Public WePay bug reports.

Team Bounty Title
WePay $200 Enumeration of registered email addresses using bruteforce search on userIds
WePay $250 Invited users can modify and/or remove account owner
WePay $150 2-step Verification bypass
WePay $100 Unauthenticated Stored XSS in API Panel
WePay $100 Subdomain Takeover in pointing to Fastly
WePay - Broken Authentication – Session Token bug
WePay $350 Horizontal Privilege Escalation
WePay $350 Critical : Account removing using CSRF attack
WePay - CSRF (Make email primary) may lead to account compromise
WePay - oauth redirect uri validation bug leads to open redirect and account compromise
WePay $100 Unauthorized Access via Join Email Link
WePay $150 CSRF on email address operations. Also performing unintended operations.
WePay $500 Session Fixation
WePay - Typical form vulnerable to csrf attack
WePay - CSRF & Nonce Token Weak Implementation
WePay $300 Open Redirect
WePay - Sensitive settings need Re authentication
WePay $100 Session fixation in