Public HackerOne bug reports.

Show Bounties Only

Team Bounty Title
shopify-scripts $100 heap-use-after-free /home/operac/testafl/mruby/mrubylast/mruby/src/gc.c
LocalTapiola $1,350 SQL Injection /webApp/cancel_iltakoulu regId parameter (
Nextcloud - Email Spoofing
GitLab - [RDoc] XSS in project README files
Dovecot - Information About Your System(Sensitive Directories)
Alvosec $3 Alvocrypt uses a cryptographically insecure PRNG.
Pushwoosh - Clickjacking
LocalTapiola $1,350 SQL Injection on /webApp/lapsuudenturva (
LocalTapiola $350 Sql injection on /webApp/sijoituswebinaari (
LocalTapiola $350 SQL Injection on /webApp/viivanalle (
Boozt Fashion AB - Bypass email validity in newsletter field
U.S. Dept Of Defense - Privilege Escalation on a DoD Website
Nextcloud - is vulnerable to SWEET32 attack
Legal Robot - SWEET32 TLS attack
Nextcloud - Group admin can remove user from all his groups via API
Brave Software - No user confirmation when an auto-updated extension gets more permissions - HTML Injection possible due to bad filter
Nextcloud - Drone Nextcloud
Nextcloud - HTTP-Basic Authentication on
Twitter $560 Clickjacking on Chrome
Starbucks - Time-based Blind SQLi on
Nextcloud - Disclosure of administrators via JSON on Wordpress
shopify-scripts $100 Crash in print_backtrace
Discourse $256 Stored XSS in posts because of absence of oembed variables values escaping
Discourse $256 Stored XSS in topics because of whitelisted_generic engine vulnerability
Nextcloud - WordPress <= 4.6.1 Stored XSS Via Theme File
Nextcloud - User Information Disclosure via REST API
shopify-scripts $800 Null pointer dereference in mrb_str_modify
shopify-scripts $800 Still heap overflow in mrb_ary_splice
Starbucks - is reachable via ip address thus possible to link any doamin to Starbucks.
Discourse $256 XSS in topics because of bandcamp preview engine vulnerability
CodeIgniter - Vulnerable Javascript library
HackerOne $2,000 Disclose any user's private email through API
shopify-scripts $800 Segmentation fault on program counter
Shopify $500 - CSRF token leakage through Google Analytics
HackerOne - Report redaction doesn't apply to report title update activities
U.S. Dept Of Defense - Exposed Access Control Data Backup Files on DoD Website
Slack $100 Subdomain takeover on
GlobaLeaks - No valid SPF records on
GitLab - Users with guest access can post notes to private merge requests, issues, and snippets
GitLab - User with guest access can access private merge requests
GitLab - Every user can delete public deploy keys
GitLab - Users can download old project exports due to unclaimed namespace
Envoy - Primary Cloning of Envoy web application resulting confidential information disclosure
shopify-scripts $800 Heap overflow due to off-by-one when expanding stack
shopify-scripts $200 Heap use-after-free during range creation
shopify-scripts - Deleting Key-value pair from Frozen HASH or Clearing a Frozen HASH
Shopify $500 Authentication Bypass on monitoring server
LocalTapiola $100 OpenSSL Padding Oracle Attack (CVE-2016-2107) on
Nextcloud - Review remote code execution in SwiftMailer
Starbucks - Exposed Unencrypted Telnet Endpoint
Yelp $100 Able to download arbitrary PHP files at
Skyport Systems $25 Nginx version disclosure via forbidden page
U.S. Dept Of Defense - Misconfigured password reset vulnerability on a DoD website
Trello - The contact page is vulnerable to self-XSS via upload file name
shopify-scripts $800 SIGABRT - mrb_default_allocf - Способ узнать имя человека удаленной страницы 2
Dovecot - Directory listing
shopify-scripts $200 Double free of filename after codegen error
Gratipay - Session Fixation At Logout /Session Misconfiguration
shopify-scripts $800 attempting double-free using the mruby compiler `mrbc`
Starbucks - Create New User Whilst Logged On - Способ узнать имя человека удаленной страницы
shopify-scripts $800 Use After Free in str_replace
shopify-scripts $800 Null pointer dereference in mrb_str_prepend
shopify-scripts $800 mrb_str_modify try to write to memory not marked for writing
WebSummit $20 Subdomain Takeover at
Gratipay - User Enumeration
OWOX, Inc. - Stored XSS at
shopify-scripts $1,000 Memory disclosure in timegm
shopify-scripts $800 SIGSEGV Null Pointer mrb_str_concat()
shopify-scripts $100 heap-buffer-overflow on mruby
YouPorn $1,000 Account takeover via Pornhub Oauth
Discourse $128 Users can bookmark other user's messages
U.S. Dept Of Defense - Server side information disclosure
shopify-scripts $800 Heap Overflow in mrb_arb_splice
shopify-scripts $100 mrb_vformat() heap overflow could lead to code execution
shopify-scripts $100 Integer Overflow in mrb_ary_set
Discourse $256 XSS vulnerability on Audio and Video parsers
Shopify $500 XSS on postal codes
Badoo $280 CSRF Attack on ( account and erasing imported contacts
shopify-scripts $800 SIGSEGV mrb_obj_freeze() Manipulating Register RAX and RSI
shopify-scripts $800 SIGSEGV on mruby mrb_get_args()
Discourse $256 XSS Vulnerability on Image link parser
Discourse $256 DOM Based XSS in Discourse Search
shopify-scripts $1,000 Incorrect code generation when result of NODE_NEGATE is not used
Pornhub $1,000 XSS vulnerability using GIF tags
Legal Robot $20 Password complexity requirements not enforced
LocalTapiola $1,350 SQL Injection on /webApp/sijoitustalousuk email-parameter + potential lack of CSRF Token (
U.S. Dept Of Defense - DOM Based XSS on an Army website
OLX - Reflected XSS in []
shopify-scripts $100 Invalid memory access in `mrb_str_format`
Twitter $140 Sub Domain Takeover at
PortSwigger Web Security - HTTP OPTION Method is Enabled on
Uber $2,500 Authorization issue in Google G Suite allows DoS through HTTP redirect
Starbucks - Creation of Google G Suite Account on Behalf of starbucks.
LocalTapiola $1,350 SQL Injection in lapsuudenturva (
LocalTapiola $50 Reflected XSS on sankarikoulutus (
Gratipay - Content type incorrectly stated
Shopify $500 XSS on manually entering Postal codes
PHP (IBB) $500 Invalid parameter in memcpy function trough openssl_pbkdf2
Nextcloud - Stored XSS on new Calling plugin (spreed)
PHP (IBB) $500 imagefilltoborder stackoverflow on truecolor images
LocalTapiola $1,350 SQL Injection in sijoitustalous_peruutus (
Gratipay - Gratipay uses the random module's cryptographically insecure PRNG.
GoCD - Reflected XSS vector
Gratipay - Cookie HttpOnly Flag Not Set
LocalTapiola $400 Open Redirect bypass and cookie leakage on
shopify-scripts $1,000 Segfault when passing invalid values to `values_at`
Gratipay - Certificate signed using SHA-1
HackerOne $500 Websites opened from reports can change url of report page
shopify-scripts - Segmentation fault due to invalid memory access in codegen when using break with the 127th argument a constant
Twitter - GNIP subdomain take over
Shopify $500 Unauthenticated Stored XSS on <any> via checkout page
Urban Dictionary - Text injection on Auth problem at
U.S. Dept Of Defense - SQL injection vulnerability on a DoD website
U.S. Dept Of Defense - QuickTime Promotion on a DoD website
Starbucks $500 Persistent XSS in
U.S. Dept Of Defense - XXE on DoD web server
HackerOne $10,000 Information Disclosure in /skills call
U.S. Dept Of Defense - Reflected XSS in a Navy website
Pornhub $750 Unsecured Kibana/Elasticsearch instance
shopify-scripts $10,000 Buffer overflow in mrb_time_asctime
shopify-scripts $8,000 Segmentation fault due to bad memory access in kh_get_mt
U.S. Dept Of Defense - Remote code execution on an Army website
OLX - Multiple vulnerabilities in
Nextcloud - BruteForce in to Admin Account
Nextcloud - Login Hints on Admin Panel
Starbucks $150 Dom Based Xss DIV.innerHTML parameters store.starbucks*
U.S. Dept Of Defense - Personal information disclosure on a DoD website
Nextcloud - Wordpress Version Disclosure Bug On Nextcloud
LocalTapiola - /icons/README available on
U.S. Dept Of Defense - XSS vulnerability on an Army website
U.S. Dept Of Defense - Persistent XSS vulnerability on a DoD website
U.S. Dept Of Defense - Authentication bypass vulnerability on a DoD website
shopify-scripts - Null pointer dereference due to bug in codegen with negation of floats
shopify-scripts $10,000 Null pointer derefence due to bug in codegen with negation without using value
Nextcloud - Files Drop: WebDAV endpoint is leaking existence of resources
Trello - SVG Uploads / Attachments can be viewed by anyone that knows the URL
Slack $500 Store XSS
shopify-scripts $10,000 Invalid handling of zero-length heredoc identifiers leads to infinite loop in the sandbox
Dovecot - Web Browser XSS Protection Not Enabled
PortSwigger Web Security - JSBeautifier BApp: Race condition leads to memory disclosure
U.S. Dept Of Defense - Open Redirect in a DoD website
PortSwigger Web Security - Order-phishing via Payment ID URL
Starbucks $2,000 Subdomain takeover on due to non-used AWS S3 DNS record
Pornhub $150 Stored XSS on the
OWOX, Inc. - Access to Grafana Dashboard
Shopify $500 Stored XSS at 'Buy Button' page
Phabricator $300 Fetching binaries (for software installation) over HTTP without verification (RCE as ROOT by MITM)
U.S. Dept Of Defense - DNS Misconfiguration
HackerOne $12,500 Internal attachments can be exported via "Export as .zip" feature
GitLab - State filter in IssuableFinder allows attacker to delete all issues and merge requests CVE-2016-9469
U.S. Dept Of Defense - Information leakage on a Department of Defense website
U.S. Dept Of Defense - SQL Injection vulnerability on a DoD website
shopify-scripts $1,000 Crash: A call to leads to a crash when inspecting the resulting object
Ian Dunn $25 constant cache_page_secret in regolith
Ian Dunn $50 unchecked unserialize usages in audit-trail-extension/audit-trail-extension.php
Ian Dunn $25 unchecked unserialize usage in WordPress-Functionality-Plugin-Skeleton/functionality-plugin-skeleton.php
shopify-scripts $1,000 Invalid memory write caused by incorrect upper bound in array_copy
Twitter $560 Twitter for android is exposing user's location to any installed android app
Gratipay - Secure Pages Include Mixed Content
shopify-scripts $8,000 Crash: mrb_any_to_s can't handle NilClass, Symbol and Fixnum
shopify-scripts $10,000 Crash: Initialize Decimal with itself triggers an assertion
shopify-scripts - Null pointer dereference in mrb_str_concat
shopify-scripts $1,000 Null pointer dereference regression in parse.y
shopify-scripts $18,000 Type confusion in wrap_decimal leading to memory corruption
shopify-scripts $20,000 Type confusion in mrb_exc_set leading to memory corruption
shopify-scripts $8,000 Crash: calling Proc::initialize_copy with a Proc instance where initialize never ran leads to a crash
shopify-scripts $1,000 Read after free in mrb_vm_exec with OP_ARYCAT reading R(B)
shopify-scripts $8,000 Denial of service due to invalid memory access in mrb_ary_concat
Slack $1,000 Eavesdropping on private Slack calls
shopify-scripts $8,000 mruby-time: Crash host with uninitialized Time obj
U.S. Dept Of Defense - Unrestricted File Upload
LocalTapiola $50 Disclosure of IBM Websphere page
U.S. Dept Of Defense - Reflected XSS on a Department of Defense website
U.S. Dept Of Defense - RCE on a Department of Defense website
U.S. Dept Of Defense - Reflected XSS on an Army website
Pushwoosh - Read Application Name , Subscribers Count
U.S. Dept Of Defense - Local File Inclusion vulnerability on an Army system allows downloading local files
U.S. Dept Of Defense - Unrestricted File Download / Path Traversal
U.S. Dept Of Defense - Reflected XSS on a Navy website
U.S. Dept Of Defense - Reflected XSS on a DoD website
U.S. Dept Of Defense - Reflected XSS on a Department of Defense website
LocalTapiola $450 XSS and open redirect in
shopify-scripts - Invalid memory access while freeing memory, caused by invalid type passed to mrb_ary_unshift
shopify-scripts - Null pointer dereference in ary_concat
shopify-scripts $8,000 Null target_class DoS
shopify-scripts $10,000 Segfault and/or potential unwanted (byte)code execution with "break" and "||=" inside a loop
Pushwoosh - Nginx version disclosure via response header
shopify-scripts $8,000 SIGSEGV on mruby's mark_tbl() (Invalid memory access)
shopify-scripts $8,000 SIGSEGV on mruby mrb_str_modify() (Invalid memory access)
Pushwoosh - Administrator Access To Management Console
OWOX, Inc. - Subdomain Takeover on
Pushwoosh - Bypass the resend limit in Send Invites
shopify-scripts $10,000 Broken handling of maximum number of method call arguments leads to segfault
Badoo $140 Email Spoofing
HackerOne $10,000 Partial disclosure of report activity through new "Export as .zip" feature
shopify-scripts $10,000 Null pointer dereference due to TOCTTOU bug in mrb_time_initialize
Pushwoosh - Password Forgot/Password Reset Request Bug
LocalTapiola $60 Option method enabled (
Pushwoosh - Unsecured Grafana instance
Python (IBB) $500 Type confusion in FutureIter_throw() which may potentially lead to an arbitrary code execution
PortSwigger Web Security $350 XSS in IE11 on via Flash
Pornhub $200 Reflected cross-site scripting (XSS) vulnerability in allows attackers to inject arbitrary web script or HTML.
Pushwoosh - Spam Some one using (user.saveInvite) system
Pushwoosh - Nginx server version disclosure
Pushwoosh - Reflected Xss on
shopify-scripts $8,000 SIGSEV on mrb_ary_splice
Pushwoosh - htaccess file is accesible
Pushwoosh - Spoof Email with Hyperlink Injection via Invites functionality
Imgur $250 Stored xss in ALBUM DESCRIPTION
shopify-scripts $10,000 Range constructor type confusion DoS
shopify-scripts $20,000 TOCTTOU bug in mrb_str_setbyte leading the memory corruption
shopify-scripts $18,000 Struct type confusion RCE
shopify-scripts $10,000 SIGSEGV when invalid argument on remove_method
Udemy $200 Jenkins
LocalTapiola $150 Multiple Reflected XSS /webApp/lahti (
shopify-scripts $10,000 Segfault in mruby, mruby_engine and the parent MRI Ruby due to null pointer dereference
LocalTapiola $350 SQL Injection /webApp/sijoitustalous_peruutus locId parameter ( $1,500 Stored XSS в личных сообщениях
Informatica - [] Persistent XSS through document title
LocalTapiola $264 HTML Injection in email /webApp/lahti (
LocalTapiola $350 SQL Injection /webApp/oma_conf ctx parameter (
LocalTapiola $60 Poodle attack SSLv3 Support (
shopify-scripts $8,000 Undefined method_missing null pointer dereference
shopify-scripts $10,000 Range#initialize_copy null pointer dereference
shopify-scripts $10,000 NULL pointer dereference when parsing ternary operators
Ubiquiti Networks $500 Subdomain Takeover (
LocalTapiola $100 Error Page Content Spoofing or Text Injection (
shopify-scripts $20,000 Use after free vulnerability in mruby Array#to_h causing DOS possible RCE
shopify-scripts $2,000 Memory disclosure in mruby String#lines method
Paragon Initiative Enterprises - Not using Binary::safe* functions for substr/strlen function
shopify-scripts $8,000 Denial of Service in mruby due to null pointer dereference
Paragon Initiative Enterprises - Missing rel=noopener noreferrer in target=_blank links (Phishing attack)
Paragon Initiative Enterprises - Using plain git protocol (vulnerable to MITM)
Paragon Initiative Enterprises - Missing GIT tag/commit verification in Docker
Paragon Initiative Enterprises - Incorrect detection of onion URLs
Coinbase $100 Window.opener bug at
shopify-scripts $10,000 Exception cause SIGABRT
shopify-scripts $8,000 ruby DoS
Legal Robot $40 Missing restriction on string size in profile fields
Yelp $300 X.509 certificate validation fails on international vanity domains $300 SSRF (open) - via GET request
Open-Xchange $500 Reflected Cross-Site Scripting due to vulnerable Flash component (Flashmediaelement.swf)
Paragon Initiative Enterprises - BAD Code !
