Public HackerOne bug reports.

2,187 Bug Reports - $966,815 Paid Out - Last Updated: 28th July, 2016
1st Place: Uber ($117,600 Paid Out)
2nd Place: The Internet ($87,000 Paid Out)
3rd Place: Flash ($81,000 Paid Out)

Highest Bounty Paid: $20,000 for [phpobject in cookie] Remote shell/command execution

Team Bounty Title
Bime $1,000 Attacker can access graphic representation of every query
Bime $1,000 Urgent: attacker can access every data source on Bime
Gratipay None don't leak Server version for
Uber $2,250 Subdomain takeover of, and
Uber None Server version disclosure
Paragon Initiative Enterprises None Site support SNI But Browser can't
Paragon Initiative Enterprises None ssl info shown
CodeIgniter None Web Server Disclosure
Paragon Initiative Enterprises None [URGENT] Password reset emails are sent in clear-text (without encryption)
Paragon Initiative Enterprises None Issue with password reset functionality [Minor]
Paragon Initiative Enterprises None Session Management Issue CMS Airship
Paragon Initiative Enterprises None User enumeration via Password reset page [Minor]
Paragon Initiative Enterprises None Airship doesn't reject weak passwords
Paragon Initiative Enterprises None Full path disclosure when CSRF validation failed
Paragon Initiative Enterprises $50 Stored XSS using SVG
Paragon Initiative Enterprises None Nginx Version Disclosure On Forbidden Page
Paragon Initiative Enterprises None Email spoofing in [email protected]
Paragon Initiative Enterprises $25 Stored XSS in comments
Paragon Initiative Enterprises $50 Stored Cross-Site-Scripting in CMS Airship's authors profiles
Keybase $350 Register multiple users using one invitation (race condition)
Coinbase None No authorization required in iOS device web-application
Coinbase None No authorization required in Windows phone web-application
HackerOne None Possible CSRF during joining report as participant
Mail.Ru None Cross Site Request Forgery (CSRF)
Veris None Email spoofing in [email protected]
Badoo $140 Change contents of the careers iframe in
Mail.Ru None Back Refresh Attack after registration and successful logout
FantasyTote None Session doesn't expired after login
FantasyTote None Weak HSTS age
FantasyTote None Betting more than max amount
FantasyTote None Urgent Fix Balance Limit bypass
FantasyTote None Bypass logout
FantasyTote None Insecure password change mechanism may lead to full account takeover
FantasyTote None Stored number of clicks in the Deposits button
FantasyTote None No email verification required when we change email from settings
Uber None uses an invalid SSL certificate
Uber None Authentication Issue for easter egg on
Uber None Command Injection, Information
Pornhub $500 RCE Possible Via Video Manager Export using @ character in Video Title
Nextcloud None No Rate Limiting on login
Uber None Server version disclosure:
Nextcloud None Deny access to + folders
Nextcloud None Log pollution can lead to HTML Injection.
Trello None Report bug on jetpack plugin
Nextcloud None REG: Content provider information leakage
Nextcloud None Email ID Disclosure.
Nextcloud None WordPress Vulnerabilities: User Enumeration, Vulnerable Akismet Plugin, XML-RPC Interface available
Nextcloud $100 Read-only share recipient can restore old versions of file
Nextcloud $250 Uploading files to a folder where invited user don't have any EDIT privilege
Uber None Error Message on 404 page
Nextcloud None Content Injection in subdomain
Nextcloud None Content injection in subdomain
Nextcloud None Content Spoofing/Text Injection -
Nextcloud None Content Injection 404 page
Nextcloud None Business/Functional logic bypass: Remove admins from admin group.
Nextcloud None help.nextcloud Email Address/Username enumeration
Nextcloud None Bypass firewall protection
Nextcloud None Bruteforcing
Nextcloud None Bruteforce attack is possible on
Slack None Unauthenticated Access to some old file thumbnails
Nextcloud None No captcha on newsletter.nextcloudcom leaves vulnerable to email spammers
Nextcloud None Directory listening and Information Disclosure
Nextcloud None Lost Password CSRF
Nextcloud None Directory Listing On & Practical Attacks on PGP (Pretty Good Privacy)
Nextcloud None Server side request forgery (SSRF) on nextcloud implementation.
Nextcloud None Vulnerable Javascript library
Nextcloud None Directory listening for 'wp-includes' forders
Nextcloud $50 Nextcloud server software: Content Spoofing
Nextcloud None No rate limiting on password protected shared file link
Nextcloud None Mail Bombing ( No Rate Limiting On Sending Emails On Contact us Page)
Nextcloud None Session Management Issue
Nextcloud None Known DoS condition (null pointer deref) in Nginx running
Nextcloud None No permission set on Activities [Android App]
Nextcloud None Enumeration of subscribed users and unauthenticated email unsubscriptions on
Nextcloud None Content Injection
Nextcloud None Content Spoofing
Nextcloud $750 Stored XSS on Share-popup of a directory's Gallery-view
Nextcloud None Content Injection Custom 404 Error
Paragon Initiative Enterprises None Session Management
Uber None Self-XSS in Partners Profile
Uber $7,000 xss in
Paragon Initiative Enterprises None Full path disclosure vulnerability on
Zomato None Stored Cross site scripting
Ian Dunn $50 Stored XSS from ticket messages in admin table in SupportFlow
Ian Dunn $50 Stored XSS in SupportFlow Ticket Subject
Uber None Bruteforce INVITE codes easy way
Uber None Email Address Enumeration
Mail.Ru $150 [] Time-Based SQL Injection
Uber $750 Brute-Forcing invite codes in
bitaccess $200 EXTREMELY URGENT: Missing control of bitcoin amount when selling bitcoin allows a user to withdraw any amount of money, unrestricted.
Ruby None Heap corruption in string.c tr_trans() due to undersized buffer
Ruby None Heap corruption in DateTime.strftime() on 32 bit for certain format strings
Ruby $500 StringIO strio_getline() can divulge arbitrary memory
WebSummit None Time Based SQL injection in url parameter
Uber None Newsroom.uber HTML form without CSRF protection
HackerOne $500 All information is not removed from published reports
The Internet $7,500 Insufficient shell characters filtering leads to (potentially remote) code execution (CVE-2016-3714)
Slack $500 File upload over private IM channel
Uber $10,000 Change any Uber user's password through /rt/users/passwordless-signup - Account Takeover (critical)
Uber None Email Enumeration Vulnerability
Badoo $280 Получение оригинала скрытого изображения
Phabricator None Full path disclosure
Coinbase None Transaction Pending Via Ip Change
Shopify $3,000 Authentication Bypass on Icinga monitoring server
Shopify $1,500 Potentially Sensitive Information on GitHub
Veris None Unauthenticated CSRF(User can input any value for CSRF Token)
Uber None Password Reset Does Not Confirm the Existence of an Email Address
Uber None Header Injection
Python $500 Heap corruption via Python 2.7.11 IOBase readline()
Uber $750 xss vulnerability in
drchrono $50 Bug Report
Moneybird $50 [STORED XSS] in debtor reports of ,,invoices''
Shopify $500 Fetching external resources through svg images
Urban Dictionary None Infinite Upvoting/Downvoting: Lockout Bypass, Plus: Exposed API Documentation
Pornhub $1,500 (Pornhub & Youporn & Brazzers ANDROID APP) : Upload Malicious APK / Overrite Existing APK / Android BackOffice Access
Zomato None Bypass OTP verification when placing Order
Trello None XSS in Jetpack plugin
Pornhub $20,000 [phpobject in cookie] Remote shell/command execution
drchrono $50 Bypassing Password Reset
drchrono None XSS in Blog
GlassWire $25 Bypass GlassWire's monitoring of Hosts file
Bime None Bime Unable to load Data Sources
HackerOne $500 Able to remove the admin access of my program
Pornhub None Reflected XSS by way of jQuery function
drchrono $50 Stored XSS via AngularJS Injection
drchrono $50 [CRITICAL] CSRF leading to account take over
Uber None Uber is Flooding my Mobile with SMS Daily like a cron JOB
Mail.Ru $150 Code source discloure & ability to get database information "SQL injection" in []
Nginx None Module ngx_http_auth_basic_module is broken and allowing all password after specific length
drchrono $50 Template stored XSS
drchrono $50 - Information Disclosure and Windows Host Exposed
drchrono $50 Ngnix Server version disclosure
drchrono $50 Bypass password complexity requirements on passsword reset page
Mail.Ru $150 [] SQL Injection
Mail.Ru None [] CRLF Injection
Uber None XSS in
Mail.Ru None Insecure cookies without httpOnly flag set
Coinbase None Cookie not secure
HackerOne None Denial of service in report view.
Gratipay $10 configure a redirect URI for Facebook OAuth $50 CJ vulnerability in subdomain
Gratipay None don't store CSRF tokens in cookies
New Relic None Session takeover
New Relic None No CSRF validation on Account Monitors in Synthetics Block
Trello $128 XSS in Jetpack Plugin
Phabricator None No authentication required to add an email address.
LocalTapiola $100 Exploiting Secure Shell (SSH) on
Uber None DOM based XSS on
Phabricator $300 Passphrase credential lock bypass
Dovecot None Apache version disclosure None Missing proper error message.
Badoo $280 Ability to collect users' ids that have visited a specific web page with malicious code
Dropbox None Lack of account link warning enables dropbox hijacking
LocalTapiola $300 Persistent XSS at using spoofed React element and React v.0.13.3
Uber None Phone Number Enumeration
Uber $7,000 OneLogin authentication bypass on WordPress sites via XMLRPC
Veris None Text injection can be used in phishing 404 page and should not include attacker text
Gratipay None don't expose path of Python
Uber None Self-XSS on
Dovecot None DIrectory Listing Found
LocalTapiola $300 Abusing and Hacking the SMTP Server
Zomato None Instagram OAuth2 Implementation Leaks Access Token; Allows for Cross-Site Script Inclusion (XSSI)
Zomato None Reflected Cross-Site Scripting in
Pornhub $150 Same-Origin Method Execution bug in plupload.flash.swf on /insights
OpenSSL $1,000 Bleichenbacher oracle in SSLv2 (CVE-2016-0704)
OpenSSL $2,500 Divide-and-conquer session key recovery in SSLv2 (CVE-2016-0703)
Pornhub $5,000 Weak user aunthentication on mobile application - I just broken userKey secret password
Mail.Ru $150 SQL Injection
Veris None Reflected XSS in domain
Pornhub $100 CSV Macro injection in Video Manager (CEMI)
Veris None Stored XSS on 'Badges' page
Ruby None SMTP command injection
HackerOne None Inadequate access controls in "Vote" functionality???
LocalTapiola $100 Amazon Bucket Accessible (
New Relic None New Relic - Session Hijacking
Sucuri $500 CRLF/HTTP header injection
Dovecot None nginx server vulnerable
Dropbox None Dropbox apps Server side request forgery
ThisData None Host Header Poisoning in
Uber None Clickjacking in
Veris None [Stored XSS]
Mail.Ru None AXFR на работает
OpenSSL $2,500 Padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
Ubiquiti Networks $1,000 Source code disclosure on
Gratipay $1 don't leak server version of in error pages
Moneybird $50 Reflected XSS in Backend search
Uber None Compromising Atlassian Confluence ( via WordPress (
Mapbox $400 Denial of service in account statistics endpoint
Uber $10,000 OneLogin authentication bypass on WordPress sites
Moneybird $100 Employees with Any Permissions Can Create App with Full Permissions and Perform any API Action
OpenSSL $500 EBCDIC overread (CVE-2016-2176)
OpenSSL $500 EVP_EncryptUpdate overflow (CVE-2016-2106)
OpenSSL $500 EVP_EncodeUpdate overflow (CVE-2016-2105)
Uber None Missing authentication on Notification setting .
Romit $50 Session Fixation
Moneybird $25 information disclose
Dropbox Acquisitions None Session hacking
Dovecot None Cross-Site Scripting Vulnerability in
Paragon Initiative Enterprises None Email Authentication Bypass
LocalTapiola $400 Possibly big authorization problem in Lähitapiola´s varainhoito
Mapbox $1,000 Reflected cross-site scripting (XSS) on
LocalTapiola $5,000 Blind Stored XSS Against Lahitapiola Employees - Session and Information leakage
PHP $1,500 Integer overflow in ZipArchive::getFrom*
HackerOne $2,500 RCE in profile picture upload
OpenSSL None Potential double free in EVP_DigestInit_ex
Paragon Initiative Enterprises None The Anti-CSRF Library fails to restrict token to a particular IP address when being behind a reverse-proxy/WAF
OpenSSL $500 ASN.1 BIO excessive memory allocation (CVE-2016-2109)
Shopify $500 staff memeber can install apps even if have limitied access
Automattic $1,337 WordPress SOME bug in plupload.flash.swf leading to RCE
Automattic $1,337 WordPress Flash XSS in *flashmediaelement.swf*
Uber None Uber for Business Allows Administrators to Change Uber Driver Ratings Due to Failure to Authenticate `fast-rating` Endpoint
Zendesk $250 XSS In /zuora/ functionality
LocalTapiola None Source Code Disclosure on out of scope domain
GitLab None Private snippets in public / internal projects leaked though GitLab API
GitLab None Confidential issues leaked in public projects when attached to milestone
GitLab None Attacker can post notes on private MR, snippets, and issues
GitLab None Attacker can delete (and read) private project webhooks
ownCloud None PHP info page disclosure
Uber None Defect-Security | Driver-Broken Authentication | Able to update the Subscription Setting anonymously
QIWI None SSL Certificate on will expire soon.
Uber None Stored self-XSS at
Uber $2,000 Reflected XSS via Livefyre Media Wall in
Automattic $75 XSS on
concrete5 None ProBlog 2.6.6 CSRF Exploit
Veris None XSS in Asset name
Badoo None AWS S3 Bucket hotornot-images permissions allow for listing and removing files
Uber None Information Disclosure on
HackerOne None Manipulate report timeline activity by using null byte.
GitLab None Labels created in private projects are leaked
New Relic None Stored Cross-Site Scripting via Angular Template Injection
Udemy $50 Stored XSS at Udemy
HackerOne None Reputation Manipulation (Theoretical)
Zendesk $500 [HIGH RISK] CSRF could potentially delete a zendesk subdomain.
bitaccess None Missing SPF for
Uber None CrashPlan Backup is Vulnerable Allowing to a DoS Attack Against Uber's Backups to ``````
Uber $7,500 Stored XSS in
GitLab None Privilege escalation to access all private groups and repositories
Twitter $840 [Critical] - Steal OAuth Tokens
Coinbase $100 User's legal name could be changed despite front end controls being disabled
Uber None XSS via password recovering
Automattic $75 Akismet Several CSRF vulnerabilities
ownCloud $150 Open Redirector via (apps/files_pdfviewer) for un-authenticated users.
