature |
| HackerOne | $500 | HTML injection can lead to data theft |
| HackerOne | $500 | User with Read-Only permissions can request/approve public disclosure |
| HackerOne | - | Requesting unknown file type returns Ruby object w/ address |
| HackerOne | - | Signals get affected once reports closed as self |
| HackerOne | - | HackerOne is still prone to Internet Explorer UXSS |
| HackerOne | $500 | Team Member(s) associated with a Group have Read-only permission (Post internal comments) can post comment to all the participants |
| HackerOne | $500 | Improve signals in reputation |
| HackerOne | $500 | Team Member(s) associated with a Custom Group Created with 'Program Management' only permissions can Comments on Bug Reports |
| HackerOne | $500 | Parameter pollution in social sharing buttons |
| HackerOne | $500 | Know whether private program for company exist or not |
| HackerOne | $2,500 | CSRF possible when SOP Bypass/UXSS is available |
| HackerOne | $1,000 | Pre-generation of 2FA secret/backup codes seems like an unnecessary risk |
| HackerOne | $500 | Limited CSRF bypass. |
| HackerOne | - | profile cover can also load external URL's |
| HackerOne | $2,500 | Cross-domain AJAX request |
| HackerOne | - | Hackerone impersonation |
| HackerOne | $1,000 | HTTP header injection in info.hackerone.com allows setting cookies for hackerone.com |
| HackerOne | $2,500 | Send AJAX request to external domain |
| HackerOne | - | Minimum bounty of a private program is visible for users that were removed from the program |
| HackerOne | - | HackerOne Private Programs users disclosure and de-anonymous-ize |
| HackerOne | - | Content spoofing on invitations page |
| HackerOne | - | Minor Bug: Public un-compiled CSS with original sass, versioning, source map, comments, etc. |
| HackerOne | - | Weak HSTS age in support hackerone site |
| HackerOne | $500 | Internal bounty and swag details disclosed as part of JSON response |
| HackerOne | $500 | Private Program and bounty details disclosed as part of JSON search response |
| HackerOne | $500 | Number of invited researchers disclosed as part of JSON search response |
| HackerOne | $500 | Accessing title of the report of which you are marked as duplicate |
| HackerOne | $500 | CSV Injection with the CSV export feature |
| HackerOne | - | Redirection Page throwing error instead of redirecting to site |
| HackerOne | $500 | mailto: link injection on https://hackerone.com/directory |
| HackerOne | $500 | Invitation is not properly cancelled while inviting to bug reports. |
| HackerOne | $100 | Potential denial of service in hackerone.com/<program>/reward_settings |
| HackerOne | $500 | Logic error with notifications: user that has left team continues to receive notifications and can not 'clean' this area on account |
| HackerOne | $500 | External URL page bypass |
| HackerOne | - | Email Notification should be get while changing Paypal Email |
| HackerOne | - | Logical Issue (Boosting Reputation points) |
| HackerOne | $500 | Content Spoofing - External Link Warning Page |
| HackerOne | $500 | Reopen Disable Accounts/ Hidden Access After Disable |
| HackerOne | $500 | Fake URL + Additional vectors for homograph attack |
| HackerOne | $500 | Homograph attack |
| HackerOne | - | Homograph Attack |
| HackerOne | $500 | Making any Report Failed to load |
| HackerOne | $500 | Homograph attack |
| HackerOne | - | Missing spf flags for hackerone.com |
| HackerOne | $500 | Open-redirect on hackerone.com |
| HackerOne | $1,000 | SPF whitelist of mandrill leads to email forgery |
| HackerOne | - | Reflected Filename Download |
| HackerOne | - | "learn more here", reward email - domain expired. |
| HackerOne | $500 | Open redirect in "Language change". |
| HackerOne | - | Reflected File Download attack allows attacker to 'upload' executables to hackerone.com domain |
| HackerOne | $5,000 | Improperly validated fields allows injection of arbitrary HTML via spoofed React objects |
| HackerOne | - | Auto Approval of Invitation to join Team as a Team member |
| HackerOne | - | Substantially weakened authenticity verification when using 'Remember me for a week' |
| HackerOne | $500 | Team member invitations to sandboxed teams are not invalidated consistently (v2) |
| HackerOne | - | Restrict any user from logging into his account. |
| HackerOne | $2,000 | CSP Bypass: Click handler for links with data-method="post" can cause authenticity_token to be sent off domain |
| HackerOne | - | Markdown code block sequence makes report unreadable |
| HackerOne | $5,000 | Markdown parsing issue enables insertion of malicious tags and event handlers |
| HackerOne | $500 | Team member invitations to sandboxed teams are not invalidated consistently |
| HackerOne | $500 | Insecure Direct Object Reference vulnerability |
| HackerOne | - | In markdown, parsing things like @danlec and #46072 after links is unsafe |
| HackerOne | $5,000 | Vulnerability with the way \ escaped characters in <http://danlec.com> style links are rendered |
| HackerOne | $500 | Improper way of validating a program |