Open-Xchange $100 Selecting encryption for email with drive attachment overrides the drive email password
Paragon Initiative Enterprises - DMARC Not found for URGENT
LocalTapiola $100 Suspicious browser fingerprinting(?) scripts on redirector
LocalTapiola $1,560 SQL Injection on /webApp/omatalousuk (
Blockchain $100 Information disclosure at
Open-Xchange $666 Tab nabbing via window.opener
Open-Xchange $300 Stored XSS in Template Documents
LocalTapiola $400 Open Redirect (
Brave Software - Denial of service(POP UP Recursion) on Brave browser
Blockchain $50 server version dislosure
Brave Software - Information disclosure of website
Imgur $5,000 Unauthenticated Docker registry
Paragon Initiative Enterprises - [Airship CMS] Local File Inclusion - RST Parser
Badoo $280 Leave inaccessible messaging system with a message (
Informatica - [] Sql injection
New Relic - Potential sub-domain hijacking
Instacart $100 Access private list metadata
InVision $300 CORS Man-in-the-Middle account compromise
Shopify $1,500 Misconfiguration in Two Factor Authorisation
GitLab - Read files on application server, leads to RCE CVE-2016-9086
Informatica - [] Sql injection Oracle
Harvest $250 Stored XSS in Restoring Archived Tasks
Nextcloud - xss on due to outdated version
Starbucks $375 CSRF exploit | Adding/Editing comment of wishlist items ( - Wishlist-Comments)
Badoo $140 Unvalidated redirect on
LocalTapiola $588 Lahitapiola´s customer names send to 3rd party
Starbucks $375 Reflected XSS by exploiting CSRF vulnerability on wishlist comment module. (wishlist-comments)
HackerOne - Information disclosure via policy update notifications after removal from program
Nextcloud - Content spoofing due to the improper behavior of the 403 page in Private Server
OLX - Reflective XSS at
LocalTapiola $750 Email Server Compromised at
Mindoktor $2,000 XSS at endpoint in flash cookie
Mindoktor $300 Storing sensitive information on cookie post-registration
Coinbase $200 Authentication Issue
Brave Software $50 [ios] Address bar spoofing in Brave for iOS
Harvest $100 Editing a project (LIMITED)
Twitter $2,520 Cross-site scripting (reflected)
Ian Dunn - No CAPTCHA ia exist in pages
itBit Exchange $1,000 Round error issue -> produce money for free
Brave Software - DOS in browser using window.print() function
Brave Software $100 Denial of service attack(window object) on brave browser
Brave Software - [iOS] URI Obfuscation in iOS application
Shopify $500 race condition in adding team members
Brave Software - JavaScript URL Issues in the latest version of Brave Browser
Brave Software - Javascript confirm() crashes Brave on PC
Brave Software $50 Denial of service attack on Brave Browser.
Coinbase $100 Information disclosure of user by email using buy widget
Brave Software $100 Access to local file system using javascript
Brave Software $200 [iOS/Android] Address Bar Spoofing Vulnerability
OLX - Reflected XSS in
Brave Software $100 Address Bar Spoofing - Already resolved - Retroactive report
OpenSSL (IBB) - Remote client memory corruption in ssl_add_clienthello_tlsext()
OLX - Directory Listing of all the resource files of
Brave Software - Status Bar Obfuscation
Brave Software $150 URI Obfuscation
Shopify $2,000 Able to Login deactivated staff account in shopify app mobile
Twitter $140 Full Path Disclosure at
OLX - Reflected XSS at
Trello $256 Can run arbitrary script on
Brave Software $50 [website] Script injection in newsletter signup
Brave Software - Subdomain Takeover of
Brave Software $50 2 Directory Listing on &
PHP (IBB) $500 memcpy negative parameter _bc_new_num_ex
PHP (IBB) $500 memcpy negative size parameter in php_resolve_path
PHP (IBB) $500 Write out-of-bounds at number_format
Brave Software $100 Homograph attack
OpenSSL (IBB) - Double-free in X509 parsing
Shopify $500 [] Invalidated redirection
DigitalSellz - Public profile is vulnerable to stored XSS / Facebook Token can be stolen
Python (IBB) $1,000 chain.__setstate__ Type Confusion
Nextcloud - URI scheme bypass in mail app lead to HTML content spoof and opener control
Uber $1,000 Subdomain takeover on due to non-existent distribution on Cloudfront
Slack $700 Information Disclosure on
WePay $200 Enumeration of registered email addresses using bruteforce search on userIds
GitLab - Mailgun misconfiguration leads to email snooping and postmaster@-access on
Veris - Reflected Cross site scripting
Sucuri $500 Administrator Access to grafana instance with default credentials
Yelp $500 Requesting Show CheckIn Alert for Non Friend User
Harvest $150 Linking Invoice to uninvited project.
Trello $128 XSS on
Twitter $1,260 View liked twits of private account via
Badoo $140 No rate-limit in SERVER_SECURITY_CHECK
Nextcloud $250 Filename enumeration && DoS
Twitter $560 Circumventing the Twitter account lockout process [ACCOUNT TAKEOVER]
HackerOne - Possible CSRF during external programs
HackerOne - Researcher gets email updates on a private program after he/she quits that program.
Trello $128 Full Sub Domain Takeover at
Zopim $150 Full Sub Domain Takeover at
Slack $500 CSRF in github integration
Gratipay - CSRF csrftoken in cookies
Instacart $150 Full access to any list
Nextcloud - Bad content-type in response header when getting document can lead to html injection
Romit $513 [CRITICAL]-Taking over entire subdomain of
Algolia - Possilbe Sub Domain takever at
WebSummit - Full Sub Domain Takeover at
RubyGems - Login credentials transmitted in cleartext on
RubyGems - Password Reset emails missing TLS leads account takeover
Legal Robot $40 Bypass 8 chars password complexity with 6 chars only due to insecure password reset functionaliy
HackerOne - Obtain the username & the uid of the one doing the S3 sync on Hackerone
Snapchat $250 Bypassing "You've requested your data the maximum number of times today." + "Please Verify an email address with snapchat to continue"
Shopify $500 password less login token expiration issue
WebSummit - WebSummit - Open Redirect
Shopify $500 Add signature to transactions without any permission
Udemy - Udemy s3 storage can be used by an attacker personal website because of missing CSRF Token
WebSummit $40 Subdomain take over signup.websummit
itBit Exchange - Open Redirect in - False Positive
Udemy - Critical : Malware and XSS file can be uploaded and executed on udemy
Ian Dunn - All Plugins - Direct file access to plugin files Vulnerability
Ian Dunn - Google Authenticator0.6 - PHP Version Dosclosure
Ian Dunn - Google Authenticator - Cross Site Scripting
LocalTapiola $50 Reflected XSS in LTContactFormReceiver (/cs/Satellite)
Automattic $100 Follow Button XSS
Python (IBB) $1,500 LZMADecompressor.decompress Use After Free
Trello - Unvalidated/Open Redirect allowing attackers to implement phishing attack
Legal Robot $20 Information Disclosure on rate limit defense mechanism
Ubiquiti Networks $500 Authentication bypass on via subdomain takeover of
Trello - Subdomain Take over & username enemuration
Snapchat - Subdomain takeover of
OLX - Name, email, phone and more disclosure on user ID (API)
CodeIgniter - Link sanitation bypass in xss_clean()
Nextcloud - Content spoofing in
OWOX, Inc. - HTTP Response Splitting(CRLF injection) in
HackerOne - (HackerOne SSO-SAML) Login CSRF, Open Redirect, and Self-XSS Possible Exploitation
Legal Robot $20 Near-duplicate accounts allowed with ignored email mutations
ownCloud - Accessable Htaccess
Zendesk - Missing function level access controls allowing attacker to abuse file access controls. Multiple vulnerabilities
OLX - Full path disclosure vulnerability at
Maximum $75 Facebook and twitter page claimed of [important]
LocalTapiola $18,000 Oracle Webcenter Sites administrative and hi-privilege access available directly from the internet (/cs/Satellite)
HackerOne $500 Bypass rate limiting on /users/password (possibly site-wide rate limit bypass?)
RubyGems - Invalid username updating
DigitalSellz - Access to Amazon S3 bucket
New Relic - Stored Xss in
Trello $128 SSRF in account webhook (through API)
Mail.Ru $300 Time-based sql-injection на
DigitalSellz - AWS Signature Disclosure in allows access to S3
Slack $400 Email information leakage for certain addresses
Shopify $500 Open redirect in bulk edit
Imgur $100 Stored XSS in albums on
Skyliner - DNSSEC misconfiguration
Nextcloud $750 Bypass permissions
Twitter $2,100 Twitter iOS fails to validate server certificate and sends oauth token
Coinbase $100 Information leakage on
IRCCloud $50 Exposed, outdated nginx server (v1.4.6) potentially vulnerable to heap-based buffer overflow & RCE
Snapchat $250 Incoming email hijacking on
Uber $500 Users can falsely declare their own Uber account info on the monthly billing application
Paragon Initiative Enterprises - Not clearing hex-decoded variable after usage in Authentication
Coinbase - coinbase Email leak while sending and requesting
Boozt Fashion AB - Http header injection
Instacart - User Information sent to client through websockets
SecNews - DOM based XSS in search functionality
New Relic - SSO Authentication Bypass
Nextcloud - Unauthenticated Stored xss
Zomato - [CRITICAL] Complete source code disclosure via exposed Jenkins Dashboard
Shopify $500 Deleted Post and Administrative Function Access in eCommerce Forum
HackerOne - Ability to enumerate private programs using SAML
Boozt Fashion AB $80 Make victim buy in attacker's account without any idea -
Python $1,000 msilib.OpenDatabase Type Confusion
Boozt Fashion AB - Host header poisoning leads to account password reset links hijacking
Pornhub $750 Unsecured Grafana instance
Pornhub $750 Disclosure of private photos/albums -
Yelp $200 Bybass The Closing of the account and logged again to your account
Eobot $12 No password length restriction
Boozt Fashion AB $120 XSS
OLX - XSS and Open Redirect on
Shopify $500 XSS in SHOPIFY: Unsanitized Supplier Name can lead to XSS in Transfers Timeline
Legal Robot - Server version disclosure
Twitter $560 leaking Digits OAuth authorization to third party websites
Shopify $500 Unsanitized Location Name in POS Channel can lead to XSS in Orders Timeline
Boozt Fashion AB $80 Instance of Apache Vulnerable to Several Issues
Boozt Fashion AB $120 Potential Subdomain Takeover Possible
Yelp $100 Self-XSS via location cookie city field when getting suggestions for a new location
WebSummit - Reflected xss on
Boozt Fashion AB $250 xss in Theme
Keybase $100 Denial of Service through set_preference.json
Ruby $200 Arbitrary heap overread in strscan on 32 bit Ruby, patch included
OpenSSL $500 SSLv2 doesn't block disabled ciphers (CVE-2015-3197)
OpenSSL $2,500 Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)
Yelp $500 Verification of E-Mail address possible on and
Envoy - Abuse of API can Lead to DoS
Boozt Fashion AB - No csrf protection on logout
Boozt Fashion AB - User Enumeration.
Harvest $500 Invoices can be added to any retainers - even closs-platform
OLX - Bypassing Phone Verification For Posting AD On OLX
Slack $500 Rate-limit bypass
Mindoktor $500 Vulnerable Mobile Phone configuration
Nextcloud $500 Reflected XSS in Gallery App CVE-2016-9466
Harvest $250 XSS on expenses attachments
Shopify - Subdomain Takeover in pointing to Fastly
Open-Xchange $300 OX (Guard): Stored Cross-Site Scripting via Email Attachment
Mapbox - target="_blank" Vulnerability Resulting in Critical Phishing Vector
Instacart $50 Seemingly sensitive information at /api/v2/zones
Python $1,000 urllib HTTP header injection CVE-2016-5699
Shopify $500 Access to Splunk via endpoint
Shopify $500 Open redirect allows changing iframe content in *<id>/editor
LocalTapiola $400 Open redirection protection bypass (/cs/Satellite)
Algolia $100 Hyperlink Injection in Friend Invitation Emails
LocalTapiola $400 SQL Injection on `/cs/Satellite` path
Legal Robot $60 Validation bypass on user profile
Ian Dunn $50 CSV Injection in Camptix
LocalTapiola $100 Oracle WebCenter Sites Support Tools available and Information disclosure (/cs/Satellite)
LocalTapiola $50 Reflected XSS in (/cs/Satellite) using Oracle WebCenter -page
Nextcloud - Reflected Self-XSS Vulnerability in the Comment section of Files (Different-payloads)
Phabricator - link reset problem
Legal Robot $20 Possible content spoofing due to missing error page
Mail.Ru - Reflected XSS @
Nextcloud $100 Reflected Self-XSS Vulnerability in the Comment section of Files Information
Gratipay - Username Restriction is not applied for reserved folders
Slack $2,500 Snooping into messages via email service
Gratipay - Username can be used to trick the victim on the name of
Legal Robot - Click Jacking
Legal Robot $20 unsecured assets
Nextcloud - Slow Http attack on nextcloud(DOS)
Instacart - [Critical] Subdomain Takeover
Legal Robot - UI Redressing ( ClickJacking ) Issue on Information submit form
Dropbox - XSS in OAuth Redirect Url
Legal Robot - 2 vulns
Legal Robot $20 Legal | Application is Missing CSP(Content Security Policy) Header
Legal Robot - Clickjacking: X-Frame-Options header missing
Legal Robot - Amazon Bucket Accessible (
New Relic - Java RMI (Remote Code Execution)
Skyliner - Email Spoofing
Legal Robot - Email spoofing-fake mail from your mail domain server
Legal Robot $20 CORS (Cross-Origin Resource Sharing)
Legal Robot $20 Information Disclosure in AWS S3 Bucket
Legal Robot - Email spoofing possible via Legal Robot domain
Legal Robot $120 User Information leak allows user to bypass email verification.
Legal Robot $120 User Information sent to client through websockets
Nextcloud - Wordpress: Directory Traversal / Denial of Serivce
Nextcloud - Expired SSL certificate
Nextcloud - \OCA\DAV\CardDAV\ImageExportPlugin allows serving arbitrary data with user-defined or empty mimetype CVE-2016-9465
Dropbox $1,458 Subtile Code Injection Vulnerability in Dropbox for Windows
Khan Academy - OPEN URL REDIRECT through PNG files
New Relic - Cookie Misconfiguration
Paragon Initiative Enterprises - Email Spoofing With Your Website's Email
HackerOne - Users contents on AWS is cacheable
Skyliner - [ /] Open Redirect
Nextcloud - Information Disclosure of .htaccess file in Private Server/Subdomain
Uber $100 Stealing users password (Limited Scenario)
Instacart $150 Fetch private list metadata and any user's personal name
Uber $5,000 Changing paymentProfileUuid when booking a trip allows free rides
OLX - XSS and HTML Injection
GitLab - Boards leak private label names and desciptions
Gratipay - Cross Site Scripting In Profile Statement
Shopify $500 Open Redirect possible in
Certly - Non secure requests at not upgrading to https
Nextcloud - Password Reset Link issue
Gratipay - Reset Link Issue
Harvest $500 Possible to steal any protected files on Android
Airbnb - ████ discloses valid Airbnb SSO login names via Google Search Results
Gratipay - XSS Via Method injection
Ian Dunn - Potentially vulnerable version of Apache software in and default files on
Bime $150 Subdomain takeover at due to unclaimed Amazon S3 bucket
Mail.Ru - [] CSRF Bypassed - Changing anyone's 'User Info'
Nextcloud - Content Injection -
Nextcloud - Content Injection -
Ian Dunn - bypass to csv injection
Harvest $150 Extracting private info of estimates.
Ian Dunn $100 Bypass fix in report.
Ian Dunn $50 Bypassing CSV injection using new line charcter
Coinbase $300 window.opener is leaking to external domains upon redirect on Safari
Ian Dunn - stored SELF xss on Basic Google Maps Placemarks Settings plugin
Instacart - API OAuth Public Key disclosure in mobile app
Instacart $150 Brute force login and bypass locked account restrictions via iOS app
Shopify $500 [] Open Redirect
Mail.Ru - [] XSS, SSI Injection
GitLab - XSS On meta tags in profile page
Ian Dunn - Send emails to all users using Camptix
HackerOne - Ability to monitor reports' submission in real time
Snapchat $400 [] Stored XSS via an incorrect avatar property value
Instacart $150 Issues with uploading list images
Shopify $500 Open CouchDB on
HackerOne $500 Information leakage of private program
Shopify $500 Open redirect using checkout_url
HackerOne $500 Requesting Mediation possible on reports that are too old for mediation
QIWI $950 [] Oauth захват аккаунта
LocalTapiola $3,000 Blind Stored XSS Against Lahitapiola Employees - Session and Information leakage
bitaccess - Missing Rate limiting for sensitive actions (like "forgot password") and reCaptcha error.
OLX - full path disclosure vulnerability at*
Slack $1,000 Stored XSS(Cross Site Scripting) In Slack App Name
Harvest $150 Unauthorized read access to Invoices by PM (Access control Issues)
Harvest $150 Unauthorized access to all the actions of invoices by PM (Access control Issues)
Harvest $100 PM can delete payment of any invoice in company (Access control Issue)
Harvest $100 Record payment for any invoice by PM (Access control Issue)
Harvest $100 PM can delete the company logo image (Vertical Privilege Escalation )
Starbucks $150 Improper Validation on Cancel Link Redirect
OLX - Full Account Takeover
HackerOne $1,000 Hacker.One Subdomain Takeover
Harvest $250 PM with can Set up email for invoices and estimates (Access control Issue)
OLX - [Critical] Delete any account $75 Cross site scripting
Instacart $100 Hyperlink Injection in Friend Invitation Emails
Instacart - Reflected File Download on recipe list search
Ubiquiti Networks $150 [] DOM based XSS at form.html
Shopify $1,000 (BYPASS) Open redirect and XSS in
Uber - Attacker could setup reminder remotely using brute force
GitLab - Ability to access all user authentication tokens, leads to RCE
Certly - Business logic Failure - Browser cache management and logout vulnerability in Certly
Trello $1,024 File access using image tragick
HackerOne $500 Non-secure requests are not automatically upgraded to HTTPS
Instacart $250 shopper login_code's can be brute forced
Twitter $560 redirects to vulnerable
Shopify $500 Access to Splunk at
Trello - XSS and Open-Redirect via SVG
Instacart $100 Image Upload Path Disclosure
Instacart $150 Host Header Injection/Redirection in:
Instacart $50 Server side request forgery on image upload for lists
Instacart $75 Missing rel=noreferrer tag allows link in list to change url of currently open tab
Instacart $200 Race Condition in Redeeming Coupons
Instacart $100 Cross-Site Request Forgery (CSRF)
Veris - Internal server error 500 at
Instacart $150 Stored XSS
Instacart $50 CSRF To change Email Notification Settings
OLX - these are my old reports and still i have not receive any good replys, these all are Cross Site Scripting(XSS) issues: POC1:
Shopify $500 (FULL PATH DISCLOSURE) Unknown MySQL server host ''
OLX - XSS on Meta Tag at
HackerOne $500 Disclosure of external users invited to a specific report
Gratipay - Cookie:HttpOnly Flag not set
Gratipay - Host Header Injection/Redirection Attack
New Relic - All Active user sessions should be destroyed when user change his password!