Uber None XSS in uber oauth
Moneybird $50 Stored XSS in Financial Account executing in Bank tab
Moneybird $100 Malicious File Upload
Paragon Initiative Enterprises None Vunerability : spf
ownCloud None XSS via Referrer
Uber None Unsubscribe any user from receiving email
bitaccess $50 BYASSING OTP Verification
Badoo None Badoo and Hotornot User Disclosure
Uber None Requested and received edit access to Google form
Moneybird $50 CSV Injection with the CSV export feature
Trello $128 Cross site scripting in
Uber None and are susceptible to iframes
Xero None Insecure Payment System Integration
APITest.IO None beta version reveals paths, environment variables and partially files contents
Zendesk $50 Stored XSS on [your_zendesk] in Facebook Channel
APITest.IO None Login Via FB Leads To Create A New Account Instead Of Loging In
Dropbox None No Rate Limiting while sending the feedback under Dropbox Help Centre
Python $500 Python 2.7 strop.replace Integer Overflow
GitLab None Persistent XSS on public project page
Uber None reopen #128853 (Information disclosure at
APITest.IO None Clickjacking: X-Frame-Options header missing
ownCloud None Cross site scripting in
Twitter $700 xss in DM group name in twitter
Veris None Stored XSS in member book
Uber None Disclosure of ways to the site root
Uber None User credentials are not strong on
Uber None Information disclosure at
Algolia $100 No rate-limit in Two factor Authentication leads to bypass using bruteforce attack
Gratipay None text injection in website title
Uber None Enumerating userIDs with phone numbers
New Relic None Clickjacking on authenticated pages which is inscope for New Relic
ownCloud None X-XSS-Protection not enabled
Trello $1,536 Payments informations are sent to the webhook when a team changes its visibility
OpenSSL $1,000 BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
Snapchat $1,000 Administrator access to a Django Administration Panel on * via bruteforced credentials
InVision $400 CRITICAL : Delete Boards Admin's ( or any other user ) comment. ( IDOR )
HackerOne $2,500 AWS S3 bucket writeable for authenticated aws users
GitLab None Bypassing password authentication of users that have 2FA enabled
Gratipay None Getting Error Message and in use python version 2.7 is exposed.
Gratipay None An adversary can harvest email address for spamming.
Uber $5,000 Stored XSS on admin panel / Stream WordPress plugin
Uber $250 Easy spam with USE My PHONE Feature
HackerOne None Deleted name still present via mouseover functionality for user accounts
HackerOne $1,500 Web Authentication Endpoint Credentials Brute-Force Vulnerability
HackerOne None DOS Report FILE html inside <code> in markdown
New Relic None Open redirection bypass
Badoo $852 [CRITICAL] Full account takeover using CSRF
Uber None Session Impersonation in
HackerOne $500 New hacktivity view discloses report IDs of non-public reports
ownCloud None Reflected XSS in
HackerOne $500 New hacktivity view discloses report IDs of non-public reports
PHP $1,000 php_snmp_error() Format String Vulnerability
New Relic None - monitor creation to other accounts
HackerOne None HackerOne Important Emails Notification are sent in clear-text
Uber $5,000 Information regarding trips from other users
Uber $5,000 Possibility to get private email using UUID
Uber $3,000 Possible to View Driver Waybill via Driver UUID
Uber None Use Partner/Driver App Without Being Activated
LocalTapiola $100 DOM XSS by choosing regional company
New Relic None Old CAPTCHA offers no protection
Uber None Brute Forcing rider-view Endpoint Allows for Counting Number of Active Uber Drivers
Uber $3,000 Stored XSS in Due to Injection of Javascript:alert(0)
Badoo None Insecure Direct Object Reference on
Uber None It is possible to re-rate a driver after a very long time
Uber None Pixel flood attack in
Coinbase $1,000 Sending payments via QR code does not require confirmation
Uber None Disclosure of ip addresses in local network of uber
Shopify $500 XSS on
Uber None SMS Flood with Update Profile
Uber None Changing Driver Passwords With Only an Authenticated Session (no password, no email)
Coinbase $500 Email leak in transcations in Android app
Uber None Uploading Plain Text to Through the Driver Document Upload Page
Uber None Uber password reset link EMAIL FLOOD
Uber None Privilege escalation to allow non activated users to login and use uber partner ios app
Trello $1,024 If a team is public, the web socket receives data about the Team visible boards
LocalTapiola $1,000 Posting modified information in 'Investment section' will cause unintended information change in
Uber $750 XSS In Due to Mime Sniffing in IE
Uber $1,000 CSV Injection in
Uber $2,000 Stored XSS in WordPress admin panel
Uber None Cross-site Scripting (XSS)
Uber None CRLF Injection in
Uber $10,000 may RCE by Flask Jinja2 Template Injection
Uber $3,000 SQL injection in Wordpress Plugin Huge IT Video Gallery at
Veris None XSS on multiple fields
Uber $3,000 Reflected XSS via Unvalidated / Open Redirect in
Zomato None Reflected XSS on Zomato API
Uber None Session retention is present which reveals the customer info
Uber None CSRF on may lead to server-side compromise
Uber $5,000 Possibility to brute force invite codes in
Uber None Stored Cross Site Scripting [SELF] in
Uber $3,000 Dom Based Xss
New Relic None Too many included lookups
PHP None Null pointer deref (segfault) in stream_context_get_default
Mapbox $1,000 XSS (cross-site scripting) on
Uber None Create account in uber without signup form
Uber $2,000 Bypassing Uber Partner's 3 Cancel Limit
Uber $3,000 SQLi in
Uber None XSS on
Uber None HTML Escaping Error in the 404 Page on
Uber $1,500 Lack of CNAME/A Record Trimming Pointing Uber Domains to Insecure Non-Uber AWS Instances/Sites
Uber $3,000 XSS in
Uber None LIsting of
Uber None Self-XSS Vulnerability on Password Reset Form
Uber $3,000 Reflected XSS on via Angular template injection
Gratipay $1 Hijacking user session by forcing the use of invalid HTTPs Certificate on
Uber None Cross-site Scripting (XSS) autocomplete generation in
HackerOne $1,500 External programs revealing info
HackerOne $500 Websites opened from reports can change url of report page
Shopify $500 Bypassed password authentication before enabling OTP verification
New Relic None Stored XSS through Angular Expression Sandbox Escape
HackerOne None External links should use rel="noopener" or use the redirect service
HackerOne $500 Disclosure of private programs that have an "external" page on HackerOne
Vimeo None Missing rate limit on private videos password
Shopify $500 Stored XSS via "Free Shipping" option (Discounts)
Imgur $100 XSS via React element spoofing
HackerOne $500 CSV Injection via the CSV export feature
Veris None Captcha Bypass enable login bruteforce
Zomato None Authentication Bypassing and Sensitive Information Disclosure on Verify Email Address in Registration Flow
Veris None Wordpress Pingback DDoS Attacks in domain:
Trello $768 Using WebSocket I can always access organization data even if I am removed
Veris None Stored XSS in Access Rules
Veris None Complete Profile URL is not Random and not expiring
Gratipay $1 Cookie Does Not Contain The "secure" Attribute
Gratipay None Vulnerable to clickjacking
Veris None Not Using Secure Flag Option on Cookies Could Lead to a Man in the Middle Session Highjacking
HackerOne None Sending emails (via HackerOne) impersonating other users
Gratipay $1 suppress version in Server header on or
Veris None Complete or Edit Another User's Profile
Veris None Insecure Direct 'org-visitor-log' References
Veris None Insecure Direct 'org-invite-log' References
Dropbox None Possible SQL injection can cause denial of service attack
New Relic None Synthetics Xss
Informatica None [] Open Redirect
HackerOne $500 SECURITY: Referencing previous Reports attachment_IDs on new Reports via Draft_Sync DELETES Attachments
HackerOne None Unauthorized Team members viewing
Veris None Security Vulnerability - SMTP protection not used
Veris None Insecure Direct Member Disclosure
Veris None User enumeration via error message
New Relic None Normal user can set "Job title" of other users by Direct Object Reference
HackerOne $500 Mediation link can be accepted by other users
Veris None Creating multiple user with the same link which is sent to email after registeration
HackerOne None Possible XSS
Veris None Server and PHP version Disclosed in Response Header
New Relic None Open redirection on login
HackerOne None Email Address Leak
Shopify $500 XSS on
Mail.Ru None Reflected XSS на
New Relic None file is world readable
HackerOne $1,000 Edit Auto Response Messages
Zomato None Persistent XSS on Reservation / Booking Page
Mail.Ru $200
Xero None Default.aspx exposing full path and other info on
Shopify $500 Stored XSS in
Uber None Active Email Hyperlink Sent on
Imgur $5,000 Local file read in image editor
Mapbox $200 Mapbox API Access Token with No Scope Can Read Styles
Vimeo $100 Private, embeddable videos leaks data through Facebook & Open Graph
Xero None Additonal stored XSS in Add note/Expected payment Date
Badoo $850 Account Takeover
Xero None Vulnerability : XSS Vulnerability
Badoo $427 Broken Authentication on Badoo
Bime $150 Subdomain takeover due to unclaimed Amazon S3 bucket on
ownCloud None has missing PHP handler
Veris None Multiple Stored XSS on through Veris Frontdesk Android App
Veris None Multiple Stored XSS
Veris None Critical IDOR - Make Rule for Any Group & Any Venue remotely
Veris None Critical IDOR - Get Rules of any organization remotely
Veris None Critical IDOR - Can select any Parent while creating new Venue
Veris None Critical IDOR - Get venue data of any organization remotely
Veris None Critical IDOR - Get Authentication Details of any Terminal/Gatekeeper
Veris None Critical IDOR - Set anyone's Terminal Data remotely
Veris None Critical IDOR - Get anyone's Terminal Data remotely
Veris None Critical IDOR - Delete any terminal/gatekeeper of any organization remotely
Veris None Missing Server Side Validation of CSRF Middleware Token in Change Password Request
Veris None Critical IDOR - Delete any rule of any organization remotely
Veris None Critical IDOR - Delete any venue of any organization remotely
Veris None Critical IDOR - Delete any group of any organization remotely
Veris None Critical - Insecure Direct Object Reference - Deleting any member of any organization remotely
Gratipay $1 don't serve hidden files from Nginx
OpenSSL None b2i_PVK_bio heap corruption
Pornhub $250 Public Facing Barracuda Login
OpenSSL $500 BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797)
Pornhub $2,500 Unprotected Memcache Installation running
LeaseWeb None Found clickjacking vulnerability
ownCloud None DROWN Attack
Badoo None Password modification without knowing actual password & httpOnly bypass
LeaseWeb None Server version is disclosure in
Coinbase None An adversary can overwhelm the resources by automating Forgot password/Sign Up requests
Veris None Password(s) can be found via login process.
Veris None DOM based XSS
HackerOne None Race Conditions Exist When Accepting Invitations
Udemy $150 Session Takeover vulnerability
Shopify $500 xss in the all widgets of
Uber $500 Open Redirection on
HackerOne $500 User with Read-Only permissions can edit the Internal comment Activities on Bug Reports After Revoke the team access permissions
Twitter $280 Sub-Domain Takeover
InVision $500 CRITICAL Stored XSS in
Coinbase $500 Misconfiguration in 2 factor allows sensitive data expose
Cakebet None Sender policy framework (SPF) records evaluation return (Too many DNS lookups) error
Twitter $2,520 Tweet Deck XSS- Persistent- Group DM name
HackerOne $500 Distinguish EP+Private vs Private programs in HackerOne
Veris None Stored XSS
Veris None Password reset link is not Expiring
Algolia $1,000 API Key added for one Indices works for all other indices too.
OpenSSL $500 CVE-2016-0799 memory issues in BIO_*printf functions
ThisData None Login CSRF using Google OAuth
HackerOne None User with Read-Only permissions can edit the SwagAwarded Activities on Bug Reports
HackerOne $500 User with Read-Only permissions can manually public disclosure the report
Shopify $500 File name and folder enumeration.
HackerOne None Abusing HOF rankings in limited circumstances
HackerOne None Denial of Service any Report
HackerOne $500 CSV Injection at the CSV export feature
KIWI.KI GmbH None Subdomain takeover : URGENT
Mail.Ru None Утечка информации через JSONP (XXSI)
Shopify None Injection via CSV Export feature in Admin Orders
LeaseWeb None Apache version disclosed on
LeaseWeb None Directory Listening
Zendesk $50 Stored XSS via Angular Expression injection on
Gratipay $1 strengthen Diffie-Hellman (DH) key exchange parameters in
LeaseWeb None PHP and Web Server version disclosed on
Gratipay $1 stop serving over HTTP
Gratipay $10 DMARC is misconfigured for
Uber $3,000 Reflected XSS on careers
Gratipay $2 SPF/DKIM/DMARC for
Mail.Ru $250 SSRF на
Gratipay $2 SPF/DKIM/DMARC for
Gratipay $1 limit HTTP methods on other domains
Gratipay $10 Email Forgery through Mandrillapp SPF
Uber $250 Multiple Vulnerabilities (Including SQLi) in
Informatica None [] Blind SQL Injection
Uber $3,000 XSS @
Gratipay $10 No Valid SPF Records.
HackerOne $500 Increase number of bugs by sending duplicate of your own valid report
Zopim $100 Chat History CSV Export Excel Injection Vulnerability
Paragon Initiative Enterprises None Spf
HackerOne $500 Private Program Disclosure in /:handle/settings/allow_report_submission.json endpoint
Gratipay None UDP port 5060 (SIP) Open
Algolia None PHP version disclosed on
Gratipay None server calendar and server status available to public
Gratipay None proxy port 7000 and shell port 514 not filtered
Mail.Ru $600 VERY DANGEROUS XSS STORED inside emails
Mail.Ru $150 [] SQL Injection
Ubiquiti Networks $1,000 Auth bypass on
General Motors None E-mail Spoof in
Slack $100 an xss issue in
Gratipay $1 The POODLE attack (SSLv3 supported) for
Gratipay None nginx SPDY heap buffer overflow for
WePay $150 2-step Verification bypass
ownCloud None Persistent XSS In Account Profile
New Relic None Potential Subdomain Takeover -
Sucuri $500 Manipulating of (List Subscription) Emails (HTML/Script Injection)
HackerOne None Null byte injection
Paragon Initiative Enterprises None file full path discloser.
HackerOne $500 Private Program Disclosure in /:handle/reports/draft.json endpoint
HackerOne $5,000 Private program activity timeline information disclosure
Shopify $500 XSS on
Imgur $1,000 SSRF / Local file enumeration / DoS due to improper handling of certain file formats by ffmpeg
New Relic None [] XSS via return_to
Imgur $800 SSRF and local file read in video to gif converter
Imgur $2,000 SSRF in
Paragon Initiative Enterprises None Email Spoof
Urban Dictionary None Cross-Site Scripting Vulnerability in
Zomato None XSS via modified Zomato widget (res_search_widget.php)
Paragon Initiative Enterprises None Missing SPF for
Paragon Initiative Enterprises $50 Full Path Disclosure
Paragon Initiative Enterprises None CSRF AT SUBSCRIBE TO LIST
Paragon Initiative Enterprises None Missing SPF for
Paragon Initiative Enterprises None Blind SQL INJ
Paragon Initiative Enterprises None Missing SPF
Mail.Ru $300 [] SQL Injection
Gratipay $10 prevent content spoofing on /search
Gratipay $5 SPF DNS Record
Paragon Initiative Enterprises None SSL certificate public key less than 2048 bit
Paragon Initiative Enterprises None Missing SPF records for
Zomato None XSS and CSRF in Zomato Contact form
Paragon Initiative Enterprises None DNSsec not configured
Paragon Initiative Enterprises None Email Authentication bypass Vulnerability
Paragon Initiative Enterprises None Email spoofing
Keybase $50 Content spoofing due to the improper behavior of the not-found meesage
Paragon Initiative Enterprises None Information Disclosure in Error Page
Paragon Initiative Enterprises None Missing SPF for
Uber None Unauthorized file (invoice) download
HackerOne $500 Putting link inside link in markdown
Zomato None Weak Password Policy
Zomato None Persistent input validation mail encoding vulnerability in the "just followed you" email notification.
New Relic None Html injection in monitor name textbox
Keybase $250 Remote Server Restart Lead to Denial of Service by only one Request.