| HackerOne | - | Add text to the title of the page "Thanks" |
| HackerOne | - | HTTPS is not enforced for objects stored by HackerOne on Amazon S3 |
| HackerOne | - | Reflected File Download |
| HackerOne | - | URL Crashing browser. {Tested on firefox, Chrome and Safari} |
| HackerOne | $500 | Issue with password change |
| HackerOne | $500 | Breaking Bugs as team member |
| HackerOne | $500 | Logic Issue with Reputation: Boost Reputation Points |
| HackerOne | $500 | Gain reputation by creating a duplicate of an existing report |
| HackerOne | $500 | File Name Enumeration |
| HackerOne | - | Enumeration/Guess of Private (Invited) Programs |
| HackerOne | - | Content Spoofing via reports |
| HackerOne | $1,000 | Ability to see common response titles of other teams (limited) |
| HackerOne | $500 | homograph attack. IDNs displayed in unicode in bug reports and on external link warning page |
| HackerOne | $500 | No email verification on username change |
| HackerOne | - | "early preview" programs disclosure |
| HackerOne | $500 | Redirect FILTER bypass in report/comment |
| HackerOne | $500 | Window Opener Property Bug |
| HackerOne | - | Notification of previous signed out user leakage. |
| HackerOne | $100 | Change Any username and profile link in hackerone |
| HackerOne | $500 | Redirect while opening links in new tabs |
| HackerOne | - | Account Hijacking (Only rare case scenario) |
| HackerOne | - | No option to logout concurrent sessions |
| HackerOne | - | Session Hijacking attack (Different Scenario) |
| HackerOne | - | Email changing |
| HackerOne | $100 | Denial of Service |
| HackerOne | - | Account takeover |
| HackerOne | $100 | Category- Broken Authentication and Session Management (leads to account compromise if some conditions are met) |
| HackerOne | - | Cache leads to Privacy leaks |
| HackerOne | $100 | Session not invalidated after password reset |
| HackerOne | $100 | Potential denial of service in hackerone.com/teams/new |
| HackerOne | - | Improper filtering of classes used in codeblocks in Markdown |
| HackerOne | - | Spamming any user from Reset Password Function |
| HackerOne | - | Flooding mailbox of user |
| HackerOne | $100 | All Active user sessions should be deleted when user change his password! |
| HackerOne | $100 | Anti-MIME-Sniffing header X-Content-Type-Options header has not been set. |
| HackerOne | $100 | Password Reset Bug |
| HackerOne | $150 | Issue with remember_user_token |
| HackerOne | - | Arbitrary file uploads to Amazon WS. |
| HackerOne | - | (lack of) smtp transport layer security |
| HackerOne | $150 | creating titleless and non-closable bugs |
| HackerOne | $100 | Marking notifications as read CSRF bug |
| HackerOne | - | javascript: and mailto: links are allowed on users' profiles |
| HackerOne | - | Accepting Invalid characters on email address |
| HackerOne | $100 | Securing sensitive pages from SearchBots |
| HackerOne | - | Adding an user email address to the list before confirming. |
| HackerOne | - | Cryptographic Issue: Strict Transport Security with not good max age..(TOO SHORT!) |
| HackerOne | $100 | Control Characters Not Stripped From Username on Signup |
| HackerOne | $500 | Weird Bug - Ability to see partial of other user's notification |
| HackerOne | - | Hackerone Email Addresses Enumeration |
| HackerOne | $100 | CSS leaks SCSS debug info |
| HackerOne | - | harvesting attack on user registration |
| HackerOne | $100 | DNS Misconfiguration |
| HackerOne | - | LinkedIN URL should be HTTPS |
| HackerOne | $100 | Autocomplete enabled in Paypal preferences |
| HackerOne | - | Enumeration of users |
| HackerOne | $100 | A password reset page does not properly validate the authenticity token at the server side. |
| HackerOne | $100 | Information disclosure (reset password token) and changing the user's password |
| HackerOne | $100 | Improper session management |
| HackerOne | $150 | Switching the user to the attacker's account |
| HackerOne | $500 | Upload profile photo from URL |
| HackerOne | $250 | Email spoofing |
| HackerOne | $100 | CSRF login |
| HackerOne | $150 | Logical issues with account settings |
| HackerOne | $100 | DNS Cache Poisoning |
| HackerOne | $100 | Flawed account creation process allows registration of usernames corresponding to existing file names |
| HackerOne | $500 | PNG compression DoS |
| HackerOne | $250 | GIF flooding |
| HackerOne | $500 | Pixel flood attack |
| HackerOne | $100 | Session not expired on logout |
| HackerOne | - | Privilege escalation..., or not?! |
| HackerOne | $250 | CSP not consistently applied |
| HackerOne | $500 | RTL override symbol not stripped from file names |
| HackerOne | $100 | Session Management |
| HackerOne | $100 | Broken Authentication and session management OWASP A2 |
| HackerOne | $100 | Real impersonation |
| HackerOne | - | Flawed account creation process allows registration of usernames corresponding to existing file names |
| HackerOne | - | Report title autocompletion |
| HackerOne | $500 | Missing SPF for hackerone.com |
| HackerOne | - | Login page password-guessing attack |