SecNews $300 Querying private posts and changing post meta
New Relic - CSRF vulnerability that allows an attacker to purge plugin metric data
New Relic - Login CSRF vulnerability
Veris - bug
Ubiquiti Networks $500 IDOR Causing Deletion of any account
Uber $10,000 Reading Emails in Uber Subdomains
Algolia $400 Unauthorized team members can leak information and see all API calls through /1/admin/* endpoints, even after they have been removed.
Nextcloud - Directory listening enabled in:
Nextcloud - Content spoofing due to default Apache Error Page
Algolia $100 Stored XSS from Display Settings triggered on Save and viewing realtime search demo
Algolia $100 Stored xss
Algolia $100 Stored XSS triggered by json key during UI generation
Open-Xchange $1,000 OX (Guard): Stored Cross-Site Scripting via Incoming Email
Phabricator - Error page Text Injection.
Uber - XSS At ""
Trello - Verification Code Reused For activating 2FA
Slack $500 CSRF - Add optional two factor mobile number
Coinbase - Create Multiple Account Using Similar X-CSRF token
Shopify $500 Staff member can delete Private Apps
Nextcloud - Arbitrary File Upload in Logo & Log in image Theming setting.
Uber - Content injection on 404 error page at
ownCloud $100 Arbitrary Code Injection in ownCloud’s Windows Client
Uber - User Enumeration and Information Disclosure
Algolia - [] XSS
Shopify $500 (BYPASS) Open Redirect after login at
Nextcloud - Content spoofing due to default Apache Error Page
OLX - Unauthorised access to user accounts.
Twitter $1,120 Stealing User emails by clickjacking
Gratipay $1 Content Spoofing/Text Injection
New Relic - Leaking license key in source code
Nextcloud $50 More content spoofing through dir param in the files app
Uber $3,000 Missing authorization checks leading to the exposure of administrator accounts
Nextcloud - Bookmarks: Delete all existing bookmarks of a user
Snapchat $3,000 Subdomain takeover on
Shopify $500 Delete/modify your own comment after limited access(IDOR)
Harvest $150 Opportunity to set arbitrary cookies
Moneybird $50 [Stored Cross-Site-Scripting] When search about Incoming ( Manual Jurnal )
Shopify $1,000 Unauthorized access to Zookeeper on
ownCloud - [] IE, Edge XSS via Request-URI
ownCloud - [] CRLF Injection
ownCloud - [] CRLF Injection
Uber $500 Blind OOB XXE At ""
Nextcloud $100 IDOR - Disable sharing CVE-2016-9464
Nextcloud - xss for admin of
Shopify - Redirect url after login is not validated
New Relic - [] Scanning local network via notification channel
Ian Dunn - [Not just a server configuration issue] Full Path Disclosure
Ian Dunn - CSRF in changing settings of Basic Google Maps Placemarks
Nextcloud - [Nextcloud 9.0.53] Content Spoofing in 'trustDomain' parameter
Mail.Ru - [] system accounts enumeration
Uber - Can add employee in without add payment method
Uber - Text Only Content Spoofing on Community Page
Starbucks - Java Deserialization RCE via JBoss JMXInvokerServlet/EJBInvokerServlet on
Ian Dunn $50 Multiple XSS in Camptix Event Ticketing Plugin
New Relic - Session Management Flaw
Harvest $500 Project Disclosure of all Harvest Instances
Nextcloud - Content spoofing in
Harvest $1,000 Leak of all project names and all user names , even across applications
Harvest $350 Users enumeration is possible through cycling through recurring[client_id] argument value.
Harvest $350 Stored XSS on invoice, executing on any subdomain
Harvest $250 CSRF token fixation in Sign in with Google
Harvest $1,000 S3 bucket takeover due to
Harvest $100 Cross-Site Request Forgery (CSRF)
Gratipay - Username .. (double dot) should be restricted or handled carefully
PHP $500 NULL Pointer Dereference in exif_process_user_comment
PHP $1,000 Out of bound read in exif_process_IFD_in_MAKERNOTE
Coursera - Broken authentication and session management flaw
OLX - Stored XSS on contact name
Uber $5,000 Stored XSS on via admin account compromise
concrete5 - CSRF Full Account Takeover
Algolia $100 No Rate Limit In Inviting Similar Contact Multiple Times
Nextcloud - The application uses basic authentication.
Gratipay - User Supplied links on profile page is not validated and redirected via gratipay.
Gratipay - The contribution save option seem to be vulnerable to CSRF
GoCD - X-Content-Type-Options header missing at Auth Login
GoCD - Directory Listening
OLX - XSS on Home page via auto save search text
Ian Dunn - User enumeration in wp-admin
Ian Dunn $375 CSV Injection at Camptix Event Ticketing
ownCloud $50 ownCloud DLL Hijacking Vulnerability
Uber $2,000 [IODR] Get business trip via organization id
Uber $3,000 Get organization info base on uuid
Slack $500 Creating Post on a restricted channel
OLX - xss
Gratipay - don't allow directory browsing on
OLX - Reflected XSS at
Paragon Initiative Enterprises - Content-type sniffing leads to stored XSS in CMS Airship on Internet Explorer
OLX - Manipulating Job Vacancy alert subscription emails (HTML Injection / Script Injection)
Automattic $300 [bbPress] Stored XSS in any forum post.
Dropbox $729 SSRF allows access to internal services like Ganglia
Shopify $1,500 Stealing livechat token and using it to chat as the user - user information disclosure
Gratipay - prevent null bytes in email field
OLX - Reflected Cross Site scripting Attack (XSS)
OLX - Arbitrary File Reading
OLX - Reflected XSS in
OLX - stored XSS in - ogloszenie TITLE element - moderator acc can be hacked
OLX - SQLi in Payment Request
OLX - Updating and Deleting any Ads on OLX Philippines
OLX - CSRF in account configuration leads to complete account compromise
OLX - XSS @ *
Uber $1,000 is vulnerable to 'SOME' XSS attack via plupload.flash.swf
Shopify $500 takeover
Twitter $420 Html Injection and Possible XSS in
Uber $4,000 SQL Injection on
IRCCloud $500 Cross Site Scripting(XSS) on IRCCloud Badges Page (using Parameter Pollution)
Ian Dunn - Brute force on wp-login
Ian Dunn - SSL certificate public key less than 2048 bit
Paragon Initiative Enterprises - Full Path Disclosure by removing CSRF token
Bime $1,000 Attacker can access graphic representation of every query
Bime $1,000 Urgent: attacker can access every data source on Bime
Nextcloud $50 Content (Text) Injection at NextCloud Server 9.0.52 - via http://custom_nextcloud_url/remote.php/dav/files/ CVE-2016-9468
Gratipay - don't leak Server version for
Uber $2,250 Subdomain takeover of, and
GitLab - Insecure 2FA/authentication implementation creates a brute force vulnerability
Legal Robot $40 AWS S3 website can't serve security headers, may allow clickjacking
Whisper $100 Stored XSS in
Uber - Server version disclosure
Paragon Initiative Enterprises - Site support SNI But Browser can't
HackerOne - Reward Money Leakage
Paragon Initiative Enterprises - ssl info shown
CodeIgniter - Web Server Disclosure
Ubiquiti Networks $185 Reflected Xss in AirMax [Nanostation Loco M2]
ExpressionEngine - Arbitrary SQL query execution and reflected XSS in the "SQL Query Form"
ExpressionEngine - Filename and directory enumeration
ExpressionEngine - Full path + some back-end code disclosure
Algolia $100 Stored xss
Paragon Initiative Enterprises - [URGENT] Password reset emails are sent in clear-text (without encryption)
Paragon Initiative Enterprises - Issue with password reset functionality [Minor]
Coinbase - Content Injection error page
Paragon Initiative Enterprises - Session Management Issue CMS Airship
Paragon Initiative Enterprises - User enumeration via Password reset page [Minor]
Paragon Initiative Enterprises - Airship doesn't reject weak passwords
Nextcloud - [Thirdparty] Stored XSS in chat module - nextcloud server 9.0.51 installed in ubuntu 14.0.4 LTS
Paragon Initiative Enterprises - Full path disclosure when CSRF validation failed
Phabricator $600 HTML in Diffusion not escaped in certain circumstances
Paragon Initiative Enterprises $50 Stored XSS using SVG
Legal Robot $100 Subdomain takeover at due to non-used domain in
Paragon Initiative Enterprises - Nginx Version Disclosure On Forbidden Page
Pornhub $1,500 [idor] Unauthorized Read access to all the private posts(Including Photos,Videos,Gifs)
Paragon Initiative Enterprises - Email spoofing in [email protected]
Paragon Initiative Enterprises $25 Stored XSS in comments
Paragon Initiative Enterprises $50 Stored Cross-Site-Scripting in CMS Airship's authors profiles
Dropbox - XSS, Unvalidated redirects & phishing website hosting on dropbox servers
Keybase $350 Register multiple users using one invitation (race condition)
Coinbase - No authorization required in iOS device web-application
Coinbase - No authorization required in Windows phone web-application
HackerOne - Possible CSRF during joining report as participant $100 Паблики: Модератор паблика может удалять добавленные редакторами материалы с таймером на публикацию.
Instacart - CSRF with redeem coupon request
Uber $1,000 Wordpress Vulnerabilities in and domains
Mail.Ru - Cross Site Request Forgery (CSRF)
ownCloud - SMB User Authentication Bypass and Persistence CVE-2016-9463
Trello - Sending Unlimited Mails To Anybody With Easy Social Share Buttons Plugin
Slack $1,500 Source code leakage through GIT web access at host ''
HackerOne $500 Know undisclosed Bounty Amount when Bounty Statistics are enabled.
Veris - Email spoofing in [email protected]
Badoo $140 Change contents of the careers iframe in
Mail.Ru - Back Refresh Attack after registration and successful logout
Moneybird $25 Logging out any user
leetfiles - [] MSIE, Edge XSS via Request-URI
Coinbase $100 Application error message
concrete5 - Local File Inclusion path bypass
Slack $100 Generate new Test token
FantasyTote - Session doesn't expired after login
Slack $100 User can start call in a channel of an unpaid account
FantasyTote - Weak HSTS age
FantasyTote - Betting more than max amount
FantasyTote - Urgent Fix Balance Limit bypass
FantasyTote - Bypass logout
FantasyTote - Insecure password change mechanism may lead to full account takeover
Informatica - [] Reflected Cross Site Scripting to XSS Shell Possible
FantasyTote - Stored number of clicks in the Deposits button
FantasyTote - No email verification required when we change email from settings
Informatica - [] Tomcat Example Scripts Exposed Unauthenticated
Dropbox - Can make any number of dropbox accounts with one email - DOM XSS в /activation.php?act=activate_mobile
New Relic - SSRF/XSPA
Uber - uses an invalid SSL certificate
HackerOne $500 Race Conditions in Popular reports feature.
Uber - Authentication Issue for easter egg on
Uber - Command Injection, Information
LocalTapiola $150 Mixed Active Scripting Issue on
Pornhub $500 RCE Possible Via Video Manager Export using @ character in Video Title
Informatica - [] Unauthenticated Apache Tomcat 8 Installation
Nextcloud - No Rate Limiting on login
Uber - Server version disclosure:
New Relic - Html injection in monitor name textbox
Nextcloud - Deny access to + folders
Nextcloud - Log pollution can lead to HTML Injection.
PHP $1,000 ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize
PHP $1,000 Use After Free Vulnerability in PHP's GC algorithm and unserialize
Trello - Report bug on jetpack plugin
Nextcloud - REG: Content provider information leakage
Instacart - Authentication Bypass in Updating Personal Information
Nextcloud - Email ID Disclosure.
Nextcloud - WordPress Vulnerabilities: User Enumeration, Vulnerable Akismet Plugin, XML-RPC Interface available
Nextcloud $100 Read-only share recipient can restore old versions of file
Nextcloud $250 Uploading files to a folder where invited user don't have any EDIT privilege
Nextcloud - Password reset link remains valid after email change
Uber - Error Message on 404 page
Nextcloud - Content Injection in subdomain
Nextcloud - Content injection in subdomain
Nextcloud - Content Spoofing/Text Injection -
Nextcloud - Content Injection 404 page
Nextcloud - Business/Functional logic bypass: Remove admins from admin group.
Nextcloud - help.nextcloud Email Address/Username enumeration
Nextcloud - Bypass firewall protection
Nextcloud - Bruteforcing
Nextcloud - Bruteforce attack is possible on
Algolia $100 2-factor authentication bypass
Slack - Unauthenticated Access to some old file thumbnails
Nextcloud - No captcha on newsletter.nextcloudcom leaves vulnerable to email spammers
Nextcloud - Avatar image upload and bypass real image verification
Nextcloud - Directory listening and Information Disclosure
Nextcloud - Lost Password CSRF
Nextcloud - Directory Listing On & Practical Attacks on PGP (Pretty Good Privacy)
Nextcloud - Server side request forgery (SSRF) on nextcloud implementation.
Nextcloud - Vulnerable Javascript library
Nextcloud - Directory listening for 'wp-includes' forders
Vimeo $600 Downloading password protected / restricted videos
Nextcloud $50 Nextcloud server software: Content Spoofing
Nextcloud - No rate limiting on password protected shared file link
Nextcloud - Mail Bombing ( No Rate Limiting On Sending Emails On Contact us Page)
Nextcloud $350 Share owner has no possibility to list all existing derived shares
Nextcloud - Session Management Issue
Nextcloud - Known DoS condition (null pointer deref) in Nginx running
Nextcloud - No permission set on Activities [Android App]
Nextcloud - Enumeration of subscribed users and unauthenticated email unsubscriptions on
Nextcloud - Response Header injection using redirect_uri together with PHP that utilizes Header Folding according to RFC1945 and Internet Explorer 11
Nextcloud - Content Injection
Nextcloud - Content Spoofing
Nextcloud $750 Stored XSS on Share-popup of a directory's Gallery-view
Nextcloud - Content Injection Custom 404 Error
Veris - Registeration Link "Jacking&Redirecting"
Paragon Initiative Enterprises - Session Management
Uber - Self-XSS in Partners Profile
Uber $7,000 xss in
Paragon Initiative Enterprises - Full path disclosure vulnerability on
Zomato - Stored Cross site scripting
Ubiquiti Networks $1,000 Subdomain takeover on due to non-used CloudFront DNS entry
Uber $1,500 Bulk UUID enumeration via invite codes
Ian Dunn $50 Stored XSS from ticket messages in admin table in SupportFlow
Ian Dunn $50 Stored XSS in SupportFlow Ticket Subject
Uber - Bruteforce INVITE codes easy way
Uber - Email Address Enumeration
Python $1,000 CVE-2016-0772 - python: smtplib StartTLS stripping attack
Sucuri $250 [] CRLF Injection
Sucuri $250 SSRF in
Mail.Ru $150 [] Time-Based SQL Injection
Uber $750 Brute-Forcing invite codes in
bitaccess $200 EXTREMELY URGENT: Missing control of bitcoin amount when selling bitcoin allows a user to withdraw any amount of money, unrestricted.
New Relic - Open redirection bypass .
Ruby - Heap corruption in string.c tr_trans() due to undersized buffer
Ruby - Heap corruption in DateTime.strftime() on 32 bit for certain format strings
Ruby $500 StringIO strio_getline() can divulge arbitrary memory
WebSummit - Time Based SQL injection in url parameter
Uber - Newsroom.uber HTML form without CSRF protection
HackerOne $500 All information is not removed from published reports
SecNews - Text injection on error page.