Mapbox $200 Content Spoofing and Local Redirect in Mapbox Studio $2,500 Внедрение внешних сущностей в функционале импорта пользователей YouTrack
Shopify $500 CSRF on
Zomato None Remote File Upload Vulnerability in
Zomato None Cross Site Scripting - type Patameter
Snapchat $1,000 Subdomain takeover in pointing to Zendesk (a Snapchat acquisition)
Keybase $250 Remote Server Restart Lead to Denial of Server by only one Request.
Ruby on Rails None Remote code execution using render :inline
Zomato None Subdomain Takeover
Ruby on Rails None Regarding [CVE-2016-0752] Possible Information Leak Vulnerability in Action View
Paragon Initiative Enterprises None Cross-domain AJAX request
OpenSSL $2,500 OpenSSL Key Recovery Attack on DH small subgroups (CVE-2016-0701)
ownCloud None No Any Kind of Protection on Delete account
Paragon Initiative Enterprises $50 Open-redirect on
HackerOne $500 Multiple issues with Markdown and URL parsing
withinsecurity $250 WordPress Failure Notice page will generate arbitrary hyperlinks
HackerOne $500 Unintended HTML inclusion as a result of
Gratipay None is vulnerable to http-vuln-cve2011-3192
Mail.Ru $300 [] SQL Injection
Coinbase $1,000 Session Issue Maybe Can lead to huge loss [CRITICAL] $250 Full takeover of some sub domains
ownCloud None Text Injection
Udemy None Stored XSS
General Motors None XSS on
General Motors None Full Path Disclosure on
HackerOne $500 Interstitial redirect bypass / open redirect in
Mail.Ru $150 [] SSRF / XSPA
Zendesk $100 [CRITICAL] HTML injection issue leading to account take over
HackerOne None Report title and issue information prepopulated
withinsecurity $250 Error Page Text Injection #106350
Khan Academy None XSS vulnerability in "/coach/roster/" ( create your first class)
Imgur $50 Big Bug in SSL : breach compression attack (CVE-2013-3587) affect
HackerOne None attack in not an authorized user
Shopify $500 Full access to Amazon S3 bucket containing AWS CloudTrail logs
Automattic $75 XSS at
Shopify $500 XSS via third-party script
Trello $1,152 DOM based XSS via Wistia embedding $100 Checking whether user liked the media or not even when you are blocked
Vimeo $100 Legacy API exposes private video titles
Automattic $75 XSS at
ownCloud None The csrf token remains same after user logs in
Shopify $500 Attach Pinterest account - no State/CSRF parameter in Oauth Call back
Shopify $500 Twitter Disconnect CSRF
HackerOne $500 CSV Injection via the CSV export feature None XSS
withinsecurity $250 Content Spoofing OR Text Injection in
Gratipay $15 Sub Domian Take over
Automattic $250 Internal GET SSRF via CSRF with Press This scan feature
ownCloud $250 Information Exposure Through Directory Listing CVE-2016-1499
HackerOne $500 HTML injection can lead to data theft
Perl $1,000 Perl 5.22 VDir::MapPathA/W Out-of-bounds Reads and Buffer Over-reads
Phabricator $300 Extended policy checks are buggy None HTML injection via 'underlying' parameter
Coinbase $200 Direct URL access to completed reports
Coinbase None The 'Create a New Account' action is vulnerable to CSRF
Ubiquiti Networks $500 Subdomain Takeover in
HackerOne $500 User with Read-Only permissions can request/approve public disclosure
HackerOne None Requesting unknown file type returns Ruby object w/ address
Mail.Ru None Multiple vulnerabilities in subdomains
Mail.Ru $150 [] SQL Injection
PHP $1,000 Use After Free in sortWithSortKeys()
Gratipay $5 HTTP trace method is enabled
HackerOne None Signals get affected once reports closed as self
Ruby on Rails None Validation bypass for Active Record and Active Model
ownCloud None Mixed Active Scripting Issue on
ownCloud None Reflected Cross-Site Scripting
ownCloud $350 Exploiting unauthenticated encryption mode
ownCloud None [] Guessable password used for admin user
Mail.Ru $150 [] Time Based SQL Injection
Mail.Ru None XSS at forum :
Mail.Ru $500 reflected in xss
HackerOne $500 Team Member(s) associated with a Group have Read-only permission (Post internal comments) can post comment to all the participants
WePay $100 Unauthenticated Stored XSS in API Panel
Automattic $50 Possible Timing Side-Channel in XMLRPC Verification
GlassWire $100 GlassWireSetup.exe subject to EXE planting attack
Imgur $150 XSS in imgur mobile 3
Imgur $150 XSS in imgur mobile
Shopify $500 Stored XSS in /admin/orders
Zendesk $500 Stored XSS in comments
Shopify $500 Strored Cross Site Scripting
PHP $1,000 Format string vulnerability in zend_throw_or_error()
Shopify $500 HTTP-Response-Splitting on
CloudFlare None Clickjacking :
Coinbase $100 Race condition allowing user to review app multiple times
withinsecurity $250 text injection can be used in phishing 404 page should not include attacker text
Algolia $100 text injection can be used in phishing 404 page should not include attacker text
Coinbase None Potential for Double Spend via Sign Message Utility
HackerOne $500 Improve signals in reputation
Shopify $500 Reflective XSS on
HackerOne $500 Team Member(s) associated with a Custom Group Created with 'Program Managment' only permissions can Comments on Bug Reports
ownCloud None Parameter pollution in social sharing buttons
Shopify $500 "Remember me" token generated when "Remember me" box unchecked
ownCloud None XXE at host
GlassWire $100 DLL Hijacking Vulnerability in GlassWireSetup.exe
HackerOne $500 Parameter pollution in social sharing buttons
HackerOne $500 Know whether private program for company exist or not
LeaseWeb $100 DOM Based XSS in Checkout
Shopify $500 many xss in
Phabricator None libphutil: removing bytes from a PhutilRope does not work as intended
Pornhub $250 PornIQ Reflected Cross-Site Scripting
Imgur $150 risk of having secure=false in a crossdomain.xml
Shopify None [] Cookie bomb at customer chats
Square Open Source $2,000 Unsafe usage of Ruby string interpolation enabling command injection in git-fastclone
ownCloud None directory listing in
Shopify $500 CSRF in Connecting Pinterest Account
Coinbase None XXE in OAuth2 Applications gallery profile App logo
Automattic $75 XSS on
Coinbase $200 HTML injection in apps user review
Square Open Source $2,000 git-fastclone allows arbitrary command execution through usage of ext remote URLs in submodules
Shopify $1,000 XSS on sales channels via currency formatting
Slack $1,000 Trick make all fixed open redirect links vulnerable again
Python $500 tokenizer crash when processing undecodable source code
Python $1,000 PyFloat_FromString & PyNumber_Long Buffer Over-reads
PHP None Improved fix for bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow) CVE-2015-4643
PHP $500 Memory Corruption in phar_parse_tarfile when entry filename starts with null CVE-2015-4021
PHP $500 invalid pointer free() in phar_tar_process_metadata() CVE-2015-3307
Python $500 use after free in load_newobj_ex
Python $500 array.fromstring Use After Free
Python $1,000 bytearray.find Buffer Over-read
Python $500 hotshot pack_string Heap Buffer Overflow
Python $500 audioop.adpcm2lin Buffer Over-read
Python $500 audioop.lin2adpcm Buffer Over-read
PHP $500 Files extracted from archive may be placed outside of destination directory CVE-2015-6833
PHP $1,500 Multiple Use After Free Vulnerabilites in unserialize() CVE-2015-6831
PHP $1,000 Arbitrary code execution in str_ireplace function CVE-2015-6527
PHP $1,000 Dangling pointer in the unserialization of ArrayObject items CVE-2015-6832
PHP $500 curl_setopt_array() type confusion
The Internet $1,000 libcurl duphandle read out of bounds CVE-2014-3707
PHP $500 heap buffer overflow in enchant_broker_request_dict() CVE-2014-9705
PHP $500 Integer overflow in unserialize() (32-bits only) CVE-2014-3669
PHP $500 AddressSanitizer reports a global buffer overflow in mkgmtime() function CVE-2014-3668
PHP $1,500 SOAP serialize_function_call() type confusion / RCE CVE-2015-6836
PHP $500 zend_throw_or_error() format string vulnerability
PHP $1,000 Uninitialized pointer in phar_make_dirstream CVE-2015-7804
PHP $1,000 Buffer over-read in exif_read_data with TIFF IFD tag
PHP $500 Null pointer deref (segfault) in spl_autoload via ob_start
PHP $500 null pointer deref (segfault) in zend_eval_const_expr
PHP $500 Mem out-of-bounds write (segfault) in ZEND_ASSIGN_DIV_SPEC_CV_UNUSED_HANDLER
Python $1,000 Python deque.index() uninitialized memory
Python $500 Python scan_eol() Buffer Over-read
Python $500 time_strftime() Buffer Over-read
Python $500 Python xmlparse_setattro() Type Confusion
PHP $500 Use after free vulnerability in unserialize() with GMP
PHP $500 Use After Free Vulnerability in session deserializer CVE-2015-6835
PHP $1,000 Use After Free Vulnerability in unserialize() CVE-2015-6834
PHP $1,000 Use After Free Vulnerability in unserialize() with SplObjectStorage CVE-2015-6834
PHP $1,000 Use After Free Vulnerability in unserialize() with SplDoublyLinkedList CVE-2015-6834
Python $500 Python 3.3 - 3.5 product_setstate() Out-of-bounds Read
Ruby $1,500 Request Hijacking Vulnerability In RubyGems 2.4.6 And Earlier CVE-2015-3900
Python $500 Integer overflow in _Unpickler_Read
Apache httpd $500 mod_lua: Crash in websockets PING handling CVE-2015-0228
PHP $500 Null pointer dereference in phar_get_fp_offset() CVE-2015-7803
Khan Academy None Escaping the iframe via exceptions
HackerOne $2,500 CSRF possible when SOP Bypass/UXSS is available
Shopify $500 Open Redirect at *
Urban Dictionary None URGENT - Subdomain Takeover in pointing to Zendesk
Shopify $500 [CSRF] Install premium themes
Imgur None Attack User Privacy Settings - X-Frame-Options missing on
Algolia $100 Stored XSS in name selection $500 Обход защиты от csrf-ок в
withinsecurity $250 content injection $500 Same-Origin Policy Bypass #2 $500 Same-Origin Policy bypass on main domain -
Zendesk $500 [CRITICAL] CSRF leading to account take over
Sucuri $250 XSS Vuln in Sucuri Security - Auditing, Malware Scanner $75 Cookie bug
Shopify $500 Open redirect using theme install
Shopify $500 XSS in creating tweets
Automattic $75 Remove anyone's pic gravtar
Pornhub $250 Reflected Cross-Site Scripting on French subdomain
Twitter $140 Subdomain Expired
Uber $500 Drivers can change profile picture
Shopify None Cookie securing your "Opening soon" store is not secured against XSS
Shopify $500 An administrator without any permission is able to get order notifications using his APNS Token.
Twitter $560 xss in link items (
Imgur $5,500 Imgur dev environments facing the Internet
Twitter $560 URGENT : Account Take Over Vulnerability
Coinbase $5,000 Stored-XSS in
Shopify None CSV Excel Macro Injection Vulnerability in export list of current users -
Slack None Executing scripts on using SVG
Pornhub $250 Cross Site Scripting - On Mouse Over, Blog page
Pornhub $250 [xss,] /user/[username], multiple parameters
HackerOne $1,000 Pre-generation of 2FA secret/backup codes seems like an unnecessary risk
Mail.Ru None [] XSS в функционале авторизации
Coinbase $500 Transactions visible on Unconfirmed devices
Algolia $200 User with limited access to Index configuration can rename the Index
HackerOne $500 Limited CSRF bypass.
HackerOne None profile cover can also load external URL's
Uber $1,000 Mass Assignment Vulnerability in
Shopify $500 deleted staff member can add his amazon marketplace web services account to the store.
Algolia $100 an xss issue
Shopify $500 [CSRF] Activate PayPal Express Checkout
QIWI $3,137 XML External Entity (XXE) in + waf bypass
Mapbox $1,000 XSS in L.mapbox.shareControl in mapbox.js
Shopify $1,000 S3 Buckets open to the world thanks to 'Authenticated Users' ACL
ownCloud None RCE in /
Shopify $500 Apps can access 'channels' beta api $50 Email Verification Link can be Used as Password Reset Link!
QIWI $200 XSS Reflected in
Shopify $1,500 'Limited' RCE in certain places where Liquid is accepted $300 login to any user's cashier account and full account information disclosure
Shopify None Non-owner user can remove online store channel and re-add it.
itBit Exchange $100 No password length restriction denial of service
Algolia $100 Stored XSS on*
HackerOne $2,500 Cross-domain AJAX request
Imgur $150 XSS
Slack $100 Reflected Self-XSS in Slack
Slack $200 File upload XSS (Java applet) on None User Enumeration : Due to rate limiting on registration
Shopify $500 List of devices is accessible regardless of the account limitations
Twitter $280 Following a User After Favoriting Actually Follows Another User (related to #95243)
Shopify $500 SVG parser loads external resources on image upload
Shopify $500 Staff members with no permission can access to the files, uploaded by the administrator
HackerOne None Hackerone impersonation $250 Multiple critical vulnerabilities in Odnoklassniki Android application
HackerOne $1,000 HTTP header injection in allows setting cookies for
HackerOne $2,500 Send AJAX request to external domain
Twitter $1,120 Can see private tweets via keyword searches on tweetdeck
Shopify $500 An administrator without the 'Settings' permission is able to see payment gateways
Shopify $500 A 'Full access' administrator is able to see the shop owners user details
Shopify $500 Staff members with no permission to access domains can access them.
Keybase $50 Un-handled exception leads to Information Disclosure
itBit Exchange None email not required to be unique
Snapchat $1,500 Password Reset - query param overrides postdata
Shopify $500 Missing of csrf protection
Imgur $50 Persistent XSS in and / post statistics
Slack $500 Stored XSS in Slack (weird, trial and error)
withinsecurity None DDOS using xmlrpc.php
withinsecurity None Uses unsafe-inline without nonce
Shopify None Domain takoever - $75 Http Response Splitting - Validate link
itBit Exchange $50 user-agent Content spoofing
Mail.Ru $300 [] Authentication Data
Udemy None Reflected XSS and/or malicious redirection via JWPlayer 6 configuration modification $50 Cross Site Scripting
Shopify $500 Privilege escalation and circumvention of permission to limited access user
Imgur $250 Persistent XSS in image title
Twitter $5,040 IDOR- Activate Mopub on different organizations- steal api token-
Shopify $500 Unauthorized access to any Store Admin's First & Last name
Twitter $280 Following a User Actually Follows Another User
InVision None X-Frame-Options Header Not Set
Shopify $500 Reflected XSS in cart at
Coinbase None Balance Manipulation - BUG
Shopify $4,000 Paid account can review\download any invoice of any other shop
Whisper $30 Host Header Injection/Redirection
Ruby on Rails None http_basic_authenticate_with is suseptible to timing attacks.
