Public Vimeo bug reports.

Team Bounty Title
Vimeo $600 Downloading password protected / restricted videos
Vimeo $600 All Vimeo Private videos disclosure via Authorization Bypass
Vimeo - XSS in Subtitles of Vimeo Flash Player and Hubnut
Vimeo $750 CSRF on Vimeo via cross site flashing leading to info disclosure and private videos go public
Vimeo - Error page Text Injection.
Vimeo - Missing rate limit on private videos password
Vimeo $100 Private, embeddable videos leaks data through Facebook & Open Graph
Vimeo $100 Legacy API exposes private video titles
Vimeo $250 XSS on player.vimeo.com without user interaction and vimeo.com with user interaction
Vimeo $200 XSS when using captions/subtitles on video player based on Flash (requires user interaction)
Vimeo $100 XSS on vimeo.com | "Search within these results" feature (requires user interaction)
Vimeo - XSS on mobile version of vimeo.com where the button "Follow" appears
Vimeo $1,500 XSS on vimeo.com/home after other user follows you
Vimeo $200 Stored XSS on vimeo.com and player.vimeo.com
Vimeo $100 Reflected XSS on vimeo.com/musicstore
Vimeo $500 Stored XSS on player.vimeo.com
Vimeo $500 API: missing invalidation of OAuth2 Authorization Code during access revocation causes authorization bypass
Vimeo - May cause account take over (Via invitation page)
Vimeo $250 [URGENT ISSUE] Add or Delete the videos in watch later list of any user.
Vimeo $250 Share your channel to any user on vimeo without following him
Vimeo $250 Invite any user to your group without even following him
Vimeo $150 Insecure Direct Object References that allows to read any comment (even if it should be private)
Vimeo $500 Insecure Direct Object References in https://vimeo.com/forums
Vimeo $250 Post in private groups after getting removed
Vimeo $250 A user can enhance their videos with paid tracks without buying the track
Vimeo $500 A user can post comments on other user's private videos
Vimeo $250 A user can add videos to other user's private groups
Vimeo $250 A user can edit comments even after video comments are disabled
Vimeo - URGENT - Subdomain Takeover on status.vimeo.com due to unclaimed domain pointing to statuspage.io
Vimeo $250 Vimeo + & Vimeo PRO Unauthorised Tax bypass
Vimeo - Bypassing Email verification
Vimeo $250 Red October 1511493148.cloud.vimeo.com
Vimeo - Can message users without the proper authorization
Vimeo - Brute force on "vimeo" cookie
Vimeo $250 CRITICAL vulnerability - Insecure Direct Object Reference - Unauthorized access to `Videos` of Channel whose privacy is set to `Private`.
Vimeo $100 XSS on Vimeo
Vimeo - CSRF bypass
Vimeo $100 ftp upload of video allows naming that is not sanitized as the manual naming
Vimeo - Full account takeover via Add a New Email to account without email verified and without password confirmation.
Vimeo $100 Vimeo Search - XSS Vulnerability [http://vimeo.com/search]
Vimeo $1,000 XSS on any site that includes the moogaloop flash player | deprecated embed code
Vimeo - unvalid open authentication with facebook
Vimeo - Application XSS filter function Bypass may allow Multiple stored XSS
Vimeo - Poodle bleed vulnerability in cloud sub domain
Vimeo - Open Redirection Security Filter bypassed
Vimeo $1,000 Make API calls on behalf of another user (CSRF protection bypass)
Vimeo - USER PRIVACY VIOLATED (PRIVATE DATA GETTING TRANSFER OVER INSECURE CHANNEL )
Vimeo $100 CRITICAL full source code/config disclosure for Cameo
Vimeo - Serious Vulnerability Found
Vimeo $1,000 abusing Thumbnails(https://vimeo.com/upload/select_thumb) to see a private video
Vimeo - No Limitation on Following allows user to follow people automatically!
Vimeo - Securing "Reset password" pages from bots
Vimeo $250 Ability to Download Music Tracks Without Paying (Missing permission check on `/musicstore/download`)
Vimeo - profile photo update bypass
Vimeo $100 player.vimeo.com - Reflected XSS Vulnerability
Vimeo $1,000 Adding profile picture to anyone on Vimeo
Vimeo $260 Buying ondemand videos that 0.1 and sometimes for free
Vimeo - Misconfigured crossdomain.xml - vimeo.com
Vimeo $100 APIs for channels allow HTML entities that may cause XSS issue
Vimeo $5,000 Vimeo.com Insecure Direct Object References Reset Password
Vimeo $100 Vimeo.com - reflected xss vulnerability
Vimeo $100 Vimeo.com - Reflected XSS Vulnerability
Vimeo $500 [vimeopro.com] CRLF Injection