SecNews - Content spoofing due to the improper behavior of the not-found message
Instacart $100 Authorization Bypass in Delivery Chat Logs
The Internet $7,500 Insufficient shell characters filtering leads to (potentially remote) code execution (CVE-2016-3714)
Slack $500 File upload over private IM channel
Uber $10,000 Change any Uber user's password through /rt/users/passwordless-signup - Account Takeover (critical)
Uber - Email Enumeration Vulnerability
Badoo $280 Получение оригинала скрытого изображения
Phabricator - Full path disclosure
Coinbase - Transaction Pending Via Ip Change
Shopify $3,000 Authentication Bypass on Icinga monitoring server
Shopify $1,500 Potentially Sensitive Information on GitHub
Veris - Unauthenticated CSRF(User can input any value for CSRF Token)
Zomato - XSS on
Uber - Password Reset Does Not Confirm the Existence of an Email Address
Mail.Ru $250 for Android Content Provider Vulnerability
Uber - Header Injection
drchrono $50 Information Disclosure
Python $500 Heap corruption via Python 2.7.11 IOBase readline()
Uber $750 xss vulnerability in
drchrono $50 Bug Report
Moneybird $50 [STORED XSS] in debtor reports of ,,invoices''
WePay $250 Invited users can modify and/or remove account owner
Shopify $500 Fetching external resources through svg images
LocalTapiola $100 DOM XSS bypassing in Regional Office -selector
Urban Dictionary - Infinite Upvoting/Downvoting: Lockout Bypass, Plus: Exposed API Documentation
Pornhub $10,000 [RCE] Unserialize to XXE - file disclosure on
Twitter $560 Information Disclosure through .DS_Store in ██████████
Pushwoosh - Cross-Site Scripting Stored On Rich Media
Mail.Ru $150 [] SQL Injection
OpenSSL $500 CVE-2016-2177 Undefined pointer arithmetic in SSL code
Pornhub $1,500 (Pornhub & Youporn & Brazzers ANDROID APP) : Upload Malicious APK / Overrite Existing APK / Android BackOffice Access
Zomato - Bypass OTP verification when placing Order
Trello - XSS in Jetpack plugin $1,500 XSS в upload.php
drchrono $50 User with no permissions can create, edit, delete favorite prescriptions /erx/
Slack $200 [Screenhero] Subdomain takeover
Ubiquiti Networks $125 Stored XSS in
Pornhub $20,000 [phpobject in cookie] Remote shell/command execution
Pornhub $1,000 Private Photo Disclosure - /user/stream_photo_attach?load=album&id= endpoint
drchrono $50 Bypassing Password Reset
drchrono - XSS in Blog
GlassWire $25 Bypass GlassWire's monitoring of Hosts file
New Relic - SSRF on permitting access to sensitive data
Bime - Bime Unable to load Data Sources
HackerOne $500 Able to remove the admin access of my program
drchrono $50 User with no permissions can access full wdcalendar feed
Pornhub - Reflected XSS by way of jQuery function
drchrono $50 Stored XSS via AngularJS Injection
Ubiquiti Networks $260 Open Redirect in [Controller Finder]
drchrono $50 [CRITICAL] CSRF leading to account take over
Uber - Uber is Flooding my Mobile with SMS Daily like a cron JOB
Mail.Ru $150 Code source discloure & ability to get database information "SQL injection" in []
New Relic - Blind SSRF on
Zendesk $100 XSS in
drchrono $100 Angular injection in the profile name of onpatient
Nginx - Module ngx_http_auth_basic_module is broken and allowing all password after specific length
drchrono $50 Template stored XSS
drchrono $50 - Information Disclosure and Windows Host Exposed
drchrono $50 Ngnix Server version disclosure
Starbucks $4,000 Parameter Manipulation allowed for editing the shipping address for other user’s subscriptions.
Pushwoosh - Stored XSS in Filters
Starbucks $6,000 Parameter Manipulation allowed for viewing of other user’s orders
drchrono $50 Bypass password complexity requirements on passsword reset page
drchrono $100 Security Issue : CSRF Token Design Flaw
Mail.Ru $150 [] SQL Injection
Mail.Ru - [] CRLF Injection
Uber - XSS in
Mail.Ru - Insecure cookies without httpOnly flag set
Coinbase - Cookie not secure
HackerOne - Denial of service in report view.
Mail.Ru $100 [] HTML injection в письмах от [email protected]
Starbucks $375 Reflected XSS via utm_source parameter
Mail.Ru $160 [] /uploadphoto Insecure Direct Object References
Slack $500 Open Redirect on
Gratipay $10 configure a redirect URI for Facebook OAuth $50 CJ vulnerability in subdomain
Gratipay - don't store CSRF tokens in cookies
New Relic - Session takeover
New Relic - No CSRF validation on Account Monitors in Synthetics Block
Trello $128 XSS in Jetpack Plugin
Zomato - XSS onmouseover
Phabricator - No authentication required to add an email address.
LocalTapiola $100 Exploiting Secure Shell (SSH) on
Uber - DOM based XSS on
Phabricator $300 Passphrase credential lock bypass
Dovecot - Outdated Apache Server in is vulnerable to various attack.
Dovecot - Apache version disclosure
New Relic - Privilege Escalation In Moniter
Informatica - [] Unauthenticated emails and HTML injection in email messages
Ubiquiti Networks $2,750 Read-Only user can execute arbitraty shell commands on AirOS - Missing proper error message.
Automattic $500 WordPress core stored XSS via attachment file name
Badoo $280 Ability to collect users' ids that have visited a specific web page with malicious code
New Relic - Improper Session Management
Dropbox - Lack of account link warning enables dropbox hijacking
LocalTapiola $300 Persistent XSS at using spoofed React element and React v.0.13.3
Uber - Phone Number Enumeration
Uber $7,000 OneLogin authentication bypass on WordPress sites via XMLRPC
New Relic - Missing rate limit on password
Pornhub $750 [idor] Profile Admin can pin any other user's post on his stream wall
LocalTapiola $100 Remote Code Execution in NovaStor NovaBACKUP DataCenter backup software (Hiback)
Veris - Text injection can be used in phishing 404 page and should not include attacker text
Pornhub $1,000 SSRF & XSS (W3 Total Cache)
Gratipay - don't expose path of Python
Uber - Self-XSS on
Dovecot - DIrectory Listing Found
Mail.Ru - [] CRLF Injection
LocalTapiola $300 Abusing and Hacking the SMTP Server
Zomato - Instagram OAuth2 Implementation Leaks Access Token; Allows for Cross-Site Script Inclusion (XSSI)
Zomato - Reflected Cross-Site Scripting in
WP API $100 Missing access control exposing detailed information on all users
Pornhub $1,000 [IDOR] Deleting other users comment
Pornhub $150 Same-Origin Method Execution bug in plupload.flash.swf on /insights
OpenSSL $1,000 Bleichenbacher oracle in SSLv2 (CVE-2016-0704)
OpenSSL $2,500 Divide-and-conquer session key recovery in SSLv2 (CVE-2016-0703)
Pornhub $5,000 Weak user aunthentication on mobile application - I just broken userKey secret password
Pornhub $1,500 [stored xss,] stream post function
Pornhub $250 XSS Reflected incategories*p
Pornhub $250 XSS ReflectedGET /*embed_player*?
StopTheHacker - Wordpress flashmediaelement.swf XSS on
Mail.Ru $150 SQL Injection
Pornhub $1,500 [IDOR] post to anyone even if their stream is restricted to friends only
Veris - Reflected XSS in domain
Pornhub $100 CSV Macro injection in Video Manager (CEMI)
Veris - Stored XSS on 'Badges' page
Square Open Source - Cache poisoning for okhttp
Pornhub - vulnerabilitie
Ruby - SMTP command injection
HackerOne - Inadequate access controls in "Vote" functionality???
Vimeo $600 All Vimeo Private videos disclosure via Authorization Bypass
LocalTapiola $100 Amazon Bucket Accessible (
New Relic - New Relic - Session Hijacking
Twitter - List of a ton of internal twitter servers available on GitHub
Sucuri $500 CRLF/HTTP header injection
Dovecot - nginx server vulnerable
Dropbox - Dropbox apps Server side request forgery
ThisData - Host Header Poisoning in
Uber - Clickjacking in
Veris - [Stored XSS] $500 Xss in
Veris - [XSS]
Mail.Ru - AXFR на работает
Vimeo - XSS in Subtitles of Vimeo Flash Player and Hubnut
Udemy - Csrf on creating course
OpenSSL $2,500 Padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
Ubiquiti Networks $1,000 Source code disclosure on
Uber $8,000 [CRITICAL] -- Complete Account Takeover
Gratipay $1 don't leak server version of in error pages
Moneybird $50 Reflected XSS in Backend search
Uber - Compromising Atlassian Confluence ( via WordPress (
Vimeo $750 CSRF on Vimeo via cross site flashing leading to info disclosure and private videos go public
GitLab - Persistent XSS on public wiki pages
Mapbox $400 Denial of service in account statistics endpoint
Uber $10,000 OneLogin authentication bypass on WordPress sites
Moneybird $100 Employees with Any Permissions Can Create App with Full Permissions and Perform any API Action
OpenSSL $500 EBCDIC overread (CVE-2016-2176)
OpenSSL $500 EVP_EncryptUpdate overflow (CVE-2016-2106)
OpenSSL $500 EVP_EncodeUpdate overflow (CVE-2016-2105)
Uber - Missing authentication on Notification setting .
Romit $50 Session Fixation
Moneybird $25 information disclose
Shopify $500 View all deleted comments and rating of any app .
Dropbox Acquisitions - Session hacking
Dovecot - Cross-Site Scripting Vulnerability in
Uber $5,000 Multiple vulnerabilities in a WordPress plugin at
Paragon Initiative Enterprises - Email Authentication Bypass
LocalTapiola $400 Possibly big authorization problem in Lähitapiola´s varainhoito
Mapbox $1,000 Reflected cross-site scripting (XSS) on
LocalTapiola $100 HTTP status code manipluation & java stack trace
LocalTapiola $5,000 Blind Stored XSS Against Lahitapiola Employees - Session and Information leakage
PHP $1,500 Integer overflow in ZipArchive::getFrom*
HackerOne $2,500 RCE in profile picture upload
OpenSSL - Potential double free in EVP_DigestInit_ex
Paragon Initiative Enterprises - The Anti-CSRF Library fails to restrict token to a particular IP address when being behind a reverse-proxy/WAF
OpenSSL $500 ASN.1 BIO excessive memory allocation (CVE-2016-2109)
Shopify $500 staff memeber can install apps even if have limitied access
Automattic $1,337 WordPress SOME bug in plupload.flash.swf leading to RCE
Automattic $1,337 WordPress Flash XSS in *flashmediaelement.swf*
Uber - Uber for Business Allows Administrators to Change Uber Driver Ratings Due to Failure to Authenticate `fast-rating` Endpoint
Zendesk $250 XSS In /zuora/ functionality
LocalTapiola - Source Code Disclosure on out of scope domain
LocalTapiola $100 Content Spoofing or Text Injection (404 error page injection)
Algolia $500 RCE on
GitLab - Private snippets in public / internal projects leaked though GitLab API
GitLab - Confidential issues leaked in public projects when attached to milestone
GitLab - Attacker can post notes on private MR, snippets, and issues
GitLab - Attacker can delete (and read) private project webhooks
ownCloud - PHP info page disclosure
Uber - Defect-Security | Driver-Broken Authentication | Able to update the Subscription Setting anonymously
QIWI - SSL Certificate on will expire soon.
Uber - Stored self-XSS at
Uber $2,000 Reflected XSS via Livefyre Media Wall in
New Relic - rails directory traversal vuln
Automattic $75 XSS on
concrete5 - ProBlog 2.6.6 CSRF Exploit
Moneybird $25 Content Spoofing In Moneybird
Veris - XSS in Asset name
Badoo - AWS S3 Bucket hotornot-images permissions allow for listing and removing files
Uber - Information Disclosure on
Legal Robot - No DMARC Record in
HackerOne - Manipulate report timeline activity by using null byte.
New Relic - Cache-Control Misconfiguration Leads to Sensitive Information Leakage
GitLab - Labels created in private projects are leaked
New Relic - Stored Cross-Site Scripting via Angular Template Injection
Udemy $50 Stored XSS at Udemy
New Relic - Open redirection
Slack $1,000 Stored XSS on using new Markdown editor of posts inside the Editing mode and using javascript-URIs
HackerOne - Reputation Manipulation (Theoretical)
Zendesk $500 [HIGH RISK] CSRF could potentially delete a zendesk subdomain.
Moneybird $50 Open Redirect vulnerability in
bitaccess - Missing SPF for
Uber - CrashPlan Backup is Vulnerable Allowing to a DoS Attack Against Uber's Backups to ``````
New Relic - Login Open Redirect
Zendesk $100 AWS S3 bucket writable for authenticated aws user
Udemy - AWS S3 bucket writable for authenticated aws user
Uber $7,500 Stored XSS in
CloudFlare - Reflected XSS on
GitLab - Privilege escalation to access all private groups and repositories
Twitter $840 [Critical] - Steal OAuth Tokens
Coinbase $100 User's legal name could be changed despite front end controls being disabled
Uber - XSS via password recovering
Automattic $75 Akismet Several CSRF vulnerabilities
ownCloud $150 Open Redirector via (apps/files_pdfviewer) for un-authenticated users.
Gratipay $1 bring up to A grade on SSLLabs
Uber - XSS in uber oauth
Moneybird $50 Stored XSS in Financial Account executing in Bank tab
Moneybird $100 Malicious File Upload
Paragon Initiative Enterprises - Vunerability : spf
ownCloud - XSS via Referrer
Vimeo - Error page Text Injection.
Ubiquiti Networks $275 Reflected XSS in
Trello - Error Page Text Injection.
New Relic - Sensitive information contained with New Relic APM iOS application
Uber - Unsubscribe any user from receiving email
bitaccess $50 BYASSING OTP Verification
Badoo - Badoo and Hotornot User Disclosure
Uber - Requested and received edit access to Google form
Moneybird $50 CSV Injection with the CSV export feature
Trello $128 Cross site scripting in
Uber - and are susceptible to iframes
Xero - Insecure Payment System Integration
Slack $2,000 Authentication bypass leads to sensitive data exposure (token+secret)
APITest.IO - beta version reveals paths, environment variables and partially files contents
Zendesk $50 Stored XSS on [your_zendesk] in Facebook Channel
APITest.IO - Login Via FB Leads To Create A New Account Instead Of Loging In
Dropbox - No Rate Limiting while sending the feedback under Dropbox Help Centre
Python $500 Python 2.7 strop.replace Integer Overflow
GitLab - Persistent XSS on public project page
Uber - reopen #128853 (Information disclosure at
APITest.IO - Clickjacking: X-Frame-Options header missing
ownCloud - Cross site scripting in
Twitter $700 xss in DM group name in twitter
Veris - Stored XSS in member book
New Relic - APT repository is signed using weak digest (SHA-1)
Uber - Disclosure of ways to the site root
LocalTapiola $300 The PdfServlet-functionality used by the "Tee vakuutustodistus" allows injection of custom PDF-content via CSRF-attack
LocalTapiola $400 Cookie-based client-side denial-of-service to all of the Lähitapiola domains
Uber - User credentials are not strong on
Uber - Information disclosure at
Algolia $100 No rate-limit in Two factor Authentication leads to bypass using bruteforce attack
Gratipay - text injection in website title
Ubiquiti Networks $1,500 Read-Only user can execute arbitraty shell commands on AirOS
Uber - Enumerating userIDs with phone numbers
APITest.IO - SSRF on testing endpoint
New Relic - Clickjacking on authenticated pages which is inscope for New Relic
ownCloud - X-XSS-Protection not enabled
Trello $1,536 Payments informations are sent to the webhook when a team changes its visibility
OpenSSL $1,000 BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
Gratipay $10 fix bug in username restriction
Snapchat $1,000 Administrator access to a Django Administration Panel on * via bruteforced credentials
InVision $400 CRITICAL : Delete Boards Admin's ( or any other user ) comment. ( IDOR )
HackerOne $2,500 AWS S3 bucket writeable for authenticated aws users
GitLab - Bypassing password authentication of users that have 2FA enabled
GitLab - Attacker can extract list of private project's project members
Gratipay - Getting Error Message and in use python version 2.7 is exposed.
Gratipay - An adversary can harvest email address for spamming.