Mail.Ru None Reflective Xss on and
Shopify $500 Some S3 Buckets are world readable (and one is world writeable)
HackerOne None Minimum bounty of a private program is visible for users that were removed from the program
Zopim $1,000 Cross-site Scripting in all Zopim
Shopify $1,500 Arbitrary read on s3://shopify-delivery-app-storage/files
Shopify $2,500 Unauthorized access to all collections, products, pages from other stores
Shopify $500 Bypassing password requirement during deletion of accout
FanFootage None XSS by image file name
Shopify $2,000 Arbitrary write on s3://shopify-delivery-app-storage/files
Shopify $500 Missing authorization check on dashboard overviews
Shopify $500 get users information without full access
Adobe None Reflected XSS via. search
Shopify $1,000 Unauthenticated access to details of hidden products in any shop via title emuneration
Shopify $500 First & Last Name Disclosure of any Shopify Store Admin
Imgur None Csrf near report abuse meme
WePay $100 Subdomain Takeover in pointing to Fastly
Shopify $2,000 unauthorized access to all collections name
Keybase None xss
Coinbase $100 SPF records not found
HackerOne None HackerOne Private Programs users disclosure and de-anonymous-ize
ownCloud None Referer protection Bypassed
Shopify None The POS Firmware is leaking the root Password which can be used for unauthorized access to the device.
HackerOne None Content spoofing on invitations page
Shopify $500 Accessing Payments page and adding payment methods with limited access accounts
Badoo $456 Tokens from services like Facebook can be stolen
Shopify $2,500 unauthorized access to all customers first and last name
Automattic $75 CSV Injection in
Trello $128 CSV Injection
Shopify $500 customers password hash leak!!!!
Uber $100 Issue with Password reset functionality
ownCloud None Self-XSS in mails sent by [email protected]
Trello $256 Normal User can add new users to group
Imgur $1,600 Server Side Request Forgery In Video to GIF Functionality
Imgur $50 Crossdomain.xml settings on too open
Imgur None Content Sniffing not enabled
Imgur $50 "Sign me out everywhere" does not work for desktop sessions
Imgur None Open Url redirection on login with facebook
ownCloud None WP Super Cache plugin is outdated
IRCCloud $500 Inadequate input validation on API endpoint leading to self denial of service and increased system load.
Shopify None Passwords Returned in Later Responses.
Gratipay None implement a cross-domain policy for Adobe products
Zendesk $50 Content Spoofing
Mail.Ru None [] Server-Status opened for all users
Shopify $1,000 change Login Services settings without owner access
Shopify $1,000 create staff member without owner access
Shopify $500 Privilege escalation vulnerability
ownCloud None No email verification during registration
ownCloud None [] Web Server HTTP Trace/Track Method Support
Ruby on Rails None Nested attributes reject_if proc can be circumvented by providing "_destroy" parameter
Zaption None CSV Excel Macro Injection in Export Response
HackerOne None Minor Bug: Public un-compiled CSS with original sass, versioning, source map, comments, etc.
ownCloud None Apache documentation
Coinbase $100 User email enumuration using Gmail
Zopim $100 CSV Excel Macro Injection Vulnerability in export chat logs
Twitter $280 Tweetdeck (twitter owned app) not revoked
Zendesk $100 CSV Excel Macro Injection Vulnerability in export customer tickets
Zendesk $100 Cross-site Scripting
Slack $100 Self-XSS in posts by formatting text as code
BitHunt None No rate limit or captcha to identify humans
ownCloud None CVE-2015-5477 BIND9 TKEY Vulnerability + Exploit (Denial of Service)
Mail.Ru None Vulnerability :- "XSS vulnerability"
ownCloud None Apache Range Header Denial of Service Attack (Confirmed PoC)
Mail.Ru $500 XSS:,[id]/reply при ответе на специальным образом сформированное письмо
Phabricator $300 Information leakage through Graphviz blocks
ownCloud None Webview Vulnerablity [OwnCloudAndroid Application]
ownCloud None gallery_plus: Content Spoofing
Udemy $100 XSS Vulnerability
Vimeo $200 Stored XSS on and
Coinbase $100 OAUTH pemission set as true= lead to authorize malicious application
Gratipay None Mail spaming
ownCloud $25 Full Path Disclosure CVE-2016-1501
Shopify $500 XSS on blog pages via sharing buttons
Twitter $2,520 XSS on OAuth authorize/authenticate endpoint
Anghami $100 [CRITICAL] Login To Any Account Linked With Google+ With Email Only
Anghami $300 [] Sql Injection
HackerOne None Weak HSTS age in support hackerone site
Phabricator $450 Multiple so called 'type juggling' attacks. Most notably PhabricatorUser::validateCSRFToken() is 'bypassable' in certain cases.
Romit $250 IDOR on remoing Share
ownCloud None Potential XSS
ownCloud None CSRF change privacy settings
ownCloud None Password appears in user name field
ownCloud None Mixed Active Scripting Issue
ownCloud None Edit Question didn't check ACLs
InVision $400 Deleting a Project for which the user is not owner but a normal member
Shopify $500 XSS
ownCloud $25 Full Path Disclosure CVE-2016-1501
Phabricator None Dashboard panel embedded onto itself causes a denial of service
ownCloud None Config
Gratipay None Stored XSS On Statement
Zopim $100 [API ISSUE] agents can Create agents even after they are disabled !
ownCloud None Outdated plugins contains public exploits
ownCloud None Lack of HSTS on
ownCloud None CSRF in
ownCloud None Malicious file upload leads to remote code execution
ownCloud None Account Compromise Through CSRF
ownCloud None Stored XSS in profile page
Gratipay None DKIM records not present, Email Hijacking is possible
ownCloud None HTTP compression is enabled potentially leading to BREACH attack
ownCloud None Information disclosure
ownCloud None * / * Using not strong enough SSL ciphers
ownCloud None Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability
Ruby on Rails None DoS Attack in Controller Lookup Code
ownCloud None SSL Session cookie without secure flag set
ownCloud None Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability
ownCloud None Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability
ownCloud None SSL Server Allows Anonymous Authentication Vulnerability (SMTP)
ownCloud None Path Disclosure
ownCloud None SSL Session cookie without secure flag set
ownCloud None Session Cookie in URL can be captured by hackers
Khan Academy None Html injection on khanacademy
Mail.Ru None [] Reflected XSS in debug-mode
ownCloud None PermError SPF Permanent Error: Too many DNS lookups
Mail.Ru None [] Reflected XSS via Cookies
Pornhub $100 [reflected xss,] /blog, any
ownCloud None Multiple reflected XSS by insecure URL generation (IE only)
ownCloud None XSS via referrer
ownCloud None Cross Site Tracing
ownCloud None Content Sniffing not disabled
ownCloud None Allowed an attacker to force a user to change profile details. (XCSRF)
ownCloud None DOM Based XSS
Pornhub $50 Cross Site Scripting – Album Page
Zendesk $500 Stored XSS in comments
Hired $420 Stored XSS in Company Name
Shopify $500 Self XSS in chat.
Automattic $100 XSS in WordPress
Gratipay $1 Possible SQL injection on "Jump to twitter"
Shopify $500 XSS (Digital Downloads App in
Ruby on Rails None [Rails42] We can inject HTML tags when server is using strip_tags method
Ruby on Rails $2,000 Potential XSS on sanitize/Rails::Html::WhiteListSanitizer
InVision $100 Reflective XSS in
Informatica None [] Reflective Xss
HackerOne $500 Internal bounty and swag details disclosed as part of JSON response
HackerOne $500 Private Program and bounty details disclosed as part of JSON search response
Gratipay None Authentication errors in server side validaton of E-MAIL
Urban Dictionary None Reflective Xss Vulnerability
HackerOne $500 Number of invited researchers disclosed as part of JSON search response $500 Внедрение произвольного javascript-сценария в функционале просмотра изображений мобильной версии сайта
Gratipay None [] CRLF Injection
QIWI $500 Открытый доступ к корпоративным данным.
Slack $1,000 OSX slack:// protocol handler javascript injection
Flox $25 Content spoofing through Referel header $300 Доступ к чужим групповым беседам.
Udemy $50 information disclosure
Flox None Email spoofing configuration missing $200 Доступ к чужим приватным фотографиям (3) через обложку видео
Mail.Ru $150 Time-Based Blind SQL Injection Attacks $500 (URGENT!) Покупка OK дешевле, чем он стоит
Mail.Ru $150 Cross site scripting $150 Покупка песни дешевле, чем она стоит. $150 xss in group
Keybase None Sensitive server-side/application information disclosure None Cross site scripting On api Calculator API requests $500 SSRF/XSPA в форме загрузки видео по URL
Shopify $1,000 TCP Source Port Pass Firewall
MapLogin None Account creation code bypass
Keybase $100 Full path disclosure at
WordPoints $25 Weak Cryptographic Hash
Mavenlink $25 Open/Unvalidated Redirect Issue
Keybase $250 Content Sniffing not disabled
Romit $250 GA code not verified on the server side allows sending Verification Documents on behalf of another user
Keybase $250 No rate limiting for sensitive actions (like "forgot password") enables user enumeration
Keybase $500 Stealing CSRF Tokens
Keybase $500 SMTP protection not used
Zaption None Cheating at gallery rating
Zaption $25 Open redirect filter bypass
Zaption $25 Using GET method for account login with CSRF token leaking to external sites Via Referer.
Zaption $50 XSS - Gallery Search Listing
Gratipay None Self XSS Protection not used , I can trick users to insert JavaScript
Gratipay None weak ssl cipher suites
Zopim None Security Missconfiguration in Autologin
Zendesk $200 Stored Cross site scripting In
Romit $250 No rate limit which leads to "Users information Disclosure" including verfification documents etc.
Envoy None Stored XSS
Envoy None XSS in "Guest Pre-Registration" page after registration
HackerOne $500 Accessing title of the report of which you are marked as duplicate
QIWI $100 Session Cookie without HttpOnly and secure flag set
Envoy None Stored XSS in /settings/ipad Page
Mapbox $500 Disclosure of map information
DigitalSellz None The product/status method CSRF
DigitalSellz None The email updates issues
DigitalSellz None Own downloading link isn't properly checked in the email template
Romit $250 Potential for financial loss, negative Values for "Buy fee" and "Sell Fee"
Ubiquiti Networks $500 Yet another Buffer Overflow in PHP of the AirMax Products
Ubiquiti Networks $500 Other Buffer Overflow in PHP of the AirMax Products
Udemy $150 Extremely high Course rating values could be set in order to make really high Average rating of the course. Negative values could be set to.
Shopify $3,000 Attention! Remote Code Execution at
Shopify $500 Reflected XSS in chat
Ubiquiti Networks $250 Buffer Overflow in PHP of the AirMax Products
Ubiquiti Networks $18,000 Arbritrary file Upload on AirMax
Python $1,000 Integer overflow in _json_encode_unicode leads to crash
Python $500 Integer overflow in _pickle.c
Python $1,000 Python: imageop Unsafe Arithmetic
PHP $500 PHP yaml_parse/yaml_parse_file/yaml_parse_url Unsafe Deserialization
PHP $1,500 PHP yaml_parse/yaml_parse_file/yaml_parse_url Double Free
PHP $500 str_repeat() sign mismatch based memory corruption
Python $500 Multiple type confusions in unicode error handlers
Python $500 Use after free in get_filter
Python $1,500 Multiple use after free bugs in json encoding
Python $1,500 Multiple use after free bugs in heapq module
Python $1,500 Multiple use after free bugs in element module
Python $500 Tokenizer crash when processing undecodable source code
PHP $500 php_stream_url_wrap_http_ex() type-confusion vulnerability
PHP $500 Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER
PHP $500 Type Confusion Vulnerability in SoapClient
PHP $1,500 Use after free vulnerability in unserialize() with DateInterval
The Internet $3,000 libcurl: URL request injection CVE-2014-8150
OpenSSL $2,500 Malformed ECParameters causes infinite loop CVE-2015-1788
PHP $1,500 Integer overflow in ftp_genlist() resulting in heap overflow CVE-2015-4022
PHP $1,500 ZIP Integer Overflow leads to writing past heap boundary CVE-2015-2331
PHP $1,000 Buffer Over-read in unserialize when parsing Phar CVE-2015-2783
PHP $1,000 Buffer Over flow when parsing tar/zip/phar in phar_set_inode CVE-2015-3329
OpenSSL $500 X509_to_X509_REQ NULL pointer deref CVE-2015-0288
PHP $1,500 Use After Free Vulnerability in unserialize() CVE-2015-2787
PHP $500 out of bounds read crashes php-cgi CVE-2014-9427
Shopify None Body injection in mailto link while commenting shop blog
Shopify None Prevent Shop Admin From Seeing his Installed Apps / Install Persistent Unremovable App
HackerOne $500 CSV Injection with the CVS export feature
Pornhub $5,000 Unauthenticated access to Content Management System -
ThisData None Xss via Dropbox
Shopify $500 XSS at Bulk editing ProductVariants
Pornhub $2,500 Multiple endpoints are vulnerable to XML External Entity injection (XXE)
Pornhub $10,000 Publicly exposed SVN repository,
Hired $250 URGENT - Subdomain Takeover on due to unclaimed domain pointing to
Shopify $500 XSS in Myshopify Admin Site in DISCOUNTS $250 Отвязываем Twitter от любого профиля вк ! + несколько багов по дизайну
Airbnb None authenticity_token is not random across page loads
HackerOne None Redirection Page throwing error instead of redirecting to site
Automattic $100 Verification code issues for Two-Step Authentication
Shopify $1,000 Bypass access restrictions from API
InVision $150 Enumeration and Guessable Email (OWASP-AT-002)T hrough Login Form
Shopify $500 SSRF via 'Insert Image' feature of Products/Collections/Frontpage
Shopify $500 SSRF via 'Add Image from URL' feature
Shopify $500 Expire User Sessions in Admin Site does not expire user session in Shopify Application in IOS
Mail.Ru $200 Possible xWork classLoader RCE:
Shopify $500 XSS at Bulk editing products
Shopify $500 XSS at importing Product List
Slack None Link vulnerability leads to phishing attacks
Sandbox Escape $3,000 Microsoft Internet Explorer ActiveX Broker Allows EPM Bypass
Marktplaats None Multiple Apache 2.2.22 Vulnerabilities (XSS/ Code Exec/ DoS)
Marktplaats None Content Spoofing -
LibSass None type confusion in Sass::ParserState::ParserState(Sass::ParserState const&) CVE-2015-4459
Marktplaats None Secret Password reset key disclosed to third party site via referer in header
Shopify $500 [www.*] CRLF Injection
HackerOne $500 mailto: link injection on $200 Уязвимость в Указание мест на фото + фича + хакинг
Coinbase None Two-factor authentication (via SMS)
HackerOne $500 Invitation is not properly cancelled while inviting to bug reports. $500 XSS at on IE using flash files
Mail.Ru None XSS
Coinbase $5,000 OAuth authorization page vulnerable to clickjacking
concrete5 None No CSRF protection when creating new community points actions, and related stored XSS $100 Не достаточная проверка логина скайп None XSS on added name album on videos.
