Public Square bug reports.
4,419 Bug Reports - $2,030,173 Paid Out
Last Updated: 12th September, 2017
| Team | Bounty | Title |
| --- | --- | --- |
| Square | - | Invitation threshold |
| Square | - | Redirecting a victim elsewhere through shopseen 0auth |
| Square | - | HTTP Header revealing server information. |
| Square | $500 | Delayed, fraudulent transactions possible with encrypted Square Reader devices due to lack of server-side verification of device transaction counter |
| Square | $250 | CSRF on adding a calendar event |
| Square | $500 | square google calendar integration CSRF,https://squareup.com/appointments/business/settings(state parameter not checking properly) |
| Square | $500 | CSRF on adding clients |
| Square | $250 | Privilege Escalation |
| Square | $250 | Redirect while opening link in new tabs |
| Square | $2,000 | malicious file upload |
| Square | $400 | Reflected XSS in widget script thru cookie |
| Square | $1,000 | Reflected XSS in connect.square.com |
| Square | $750 | Editing Client Details of other People |
| Square | - | XSS on bookfresh |
| Square | $2,000 | CRITICAL Account takeover via AngularJS template injection in connect.squareup.com |
| Square | $500 | XSS in Client Past Activity |
| Square | $250 | Open Redirect [FreshBook] |
| Square | $500 | XSS [BookFresh] |
| Square | - | CSRF login |
| Square | $1,500 | Blind SQL injection in www.bookfresh.com |