Uber $5,000 Stored XSS on admin panel / Stream WordPress plugin
Uber $250 Easy spam with USE My PHONE Feature
HackerOne - Deleted name still present via mouseover functionality for user accounts
HackerOne $1,500 Web Authentication Endpoint Credentials Brute-Force Vulnerability
HackerOne - DOS Report FILE html inside <code> in markdown
New Relic - Password disclosure during signup process
New Relic - Open redirection bypass
Badoo $852 [CRITICAL] Full account takeover using CSRF
Uber - Session Impersonation in
HackerOne $500 New hacktivity view discloses report IDs of non-public reports
ownCloud - Reflected XSS in
HackerOne $500 New hacktivity view discloses report IDs of non-public reports
PHP $1,000 php_snmp_error() Format String Vulnerability
New Relic - - monitor creation to other accounts
New Relic - Mobile Authentication Endpoint Credentials Brute-Force Vulnerability
HackerOne - HackerOne Important Emails Notification are sent in clear-text
Coursera - XSS in
Uber $5,000 Information regarding trips from other users
Uber $5,000 Possibility to get private email using UUID
Twitter $280 XSS using javascript:alert(8007)
Uber $3,000 Possible to View Driver Waybill via Driver UUID
Uber - Use Partner/Driver App Without Being Activated
LocalTapiola $100 DOM XSS by choosing regional company
New Relic - CSV Injection in sub_accounts.csv
New Relic - Old CAPTCHA offers no protection
New Relic - User enumeration possible from log-in timing difference
Uber - Brute Forcing rider-view Endpoint Allows for Counting Number of Active Uber Drivers
Uber $3,000 Stored XSS in Due to Injection of Javascript:alert(0)
Badoo - Insecure Direct Object Reference on
Uber - It is possible to re-rate a driver after a very long time
Uber - Pixel flood attack in
Coinbase $1,000 Sending payments via QR code does not require confirmation
Uber - Disclosure of ip addresses in local network of uber
Shopify $500 XSS on
Uber - SMS Flood with Update Profile
Uber - Changing Driver Passwords With Only an Authenticated Session (no password, no email)
Coinbase $500 Email leak in transcations in Android app
Uber - Uploading Plain Text to Through the Driver Document Upload Page
Uber - Uber password reset link EMAIL FLOOD
Uber - Privilege escalation to allow non activated users to login and use uber partner ios app
Trello $1,024 If a team is public, the web socket receives data about the Team visible boards
Uber - text injection in
LocalTapiola $1,000 Posting modified information in 'Investment section' will cause unintended information change in
Uber $500 CBC "cut and paste" attack may cause Open Redirect(even XSS)
Uber $750 XSS In Due to Mime Sniffing in IE
Uber $1,000 CSV Injection in
Uber $2,000 Stored XSS in WordPress admin panel
Uber - Cross-site Scripting (XSS)
Uber - CRLF Injection in
Uber $10,000 may RCE by Flask Jinja2 Template Injection
Uber $3,000 SQL injection in Wordpress Plugin Huge IT Video Gallery at
Veris - XSS on multiple fields
Uber $3,000 Reflected XSS via Unvalidated / Open Redirect in
Zomato - Reflected XSS on Zomato API
Uber - Session retention is present which reveals the customer info
Uber - Brute Force Amplification Attack
Uber - CSRF on may lead to server-side compromise
Uber $5,000 Possibility to brute force invite codes in
Uber - Stored Cross Site Scripting [SELF] in
Uber $3,000 Dom Based Xss
Uber $500 Estimation of a Lower Bound on Number of Uber Drivers via Enumeration
New Relic - Too many included lookups
PHP - Null pointer deref (segfault) in stream_context_get_default
Mapbox $1,000 XSS (cross-site scripting) on
Uber $3,000 Avoiding Surge Pricing
Uber - Create account in uber without signup form
Uber $2,000 Bypassing Uber Partner's 3 Cancel Limit
Uber $3,000 Lack of rate limiting on leads to enumeration of promotion codes and estimation of a lower bound on the number of Uber drivers
Uber $3,000 SQLi in
Uber - XSS on
Uber - HTML Escaping Error in the 404 Page on
Uber $1,500 Lack of CNAME/A Record Trimming Pointing Uber Domains to Insecure Non-Uber AWS Instances/Sites
Uber $3,000 XSS in
Uber - LIsting of
Uber - Self-XSS Vulnerability on Password Reset Form
Uber $3,000 Reflected XSS on via Angular template injection
Uber $500 Open Redirect in
Gratipay $1 Hijacking user session by forcing the use of invalid HTTPs Certificate on
Uber - Cross-site Scripting (XSS) autocomplete generation in
HackerOne $1,500 External programs revealing info
HackerOne $500 Websites opened from reports can change url of report page
Shopify $500 Bypassed password authentication before enabling OTP verification
New Relic - Stored XSS through Angular Expression Sandbox Escape
HackerOne - External links should use rel="noopener" or use the redirect service
HackerOne $500 Disclosure of private programs that have an "external" page on HackerOne
Vimeo - Missing rate limit on private videos password
Shopify $500 Stored XSS via "Free Shipping" option (Discounts)
Imgur $100 XSS via React element spoofing
HackerOne $500 CSV Injection via the CSV export feature
Veris - Captcha Bypass enable login bruteforce
Zomato - Authentication Bypassing and Sensitive Information Disclosure on Verify Email Address in Registration Flow
Veris - Wordpress Pingback DDoS Attacks in domain:
Trello $768 Using WebSocket I can always access organization data even if I am removed
Veris - Stored XSS in Access Rules
Veris - Complete Profile URL is not Random and not expiring
Gratipay - csrf_token cookie don't have the flag "HttpOnly"
Gratipay $1 auto-logout after 20 minutes
Gratipay $1 Cookie Does Not Contain The "secure" Attribute
Gratipay - Vulnerable to clickjacking
Veris - Not Using Secure Flag Option on Cookies Could Lead to a Man in the Middle Session Highjacking
HackerOne - Sending emails (via HackerOne) impersonating other users
Gratipay $1 suppress version in Server header on or
Veris - Complete or Edit Another User's Profile
Veris - Insecure Direct 'org-visitor-log' References
Veris - Insecure Direct 'org-invite-log' References
Dropbox - Possible SQL injection can cause denial of service attack
New Relic - Synthetics Xss
Informatica - [] Open Redirect
HackerOne $500 SECURITY: Referencing previous Reports attachment_IDs on new Reports via Draft_Sync DELETES Attachments
HackerOne - Unauthorized Team members viewing
Veris - Security Vulnerability - SMTP protection not used
New Relic - Host Header Injection / Cache Poisoning
Veris - Insecure Direct Member Disclosure
Veris - User enumeration via error message
New Relic - Normal user can set "Job title" of other users by Direct Object Reference
HackerOne $500 Mediation link can be accepted by other users
Veris - Creating multiple user with the same link which is sent to email after registeration
LocalTapiola $500 CSRF allows attacker to delete item from customer's "Postilaatikko"
HackerOne - Possible XSS
Veris - Server and PHP version Disclosed in Response Header
New Relic - All the active session should destroy when user change his password
New Relic - Open redirection on login
HackerOne - Email Address Leak
New Relic - no email confirmation on signup
New Relic - vulnerable to clickjacking !
Shopify $500 XSS on
New Relic - Emails and alert policies can be altered by malicious users.
Mail.Ru - Reflected XSS на
New Relic - Vulnerable Link Leaks the User Names
New Relic - file is world readable
HackerOne $1,000 Edit Auto Response Messages
Zomato - Persistent XSS on Reservation / Booking Page
Mail.Ru $200
Xero - Default.aspx exposing full path and other info on
Shopify $500 Stored XSS in
Uber - Active Email Hyperlink Sent on
New Relic - Server Side Browsing - localhost open port enumeration
Imgur $5,000 Local file read in image editor
Mapbox $200 Mapbox API Access Token with No Scope Can Read Styles
Ubiquiti Networks $1,300 Shell Injection via Web Management Console (dl-fw.cgi)
Vimeo $100 Private, embeddable videos leaks data through Facebook & Open Graph
Xero - Additonal stored XSS in Add note/Expected payment Date
PHP $1,000 Buffer overflow in HTTP url parsing functions
Badoo $850 Account Takeover
Xero - Vulnerability : XSS Vulnerability
LocalTapiola $400 CRLF injection in
Badoo $427 Broken Authentication on Badoo
Bime $150 Subdomain takeover due to unclaimed Amazon S3 bucket on
ownCloud - has missing PHP handler
Veris - Multiple Stored XSS on through Veris Frontdesk Android App
General Motors - Reflected Cross Site Script in
Veris - Multiple Stored XSS
Veris - Critical IDOR - Make Rule for Any Group & Any Venue remotely
Veris - Critical IDOR - Get Rules of any organization remotely
Veris - Critical IDOR - Can select any Parent while creating new Venue
Veris - Critical IDOR - Get venue data of any organization remotely
Veris - Critical IDOR - Get Authentication Details of any Terminal/Gatekeeper
Veris - Critical IDOR - Set anyone's Terminal Data remotely
Veris - Critical IDOR - Get anyone's Terminal Data remotely
Veris - Critical IDOR - Delete any terminal/gatekeeper of any organization remotely
Veris - Missing Server Side Validation of CSRF Middleware Token in Change Password Request
Veris - Critical IDOR - Delete any rule of any organization remotely
Veris - Critical IDOR - Delete any venue of any organization remotely
Veris - Critical IDOR - Delete any group of any organization remotely
Veris - Critical - Insecure Direct Object Reference - Deleting any member of any organization remotely
Gratipay $1 don't serve hidden files from Nginx
OpenSSL - b2i_PVK_bio heap corruption
Pornhub $250 Public Facing Barracuda Login
OpenSSL $500 BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797)
Pornhub $2,500 Unprotected Memcache Installation running
Pornhub $50 HTTP Track/Trace Method Enabled
LeaseWeb - Found clickjacking vulnerability
ownCloud - DROWN Attack
Badoo - Password modification without knowing actual password & httpOnly bypass
LeaseWeb - Server version is disclosure in
Coinbase - An adversary can overwhelm the resources by automating Forgot password/Sign Up requests
Veris - Password(s) can be found via login process.
Veris - DOM based XSS
HackerOne - Race Conditions Exist When Accepting Invitations
Ubiquiti Networks $1,500 Read-Only user can execute arbitraty shell commands on AirOS
Udemy $150 Session Takeover vulnerability
Shopify $500 xss in the all widgets of
Uber $500 Open Redirection on
HackerOne $500 User with Read-Only permissions can edit the Internal comment Activities on Bug Reports After Revoke the team access permissions
Twitter $280 Sub-Domain Takeover
InVision $500 CRITICAL Stored XSS in
New Relic - CSRF - Regenerate all admin api keys
Coinbase $500 Misconfiguration in 2 factor allows sensitive data expose
Cakebet - Sender policy framework (SPF) records evaluation return (Too many DNS lookups) error
Twitter $2,520 Tweet Deck XSS- Persistent- Group DM name
HackerOne $500 Distinguish EP+Private vs Private programs in HackerOne
Veris - Stored XSS
Veris - Password reset link is not Expiring
Algolia $1,000 API Key added for one Indices works for all other indices too.
OpenSSL $500 CVE-2016-0799 memory issues in BIO_*printf functions
ThisData - Login CSRF using Google OAuth
HackerOne - User with Read-Only permissions can edit the SwagAwarded Activities on Bug Reports
HackerOne $500 User with Read-Only permissions can manually public disclosure the report
Shopify $500 File name and folder enumeration.
HackerOne - Abusing HOF rankings in limited circumstances
HackerOne - Denial of Service any Report
HackerOne $500 CSV Injection at the CSV export feature
KIWI.KI GmbH - Subdomain takeover : URGENT
Mail.Ru - Утечка информации через JSONP (XXSI)
Shopify - Injection via CSV Export feature in Admin Orders $100 Дорк
LeaseWeb - Apache version disclosed on
LeaseWeb - Directory Listening
Zendesk $50 Stored XSS via Angular Expression injection on
Gratipay $1 strengthen Diffie-Hellman (DH) key exchange parameters in
Shopify $500 XSS in Draft Orders in Timeline i SHOPIFY Admin Site!
LeaseWeb - PHP and Web Server version disclosed on
Gratipay $1 stop serving over HTTP
Gratipay $10 DMARC is misconfigured for
Uber $3,000 Reflected XSS on careers
Mail.Ru - Stored XSS на
Gratipay $2 SPF/DKIM/DMARC for
Mail.Ru $250 SSRF на
Gratipay $2 SPF/DKIM/DMARC for
Gratipay $1 limit HTTP methods on other domains
Gratipay $10 Email Forgery through Mandrillapp SPF
Uber $250 Multiple Vulnerabilities (Including SQLi) in
Informatica - [] Blind SQL Injection
Uber $3,000 XSS @
Gratipay $10 No Valid SPF Records.
HackerOne $500 Increase number of bugs by sending duplicate of your own valid report
Zopim $100 Chat History CSV Export Excel Injection Vulnerability
Paragon Initiative Enterprises - Spf
Legal Robot $20 SSL Issue on
HackerOne $500 Private Program Disclosure in /:handle/settings/allow_report_submission.json endpoint
Gratipay - UDP port 5060 (SIP) Open $200
Algolia - PHP version disclosed on
Gratipay - server calendar and server status available to public
Gratipay - proxy port 7000 and shell port 514 not filtered
Legal Robot $20 SPF Issue
Legal Robot $120 Remote Code Execution (upload)
Mail.Ru $600 VERY DANGEROUS XSS STORED inside emails
Mail.Ru $150 [] SQL Injection
Ubiquiti Networks $1,000 Auth bypass on
General Motors - E-mail Spoof in
Slack $100 an xss issue in
General Motors - Content Spoof in
Gratipay $1 The POODLE attack (SSLv3 supported) for
Gratipay - nginx SPDY heap buffer overflow for
New Relic - open redirection at login
WePay $150 2-step Verification bypass
Python $1,000 Type confusion in partial.setstate, partial_repr, partial_call leads to memory corruption, reliable control flow hijack
ownCloud - Persistent XSS In Account Profile
New Relic - Potential Subdomain Takeover -
Sucuri $500 Manipulating of (List Subscription) Emails (HTML/Script Injection)
HackerOne - Null byte injection
Paragon Initiative Enterprises - file full path discloser.
HackerOne $500 Private Program Disclosure in /:handle/reports/draft.json endpoint
HackerOne $5,000 Private program activity timeline information disclosure
Shopify $500 XSS on
Imgur $1,000 SSRF / Local file enumeration / DoS due to improper handling of certain file formats by ffmpeg
New Relic - [] Access to private directories
New Relic - [] XSS via return_to
Imgur $800 SSRF and local file read in video to gif converter
Legal Robot $20 Rate limiting on Email confirmation link
Legal Robot - Rate limiting on password reset links
Imgur $2,000 SSRF in
Zomato - Two XSS vulns in widget parameters (all_collections.php and o2.php)
Paragon Initiative Enterprises - Email Spoof
Urban Dictionary - Cross-Site Scripting Vulnerability in
Zomato - XSS via modified Zomato widget (res_search_widget.php)
Paragon Initiative Enterprises - Missing SPF for
Paragon Initiative Enterprises $50 Full Path Disclosure
Paragon Initiative Enterprises - CSRF AT SUBSCRIBE TO LIST
Paragon Initiative Enterprises - Missing SPF for
Paragon Initiative Enterprises - Blind SQL INJ
Paragon Initiative Enterprises - Missing SPF
Mail.Ru $300 [] SQL Injection
Gratipay $10 prevent content spoofing on /search
Gratipay $5 SPF DNS Record
Paragon Initiative Enterprises - SSL certificate public key less than 2048 bit
Paragon Initiative Enterprises - Missing SPF records for
Zomato - XSS and CSRF in Zomato Contact form
Paragon Initiative Enterprises - DNSsec not configured
Paragon Initiative Enterprises - Email Authentication bypass Vulnerability
Paragon Initiative Enterprises - Email spoofing
Keybase $50 Content spoofing due to the improper behavior of the not-found meesage
Paragon Initiative Enterprises - Information Disclosure in Error Page
Paragon Initiative Enterprises - Missing SPF for
Uber - Unauthorized file (invoice) download
HackerOne $500 Putting link inside link in markdown
Zomato - Weak Password Policy
Keybase $350 Race conditions can be used to bypass invitation limit
Zomato - Persistent input validation mail encoding vulnerability in the "just followed you" email notification.
New Relic - Basic Authorization over HTTP
New Relic - Html injection in monitor name textbox
New Relic - Unsafe HTML in reset password email and Account verification in email is missing in Sign up
New Relic - No validation on account names
Keybase $250 Remote Server Restart Lead to Denial of Service by only one Request.
Zomato - Several XSS affecting and
Mapbox $200 Content Spoofing and Local Redirect in Mapbox Studio $2,500 Внедрение внешних сущностей в функционале импорта пользователей YouTrack
Shopify $500 CSRF on
Zomato - Remote File Upload Vulnerability in
Mail.Ru - [] CRLF Injection
Twitter $2,520 Bypassing Digits web authentication's host validation with HPP
Zomato - Cross Site Scripting - type Patameter
Snapchat $1,000 Subdomain takeover in pointing to Zendesk (a Snapchat acquisition)
Zomato - Twitter Disconnect CSRF
Keybase $250 Remote Server Restart Lead to Denial of Server by only one Request.