Mapbox $1,000 Stored Cross-Site Scripting in Map Share Page
Coinbase $5,000 Big Bug with Vault which i have already reported: Case #606962
Mail.Ru $250 HTML Injection на $500 API: Bug in method auth.validatePhone
Shopify None Header Misconfiguration - PHP API
MapLogin None Not Completed Accounts Take Over (Urgent bug)
concrete5 None No csrf protection on index.php/ccm/system/user/add_group, index.php/ccm/system/user/remove_group
Shopify $1,000 Privilege Escalation - A `MEMBER` with no ACCESS to `ORDERS` can still access the orders by using `Order Printer APP`
Romit $50 Cross site scripting
HackerOne $100 Potential denial of service in<program>/reward_settings
HackerOne $500 Logic error with notifications: user that has left team continues to receive notifications and can not 'clean' this area on account
Mavenlink $100 XSS in
HackerOne $500 External URL page bypass
Ruby on Rails None Changeable model ids on vanilla update can lead to severely bad side-effects
Mail.Ru None
Shopify $500 Bulk Discount App in exposes vulnerable to XSS
HackerOne None Email Notification should be get while changing Paypal Email
Udemy $150 Multiple sub domain are vulnerable because of leaking full path
Mail.Ru $150
Mail.Ru $200 Quagga (Router) : Default password and default enable password
Shopify $500 XSS in Admin site in TAX Overrides
Udemy $100 XSS on
jsDelivr None Pretty Photo Dom XSS
Udemy $100 Ability to add pishing links in discusion ," Bypassing uneductional Links add "
concrete5 None Multiple XSS Vulnerabilities in Concrete5
Sandbox Escape $3,000 Internet Explorer Enhanced Protected Mode sandbox escape via a broker vulnerability
Udemy $150 leak receipt of another user
Udemy $100 xss on autoserch
Mail.Ru $400 торчит Graphite в мир
HackerOne None Logical Issue (Boosting Reputation points)
Mail.Ru $400 stacked blind injection
HackerOne $500 Content Spoofing - External Link Warning Page
Udemy None Misconfigured SPF Record Flag
Mobile Vikings None XSS Vulnerability on all pages
Udemy $150 log poison vulnerability through wordpress debug.log being publically available
Udemy $150 xss profile
concrete5 None Local File Inclusion Vulnerability in Concrete5 version
concrete5 None SQL Injection Vulnerability in Concrete5 version
concrete5 None Sendmail Remote Code Execution Vulnerability in Concrete5 version
concrete5 None Multiple Stored Cross Site Scripting Vulnerabilities in Concrete5 version
concrete5 None Multiple Reflected Cross Site Scripting Vulnerabilities in Concrete5 version
concrete5 None Multiple Cross Site Request Forgery Vulnerabilities in Concrete5 version
HackerOne $500 Reopen Disable Accounts/ Hidden Access After Disable
drchrono $100 Accessing all appointments vulnerability
HackerOne $500 Fake URL + Additional vectors for homograph attack
HackerOne $500 Homograph attack
HackerOne None Homograph Attack
HackerOne $500 Making any Report Failed to load
Dropbox $512 XSS in dropbox main domain
Dropbox $216 Race condition when redeeming coupon codes
Shopify $500 Stored XSS in the Shopify Discussion Forums
Mail.Ru None Flash XSS on
OkCupid None An XSS bug was fixed due to my report, but I didn't submit it through the h1
Shopify $500 SSL cookie without secure flag set
Shopify $500 Content Spoofing
HackerOne $500 Homograph attack
Romit $50 HTML injection in email sent by
HackerOne None Missing spf flags for
Romit $50 Server responds with the server error logs on account creation
Vimeo $500 API: missing invalidation of OAuth2 Authorization Code during access revocation causes authorization bypass
Shopify $500 amazon aws s3 bucket content is public :-
Shopify $500 XSS in
WordPoints None Rank Creation function not validating user inputs.
HackerOne $500 Open-redirect on
Shopify None comment out causes information disclosure
Shopify $4,000 Notification request disclose private information about other myshopify accounts
Dropbox $512 SSRF vulnerablity in app webhooks
Dropbox None XSS in version history of an HTML file in a shared folder
Shopify None Multiple issues on Checkout Process
Shopify $500 XSS on
Shopify None XSS on
HackerOne $1,000 SPF whitelist of mandrill leads to email forgery
Shopify $500 Invitation issue
Shopify None XSS - URL Redirects
Shopify $1,000 Shop admin can change external login services
Shopify $1,000 IDOR expire other user sessions
Dropbox Acquisitions $216 Get email ID of any user on
Vimeo None May cause account take over (Via invitation page)
Coin.Space None SMTP protection not used
Twitter None Privecy Issue : view "Protected users" followers and following
Shopify $2,000 Shopify android client all API request's response leakage, including access_token, cookie, response header, response body content
Shopify $500 CSRF token fixation in facebook store app that can lead to adding attacker to victim acc
Shopify $1,000 [persistent cross-site scripting] customers can target admins
Coinbase None iframes considered harmful
Shopify $500 Force 500 Internal Server Error on any shop (for one user)
Twitter $280 Ex-admin of an organization can delete team members
Shopify None Lack of SSL Pinning on POS Application ( iOS )
Shopify $500 Open Redirect after login at
Shopify $500 Authentication Failed Mobile version
Shopify $500 Open redirection in OAuth
Twitter None Privacy Issue on protected tweets
drchrono $700 XML Parser Bug: XXE over which leads to RCE
Faceless None Bypass Setup by External Activity Invoke
PHP $3,000 Use after free vulnerability in unserialize()
PHP $2,500 SoapClient's __call() type confusion through unserialize()
PHP $2,500 Use after free vulnerability in unserialize() with DateTimeZone
PHP $2,500 Free called on unitialized pointer in exif.c
OpenSSL $3,000 Segmentation fault for invalid PSS parameters
Python $9,000 Multiple Python integer overflows
Factlink None Frameset Proxy Problem
Shopify $500 Missing spf flags for
Coinbase $1,000 Sandboxed iframes don't show confirmation screen
Mail.Ru $500 stored XSS in agent via sticker (smile)
Snapchat $100 Captcha Bypass in Snapchat's Geofilter Submission Process
Snapchat $100 Vulnerable to JavaScript injection. (WXS) (Javascript injection)!
Slack $100 Logout any user of same team
Mapbox $1,000 Persistent cross-site scripting (XSS) in map attribution
Shopify $500 Xss in website's link
HackerOne None Reflected Filename Download
Twitter $420 Insecure Direct Object Reference - access to other user/group DM's
Twitter $2,800 HTTP Response Splitting (CRLF injection) due to headers overflow
Dropbox Acquisitions $216 XSS in
Twitter $1,400 XSS in
Phabricator $300 SSRF vulnerability (access to metadata server on EC2 and OpenStack)
Vimeo $250 [URGENT ISSUE] Add or Delete the videos in watch later list of any user .
OkCupid None XSS on Send A Message Option
Phabricator $300 XSS with Time-of-Day Format
Vimeo $250 Share your channel to any user on vimeo without following him
Twitter $420 Insecure direct object reference - have access to deleted DM's
itBit Exchange $200 secretKey for OTP , is getting leaked in response of a delete request !
itBit Exchange $200 confirmation bypass of 2FA devices while they are deleting
Ubiquiti Networks $500 UniFi v3.2.10 Cross-Site Request Forgeries / Referer-Check Bypass
HackerOne None "learn more here", reward email - domain expired.
Dropbox Acquisitions None unknow files Upload in profile photo
Vimeo $150 Insecure Direct Object References that allows to read any comment (even if it should be private)
Vimeo $500 Insecure Direct Object References in
Twitter $3,500 HTTP Response Splitting (CRLF injection) in report_story
HackerOne $500 Open redirect in "Language change".
Caviar $500 Remotely modifying courier Account Details
Vimeo $250 Post in private groups after getting removed
Flash $2,000 Flash Cross Domain Policy Bypass by Using File Upload and Redirection - only in Chrome
IRCCloud None Email verification links still valid after changing it 2x
itBit Exchange None ITBit Vulnerable to SSLSTrip
Mail.Ru None XSS in
Mail.Ru None XSS in
Mail.Ru None XSS in
Vimeo $250 A user can enhance their videos with paid tracks without buying the track
Whisper $10 CVE-2014-0224 openssl ccs vulnerability
Whisper $100 Bypass pin(4 digit passcode on your android app)
Vimeo $500 A user can post comments on other user's private videos
Vimeo $250 A user can add videos to other user's private groups
concrete5 None Stored XSS in Image Alt. Text
concrete5 None Stored XSS in Message to Display When No Pages Listed.
concrete5 None Stored XSS in Bio/Quote
Vimeo $250 A user can edit comments even after video comments are disabled
Twitter $560 open redirect sends authenticity_token to any website or (ip address)
Ubiquiti Networks $500 CSRF in login form would led to account takeover
concrete5 None Stored XSS In Company URL
HackerOne None Reflected File Download attack allows attacker to 'upload' executables to domain
concrete5 None Stored XSS in testimonial Company
concrete5 None Stored XSS in Testimonial Position
concrete5 None Stored XSS in Testimonial name
concrete5 None Stored Xss in Feature Paragraph
concrete5 None Stored XSS in Feature tile
concrete5 None Stored XSS in title of date navigation
concrete5 None Stored XSS in Title of the topic List
concrete5 None Stored XSS in Contact Form
concrete5 None Stored XSS on Search Title
concrete5 None Stored XSS on Title of Page List in edit page list
concrete5 None Stored XSS on Blog's page Tile
Phabricator None Server Side Request Forgery in macro creation
concrete5 None Self Xss on File Replace
Adobe None Open redirect and reflected xss in[payload her]
Adobe None stored XSS via send file
The Internet $7,500 FREAK: Factoring RSA_EXPORT Keys to Impersonate TLS Servers
Adobe None Reflected Cross Site Scripting - 'puser' Parameter in login page
Twitter $1,400 XSS in original referrer after follow
Square None Invitation threshold
Romit $50 The csrf token remains same after user logs in
Ruby on Rails $1,000 rails-ujs will send CSRF tokens to other origins
Twitter $560 Twitter Ads Campaign information disclosure through admin without any authentication.
Twitter $1,400 Open Redirect leak of authenticity_token lead to full account take over.
Vimeo None URGENT - Subdomain Takeover on due to unclaimed domain pointing to
HackerOne $5,000 Improperly validated fields allows injection of arbitrary HTML via spoofed React objects
HackerOne None Auto Approval of Invitation to join Team as a Team member
Vimeo $250 Vimeo + & Vimeo PRO Unautorised Tax bypass
Airbnb None SSL Issues
Airbnb None Vulnerability type xss uncovered in
Airbnb None Generating Unlimited Free Travel Gift Invites | IDOR
Twitter None Cross site Port Scanning bug in twitter developers console
Mail.Ru $300 RCE через JDWP
Dropbox None Create N Accounts In Dropbox Irrespective Of Domain
HackerOne None Substantially weakened authenticity verification when using 'Remember me for a week'
Airbnb None I Can Delete Any Airbnb Users Symbol!
Vimeo None Bypassing Email verification
Mail.Ru $150 Heartbleed
Mail.Ru $150 HDFS NameNode Public disclosure:
Todoist $25 Remotely removing credit cards from business accounts!
Todoist $25 Taking over a Business Account Admin
Twitter $1,400 Redirect URL in /intent/ functionality is not properly escaped
HackerOne $500 Team member invitations to sandboxed teams are not invalidated consistently (v2)
HackerOne None Restrict any user from logging into his account.
The Internet $5,000 Bad Write in TTF font parsing (win32k.sys)
Coinbase $100 open authentication bug
Slack $200 Team admin can add billing contacts
Dropbox Acquisitions $729 Privilege Escalation at invite feature
Twitter $140 Reporting user's profile by using another people's ID
The Internet $3,000 Heap overflow in H. Spencer’s regex library on 32 bit systems
Romit $50 Email Enumeration (POC)
QIWI $200 [] XSS + Misconfiguration
Mail.Ru $600 Same Origin Policy bypass
HackerOne $2,000 CSP Bypass: Click handler for links with data-method="post" can cause authenticity_token to be sent off domain
Mobile Vikings None Approve topup method by sender of this method
Mobile Vikings None Enum phone numbers thru /en/sims/topup/add/
Mobile Vikings None Username and sim id enum
Mobile Vikings None CSRF token from another valid user session accepted
Mobile Vikings None Stored xss in user name (2) affected another user.
Mobile Vikings None Stored xss in user name
Mobile Vikings None Reflected xss in user name thru cookie
Mail.Ru None XSS Vulnerability in
Ruby on Rails None JSON keys are not properly escaped
Informatica None XSS in Search Communities Function
Flash $7,500 Use After Free in Flash MessageChannel.send can cause arbitrary code execution
Flash $10,000 Use after free during the StageVideoAvailabilityEvent can result in arbitrary code execution
Flash $10,000 Race condition in workers may cause an exploitable double free by abusing bytearray.compress()
InVision $200 Javascript Injection
itBit Exchange $50 Leakage of sensitive wallet tokens to third party sites
Flash $2,000 Adobe Flash Player Out-of-Bound Access Vulnerability
Vimeo $250 Red October
HackerOne None Markdown code block sequence makes report unreadable
HackerOne $5,000 Markdown parsing issue enables insertion of malicious tags and event handlers
Twitter $560 Twitter Card - Parent Window Redirection
Slack $100 Team admin can change unauthorized team setting (allow_message_deletion)
Slack $200 Team admin can change unauthorized team setting (require_at_for_mention)
Romit None CSRF token leakage
Romit $50 Frictionless Transferring of Wallet Ownership
Square None Redirecting a victim elsewhere through shopseen 0auth
Twitter $1,260 Problem with OAuth
HackerOne $500 Team member invitations to sandboxed teams are not invalidated consistently
HackerOne $500 Insecure Direct Object Reference vulnerability
Nearby Live None Group Invite not properly authenticated
HackerOne None In markdown, parsing things like @danlec and #46072 after links is unsafe
Vimeo None Can message users without the proper authorization
Vimeo None Brute force on "vimeo" cookie
HackerOne $5,000 Vulnerability with the way \ escaped characters in <> style links are rendered
Ruby on Rails None Explicit, dynamic render path: Dir. Trav + RCE
Vimeo $250 CRITICAL vulnerability - Insecure Direct Object Reference - Unauthorized access to `Videos` of Channel whose privacy is set to `Private`.
Vimeo $100 XSS on Vimeo
Vimeo None CSRF bypass
Vimeo $100 ftp upload of video allows naming that is not sanitized as the manual naming
Mobile Vikings None Number, username and name disclosure
Mobile Vikings None Stored XSS in Direct debit name
Vimeo None Full account takeover via Add a New Email to account without email verified and without password confirmation.
Informatica None [] - CSRF in Private Messages allows to move user's messages to Trash
Square None HTTP Header revealing server information.
itBit Exchange $50 weird bug ! ( missing validation on new email verfication )
HackerOne $500 Improper way of validating a program
itBit Exchange $200 Unsecure data in "device" response - OTP
Vimeo $100 Vimeo Search - XSS Vulnerability []
Dropbox None Unvalidated Redirects and Stored XSS
Twitter $140 Insecure Data Storage in Vine Android App
Mobile Vikings None Insecure crossdomain.xml
itBit Exchange $50 Email Length Verification
itBit Exchange $500 Notification Emails: IP + Content-Spoofing
Ruby on Rails $500 RCE due to Web Console IP Whitelist bypass in Rails 4.0 and 4.1
Vimeo $1,000 XSS on any site that includes the moogaloop flash player | deprecated embed code
Twitter $140 Flaw in login with twitter to steal Oauth tokens
Vimeo None unvalid open authentication with facebook
Twitter None Path disclosure in
HackerOne None Add text to the title of the page "Thanks"
Mail.Ru None
Mail.Ru $150 Heartbleed: ( port 1433
Vimeo None Application XSS filter function Bypass may allow Multiple stored XSS
Vimeo None Poodle bleed vulnerability in cloud sub domain
Vimeo None Open Redirection Security Filter bypassed
Vimeo $1,000 Make API calls on behalf of another user (CSRF protection bypass)
Mail.Ru $150 Hadoop Node available to public
Vimeo $100 CRITICAL full source code/config disclosure for Cameo
Vimeo None Serious Vulnerability Found
Twitter $420 twitter android app Fragment Injection
Vimeo $1,000 abusing Thumbnails( to see a private video
Vimeo None No Limitation on Following allows user to follow people automatically!
