Public Vimeo bug reports.

Team Bounty Title
Vimeo $600 Downloading password protected / restricted videos
Vimeo $600 All Vimeo Private videos disclosure via Authorization Bypass
Vimeo - XSS in Subtitles of Vimeo Flash Player and Hubnut
Vimeo $750 CSRF on Vimeo via cross site flashing leading to info disclosure and private videos go public
Vimeo - Error page Text Injection.
Vimeo - Missing rate limit on private videos password
Vimeo $100 Private, embeddable videos leaks data through Facebook & Open Graph
Vimeo $100 Legacy API exposes private video titles
Vimeo $250 XSS on without user interaction and with user interaction
Vimeo $200 XSS when using captions/subtitles on video player based on Flash (requires user interaction)
Vimeo $100 XSS on | "Search within these results" feature (requires user interaction)
Vimeo - XSS on mobile version of where the button "Follow" appears
Vimeo $1,500 XSS on after other user follows you
Vimeo $200 Stored XSS on and
Vimeo $100 Reflected XSS on
Vimeo $500 Stored XSS on
Vimeo $500 API: missing invalidation of OAuth2 Authorization Code during access revocation causes authorization bypass
Vimeo - May cause account take over (Via invitation page)
Vimeo $250 [URGENT ISSUE] Add or Delete the videos in watch later list of any user.
Vimeo $250 Share your channel to any user on vimeo without following him
Vimeo $250 Invite any user to your group without even following him
Vimeo $150 Insecure Direct Object References that allows to read any comment (even if it should be private)
Vimeo $500 Insecure Direct Object References in
Vimeo $250 Post in private groups after getting removed
Vimeo $250 A user can enhance their videos with paid tracks without buying the track
Vimeo $500 A user can post comments on other user's private videos
Vimeo $250 A user can add videos to other user's private groups
Vimeo $250 A user can edit comments even after video comments are disabled
Vimeo - URGENT - Subdomain Takeover on due to unclaimed domain pointing to
Vimeo $250 Vimeo + & Vimeo PRO Unauthorised Tax bypass
Vimeo - Bypassing Email verification
Vimeo $250 Red October
Vimeo - Can message users without the proper authorization
Vimeo - Brute force on "vimeo" cookie
Vimeo $250 CRITICAL vulnerability - Insecure Direct Object Reference - Unauthorized access to `Videos` of Channel whose privacy is set to `Private`.
Vimeo $100 XSS on Vimeo
Vimeo - CSRF bypass
Vimeo $100 ftp upload of video allows naming that is not sanitized as the manual naming
Vimeo - Full account takeover via Add a New Email to account without email verified and without password confirmation.
Vimeo $100 Vimeo Search - XSS Vulnerability []
Vimeo $1,000 XSS on any site that includes the moogaloop flash player | deprecated embed code
Vimeo - unvalid open authentication with facebook
Vimeo - Application XSS filter function Bypass may allow Multiple stored XSS
Vimeo - Poodle bleed vulnerability in cloud sub domain
Vimeo - Open Redirection Security Filter bypassed
Vimeo $1,000 Make API calls on behalf of another user (CSRF protection bypass)
Vimeo $100 CRITICAL full source code/config disclosure for Cameo
Vimeo - Serious Vulnerability Found
Vimeo $1,000 abusing Thumbnails( to see a private video
Vimeo - No Limitation on Following allows user to follow people automatically!
Vimeo - Securing "Reset password" pages from bots
Vimeo $250 Ability to Download Music Tracks Without Paying (Missing permission check on `/musicstore/download`)
Vimeo - profile photo update bypass
Vimeo $100 - Reflected XSS Vulnerability
Vimeo $1,000 Adding profile picture to anyone on Vimeo
Vimeo $260 Buying ondemand videos that 0.1 and sometimes for free
Vimeo - Misconfigured crossdomain.xml -
Vimeo $100 APIs for channels allow HTML entities that may cause XSS issue
Vimeo $5,000 Insecure Direct Object References Reset Password
Vimeo $100 - reflected xss vulnerability
Vimeo $100 - Reflected XSS Vulnerability
Vimeo $500 [] CRLF Injection