Ruby on Rails - Remote code execution using render :inline
Zomato - Subdomain Takeover
Ruby on Rails - Regarding [CVE-2016-0752] Possible Information Leak Vulnerability in Action View
Paragon Initiative Enterprises - Cross-domain AJAX request
OpenSSL $2,500 OpenSSL Key Recovery Attack on DH small subgroups (CVE-2016-0701)
ownCloud - No Any Kind of Protection on Delete account
Paragon Initiative Enterprises $50 Open-redirect on
HackerOne $500 Multiple issues with Markdown and URL parsing
withinsecurity $250 WordPress Failure Notice page will generate arbitrary hyperlinks
HackerOne $500 Unintended HTML inclusion as a result of
Gratipay - is vulnerable to http-vuln-cve2011-3192
Mail.Ru $300 [] SQL Injection
Coinbase $1,000 Session Issue Maybe Can lead to huge loss [CRITICAL] $250 Full takeover of some sub domains
ownCloud - Text Injection
Bime $100 The JDBC driver used by the Vertica connector allows to create files on the backends
Bime $1,000 SSRF in the Connector Designer (REST and Elastic Search)
Bime $750 XXE in the Connector Designer
Udemy - Stored XSS
General Motors - XSS on
General Motors - Full Path Disclosure on
HackerOne $500 Interstitial redirect bypass / open redirect in
Mail.Ru $150 [] SSRF / XSPA
Zendesk $100 [CRITICAL] HTML injection issue leading to account take over
HackerOne - Report title and issue information prepopulated
withinsecurity $250 Error Page Text Injection #106350
Khan Academy - XSS vulnerability in "/coach/roster/" ( create your first class)
Imgur $50 Big Bug in SSL : breach compression attack (CVE-2013-3587) affect
HackerOne - attack in not an authorized user
Shopify $500 Full access to Amazon S3 bucket containing AWS CloudTrail logs
Automattic $75 XSS at
Shopify $500 XSS via third-party script
Trello $1,152 DOM based XSS via Wistia embedding $100 Checking whether user liked the media or not even when you are blocked
Vimeo $100 Legacy API exposes private video titles
Automattic $75 XSS at
Pornhub $1,500 [ssrf] libav vulnerable during conversion of uploaded videos
ownCloud - The csrf token remains same after user logs in
Shopify $500 Attach Pinterest account - no State/CSRF parameter in Oauth Call back
Shopify $500 Twitter Disconnect CSRF
HackerOne $500 CSV Injection via the CSV export feature - XSS
withinsecurity $250 Content Spoofing OR Text Injection in
Gratipay $15 Sub Domian Take over
Automattic $250 Internal GET SSRF via CSRF with Press This scan feature
ownCloud $250 Information Exposure Through Directory Listing CVE-2016-1499
HackerOne $500 HTML injection can lead to data theft
Perl $1,000 Perl 5.22 VDir::MapPathA/W Out-of-bounds Reads and Buffer Over-reads
Phabricator $300 Extended policy checks are buggy
Udemy $25 CSRF in - HTML injection via 'underlying' parameter
Coinbase $200 Direct URL access to completed reports
Coinbase - The 'Create a New Account' action is vulnerable to CSRF
Ubiquiti Networks $500 Subdomain Takeover in
HackerOne $500 User with Read-Only permissions can request/approve public disclosure
General Motors - refelected Xss on
HackerOne - Requesting unknown file type returns Ruby object w/ address
General Motors - SQLi via forgot_password.jsp
Mail.Ru - Multiple vulnerabilities in subdomains
General Motors - XSS in GM
Mail.Ru $150 [] SQL Injection
PHP $1,000 Use After Free in sortWithSortKeys()
Gratipay $5 HTTP trace method is enabled
HackerOne - Signals get affected once reports closed as self
Ruby on Rails - Validation bypass for Active Record and Active Model
ownCloud - Mixed Active Scripting Issue on
ownCloud - Reflected Cross-Site Scripting
Twitter $2,520 Bypassing callback_url validation on Digits
ownCloud $350 Exploiting unauthenticated encryption mode $500 API: Bug in method auth.signup , дающий возможность бесконечно звонить
ownCloud - [] Guessable password used for admin user
Mail.Ru $150 [] Time Based SQL Injection
Mail.Ru - XSS at forum :
Mail.Ru $500 reflected in xss
HackerOne $500 Team Member(s) associated with a Group have Read-only permission (Post internal comments) can post comment to all the participants
WePay $100 Unauthenticated Stored XSS in API Panel
Automattic $50 Possible Timing Side-Channel in XMLRPC Verification
GlassWire $100 GlassWireSetup.exe subject to EXE planting attack
Imgur $150 XSS in imgur mobile 3
Imgur $150 XSS in imgur mobile
Shopify $500 Stored XSS in /admin/orders
Informatica - [] - XXE via SAML $100 Добавление в меню сообщества без ведома пользователя (нажатия пользователем)
Informatica - [] - XXE
Informatica - [] - XXE
Zendesk $500 Stored XSS in comments
Informatica - [] Reflective XSS
Shopify $500 Strored Cross Site Scripting
PHP $1,000 Format string vulnerability in zend_throw_or_error()
Shopify $500 HTTP-Response-Splitting on
CloudFlare - Clickjacking :
Coinbase $100 Race condition allowing user to review app multiple times
withinsecurity $250 text injection can be used in phishing 404 page should not include attacker text
Algolia $100 text injection can be used in phishing 404 page should not include attacker text
Coinbase - Potential for Double Spend via Sign Message Utility
HackerOne $500 Improve signals in reputation
Shopify $500 Reflective XSS on
HackerOne $500 Team Member(s) associated with a Custom Group Created with 'Program Managment' only permissions can Comments on Bug Reports
ownCloud - Parameter pollution in social sharing buttons
Shopify $500 "Remember me" token generated when "Remember me" box unchecked
ownCloud - XXE at host
GlassWire $100 DLL Hijacking Vulnerability in GlassWireSetup.exe
HackerOne $500 Parameter pollution in social sharing buttons
HackerOne $500 Know whether private program for company exist or not
LeaseWeb $100 DOM Based XSS in Checkout
Shopify $500 many xss in
Phabricator - libphutil: removing bytes from a PhutilRope does not work as intended
Pornhub $50 [crossdomain.xml] Dangerous Flash Cross-Domain Policy
Pornhub $250 PornIQ Reflected Cross-Site Scripting
Imgur $150 risk of having secure=false in a crossdomain.xml
Informatica - [] - XXE
Instacart $100 Cookie-Based Injection
Shopify - [] Cookie bomb at customer chats
Square Open Source $2,000 Unsafe usage of Ruby string interpolation enabling command injection in git-fastclone
ownCloud - directory listing in
Shopify $500 CSRF in Connecting Pinterest Account
Instacart $100 Cross-Site Scripting Reflected On Main Domain
Zopim $100 [] Open Redirect
Coinbase - XXE in OAuth2 Applications gallery profile App logo
Automattic $75 XSS on
Coinbase $200 HTML injection in apps user review
QIWI $200 [] Yui charts.swf XSS
Square Open Source $2,000 git-fastclone allows arbitrary command execution through usage of ext remote URLs in submodules
Shopify $1,000 XSS on sales channels via currency formatting
Slack $1,000 Trick make all fixed open redirect links vulnerable again
Python $500 tokenizer crash when processing undecodable source code
Python $1,000 PyFloat_FromString & PyNumber_Long Buffer Over-reads
PHP - Improved fix for bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow) CVE-2015-4643
PHP $500 Memory Corruption in phar_parse_tarfile when entry filename starts with null CVE-2015-4021
PHP $500 invalid pointer free() in phar_tar_process_metadata() CVE-2015-3307
Python $500 use after free in load_newobj_ex
Python $500 array.fromstring Use After Free
Python $1,000 bytearray.find Buffer Over-read
Python $500 hotshot pack_string Heap Buffer Overflow
Python $500 audioop.adpcm2lin Buffer Over-read
Python $500 audioop.lin2adpcm Buffer Over-read
PHP $500 Files extracted from archive may be placed outside of destination directory CVE-2015-6833
PHP $1,500 Multiple Use After Free Vulnerabilites in unserialize() CVE-2015-6831
PHP $1,000 Arbitrary code execution in str_ireplace function CVE-2015-6527
PHP $1,000 Dangling pointer in the unserialization of ArrayObject items CVE-2015-6832
PHP $500 curl_setopt_array() type confusion
The Internet $1,000 libcurl duphandle read out of bounds CVE-2014-3707
PHP $500 heap buffer overflow in enchant_broker_request_dict() CVE-2014-9705
PHP $500 Integer overflow in unserialize() (32-bits only) CVE-2014-3669
PHP $500 AddressSanitizer reports a global buffer overflow in mkgmtime() function CVE-2014-3668
PHP $1,500 SOAP serialize_function_call() type confusion / RCE CVE-2015-6836
PHP $500 zend_throw_or_error() format string vulnerability
PHP $1,000 Uninitialized pointer in phar_make_dirstream CVE-2015-7804
PHP $1,000 Buffer over-read in exif_read_data with TIFF IFD tag
PHP $500 Null pointer deref (segfault) in spl_autoload via ob_start
PHP $500 null pointer deref (segfault) in zend_eval_const_expr
PHP $500 Mem out-of-bounds write (segfault) in ZEND_ASSIGN_DIV_SPEC_CV_UNUSED_HANDLER
Python $1,000 Python deque.index() uninitialized memory
Python $500 Python scan_eol() Buffer Over-read
Python $500 time_strftime() Buffer Over-read
Python $500 Python xmlparse_setattro() Type Confusion
PHP $500 Use after free vulnerability in unserialize() with GMP
PHP $500 Use After Free Vulnerability in session deserializer CVE-2015-6835
PHP $1,000 Use After Free Vulnerability in unserialize() CVE-2015-6834
PHP $1,000 Use After Free Vulnerability in unserialize() with SplObjectStorage CVE-2015-6834
PHP $1,000 Use After Free Vulnerability in unserialize() with SplDoublyLinkedList CVE-2015-6834
Python $500 Python 3.3 - 3.5 product_setstate() Out-of-bounds Read
Ruby $1,500 Request Hijacking Vulnerability In RubyGems 2.4.6 And Earlier CVE-2015-3900
Python $500 Integer overflow in _Unpickler_Read
Apache httpd $500 mod_lua: Crash in websockets PING handling CVE-2015-0228
PHP $500 Null pointer dereference in phar_get_fp_offset() CVE-2015-7803
Khan Academy - Escaping the iframe via exceptions
HackerOne $2,500 CSRF possible when SOP Bypass/UXSS is available
Shopify $500 Open Redirect at *
CERT/CC - manipulate the Practical HTTP Host header
Urban Dictionary - URGENT - Subdomain Takeover in pointing to Zendesk
Shopify $500 [CSRF] Install premium themes
Imgur - Attack User Privacy Settings - X-Frame-Options missing on
Algolia $100 Stored XSS in name selection $500 Обход защиты от csrf-ок в
withinsecurity $250 content injection $500 Same-Origin Policy Bypass #2 $500 Same-Origin Policy bypass on main domain -
Zendesk $500 [CRITICAL] CSRF leading to account take over
Sucuri $250 XSS Vuln in Sucuri Security - Auditing, Malware Scanner $75 Cookie bug
Shopify $500 Open redirect using theme install
Ubiquiti Networks $200 CSRF
Shopify $500 XSS in creating tweets
Automattic $75 Remove anyone's pic gravtar
Pornhub $250 Reflected Cross-Site Scripting on French subdomain
Twitter $140 Subdomain Expired
Uber $500 Drivers can change profile picture
Shopify - Cookie securing your "Opening soon" store is not secured against XSS
Shopify $500 An administrator without any permission is able to get order notifications using his APNS Token.
Twitter $560 xss in link items (
Yelp $1,500 Access to internal CMS containing private Data
Imgur $5,500 Imgur dev environments facing the Internet
Twitter $560 URGENT : Account Take Over Vulnerability
Coinbase $5,000 Stored-XSS in
Twitter $560 Add tweet to collection CSRF
Shopify - CSV Excel Macro Injection Vulnerability in export list of current users -
Slack - Executing scripts on using SVG
Pornhub $250 Cross Site Scripting - On Mouse Over, Blog page
Pornhub $250 [xss,] /user/[username], multiple parameters
HackerOne $1,000 Pre-generation of 2FA secret/backup codes seems like an unnecessary risk
Mail.Ru - [] XSS в функционале авторизации
Coinbase $500 Transactions visible on Unconfirmed devices
Algolia $200 User with limited access to Index configuration can rename the Index
drchrono $100 Request Accepts without X-CSRFToken [ Header - Cookie ]
HackerOne $500 Limited CSRF bypass.
HackerOne - profile cover can also load external URL's
drchrono $100 CSRF Add Album On
Uber $1,000 Mass Assignment Vulnerability in
Shopify $500 deleted staff member can add his amazon marketplace web services account to the store.
Algolia $100 an xss issue
Shopify $500 [CSRF] Activate PayPal Express Checkout
QIWI $3,137 XML External Entity (XXE) in + waf bypass
Mapbox $1,000 XSS in L.mapbox.shareControl in mapbox.js
Slack $100 RC4 cipher suites detected on
Shopify $1,000 S3 Buckets open to the world thanks to 'Authenticated Users' ACL
ownCloud - RCE in /
Shopify $500 Apps can access 'channels' beta api $50 Email Verification Link can be Used as Password Reset Link!
Twitter $280 Urgent : Disclosure of all the apps with hash ID in mopub through API request (Authentication bypass)
QIWI $200 XSS Reflected in
Shopify $1,500 'Limited' RCE in certain places where Liquid is accepted $300 login to any user's cashier account and full account information disclosure
Shopify - Non-owner user can remove online store channel and re-add it.
itBit Exchange $100 No password length restriction denial of service
Algolia $100 Stored XSS on*
HackerOne $2,500 Cross-domain AJAX request
Imgur $150 XSS
Slack $100 Reflected Self-XSS in Slack
Twitter $1,120 File Upload XSS in image uploading of App in mopub
Slack $200 File upload XSS (Java applet) on - User Enumeration : Due to rate limiting on registration
Shopify $500 List of devices is accessible regardless of the account limitations
Twitter $280 Following a User After Favoriting Actually Follows Another User (related to #95243)
Shopify $500 SVG parser loads external resources on image upload
Shopify $500 Staff members with no permission can access to the files, uploaded by the administrator
HackerOne - Hackerone impersonation $250 Multiple critical vulnerabilities in Odnoklassniki Android application
HackerOne $1,000 HTTP header injection in allows setting cookies for
HackerOne $2,500 Send AJAX request to external domain
Twitter $1,120 Can see private tweets via keyword searches on tweetdeck
Shopify $500 An administrator without the 'Settings' permission is able to see payment gateways
Shopify $500 A 'Full access' administrator is able to see the shop owners user details
Shopify $500 Staff members with no permission to access domains can access them.
Keybase $50 Un-handled exception leads to Information Disclosure
itBit Exchange - email not required to be unique
Snapchat $1,500 Password Reset - query param overrides postdata
Shopify $500 Missing of csrf protection
Imgur $50 Persistent XSS in and / post statistics
Slack $500 Stored XSS in Slack (weird, trial and error)
withinsecurity - DDOS using xmlrpc.php
withinsecurity - Uses unsafe-inline without nonce
Shopify - Domain takoever - $75 Http Response Splitting - Validate link
itBit Exchange $50 user-agent Content spoofing
Mail.Ru $300 [] Authentication Data
Udemy - Reflected XSS and/or malicious redirection via JWPlayer 6 configuration modification $50 Cross Site Scripting
Shopify $500 Privilege escalation and circumvention of permission to limited access user
Imgur $250 Persistent XSS in image title
Twitter $5,040 IDOR- Activate Mopub on different organizations- steal api token-
Shopify $500 Unauthorized access to any Store Admin's First & Last name
Twitter $280 Following a User Actually Follows Another User
Twitter $280 XSS in the "Poll" Feature on
InVision - X-Frame-Options Header Not Set
Shopify $500 Reflected XSS in cart at
Coinbase - Balance Manipulation - BUG
Shopify $4,000 Paid account can review\download any invoice of any other shop
Whisper $30 Host Header Injection/Redirection
Ruby on Rails - http_basic_authenticate_with is suseptible to timing attacks.
Mail.Ru - Reflective Xss on and
Shopify $500 Some S3 Buckets are world readable (and one is world writeable)
HackerOne - Minimum bounty of a private program is visible for users that were removed from the program
Zopim $1,000 Cross-site Scripting in all Zopim
Shopify $1,500 Arbitrary read on s3://shopify-delivery-app-storage/files
Shopify $2,500 Unauthorized access to all collections, products, pages from other stores
Shopify $500 Bypassing password requirement during deletion of accout
FanFootage - XSS by image file name
Shopify $2,000 Arbitrary write on s3://shopify-delivery-app-storage/files
Shopify $500 Missing authorization check on dashboard overviews
Shopify $500 get users information without full access
Adobe - Reflected XSS via. search
Shopify $1,000 Unauthenticated access to details of hidden products in any shop via title emuneration
Shopify $500 First & Last Name Disclosure of any Shopify Store Admin
Imgur - Csrf near report abuse meme
WePay $100 Subdomain Takeover in pointing to Fastly $100 Способ узнать имя человека и ВУЗ удаленной страницы
Shopify $2,000 unauthorized access to all collections name
Keybase - xss
Coinbase $100 SPF records not found
HackerOne - HackerOne Private Programs users disclosure and de-anonymous-ize
ownCloud - Referer protection Bypassed
Shopify - The POS Firmware is leaking the root Password which can be used for unauthorized access to the device.
HackerOne - Content spoofing on invitations page
Shopify $500 Accessing Payments page and adding payment methods with limited access accounts
Badoo $456 Tokens from services like Facebook can be stolen
Shopify $2,500 unauthorized access to all customers first and last name
Automattic $75 CSV Injection in
Trello $128 CSV Injection
Shopify $500 customers password hash leak!!!!
Uber $100 Issue with Password reset functionality
ownCloud - Self-XSS in mails sent by [email protected]
Trello $256 Normal User can add new users to group
Imgur $1,600 Server Side Request Forgery In Video to GIF Functionality
Imgur $50 Crossdomain.xml settings on too open
Automattic $50 WooCommerce: Support Ticket indirect object reference
Imgur $50 Reflected Flash XSS using swfupload.swf with an epileptic reloading to bypass the button-event
Imgur - Content Sniffing not enabled
Imgur $50 "Sign me out everywhere" does not work for desktop sessions
Imgur - Open Url redirection on login with facebook
ownCloud - WP Super Cache plugin is outdated
IRCCloud $500 Inadequate input validation on API endpoint leading to self denial of service and increased system load.
Shopify - Passwords Returned in Later Responses.
Gratipay - implement a cross-domain policy for Adobe products
Zendesk $50 Content Spoofing
Mail.Ru - [] Server-Status opened for all users
Shopify $1,000 change Login Services settings without owner access
Shopify $1,000 create staff member without owner access
Shopify $500 Privilege escalation vulnerability
ownCloud - No email verification during registration
ownCloud - [] Web Server HTTP Trace/Track Method Support
Ruby on Rails - Nested attributes reject_if proc can be circumvented by providing "_destroy" parameter
Zaption - CSV Excel Macro Injection in Export Response
HackerOne - Minor Bug: Public un-compiled CSS with original sass, versioning, source map, comments, etc.
ownCloud - Apache documentation
Coinbase $100 User email enumuration using Gmail
Zopim $100 CSV Excel Macro Injection Vulnerability in export chat logs
Twitter $280 Tweetdeck (twitter owned app) not revoked
Zendesk $100 CSV Excel Macro Injection Vulnerability in export customer tickets
Zendesk $100 Cross-site Scripting
Slack $100 Self-XSS in posts by formatting text as code
BitHunt - No rate limit or captcha to identify humans
ownCloud - CVE-2015-5477 BIND9 TKEY Vulnerability + Exploit (Denial of Service)
Mail.Ru - Vulnerability :- "XSS vulnerability"
ownCloud - Apache Range Header Denial of Service Attack (Confirmed PoC)
Mail.Ru $500 XSS:,[id]/reply при ответе на специальным образом сформированное письмо
Phabricator $300 Information leakage through Graphviz blocks
ownCloud - Webview Vulnerablity [OwnCloudAndroid Application]
Mail.Ru - [] Internet Explorer XSS
Mail.Ru - [] Open Redirect
ownCloud - gallery_plus: Content Spoofing
Udemy $100 XSS Vulnerability
Vimeo $200 Stored XSS on and
Coinbase $100 OAUTH pemission set as true= lead to authorize malicious application
Gratipay - Mail spaming
ownCloud $25 Full Path Disclosure CVE-2016-1501
Shopify $500 XSS on blog pages via sharing buttons
Twitter $2,520 XSS on OAuth authorize/authenticate endpoint
Keybase $500 [] Open Redirect
Anghami $100 [CRITICAL] Login To Any Account Linked With Google+ With Email Only
Anghami $300 [] Sql Injection
HackerOne - Weak HSTS age in support hackerone site
Phabricator $450 Multiple so called 'type juggling' attacks. Most notably PhabricatorUser::validateCSRFToken() is 'bypassable' in certain cases.