Vimeo $250 Ability to Download Music Tracks Without Paying (Missing permission check on`/musicstore/download`)
Vimeo None profile photo update bypass
Mail.Ru $100 Раскрытие номера мобильного телефона при двухфакторной аутентификации
Mail.Ru None XSS
Vimeo $100 - Reflected XSS Vulnerability
Vimeo $1,000 Adding profile picture to anyone on Vimeo
Vimeo $260 Buying ondemand videos that 0.1 and sometimes for free
Python $1,000 PyUnicode_FromFormatV crasher
Ruby on Rails $1,000 Arbitrary file existence disclosure in Action Pack CVE-2014-7829
OkCupid None Stored XSS in popup messages window
HackerOne None HTTPS is not enforced for objects stored by HackerOne on Amazon S3
Dropbox None WP User Enumeration is possible at
Vimeo None Misconfigured crossdomain.xml -
Twitter $1,120 - an app admin can delete team members from other user apps
Twitter $1,400 - app member can make himself an admin
Ruby on Rails None Denial of Service in Action Pack Exception Handling
Nearby Live None Web Server information disclosure.
Ruby on Rails None Data-Tags and the New HTML Sanitizer Subverts CSRF protection
Vimeo $100 APIs for channels allow HTML entities that may cause XSS issue
Vimeo $5,000 Insecure Direct Object References Reset Password
Vimeo $100 - reflected xss vulnerability
Vimeo $100 - Reflected XSS Vulnerability
Twitter None Account Deleted without any confirmation
Uber $500 XSS on
Twitter None No rate limiting on creating lists
concrete5 None Stored XSS in adding fileset
Flash $1,000 chrome allows POST requests with custom headers using flash + 307 redirect
Twitter $420 URGENT - Subdomain Takeover on , the same issue of report #32825
Romit $250 stored xss in transaction
Nearby Live None Gain access to any user's email address
Mail.Ru None /surveys/2auth: DOM-based XSS
Mail.Ru None GET /surveys/2auth: XSS
Twitter $1,400 HTML/XSS rendered in Android App of Crashlytics through
Romit $250 Stored XSS in api key of operator wallet
Romit $100 Error stack trace
Twitter $140 POODLE Bug:,,
HackerOne None Reflected File Download
Twitter $280 Open redirection in
Mail.Ru $100 No bruteforce protection leads to enumeration of emails in
Phabricator $500 Phabricator Phame Blog Skins Local File Inclusion
Informatica None Missing SPF for
WePay None Broken Authentication – Session Token bug
HackerOne None URL Crashing browser. {Tested on firefox, Chrome and Safari}
Phabricator $300 Phabricator Diffusion application allows unauthorized users to delete mirrors
concrete5 None stored XSS in concrete5
concrete5 None SQL injection in conc/index.php/ccm/system/search/users/submit
Square $500 Delayed, fraudulent transactions possible with encrypted Square Reader devices due to lack of server-side verification of device transaction counter
Mail.Ru $250 [] Memory Disclosure / IE XSS
HackerOne $500 Issue with password change
HackerOne $500 Breaking Bugs as team member
Openfolio $100 xss in /browse/contacts/
Python $6,500 Misc Python bugs (Memory Corruption & Use After Free) $1,000 Subdomain Takeover using pointing to Hubspot
Eobot None Multiple information disclosure
Twitter None Abuse of "Remember Me" functionality.
OkCupid None Rosetta flash vulnerability in clientstats AJAX script
Sucuri None Form contained inside page loaded over SSL submits its contents to another page over HTTP
Eobot $10 XSS in only)
Sucuri $250 Open Redirect in
InVision $150 CSRF Token in cookies!
Twitter None Homograph attack.
Twitter $1,400 [Stored XSS] - profile page
Twitter None Notifications can mark as read by CSRF
Coinbase $100 New Device Confirmation, token is valid until not used.
QIWI None Metadata in hosted files is disclosing Usernames, Printers, paths, admin guides. emails
ThisData None Missing SPF header on
QIWI $1,000 [] Soap-based XXE vulnerability /soapserver/
Openfolio None Options Method Enabled
QIWI $100 [] /oauth/confirm.action XSS
Flash $2,000 Adobe Flash Player MP4 Use-After-Free Vulnerability
Apache httpd $500 mod_proxy_fcgi buffer overflow CVE-2014-3583
HackerOne $500 Logic Issue with Reputation: Boost Reputation Points
Phabricator None Content injection
Twitter None Headers Missing
Factlink None File name/folder enumeration.
QIWI None Code for registration of qiwi account is not coming even after a long interval of time for Indian mobile number
QIWI $200 [] XSS at auth?login=
QIWI $200 [] XSS proxy.html
Twitter $140 getting emails of users/removing them from victims account [using typical attack]
HackerOne $500 Gain reputation by creating a duplicate of an existing report
PHP $2,500 Locale::parseLocale Double Free None Bypassed or command injection
Mail.Ru None Нежелательная информация
Eobot None IDOR on
Twitter $280 XSS via Fabrico Account Name
Mail.Ru $500 Ошибка фильтрации None Various Low level Vulnerabilities
Mail.Ru None Flash XSS на $150 SMPT Protection not used, I can hijack your email server.
Twitter $420 Bad extended ascii handling in HTTP 301 redirects of
Twitter None Options Method Enabled
Twitter None Option Method Enabled on web server
HackerOne $500 File Name Enumeration
InVision None Password reset tokens is valid after changing the password by logging in the account
Uzbey None test
Twitter None Flaw in valid password policy.
Uzbey None Test
Uzbey None Test
Twitter $1,400 DOM Cross-Site Scripting ( XSS )
InVision $300 Backup of wordpress configuration file found. Leaking database users/passwords
Slack $500 a stored xss in slack integration
HackerOne None Enumeration/Guess of Private (Invited) Programs
WP API None MD5 used for Key-Auth signatures
Twitter $1,680 URGENT - Subdomain Takeover on due to unclaimed domain pointing to AWS
99designs None Source Code Disclosure (PHP)
Mail.Ru $200 OpenSSL HeartBleed (CVE-2014-0160)
Twitter $280 XSS in
HackerOne None Content Spoofing via reports
The Internet $3,000 Drupal 7 pre auth sql injection and remote code execution
Twitter $140 Singup Page HTML Injection Vulnerability
Mail.Ru None Авторизуюсь от имени любого пользователя
RelateIQ $500 PoodleBleed
Flash $5,000 Adobe Flash Player Out-of-Bound Read/Write Vulnerability
HackerOne $1,000 Ability to see common response titles of other teams (limited)
Localize None files likes of is public
Twitter None Creating Unauthorized Audience Lists
concrete5 None Weak random number generator used in concrete/authentication/concrete/controller.php
WP API $50 Cryptographic Side Channel in OAuth Library None Timing Attack Side-Channel on API Token Verification None Weak Random Number Generator for Auth Tokens
Twitter $420 Unauthorized Tweeting on behalf of Account Owners
Khan Academy None Sql injection And XSS
Twitter $560 Improper Verification of email address while saving Account Settings
RelateIQ $250 Relateiq SSLv3 deprecated protocol vulnerability.
Localize None PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
Bookfresh None Missing Function Level Access Control in /cindex.php/widget/customize/
Flash $2,000 Adobe Flash Player MP4 Use-After-Free Vulnerability
Coinbase $100 New Device confirmation tokens are not properly validated.
99designs None CSRF to connect attacker's twitter account to logged in victims account
concrete5 None Stored XSS in concrete5
Square $250 CSRF on adding a calendar event
Square $500 square google calendar integration CSRF, parameter not checking properly)
Mail.Ru None Выполнение кода PHP через FastCGI
Square $500 CSRF on adding clients
The Internet $20,000 GNU Bourne-Again Shell (Bash) 'Shellshock' Vulnerability
Twitter $280 Profile Pic padding (Length-hiding) fails due to use of GZIP
HackerOne $500 homograph attack. IDNs displayed in unicode in bug reports and on external link warning page
IRCCloud $300 Unvalidated Channel names causes IRC Command Injection
Square $250 Privilege Escalation
WePay $350 Horizontal Privilege Escalation
Twitter $1,120 XSS | video-js metadata
HackerOne $500 No email verification on username change
Twitter $1,120 XSS
Sucuri $250 Usage of HTTP for exporting graph data as images
Square $250 Redirect while opening link in new tabs
Coinbase $100 Credit Card Validation Issue
Twitter None Twitter Flight SSL 2.0 deprecated protocol vulnerability.
HackerOne None "early preview" programs disclosure
HackerOne $500 Redirect FILTER bypass in report/comment
Mail.Ru $500 XSS via message id
Phabricator None Content Spoofing through URL
IRCCloud None Weak password policy
Mavenlink None Email field filtering problem.
Twitter $420 iOS App can establish Facetime calls without user's permission
Ruby on Rails $1,500 Active Record SQL Injection Vulnerability Affecting PostgreSQL CVE-2014-3483
Ruby on Rails $1,500 Active Record SQL Injection Vulnerability Affecting PostgreSQL CVE-2014-3482
PHP $2,500 SPL ArrayObject/SPLObjectStorage Unserialization Type Confusion Vulnerabilities CVE-2014-3515
Twitter $1,400 Cross site scripting on
HackerOne $500 Window Opener Property Bug
Twitter $1,400 Stored xss
Square $2,000 malicious file upload
Flash $1,000 Flash Local Sandbox Bypass CVE-2014-0554
GlassWire None Clickjacking: X-Frame-Options header missing
Phabricator None Content spoofing
Twitter $1,400 xss
Square $400 Reflected XSS in widget script thru cookie
Twitter $2,800 Delete Credit Cards from any Twitter Account in [New Vulnerability]
Square $1,000 Reflected XSS in
Square $750 Editing Client Details of other People
Twitter $140 Missing Rate Limiting on
The Internet $3,000 open redirect in rfc6749
Mail.Ru $1,337 XSS via .eml file
WePay $350 Critical : Account removing using CSRF attack
Square None XSS on bookfresh
Twitter $140 Full path disclosure at
Slack None HTTP Strict Transport Policy not enabled on newly made accounts
Phabricator None Password Policy issue
Square $2,000 CRITICAL Account takeover via AngularJS template injection in
Square $500 XSS in Client Past Activity
ExpressionEngine None Stored Cross-Site Scripting Vulnerability in /admin.php?/cp/admin_system/general_configuration
HackerOne None Notification of previous signed out user leakage.
Mavenlink None DNS load balancing not enabled
WePay None CSRF (Make email primary) may lead to account compromise
CloudFlare None Apache mod_negotiation filename bruteforcing
Square $250 Open Redirect [FreshBook]
Square $500 XSS [BookFresh]
HackerOne $100 Change Any username and profile link in hackerone
CloudFlare None User can request for password reset link without giving his website, eventhough he have it None SMTP protection not used (please read carefully )
Phabricator $400 Open redirection on
Twitter None HTML form without CSRF protection at None openssh-server Forced Command Handling Information Disclosure Vulnerability on None Reflected XSS -
Mail.Ru None Не уверен, что этому место на периметре:,,,
concrete5 None broken authentication
Twitter None User's DM won't deleted after logout from Twitter for iOS (
Mail.Ru $150 Странное поведение SMS
Secret None Broken Authentication and Session Management
Mail.Ru None Version Disclosure (NginX)
HackerOne $500 Redirect while opening links in new tabs
Phabricator $300 Forgot Password Issue
Square None CSRF login
Square $1,500 Blind SQL injection in
Uzbey None SQL Injection
Uzbey None XSS in 3rd party plugin (not affecting Uzbey's users)
Phabricator None Password Reset Links Not Expiring
Twitter None Broken authentication and invalidated email address leads to account takeover
Automattic None Open Redirect in WordPress Feed Statistics {Affected All Versions}
Slack $200 Content Spoofing all Integrations in
Twitter None Password reset link not validated.
Yahoo! None Blind Sql Injection
IRCCloud None Bruteforce protection not enabled on the login page
Slack $100 Content spoofing at Stripe Integrations
Mavenlink $50 privilege escalation
Mavenlink $200 Flash XSS on swfupload.swf showing at
Mavenlink $50 Clickjacking
HackerOne None Account Hijacking (Only rare case scenario)
Mavenlink $100 Login CSRF
Phabricator None Back - Refresh - Attack To Obtain User Credentials
Coinbase $1,000 Invoice Details activate JS that filled in
The Internet $3,000 rsync hash collisions may allow an attacker to corrupt or modify files
Apache httpd $500 moderate: mod_deflate denial of service CVE-2014-0118
Mail.Ru $150 File upload XSS using Content-Type header
Python $1,500 integer overflow in 'buffer' type allows reading memory
WePay None oauth redirect uri validation bug leads to open redirect and account compromise
Mail.Ru $1,000 File upload "Chapito" circus
Mail.Ru None HTTP Header Injection
Mail.Ru $100 Подделываем j2me app-descriptor
DigitalSellz None USER Account is not being deleted after user "Delete Account" from DASHBOARD
DigitalSellz None Verbose SQL error messages
ExpressionEngine None Cross Site Scripting (Stored)
HackerOne None No option to logout concurrent sessions
Twitter None password sent over HTTP
Automattic None Missing HSTS header in
Automattic None Missing HSTS header in
RelateIQ $100 Cross-site Scripting in mailing (username)
Envoy None Authentication Bypass None Host header is not Validated resulting in Redirect
Envoy None Delete visitor from IPAD with fullname which contains JS results XSS
HackerOne None Session Hijacking attack (Different Scenario)
Envoy None Too much sensitive information in GET
Envoy None Stored XSS on adding locations
Envoy None Stored XSS on sign_up page
Uzbey None Missing "size check" on files to upload could make memory leaks.
Uzbey None IFXSS (image filename XSS) by creating a new Photo Gallery
Localize None PHP PDOException and Full Path Disclosure
Mail.Ru None XSS через Referer
Mail.Ru None XSS
Secret None ClientId gives away platform (iOS/Android) from which a secret was posted.
Mail.Ru $3,000 Possibility to attach any mobile number to any email
Sandbox Escape $5,000 .NET Type Traversal Vulnerability CVE-2014-0257
Sandbox Escape None OSX ATS memory corruption may lead to App Sandbox bypass CVE-2014-1262
Sandbox Escape None OSX ATS arbitrary free issue may lead to App Sandbox bypass CVE-2014-1255
HackerOne None Email changing
WePay $100 Unauthorized Access via Join Email Link
Factlink None XSS 01 on
DC Compendium $25 Multiple Full Path Disclosure (FPD) Vulnerability on domain
RelateIQ $190 Resubmitted with POC #18685 Password reset CSRF
Phabricator $1,000 XSS in editor by any user
WePay $150 CSRF on email address operations. Also performing unintended operations.
Automattic None Top 10 2013-A2-Broken Authentication and Session Management -
WePay $500 Session Fixation
jsDelivr None HSTS Policy not enabled on
DC Compendium $50 Backend source code disclosure on 404 pages
jsDelivr None Using nmap revealing sensitive information
jsDelivr None XSS
jsDelivr None Directory Traversal at
DC Compendium $25 source code disclosure
Yahoo! $250 Yahoo! Reflected XSS
DC Compendium $25 XSS on Home page
DC Compendium $25 Error page Cross-site scripting
DC Compendium None Forward Secrecy is disable
DC Compendium None Login CSRF
DC Compendium $25 Clickjacking: X-Frame-Options header missing
HackerOne $100 Denial of Service
Faceless None Tap Jacking Attack on Button Tags
The Internet $6,000 LZ4 Core CVE-2014-4611
Factlink None Click-Jacking due to missing X-frame header
Uzbey None Mass invitation send
IRCCloud $500 Reflected XSS in Pastebin-view
Uzbey None Information Disclosure (phpinfo())
HackerOne None Account takeover
Yahoo! $50 Default /docs folder of PHPBB3 installation on
Uzbey None Price Manipulation
Phabricator $300 Broken Authentication and Session Management
Uzbey None Flash Content-Type Sniffing Vulnerability
HackerOne $100 Category- Broken Authentication and Session Management (leads to account compromise if some conditions are met)
Mail.Ru None SVN наружу торчит
Uzbey None Email Flooding Vuln
Uzbey None Clickjacking at
Uzbey None HTML Form Without CSRF Protection Vulnerability
Uzbey None Breach Attack Vulnerability
Uzbey None Cross site scripting in type parameter
Uzbey None CMS Information Disclosure
Uzbey None email field doesn't filtered against XSS
Uzbey None Language version disclosure in response header
Uzbey None All Active user sessions should be destroyed when user change his password!
Uzbey None Cross-site scripting vulnerability detected
Uzbey None Missing HSTS (Strict Transport Security)
Uzbey None Album image XSS
Uzbey None SQL injection, time zoom script, tile ID
Uzbey None SQL injection, tile ID None Found clickjacking vulnerability
Slack $100 Password Policy issue (Weak Protect)
HackerOne None Cache leads to Privacy leaks
Mail.Ru None HTTP Header Injection
Mail.Ru $400 SMS spam with custom content
Slack $100 Open Redirect login account
Coinbase None 2FA settings allowed to be changed with no delay/freeze on funds
RelateIQ $250 SSRF (Portscan) via Register Function (Custom Server)
RelateIQ $200 Failed Certificate Validation On Custom Server (Register)
Automattic None User Enumeration and Guessable User Account Attack on WORDPRESS
Mail.Ru None Cross Site Scripting
Yahoo! $200 Yahoo Sports Fantasy Golf (Join Public Group)
Phabricator $300 Abusing daemon logs for Privilege escalation under certain scenarios None Facilitation of XSS attacks through supporting the HTTP TRACE method (cross-site tracing)
The Internet $5,000 Multiple issues in looking-glass software (aka from web to BGP injections)
Phabricator $600 Abusing VCS control on phabricator None Wordpress readme.html / X-Powered-By-Header (low crit) None Report: Wordpress Bug!‏‏‏ None Directory Listing None OPTIONS method is enabled None Information disclosure : Web Server Version Details None Admin interface accessible externally
Localize None PHP PDOException and Full Path Disclosure
Mavenlink $50 Non Validation of session after password reset
Mail.Ru None Раскрытие полного серверного пути
HackerOne $100 Session not invalidated after password reset
Automattic None Process of changing email address and password does not asks old Password.
Mail.Ru $150 SQL Injection on
Localize None Bug on registration as new Translator user
Mail.Ru None Reflected XSS
Mail.Ru None Перечисление каталогов за счёт уязвимости в IIS
FanFootage None Cookie fixation
FanFootage None Same user name and uuid for multiple user names
FanFootage None Reporting Bugs
Factlink None Criptographic Issue: Strisct Transport Security with not good max age..(TOO SHORT!)
FanFootage None Session Token is not Verified while changing Account Setting's which Result In account Takeover
FanFootage None NO CSRF token found on user details update
Coinbase $1,000 Leaking CSRF token over HTTP resulting in CSRF protection bypass
Flash $3,000 Flash Sandbox Bypass CVE-2014-0535
Mail.Ru None Flash XSS in
Yahoo! None Open Redirect via Request-URI
Mail.Ru None Flash XSS in
Twitter None Cookie not marked as secure.
Mavenlink $100 Password reset token not expiring
Twitter None XSS vulnerability in video player page
Twitter None Captcha bypass with extension at
Twitter None [ /] CSRF protection bypass
Automattic None Serving Transitions From: HTTP Protocol (not secure)
WePay None Typical form vulnerable to csrf attack
Factlink None Anonymous Proxy and IP leak
WePay None CSRF & Nonce Token Weak Implementation
WePay $300 Open Redirect
WePay None Sensitive settings need Re authentication
Mavenlink $50 Clickjacking at main website
Mavenlink $50 Login password guessing attack
WePay $100 Session fixation in
Mavenlink None The web application discloses version details of the underlying Platform / Server
Mavenlink None Clickjacking & CSRF attack can be done at
Mail.Ru None Flash XSS -
Factlink None Password reset link doesn't expire.
Automattic None - DOM based XSS.
Automattic None Self XSS
InVision None Sensitive information in cookies
Yahoo! None Multiple vulnerabilities
Twitter None and are vulnerable to CRIME attack
Twitter None Token remains alive ever after logging out!
Slack $300 SSRF on
Slack None Remote file Inclusion - RFI in upload
Mail.Ru None XSS in "About Video"
Mail.Ru $300 SSRF
Automattic $250 privilege escalation
Automattic None information disclosure
Twitter None CSRF in
Automattic None XSS on gravatar
HackerOne $100 Potential denial of service in
Automattic None xss in
Automattic None logout csrf
Automattic None xss in
Factlink None Meta characters not filtered on signup
Factlink None Proxy service crash DoS
Factlink None X/Csrf token problem
IRCCloud None Missing Character Restriction
IRCCloud None Password type input with auto-complete enabled
Factlink None Session not expired on logout
Factlink None Sign up CSRF
Factlink None Password Complexity very low.
Factlink None Missing SPF for and
Factlink None Leaking of password reset token through referer
Factlink None Login CSRF using Twitter oauth
Factlink None Url Redirection
Factlink None HTML5 cross-origin resource sharing
Factlink None Click jacking
Khan Academy None Unchecking hidden parameter is vulnerable to XSS-attack
Mail.Ru $1,000 sources disclosure
Sandbox Escape $10,000 Linux PI futex self-requeue bug CVE-2014-3153
Mail.Ru None XSS
Khan Academy None CRLF Injection
Mail.Ru None XSS
Mail.Ru None XSS
IRCCloud $100 Host Header Injection -
Khan Academy None Suffix of url-path is vulnerable to XSS-attack
Localize None full path disclosure from false language
Mail.Ru None ( Password type input with auto-complete enabled
Mail.Ru $500 XSS in login form
Secret None secret app for iOS and android is sending some info over HTTP
Urban Dictionary None Open URL Redirection
Urban Dictionary None Open Redirection
Mail.Ru None Reflected XSS (IE6-IE8)
Localize None missing sender policy framework (SPF)
HackerOne None Improper filtering of classes used in codeblocks in Markdown
Mail.Ru None Reflected XSS in User-Agent
Mail.Ru None Раскрытие путей сервера за счёт неопределённого индекса в сценарии /home/
HackerOne None Spamming any user from Reset Password Function
Yahoo! $100 Testing for user enumeration (OWASP‐AT‐002) -
Yahoo! $50 Authorization issue on
Faceless None Account hijacking possible through ADB backup feature None X-Content-Type-Options header missing
Mail.Ru $500 XSS in a file or folder name
Mail.Ru $700 XXE and SSRF on
Secret None Content Sniffing not disabled
Flash $7,500 Adobe Flash Player FileReference Use-after-Free Vulnerability CVE-2014-0538
ReddAPI None Content Sniffing not disabled
ReddAPI None Browser cross-site scripting filter misconfiguration
ReddAPI None Strict Transport Security Misconfiguration
Kadira None API keys being cached
Respondly None XSS in the input
InVision None Multiple Upload Vulnerability !File Upload + File Inclusion (Access Not Forbidden)
Kadira None Undeletable File
Kadira None MISSING SPF (Sender Policy Framework) for
Python $1,500 Python vulnerability: reading arbitrary process memory CVE-2014-4616 None Login password guessing attack
Yahoo! None
CloudFlare None CSRF and No password requirement in this URL Billing Info
Yahoo! None TESTING FOR REFLECTED CROSS SITE SCRIPTING (OWASP‐DV‐001) None SSH Port Wide Open None HTTP Strict Transport Security (HSTS) Policy Not Enabled
Mail.Ru $150 Stored XSS on
Mail.Ru $300 Stored XSS on
Mail.Ru $250 SQL injection
CloudFlare None Password reset threshold not set
Musopen None Port 22 Open/Banner visible on
Coinbase None Simultaneous Session Logon : Improper Session Management
Hubdia None Subscribe User bug
Musopen None USERNAME Related Issue!
Yahoo! $250 Infrastructure and Application Admin Interfaces (OWASP‐CM‐007)
Mail.Ru $400 XSS in (Limited use)
4chan None Login panel brute force attack
Meteor None Open Url Reditection After authentication
4chan None XSS in settings
CloudFlare None Bug Report
Mail.Ru None Content Spoofing vulnerability in mobile
Yahoo! None Authentication Bypass due to Session Mismanagement
CloudFlare None User's data leak
Coinbase $100 CSRF in function "Set as primary" on accounts page
99designs $400 report a reflected XSS
99designs None Reflected XSS in
Yahoo! None Yahoo! Messenger v11.5.0.228 emoticons.xml shortcut Value Handling Stack-Based Buffer Overflow
99designs None Insecure transition from HTTP to HTTPS in form post
99designs None Server leaks version number
Localize None XSS in Team Only Area
Coinbase $100 CSRF on "Set as primary" option on the accounts page
Coinbase $1,000 Bypassing 2FA for BTC transfers
Mail.Ru $150 SQL inj
C2FO None All Active user sessions should be destroyed when user change his password!
The Internet $3,000 Bypassing Same Origin Policy With JSONP APIs and Flash
Slack $500 Stored XSS in (integrations)
RelateIQ None Old Sessions remain valid after the password change.
Mail.Ru None Persistent XSS in
HackerOne None Flooding mailbox of user
Mail.Ru $150 SQL
Mail.Ru $150 SQL inj
Mail.Ru None Login without SSL-Protection
HackerOne $100 All Active user sessions should be deleted when user change his password!
Mail.Ru $200 Time based sql injection
Mail.Ru $200 SQL injection [дырка в движке форума]
OkCupid None XSS Vulnerability Found!
CloudFlare None Threat control information leak
Slack $500 Stored XSS Found
Localize None Full Path Disclosure (FPD) in
StopTheHacker None Reflected cross site scripting in login page
Yahoo! None Loadbalancer + URI XSS #3
CloudFlare None Security issue with your "bag" script
Automattic None storage.swf XSS
Ian Dunn None PHP and Wordpress version disclosure
Ian Dunn None Multiple Path Disclosure
HackerOne $100 Anti-MIME-Sniffing header X-Content-Type-Options header has not been set.
Respondly None OAuth Bug
Ian Dunn $25 Xss in CampTix Event Ticketing
Ian Dunn $25 Stored XSS in all fields in Basic Google Maps Placemarks Settings
Mail.Ru $250 Home page reflected XSS
Localize None Full Path Disclosure (FPD) in
StopTheHacker None XSS 1
StopTheHacker None XSS Reflected -
Respondly None Full Path Disclosure
Mail.Ru None Unproper usage of Mobile Number that will lead to Information Disclosure
Localize None Atttacker can send "Invitation Request" to a Project that is not even created yet!
Mail.Ru None No CSRF token used in Phone Verification POST
CloudFlare None Cookie missing the Secure flag
CloudFlare None Flash-based XSS in subdomain
Localize None Criptographic Issue: Strisct Transport Security with not good max age..(TOO SHORT!)
Respondly None No Bruteforce Protection
CloudFlare None System Status Update CSRF
CloudFlare None XSS -
CloudFlare None Apache Multiviews are enabled
StopTheHacker None XSS in Stopthehacker support
CloudFlare None csrf on password change functionality
Mail.Ru $150 localStorage не чистится после выхода
StopTheHacker None CSRF - Disabling orders at
CloudFlare None Cross-site scripting 2
CloudFlare None Content spoofing /CSRF at
Mail.Ru None Admin panel of is acccessible publicly
CloudFlare None jplayer.swf Cross-site scripting
StopTheHacker None Information Disclosure (FPD) -
Respondly None Deleting team members
Mail.Ru $150 Clickjacking
Mail.Ru None Reflected XSS
Mail.Ru None Clicjacking on Login panel
Mail.Ru None Xss On
Mail.Ru None - Flash Based XSS
Yahoo! $300 information disclosure (LOAD BALANCER + URI XSS)
Yahoo! $500 - XSS (STORED)
OkCupid None Reflected XSS on
Localize None Projects Watch or Notifications Settings Change Via CSRF
Respondly None Allowed method disclosure
Localize None No Wildcard DNS
Localize None Private Project Access Request Invitation Sent Via CSRF
Localize None Private Project Access Request Accpeted Via CSRF
Localize None Group Deletion Via CSRF
Localize None Group Creation Via CSRF
Localize None OPTIONS Method Enabled
Localize None Deleting groups in any project without permission
Localize None Making groups in any project without permission
Localize None infinite number of new project creation!
Localize None Full Path Disclosure / Info Disclosure in Importing XML Section!
Localize None Full Path Disclosure / Info Disclosure in Creating New Group
Localize None Full Path Disclosure (FPD) in
HackerOne $100 Password Reset Bug
Localize None Numerous open ports/services None readable .htaccess
Localize None X-Content-Type-Options header missing
Localize None Apache Documentation
Respondly None X-Content-Type-Options header missing
Localize None Possible sensitive files
Localize None Login page password-guessing attack
Localize None Full Path Disclosure (2)
Respondly None XSS via Email Link
Localize None XSS in password
Localize None Full Path Disclosure
Respondly None HTTP Strict transport security policy not enabled
Localize None Sensitive file
Localize None CSRF in adding phrase.
Localize None Password type input with auto-complete enabled
Localize None User credentials are sent in clear text
Respondly None DNS Misconfiguration
Respondly None x-frame options-sameorigin warning
Localize None A Serious Bug on SIGNUP Process!
Secret None Login CSRF in
HackerOne $150 Issue with remember_user_token
Localize None Information Disclosure (Directory Structure)
HackerOne None Arbitrary file uploads to Amazon WS.
Respondly None Clickjacking - changing role
Localize None Apache2 /icons/ folder accessible
Localize None Assigning a non-existing role to user causes exception when opening project page
Respondly None XSS via Email
Respondly None Find, private notes Cross-site scripting.
Localize None No Cross-Site Request Forgery protection at multiple locations
Localize None Uninitialized variable error message leaks information
Localize None Server header - information disclosure
Respondly None Import emails from Gmail are activate XSS
Localize None Business logic Failure - Browser cache management and logout vulnerability.
Localize None Path Disclosure (Info Disclosure) in
Respondly None OAuth open redirect
Respondly None Persistent Cross-site scripting vulnerability settings.
Localize None HTML/Javascript possible in "Discussion" section of reviews
Localize None Full path disclosure
Localize None XSS in
Localize None Unexpected array leaks information about the system
Localize None XSS in invite approval
Localize None XSS in main page (invitation)
Localize None Password Policy
Localize None XSS in main page
Localize None XSS & HTML injection
Localize None Stored XSS
Localize None Change user settings through CSRF
Localize None No BruteForce Protection
Localize None XSS in Groups
Localize None Sign-up Form CSRF
Localize None HTML Form Without CSRF protection
Localize None ClickJacking
Automattic None HTML form without CSRF protection
Automattic None Session Cookie without Secure flag set
Yahoo! $250 readble .htaccess + Source Code Disclosure (+ .SVN repository)
Flash $2,000 Security bypass could lead to information disclosure
Yahoo! $2,500 Local File Include on
Yahoo! None clickjacking on leaving group(flick)
Yahoo! None Unvalidate open url redirection
Automattic None Session Cookie without Secure flag set None OPTIONS method enabled on webserver
Yahoo! $400 - CSRF/email disclosure
Automattic None Simplenote Silverlight cross-domain policy misconfiguration
IRCCloud $100 Login CSRF can be bypassed (Similar approach to previous one).