Romit $250 IDOR on remoing Share
ownCloud - Potential XSS
ownCloud - CSRF change privacy settings
ownCloud - Password appears in user name field
ownCloud - Mixed Active Scripting Issue
ownCloud - Edit Question didn't check ACLs
Mail.Ru $150 XSS at
InVision $400 Deleting a Project for which the user is not owner but a normal member
Shopify $500 XSS
ownCloud $25 Full Path Disclosure CVE-2016-1501
Phabricator - Dashboard panel embedded onto itself causes a denial of service
ownCloud - Config
Gratipay - Stored XSS On Statement
Zopim $100 [API ISSUE] agents can Create agents even after they are disabled !
ownCloud - Outdated plugins contains public exploits
ownCloud - Lack of HSTS on
ownCloud - CSRF in
ownCloud - Malicious file upload leads to remote code execution
ownCloud - Account Compromise Through CSRF
ownCloud - Stored XSS in profile page
Gratipay - DKIM records not present, Email Hijacking is possible
ownCloud - HTTP compression is enabled potentially leading to BREACH attack
ownCloud - Information disclosure
ownCloud - * / * Using not strong enough SSL ciphers
ownCloud - Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability
Ruby on Rails - DoS Attack in Controller Lookup Code
InVision $100 Content Spoofing - Signout Warning Page
ownCloud - SSL Session cookie without secure flag set
ownCloud - Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability
ownCloud - Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability
ownCloud - SSL Server Allows Anonymous Authentication Vulnerability (SMTP)
ownCloud - Path Disclosure
ownCloud - SSL Session cookie without secure flag set
ownCloud - Session Cookie in URL can be captured by hackers
Khan Academy - Html injection on khanacademy
Mail.Ru - [] Reflected XSS in debug-mode
ownCloud - PermError SPF Permanent Error: Too many DNS lookups
Mail.Ru - [] Reflected XSS via Cookies
Pornhub $100 [reflected xss,] /blog, any
ownCloud - Multiple reflected XSS by insecure URL generation (IE only)
ownCloud - XSS via referrer
ownCloud - Cross Site Tracing
ownCloud - Content Sniffing not disabled
ownCloud - Allowed an attacker to force a user to change profile details. (XCSRF)
ownCloud - DOM Based XSS
Pornhub $50 Cross Site Scripting – Album Page
Zendesk $500 Stored XSS in comments
Hired $420 Stored XSS in Company Name
Shopify $500 Self XSS in chat.
Automattic $100 XSS in WordPress
Gratipay $1 Possible SQL injection on "Jump to twitter"
Shopify $500 XSS (Digital Downloads App in
Ruby on Rails - [Rails42] We can inject HTML tags when server is using strip_tags method
Ruby on Rails $2,000 Potential XSS on sanitize/Rails::Html::WhiteListSanitizer
InVision $100 Reflective XSS in
Informatica - [] Reflective Xss
HackerOne $500 Internal bounty and swag details disclosed as part of JSON response
HackerOne $500 Private Program and bounty details disclosed as part of JSON search response
Gratipay - Authentication errors in server side validaton of E-MAIL
Urban Dictionary - Reflective Xss Vulnerability
HackerOne $500 Number of invited researchers disclosed as part of JSON search response
Coinbase - Runtime manipulation iOS app breaking the PIN $500 Внедрение произвольного javascript-сценария в функционале просмотра изображений мобильной версии сайта
Gratipay - [] CRLF Injection
QIWI $500 Открытый доступ к корпоративным данным.
Slack $1,000 OSX slack:// protocol handler javascript injection
Flox $25 Content spoofing through Referel header $300 Доступ к чужим групповым беседам. $150 Critical : Access to group videos where videos are restricted for all users(Broken authentication )
Udemy $50 information disclosure
Flox - Email spoofing configuration missing $200 Доступ к чужим приватным фотографиям (3) через обложку видео
Mail.Ru $150 Time-Based Blind SQL Injection Attacks $500 (URGENT!) Покупка OK дешевле, чем он стоит
Mail.Ru $150 Cross site scripting $150 Покупка песни дешевле, чем она стоит. $150 xss in group
Keybase - Sensitive server-side/application information disclosure - Cross site scripting On api Calculator API requests $500 SSRF/XSPA в форме загрузки видео по URL
Shopify $1,000 TCP Source Port Pass Firewall $100 privilege escalation in apache tomcat SessionEample-script
MapLogin - Account creation code bypass
Keybase $100 Full path disclosure at
WordPoints $25 Weak Cryptographic Hash
Mavenlink $25 Open/Unvalidated Redirect Issue
Keybase $250 Content Sniffing not disabled
Romit $250 GA code not verified on the server side allows sending Verification Documents on behalf of another user
Keybase $250 No rate limiting for sensitive actions (like "forgot password") enables user enumeration
Keybase $500 Stealing CSRF Tokens
Keybase $500 SMTP protection not used
Zaption - Cheating at gallery rating
Zaption $25 Open redirect filter bypass
Zaption $25 Using GET method for account login with CSRF token leaking to external sites Via Referer.
Zaption $50 XSS - Gallery Search Listing
Gratipay - Self XSS Protection not used , I can trick users to insert JavaScript
Gratipay - weak ssl cipher suites
Zopim - Security Missconfiguration in Autologin
Zendesk $200 Stored Cross site scripting In
Romit $250 No rate limit which leads to "Users information Disclosure" including verfification documents etc.
Envoy - Stored XSS
Envoy - XSS in "Guest Pre-Registration" page after registration
HackerOne $500 Accessing title of the report of which you are marked as duplicate
QIWI $100 Session Cookie without HttpOnly and secure flag set
Envoy - Stored XSS in /settings/ipad Page
Mapbox $500 Disclosure of map information
DigitalSellz - The product/status method CSRF
DigitalSellz - The email updates issues
DigitalSellz - Own downloading link isn't properly checked in the email template
Romit $250 Potential for financial loss, negative Values for "Buy fee" and "Sell Fee"
Ubiquiti Networks $500 Yet another Buffer Overflow in PHP of the AirMax Products
Ubiquiti Networks $500 Other Buffer Overflow in PHP of the AirMax Products
Udemy $150 Extremely high Course rating values could be set in order to make really high Average rating of the course. Negative values could be set to.
Shopify $3,000 Attention! Remote Code Execution at
Shopify $500 Reflected XSS in chat
Ubiquiti Networks $250 Buffer Overflow in PHP of the AirMax Products
Ubiquiti Networks $18,000 Arbritrary file Upload on AirMax
Python $1,000 Integer overflow in _json_encode_unicode leads to crash
Python $500 Integer overflow in _pickle.c
Python $1,000 Python: imageop Unsafe Arithmetic
PHP $500 PHP yaml_parse/yaml_parse_file/yaml_parse_url Unsafe Deserialization
PHP $1,500 PHP yaml_parse/yaml_parse_file/yaml_parse_url Double Free
PHP $500 str_repeat() sign mismatch based memory corruption
Python $500 Multiple type confusions in unicode error handlers
Python $500 Use after free in get_filter
Python $1,500 Multiple use after free bugs in json encoding
Python $1,500 Multiple use after free bugs in heapq module
Python $1,500 Multiple use after free bugs in element module
Python $500 Tokenizer crash when processing undecodable source code
PHP $500 php_stream_url_wrap_http_ex() type-confusion vulnerability
PHP $500 Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER
PHP $500 Type Confusion Vulnerability in SoapClient
PHP $1,500 Use after free vulnerability in unserialize() with DateInterval
The Internet $3,000 libcurl: URL request injection CVE-2014-8150
OpenSSL $2,500 Malformed ECParameters causes infinite loop CVE-2015-1788
PHP $1,500 Integer overflow in ftp_genlist() resulting in heap overflow CVE-2015-4022
PHP $1,500 ZIP Integer Overflow leads to writing past heap boundary CVE-2015-2331
PHP $1,000 Buffer Over-read in unserialize when parsing Phar CVE-2015-2783
PHP $1,000 Buffer Over flow when parsing tar/zip/phar in phar_set_inode CVE-2015-3329
OpenSSL $500 X509_to_X509_REQ NULL pointer deref CVE-2015-0288
PHP $1,500 Use After Free Vulnerability in unserialize() CVE-2015-2787
PHP $500 out of bounds read crashes php-cgi CVE-2014-9427
Shopify - Body injection in mailto link while commenting shop blog
Shopify - Prevent Shop Admin From Seeing his Installed Apps / Install Persistent Unremovable App
HackerOne $500 CSV Injection with the CVS export feature $300 Уязвимость Создание фотографий без ведома пользователей
Pornhub $5,000 Unauthenticated access to Content Management System -
ThisData - Xss via Dropbox
Shopify $500 XSS at Bulk editing ProductVariants
Pornhub $2,500 Multiple endpoints are vulnerable to XML External Entity injection (XXE)
Pornhub $10,000 Publicly exposed SVN repository,
Hired $250 URGENT - Subdomain Takeover on due to unclaimed domain pointing to
Shopify $500 XSS in Myshopify Admin Site in DISCOUNTS $250 Отвязываем Twitter от любого профиля вк ! + несколько багов по дизайну
Airbnb - authenticity_token is not random across page loads
HackerOne - Redirection Page throwing error instead of redirecting to site
Automattic $100 Verification code issues for Two-Step Authentication $100 Issue in the implementation of captcha and race condition
Shopify $1,000 Bypass access restrictions from API
InVision $150 Enumeration and Guessable Email (OWASP-AT-002)T hrough Login Form
Shopify $500 SSRF via 'Insert Image' feature of Products/Collections/Frontpage
Mail.Ru $160 [] CRLF Injection
Shopify $500 SSRF via 'Add Image from URL' feature $200 Уязвимость получения всех номеров телефонов вк (по совместительству логинов профилей)
Shopify $500 Expire User Sessions in Admin Site does not expire user session in Shopify Application in IOS
Mail.Ru $200 Possible xWork classLoader RCE:
Shopify $500 XSS at Bulk editing products
Shopify $500 XSS at importing Product List
Slack - Link vulnerability leads to phishing attacks
Sandbox Escape $3,000 Microsoft Internet Explorer ActiveX Broker Allows EPM Bypass
Marktplaats - Multiple Apache 2.2.22 Vulnerabilities (XSS/ Code Exec/ DoS)
Marktplaats - Content Spoofing -
Legal Robot $20 - Guessing registered users in
LibSass - type confusion in Sass::ParserState::ParserState(Sass::ParserState const&) CVE-2015-4459
Marktplaats - Secret Password reset key disclosed to third party site via referer in header
Mail.Ru - [] Internet Explorer XSS via Request-URI
Mail.Ru - [] Internet Explorer XSS via Request-URI
Shopify $500 [www.*] CRLF Injection
Legal Robot $20 No valid SPF record
Envoy - [] Open Redirect
HackerOne $500 mailto: link injection on
Mail.Ru $250 [] CRLF Injection $200 Уязвимость в Указание мест на фото + фича + хакинг
Coinbase - Two-factor authentication (via SMS)
HackerOne $500 Invitation is not properly cancelled while inviting to bug reports. $500 XSS at on IE using flash files $400 Уязвимость приватных записей пользователя (личных)
Mail.Ru - XSS
Coinbase $5,000 OAuth authorization page vulnerable to clickjacking
concrete5 - No CSRF protection when creating new community points actions, and related stored XSS
Mail.Ru $150 Activities are not Protected and able to crash app using other app (Can Malware or third parry app). $100 Не достаточная проверка логина скайп - XSS on added name album on videos.
Mapbox $1,000 Stored Cross-Site Scripting in Map Share Page
Legal Robot $20 CSRF
Coinbase $5,000 Big Bug with Vault which i have already reported: Case #606962
Mail.Ru $250 HTML Injection на $500 API: Bug in method auth.validatePhone
Legal Robot $40 Registration bypass using OAuth logical bug
Shopify - Header Misconfiguration - PHP API
MapLogin - Bypass verification of email while creating account(No rate limiting enable for verification code)
Legal Robot $20 Missing security headers, possible clickjacking
MapLogin - Not Completed Accounts Take Over (Urgent bug)
Legal Robot $20 missing SPF for
concrete5 - No csrf protection on index.php/ccm/system/user/add_group, index.php/ccm/system/user/remove_group
Shopify $1,000 Privilege Escalation - A `MEMBER` with no ACCESS to `ORDERS` can still access the orders by using `Order Printer APP`
Romit $50 Cross site scripting
HackerOne $100 Potential denial of service in<program>/reward_settings
HackerOne $500 Logic error with notifications: user that has left team continues to receive notifications and can not 'clean' this area on account
Mavenlink $100 XSS in
HackerOne $500 External URL page bypass
Ruby on Rails - Changeable model ids on vanilla update can lead to severely bad side-effects
Mail.Ru -
Shopify $500 Bulk Discount App in exposes vulnerable to XSS
HackerOne - Email Notification should be get while changing Paypal Email
Udemy $150 Multiple sub domain are vulnerable because of leaking full path
Mail.Ru $150
Mail.Ru $200 Quagga (Router) : Default password and default enable password
Shopify $500 XSS in Admin site in TAX Overrides
Udemy $100 XSS on
jsDelivr - Pretty Photo Dom XSS
Udemy $100 Ability to add pishing links in discusion ," Bypassing uneductional Links add "
concrete5 - Multiple XSS Vulnerabilities in Concrete5
Sandbox Escape $3,000 Internet Explorer Enhanced Protected Mode sandbox escape via a broker vulnerability
Udemy $150 leak receipt of another user
Udemy $100 xss on autoserch
Slack $100 Bypass of the SSRF protection (Slack commands, Phabricator integration)
Mail.Ru $400 торчит Graphite в мир
HackerOne - Logical Issue (Boosting Reputation points)
Mail.Ru $400 stacked blind injection
HackerOne $500 Content Spoofing - External Link Warning Page
Udemy - Misconfigured SPF Record Flag
Mobile Vikings - XSS Vulnerability on all pages
Udemy $150 log poison vulnerability through wordpress debug.log being publically available
Udemy $150 xss profile
concrete5 - Local File Inclusion Vulnerability in Concrete5 version
concrete5 - SQL Injection Vulnerability in Concrete5 version
concrete5 - Sendmail Remote Code Execution Vulnerability in Concrete5 version
concrete5 - Multiple Stored Cross Site Scripting Vulnerabilities in Concrete5 version
concrete5 - Multiple Reflected Cross Site Scripting Vulnerabilities in Concrete5 version
concrete5 - Multiple Cross Site Request Forgery Vulnerabilities in Concrete5 version
HackerOne $500 Reopen Disable Accounts/ Hidden Access After Disable
drchrono $100 Accessing all appointments vulnerability
HackerOne $500 Fake URL + Additional vectors for homograph attack
HackerOne $500 Homograph attack
HackerOne - Homograph Attack
HackerOne $500 Making any Report Failed to load
Dropbox $512 XSS in dropbox main domain
Dropbox $216 Race condition when redeeming coupon codes
Shopify $500 Stored XSS in the Shopify Discussion Forums
Mail.Ru - Flash XSS on
OkCupid - An XSS bug was fixed due to my report, but I didn't submit it through the h1
Shopify $500 SSL cookie without secure flag set
Shopify $500 Content Spoofing
HackerOne $500 Homograph attack
Romit $50 HTML injection in email sent by
Coinbase $100 ByPassing the email Validation Email on Sign up process in mobile apps
HackerOne - Missing spf flags for
Romit $50 Server responds with the server error logs on account creation
Vimeo $500 API: missing invalidation of OAuth2 Authorization Code during access revocation causes authorization bypass
Shopify $500 amazon aws s3 bucket content is public :-
Shopify $500 XSS in
WordPoints - Rank Creation function not validating user inputs.
HackerOne $500 Open-redirect on
Shopify - comment out causes information disclosure
Shopify $4,000 Notification request disclose private information about other myshopify accounts
Dropbox $512 SSRF vulnerablity in app webhooks
Dropbox - XSS in version history of an HTML file in a shared folder
Shopify - Multiple issues on Checkout Process
Whisper $30 Missing DMARC record
Shopify $500 XSS on
Shopify - XSS on
HackerOne $1,000 SPF whitelist of mandrill leads to email forgery
Shopify $500 Invitation issue
Shopify - XSS - URL Redirects
Shopify $500 Payment gateway status transferred to Shopify without authentication
Shopify $1,000 Shop admin can change external login services
Shopify $1,000 IDOR expire other user sessions
Dropbox Acquisitions $216 Get email ID of any user on
Vimeo - May cause account take over (Via invitation page)
Coin.Space - SMTP protection not used
Twitter - Privecy Issue : view "Protected users" followers and following
Shopify $2,000 Shopify android client all API request's response leakage, including access_token, cookie, response header, response body content
Shopify $500 CSRF token fixation in facebook store app that can lead to adding attacker to victim acc
Shopify $1,000 [persistent cross-site scripting] customers can target admins
Coinbase - iframes considered harmful
Shopify $500 Force 500 Internal Server Error on any shop (for one user)
Twitter $280 Ex-admin of an organization can delete team members
Shopify - Lack of SSL Pinning on POS Application ( iOS )
Shopify $500 Open Redirect after login at
Shopify $500 Authentication Failed Mobile version
Shopify $500 Open redirection in OAuth
Twitter - Privacy Issue on protected tweets
drchrono $700 XML Parser Bug: XXE over which leads to RCE
Faceless - Bypass Setup by External Activity Invoke
PHP $3,000 Use after free vulnerability in unserialize()
PHP $2,500 SoapClient's __call() type confusion through unserialize()
PHP $2,500 Use after free vulnerability in unserialize() with DateTimeZone
PHP $2,500 Free called on unitialized pointer in exif.c
OpenSSL $3,000 Segmentation fault for invalid PSS parameters
Python $9,000 Multiple Python integer overflows
Factlink - Frameset Proxy Problem
Shopify $500 Missing spf flags for
Coinbase $1,000 Sandboxed iframes don't show confirmation screen
Mail.Ru $500 stored XSS in agent via sticker (smile)
Snapchat $100 Captcha Bypass in Snapchat's Geofilter Submission Process
Snapchat $100 Vulnerable to JavaScript injection. (WXS) (Javascript injection)!