IRCCloud None Log Out Cross site Request Forgery None Session Cookie without Secure flag set None Clickjacking: X-Frame-Options header missing
IRCCloud $1,000 Dangerous Persistent xss
IRCCloud None Unwanted Spamming Using CSRF [LOGGED IN USER]
Coinbase $100 2 factor authentication design flaw
IRCCloud $100 Host Header is not validated resulting in Open Redirect
IRCCloud None CSRF - Creating accounts
The Internet $7,500 TLS Triple Handshake Attack
Faceless None Bruteforce attack in login panel
Yahoo! $500 XSS in
Yahoo! $250 Bypass of the Clickjacking protection on Flickr using data URL in iframes
IRCCloud None Login page password-guessing attack(Brute-force attack-High).
IRCCloud $500 Persistent Cross Site Scripting within the IRCCloud Pastebin
IRCCloud None CSRF to Account Take Over Bug
IRCCloud None DNS Misconfiguration
IRCCloud None User Account Creation CSRF
IRCCloud $100 iOS application does not destroy session upon logout.
IRCCloud $100 Bug in iOS application which could lead to unauthorised access.
IRCCloud None "SESSION" Cookie without HttpOnly flag set
IRCCloud $100 Missing X-Content-Type-Options
IRCCloud None Session cookie can be leaked over an unencrypted HTTP connection
IRCCloud $500 Full account takeover using CSRF and password reset
IRCCloud $500 Session Token is not Verified while changing Account Setting's which Result In account Takeover
IRCCloud None HTML Form without CSRF protection
IRCCloud $100 Leaking Referrer in Reset Password Link
IRCCloud $100 Bruteforcing irccloud login
IRCCloud $100 Unsecure cookies, cookie flag secure not set
IRCCloud $100 Sign up CSRF
IRCCloud $100 Login CSRF
concrete5 None XSS on [/concrete/concrete/elements/dashboard/sitemap.php]
concrete5 None Cross-Site Scripting in getMarketplacePurchaseFrame
Faceless None Blocking yourself
C2FO None The server supports only older protocols for HTTPS connections
Yahoo! $2,000 Open Proxy,, 4/09/14, #SpringClean
Yahoo! $200 CSRF Token is missing on DELETE message option on
Yahoo! $400 CSRF Token missing on
ReddAPI None No Captcha or rate limit on Login Page
InVision None TLS Renegotiation and Denial of Service Attacks on InVision.
Yahoo! $3,000 REMOTE CODE EXECUTION/LOCAL FILE INCLUSION/XSPA/SSRF, view-source:http://sb*, 4/6/14, #SpringClean
Yahoo! $500 Comment Spoofing at
OpenSSL None TLS heartbeat read overrun CVE-2014-0160
Khan Academy None XSS at
ReddAPI None Login page password-guessing attack
OkCupid None vulnerable to Heartbleed attack
Khan Academy None Open Redirection in SmartHistory KhanAcademy
HackerOne None (lack of) smtp transport layer security
ReddAPI None Session Fixation Found
C2FO None is releasing sensitive Information about Database Configuration.
Khan Academy None Weak Ciphers Enabled
concrete5 None ::: HeartBleed Attack (CVE-2014-0160)
Khan Academy None Persistent class XSS [the fuck]
Khan Academy None XSS
Python $1,500 Integer overflow in strop.expandtabs
Flash $2,000 Same Origin Security Bypass Vulnerability CVE-2014-0503
Khan Academy None CSRF - Adding/Removing items to cart -
Khan Academy None User guessing/enumeration at
Khan Academy None Lighttpd version disclosure / directory listing
Khan Academy None Possible clickjacking at
Khan Academy None Stored XSS {dangerous?}
Khan Academy None Full Path Disclosure on []
Khan Academy None open-redirect
RelateIQ $100 Wildcard DNS in website
Khan Academy None Dom based XSS
HackerOne $150 creating titleless and non-closable bugs
Khan Academy None XSS
Yahoo! $1,000 Header injection on
Yahoo! $250 Cross-origin issue on
Yahoo! $300 reflected XSS,, 4/8/14, #SpringClean
Yahoo! $500 Significant Information Disclosure/Load balancer access,, 4/8/14, #SpringClean
InVision $200 captcha missing
Slack None open redirect in
Slack $500 Facebook Takeover using Slack using 302 from with access_token
Slack $300 Stored XSS in
Yahoo! None Information Disclosure,,6-april-2014, #SpringClean
HackerOne $100 Marking notifications as read CSRF bug
Coinbase $1,000 Multiple Issues related to registering applications
The Internet $500 Uncontrolled Resource Consumption with XMPP-Layer Compression
Coinbase $100 Coinbase Android Security Vulnerabilities
C2FO None Password reset token leakage through referrer at
C2FO None User guessing/enumeration at
Lookout None Clickjacking at
C2FO None OPTIONS Method Enabled
Slack None TLS1/SSLv3 Renegotiation Vulnerability
Lookout None DOM-XSS Vulnerability
MS-DOS None एमएस डॉस प्राणघाती है।
MS-DOS None Injecting Distrust and Disbelief in Addicted Gamers
MS-DOS None History Disclosure of MS-Dos
MS-DOS None Permanent Denial of Service
MS-DOS None Arbitrary command execution in MS-DOS
MS-DOS None Bug in Source Code Files(v1.1)
Yahoo! $100 XSS in Yahoo! Web Analytics
MS-DOS None Hack administrator password even if you are a guest
MS-DOS None Please contact me @sehacure otherwise i am going to disclose in Full disclosure mailing list :p
OkCupid None Xss high issue in main domain in users signup page
Coinbase $1,000 Coinbase Android Application - Bitcoin Wallet Leaks OAuth Response Code
Yahoo! None Out of date version
Coinbase None IFRAME loaded from External Domains
Coinbase None Cookie missing the HttpOnly flag
Coinbase None User Enumeration, Information Disclosure and Lack of Rate Limitation on API
Coinbase None Improper Validation of the Referrer header leading to Open URL Redirection
Coinbase None Information Disclosure That shows the webroot of CoinBase Server
concrete5 None page_controls_menu_js can reveal collection version of page
concrete5 None CONCRETE5 - path disclosure.
concrete5 None XSS IN member List (Because of City Textbox)
Yahoo! $800 From Unrestricted File Upload to Remote Command Execution
concrete5 None XSS in private message
concrete5 None dashboard/pages/types [Unknown column 'Array' in 'where clause'] disclosure.
concrete5 None /index.php/dashboard/sitemap/explore/ Cross-site scripting
concrete5 None Bypass
concrete5 None HttpOnly flag not set for cookie on
concrete5 None XSS in Theme Preview Tools File
Nginx $3,000 SPDY heap buffer overflow CVE-2014-0133
Nginx $3,000 SPDY memory corruption CVE-2014-0088
Slack $500 Duplicate of #4550
Yahoo! None Open redirect on
Slack $500 Stored XSS in Slackbot Direct Messages
Slack None Open Redirect in Slack
Yahoo! None Open URL Redirection
Yahoo! $500 Server Side Request Forgery
RelateIQ $100 TRACE disclosure attack may be possible
Yahoo! None Almost all the subdomains are infected.
Yahoo! None Stored Cross Site Scripting Vulnerability in Yahoo Mail
MoneyStream None Here is another XSS i got for you
OkCupid None XSS in by hamid
Yahoo! $250 XSS Vulnerability (
OkCupid None Server leaks version number
OkCupid None DOM based XSS in changing email address
HackerOne None javascript: and mailto: links are allowed on users' profiles
Phabricator $300 Persistent XSS: Editor link
OkCupid None Security issue in OkCupid
HackerOne None Accepting Invalid characters on email address
HackerOne $100 Securing sensitive pages from SearchBots
Phabricator $400 OAuth Stealing Attack (New)
HackerOne None Adding an user email address to the list before confirming.
Phabricator $300 Control character allowed in username
Slack None User impersonation is possible with incoming webhooks
HackerOne None Criptographic Issue: Strisct Transport Security with not good max age..(TOO SHORT!)
Phabricator $450 OAuth access_token stealing in Phabricator
Yahoo! None Clickjacking at
Yahoo! None Authentication bypass at
InVision None Found a Clickjacking in
Slack $500 flash content type sniff vulnerability in
RelateIQ $100 Captcha Bypass With Extension
RelateIQ None RelateIQ GWT based application visible to unauthenticated users
OkCupid None XSS in "Questions" search module
Ruby on Rails $1,500 Directory traversal attack in view resolver CVE-2014-0130
Phabricator $300 UnAuthorized Editorial Publishing to Blogs
OkCupid None XSS in 404 page of
HackerOne $100 Control Characters Not Stripped From Username on Signup
OkCupid None XSS -
OkCupid None Stored XSS on your site..
OkCupid None Stored Cross-site scripting vulnerability in okcupid
Yahoo! $1,000 SQL Injection ON HK.Promotion
OkCupid None XSS In Profle
OkCupid None XSS on []
OkCupid None Login destination open redirection
OkCupid None Cross-site scripting vulnerability
Slack None Content Spoofing
OkCupid None Direct XSS vulnerabilities (persistent) in
Slack None Deleting Teams implemenation
OkCupid None CSRF vulnerability.
OkCupid None Instagram Authentication - No Request Token
OkCupid None Users can easily be tricked into changing/disabling privacy and notification settings
OkCupid None Cross-site scripting
Slack None Stored XSS
Phabricator None CSRF token valid even after the session logout of a particular user
Slack $500 Reflected Xss
Slack None Email enumeration
Slack None Data exports stored on S3 can be scraped easily
RelateIQ $100 HTML injection in "Invite Collaborators"
Slack None Open redirect vulnerability
Slack None State parameter missing on google OAuth
Slack $500 Stored XSS in Channel Chat
Slack None Stored XSS on this link
Slack None CSRF on add comment section
Slack None csrf
Slack $100 CSRF vulnerability on
Slack $500 Stored XSS in
Slack $200 URL redirection flaw
Slack $200 Stored XSS in
Yahoo! $100 configuration file disclosure
Yahoo! None Yahoo mail login page bruteforce protection bypass
HackerOne $500 Weird Bug - Ability to see partial of other user's notification
Slack None Session Fixation disclosing email address
Slack $100 Slack OAuth2 "redirect_uri" Bypass
Slack $100 Broken Authentication (including Slack OAuth bugs)
Slack $150 Reflective XSS can be triggered in IE
RelateIQ $100 Cross Site Scripting (XSS) -
HackerOne None Hackerone Email Addresses Enumeration
RelateIQ $100 XSRF token problem
RelateIQ $100 Value of JSESSIONID and XSRF token parameter in cookie remains same before and after login
RelateIQ None open redirect
Yahoo! None Yahoo open redirect using ad
Sandbox Escape $5,000 Win32k Window Handle Vulnerability (EoP) CVE-2014-0262
Yahoo! None Reflected XSS in
Phabricator $500 Bypass (2)
Phabricator $300 Login CSRF using Twitter OAuth
Phabricator $1,000 Bypass
HackerOne $100 CSS leaks SCSS debug info
HackerOne None harvesting attack on user registration
Flash $10,000 Flash double free vulnerability leads to code execution CVE-2014-0502
Yahoo! $1,500 XSS on Every page
Flash $2,000 Flash local-with-fileaccess Sandbox Bypass CVE-2014-0508
Yahoo! $1,276 HK.Yahoo.Net Remote Command Execution
Yahoo! None Insufficient validation of redirect URL on login page allows hijacking user name and password
Flash $2,000 Handling of jar: URIs bypasses AllowScriptAccess=never CVE-2014-0491
Flash $10,000 Flash type confusion vulnerability leads to code execution CVE-2013-5331
Yahoo! None In Fantasy Sports iOS app, signup page is requested over HTTP
Yahoo! $1,390 Local file inclusion
Yahoo! None A csrf vulnerability which add and remove a favorite team from a user account.
Yahoo! None XSS Reflected - Yahoo Travel
Yahoo! $3,705 SQLi on
Yahoo! $750 Flickr: Invitations disclosure (resend feature)
HackerOne $100 DNS Misconfiguration
Secret None Strict Transport Security on
Yahoo! $800 HTML Injection on flickr screename using IOS App
Yahoo! None URL Redirection
Secret None SSL Not Enforced
Factlink None Proxy discloses internal web servers
Yahoo! None Yahoo YQL Injection?
Yahoo! None HTML Code Injection
PHP $1,500 PHP Heap Overflow Vulnerability in imagecrop() CVE-2013-7226
Yahoo! None Vulnerability found, XSS (Cross site Scripting)
Yahoo! None ClickJacking on
Yahoo! None Authentication Bypass in Yahoo Groups
Yahoo! None clickjacking
Yahoo! $800 XSS in my yahoo
Yahoo! $2,500 Security.allowDomain("*") in SWFs on allows data theft from Yahoo Mail (and others)
HackerOne None LinkedIN URL should be HTTPS
Yahoo! None Directory Traversal
Yahoo! None Information Disclosure
Yahoo! None Bypass of anti-SSRF defenses in YahooCacheSystem (affecting at least YQL and Pipes)
Yahoo! None XSS using yql and developers console proxy
Sandbox Escape $3,000 Linux 3.4+: arbitrary write with CONFIG_X86_X32 CVE-2014-0038
Yahoo! $1,960 Store XSS Flicker main page
Yahoo! None Java Applet Execution On Y! Messenger
Yahoo! $2,173.75 Cross-site scripting on the main page of flickr by tagging a user.
Yahoo! $677.50 XSS Yahoo Messenger Via Calendar.Yahoo.Com
HackerOne $100 Autocomplete enabled in Paypal preferences
Phabricator $300 Improperly implemented password recovery link functionality
Phabricator $300 Log in a user to another account
HackerOne None Enumeration of users
HackerOne $100 A password reset page does not properly validate the authenticity token at the server side.
HackerOne $100 Information disclosure (reset password token) and changing the user's password
HackerOne $100 Improper session management
HackerOne $150 Switching the user to the attacker's account
HackerOne $500 Upload profile photo from URL
HackerOne $250 Email spoofing
HackerOne $100 CSRF login
HackerOne $150 Logical issues with account settings
PHP $4,000 PHP openssl_x509_parse() Memory Corruption Vulnerability CVE-2013-6420
The Internet $7,500 TLS Virtual Host Confusion
The Internet $1,500 OpenSSH: Memory corruption in AES-GCM support CVE-2013-4548
Ruby $1,500 Ruby: Heap Overflow in Floating Point Parsing CVE-2013-4164
HackerOne $100 DNS Cache Poisoning
HackerOne $100 Flawed account creation process allows registration of usernames corresponding to existing file names
HackerOne $500 PNG compression DoS
HackerOne $250 GIF flooding
HackerOne $500 Pixel flood attack
HackerOne $100 Session not expired on logout
HackerOne None Privilege escalation..., or not?!
HackerOne $250 CSP not consistently applied
HackerOne $500 RTL override symbol not stripped from file names
HackerOne $100 Session Management
HackerOne $100 Broken Authentication and session management OWASP A2
HackerOne $100 Real impersonation
HackerOne None Flawed account creation process allows registration of usernames corresponding to existing file names
HackerOne None Report title autocompletion
HackerOne $500 Missing SPF for
HackerOne None Login page password-guessing attack