Slack $100 Logout any user of same team
Mapbox $1,000 Persistent cross-site scripting (XSS) in map attribution
Shopify $500 Xss in website's link
HackerOne - Reflected Filename Download
Twitter $420 Insecure Direct Object Reference - access to other user/group DM's
Twitter $2,800 HTTP Response Splitting (CRLF injection) due to headers overflow
Dropbox Acquisitions $216 XSS in
Twitter $1,400 XSS in
Phabricator $300 SSRF vulnerability (access to metadata server on EC2 and OpenStack)
Coinbase $100 Blacklist bypass on Callback URLs
Vimeo $250 [URGENT ISSUE] Add or Delete the videos in watch later list of any user .
OkCupid - XSS on Send A Message Option
Phabricator $300 XSS with Time-of-Day Format
Vimeo $250 Share your channel to any user on vimeo without following him
Vimeo $250 Invite any user to your group without even following him
Twitter $420 Insecure direct object reference - have access to deleted DM's
itBit Exchange $200 secretKey for OTP , is getting leaked in response of a delete request !
itBit Exchange $200 confirmation bypass of 2FA devices while they are deleting
Ubiquiti Networks $500 UniFi v3.2.10 Cross-Site Request Forgeries / Referer-Check Bypass
HackerOne - "learn more here", reward email - domain expired.
Dropbox Acquisitions - unknow files Upload in profile photo
Vimeo $150 Insecure Direct Object References that allows to read any comment (even if it should be private)
Vimeo $500 Insecure Direct Object References in
Twitter $3,500 HTTP Response Splitting (CRLF injection) in report_story
HackerOne $500 Open redirect in "Language change".
Caviar $500 Remotely modifying courier Account Details
Vimeo $250 Post in private groups after getting removed
Flash $2,000 Flash Cross Domain Policy Bypass by Using File Upload and Redirection - only in Chrome
IRCCloud - Email verification links still valid after changing it 2x
itBit Exchange - ITBit Vulnerable to SSLSTrip
Mail.Ru - XSS in
Mail.Ru - XSS in
Mail.Ru - XSS in
Vimeo $250 A user can enhance their videos with paid tracks without buying the track
Whisper $10 CVE-2014-0224 openssl ccs vulnerability
Whisper $100 Bypass pin(4 digit passcode on your android app)
Vimeo $500 A user can post comments on other user's private videos
Vimeo $250 A user can add videos to other user's private groups
concrete5 - Stored XSS in Image Alt. Text
concrete5 - Stored XSS in Message to Display When No Pages Listed.
concrete5 - Stored XSS in Bio/Quote
Vimeo $250 A user can edit comments even after video comments are disabled
Twitter $560 open redirect sends authenticity_token to any website or (ip address)
Ubiquiti Networks $500 CSRF in login form would led to account takeover
concrete5 - Stored XSS In Company URL
HackerOne - Reflected File Download attack allows attacker to 'upload' executables to domain
concrete5 - Stored XSS in testimonial Company
concrete5 - Stored XSS in Testimonial Position
concrete5 - Stored XSS in Testimonial name
concrete5 - Stored Xss in Feature Paragraph
concrete5 - Stored XSS in Feature tile
concrete5 - Stored XSS in title of date navigation
concrete5 - Stored XSS in Title of the topic List
concrete5 - Stored XSS in Contact Form
concrete5 - Stored XSS on Search Title
concrete5 - Stored XSS on Title of Page List in edit page list
concrete5 - Stored XSS on Blog's page Tile
Phabricator - Server Side Request Forgery in macro creation
concrete5 - Self Xss on File Replace
Adobe - Adobe XSS
Adobe - Open redirect and reflected xss in[payload her]
Adobe - stored XSS via send file
The Internet $7,500 FREAK: Factoring RSA_EXPORT Keys to Impersonate TLS Servers
Adobe - Reflected Cross Site Scripting - 'puser' Parameter in login page
Twitter $1,400 XSS in original referrer after follow
Square - Invitation threshold
Romit $50 The csrf token remains same after user logs in
Ruby on Rails $1,000 rails-ujs will send CSRF tokens to other origins
Twitter $560 Twitter Ads Campaign information disclosure through admin without any authentication.
Twitter $1,400 Open Redirect leak of authenticity_token lead to full account take over.
Vimeo - URGENT - Subdomain Takeover on due to unclaimed domain pointing to
HackerOne $5,000 Improperly validated fields allows injection of arbitrary HTML via spoofed React objects
HackerOne - Auto Approval of Invitation to join Team as a Team member
Vimeo $250 Vimeo + & Vimeo PRO Unautorised Tax bypass
Airbnb - SSL Issues
Airbnb - Vulnerability type xss uncovered in
Airbnb - Generating Unlimited Free Travel Gift Invites | IDOR
Twitter - Cross site Port Scanning bug in twitter developers console
Mail.Ru $300 RCE через JDWP
Dropbox - Create N Accounts In Dropbox Irrespective Of Domain
HackerOne - Substantially weakened authenticity verification when using 'Remember me for a week'
Airbnb - I Can Delete Any Airbnb Users Symbol!
Vimeo - Bypassing Email verification
Mail.Ru $150 Heartbleed
Mail.Ru $150 HDFS NameNode Public disclosure:
Todoist $25 Remotely removing credit cards from business accounts!
Todoist $25 Taking over a Business Account Admin
Twitter $1,400 Redirect URL in /intent/ functionality is not properly escaped
HackerOne $500 Team member invitations to sandboxed teams are not invalidated consistently (v2)
HackerOne - Restrict any user from logging into his account.
The Internet $5,000 Bad Write in TTF font parsing (win32k.sys)
Coinbase $100 open authentication bug
Slack $200 Team admin can add billing contacts
Dropbox Acquisitions $729 Privilege Escalation at invite feature
Twitter $140 Reporting user's profile by using another people's ID
Mail.Ru - Full Path Disclosure
The Internet $3,000 Heap overflow in H. Spencer’s regex library on 32 bit systems
Romit $50 Email Enumeration (POC)
QIWI $200 [] XSS + Misconfiguration
Mail.Ru $600 Same Origin Policy bypass
HackerOne $2,000 CSP Bypass: Click handler for links with data-method="post" can cause authenticity_token to be sent off domain
Mobile Vikings - Approve topup method by sender of this method
Mobile Vikings - Enum phone numbers thru /en/sims/topup/add/
Mobile Vikings - Username and sim id enum
Mobile Vikings - CSRF token from another valid user session accepted
Mobile Vikings - Stored xss in user name (2) affected another user.
Mobile Vikings - Stored xss in user name
Mobile Vikings - Reflected xss in user name thru cookie
Mail.Ru - XSS Vulnerability in
Ruby on Rails - JSON keys are not properly escaped
Informatica - XSS in Search Communities Function
Flash $7,500 Use After Free in Flash MessageChannel.send can cause arbitrary code execution
Flash $10,000 Use after free during the StageVideoAvailabilityEvent can result in arbitrary code execution
Flash $10,000 Race condition in workers may cause an exploitable double free by abusing bytearray.compress()
InVision $200 Javascript Injection
itBit Exchange $50 Leakage of sensitive wallet tokens to third party sites
Flash $2,000 Adobe Flash Player Out-of-Bound Access Vulnerability
Vimeo $250 Red October
HackerOne - Markdown code block sequence makes report unreadable
HackerOne $5,000 Markdown parsing issue enables insertion of malicious tags and event handlers
Twitter $560 Twitter Card - Parent Window Redirection
Slack $100 Team admin can change unauthorized team setting (allow_message_deletion)
Slack $200 Team admin can change unauthorized team setting (require_at_for_mention)
Romit - CSRF token leakage
Romit $50 Frictionless Transferring of Wallet Ownership
Square - Redirecting a victim elsewhere through shopseen 0auth
Twitter $1,260 Problem with OAuth
HackerOne $500 Team member invitations to sandboxed teams are not invalidated consistently
HackerOne $500 Insecure Direct Object Reference vulnerability
Nearby Live - Group Invite not properly authenticated
HackerOne - In markdown, parsing things like @danlec and #46072 after links is unsafe
Vimeo - Can message users without the proper authorization
Vimeo - Brute force on "vimeo" cookie
HackerOne $5,000 Vulnerability with the way \ escaped characters in <> style links are rendered
Ruby on Rails - Explicit, dynamic render path: Dir. Trav + RCE
Vimeo $250 CRITICAL vulnerability - Insecure Direct Object Reference - Unauthorized access to `Videos` of Channel whose privacy is set to `Private`.
Zaption - [] Open Redirect
Trello $128 [] CRLF Injection
Trello $64 [] Open Redirect
Vimeo $100 XSS on Vimeo
Vimeo - CSRF bypass
Vimeo $100 ftp upload of video allows naming that is not sanitized as the manual naming
Mobile Vikings - Number, username and name disclosure
Mobile Vikings - Stored XSS in Direct debit name
Vimeo - Full account takeover via Add a New Email to account without email verified and without password confirmation.
Informatica - [] - CSRF in Private Messages allows to move user's messages to Trash
Square - HTTP Header revealing server information.
itBit Exchange $50 weird bug ! ( missing validation on new email verfication )
HackerOne $500 Improper way of validating a program
itBit Exchange $200 Unsecure data in "device" response - OTP
Vimeo $100 Vimeo Search - XSS Vulnerability []
Dropbox - Unvalidated Redirects and Stored XSS
Twitter $140 Insecure Data Storage in Vine Android App
Mobile Vikings - Insecure crossdomain.xml
itBit Exchange $50 Email Length Verification
itBit Exchange $500 Notification Emails: IP + Content-Spoofing
Ruby on Rails $500 RCE due to Web Console IP Whitelist bypass in Rails 4.0 and 4.1
Vimeo $1,000 XSS on any site that includes the moogaloop flash player | deprecated embed code
Twitter $140 Flaw in login with twitter to steal Oauth tokens
Vimeo - unvalid open authentication with facebook
Twitter - Path disclosure in
HackerOne - Add text to the title of the page "Thanks"
Mail.Ru -
Mail.Ru $150 Heartbleed: ( port 1433
Vimeo - Application XSS filter function Bypass may allow Multiple stored XSS
Vimeo - Poodle bleed vulnerability in cloud sub domain
Vimeo - Open Redirection Security Filter bypassed
Vimeo $1,000 Make API calls on behalf of another user (CSRF protection bypass)
Mail.Ru $150 Hadoop Node available to public
Vimeo $100 CRITICAL full source code/config disclosure for Cameo
Vimeo - Serious Vulnerability Found
Twitter $420 twitter android app Fragment Injection
Vimeo $1,000 abusing Thumbnails( to see a private video
Vimeo - No Limitation on Following allows user to follow people automatically!
Vimeo - Securing "Reset password" pages from bots
Vimeo $250 Ability to Download Music Tracks Without Paying (Missing permission check on`/musicstore/download`)
Vimeo - profile photo update bypass
Mail.Ru $100 Раскрытие номера мобильного телефона при двухфакторной аутентификации
Mail.Ru - XSS
Vimeo $100 - Reflected XSS Vulnerability
Vimeo $1,000 Adding profile picture to anyone on Vimeo
Vimeo $260 Buying ondemand videos that 0.1 and sometimes for free
Python $1,000 PyUnicode_FromFormatV crasher
Ruby on Rails $1,000 Arbitrary file existence disclosure in Action Pack CVE-2014-7829
OkCupid - Stored XSS in popup messages window
HackerOne - HTTPS is not enforced for objects stored by HackerOne on Amazon S3
Dropbox - WP User Enumeration is possible at
Vimeo - Misconfigured crossdomain.xml -
Twitter $1,120 - an app admin can delete team members from other user apps
Twitter $1,400 - app member can make himself an admin
Ruby on Rails - Denial of Service in Action Pack Exception Handling
Nearby Live - Web Server information disclosure.
Ruby on Rails - Data-Tags and the New HTML Sanitizer Subverts CSRF protection
Vimeo $100 APIs for channels allow HTML entities that may cause XSS issue
Vimeo $5,000 Insecure Direct Object References Reset Password
Vimeo $100 - reflected xss vulnerability
Vimeo $100 - Reflected XSS Vulnerability
Twitter - Account Deleted without any confirmation
Uber $500 XSS on
Twitter - No rate limiting on creating lists
concrete5 - Stored XSS in adding fileset
Flash $1,000 chrome allows POST requests with custom headers using flash + 307 redirect
Twitter $420 URGENT - Subdomain Takeover on , the same issue of report #32825
Romit $250 stored xss in transaction
Nearby Live - Gain access to any user's email address
Mail.Ru - /surveys/2auth: DOM-based XSS
Mail.Ru - GET /surveys/2auth: XSS
Twitter $1,400 HTML/XSS rendered in Android App of Crashlytics through
Romit $250 Stored XSS in api key of operator wallet
Romit $100 Error stack trace
Twitter $140 POODLE Bug:,,
HackerOne - Reflected File Download
Twitter $280 Open redirection in
Mail.Ru $100 No bruteforce protection leads to enumeration of emails in
Phabricator $500 Phabricator Phame Blog Skins Local File Inclusion
Mail.Ru - [] XSS via Host
Dropbox - [] CRLF Injection
Informatica - Missing SPF for
WePay - Broken Authentication – Session Token bug
C2FO - [] Open Redirect
Vimeo $500 [] CRLF Injection
HackerOne - URL Crashing browser. {Tested on firefox, Chrome and Safari}
Phabricator $300 Phabricator Diffusion application allows unauthorized users to delete mirrors
concrete5 - stored XSS in concrete5
concrete5 - SQL injection in conc/index.php/ccm/system/search/users/submit
Square $500 Delayed, fraudulent transactions possible with encrypted Square Reader devices due to lack of server-side verification of device transaction counter
Mail.Ru $250 [] Memory Disclosure / IE XSS
HackerOne $500 Issue with password change
HackerOne $500 Breaking Bugs as team member
Openfolio $100 xss in /browse/contacts/
Python $6,500 Misc Python bugs (Memory Corruption & Use After Free)
QIWI $150 [] Open Redirect $1,000 Subdomain Takeover using pointing to Hubspot
Eobot - Multiple information disclosure
Twitter - Abuse of "Remember Me" functionality.
OkCupid - Rosetta flash vulnerability in clientstats AJAX script
Sucuri - Form contained inside page loaded over SSL submits its contents to another page over HTTP
Eobot $10 XSS in only)
Sucuri $250 Open Redirect in
InVision $150 CSRF Token in cookies!
Twitter - Homograph attack.
Twitter $1,400 [Stored XSS] - profile page
Twitter - Notifications can mark as read by CSRF
Coinbase $100 New Device Confirmation, token is valid until not used.
QIWI - Metadata in hosted files is disclosing Usernames, Printers, paths, admin guides. emails
ThisData - Missing SPF header on
QIWI $1,000 [] Soap-based XXE vulnerability /soapserver/
Openfolio - Options Method Enabled
QIWI $100 [] /oauth/confirm.action XSS
Flash $2,000 Adobe Flash Player MP4 Use-After-Free Vulnerability
Apache httpd $500 mod_proxy_fcgi buffer overflow CVE-2014-3583
HackerOne $500 Logic Issue with Reputation: Boost Reputation Points
Phabricator - Content injection
QIWI $250 CRLF Injection []
Twitter - Headers Missing
Factlink - File name/folder enumeration.
QIWI - Code for registration of qiwi account is not coming even after a long interval of time for Indian mobile number
QIWI $200 [] XSS at auth?login=
QIWI $200 [] XSS proxy.html
Twitter $140 getting emails of users/removing them from victims account [using typical attack]
HackerOne $500 Gain reputation by creating a duplicate of an existing report
PHP $2,500 Locale::parseLocale Double Free
Ian Dunn - XSS in Tagregator plugin - Bypassed or command injection
Mail.Ru - Нежелательная информация
Eobot - IDOR on
Twitter $280 XSS via Fabrico Account Name
Mail.Ru $500 Ошибка фильтрации - Various Low level Vulnerabilities
Mail.Ru - Flash XSS на $150 SMPT Protection not used, I can hijack your email server.
Twitter $420 Bad extended ascii handling in HTTP 301 redirects of
Twitter - Options Method Enabled
Twitter - Option Method Enabled on web server
HackerOne $500 File Name Enumeration
InVision - Password reset tokens is valid after changing the password by logging in the account
Uzbey - test
Twitter - Flaw in valid password policy.
Uzbey - Test
Uzbey - Test
Twitter $1,400 DOM Cross-Site Scripting ( XSS )
InVision $300 Backup of wordpress configuration file found. Leaking database users/passwords
Slack $500 a stored xss in slack integration
HackerOne - Enumeration/Guess of Private (Invited) Programs
WP API - MD5 used for Key-Auth signatures
Twitter $1,680 URGENT - Subdomain Takeover on due to unclaimed domain pointing to AWS
99designs - Source Code Disclosure (PHP)
Mail.Ru $200 OpenSSL HeartBleed (CVE-2014-0160)
Twitter $280 XSS in
HackerOne - Content Spoofing via reports
The Internet $3,000 Drupal 7 pre auth sql injection and remote code execution
Twitter $140 Singup Page HTML Injection Vulnerability
Mail.Ru - Авторизуюсь от имени любого пользователя
RelateIQ $500 PoodleBleed
Flash $5,000 Adobe Flash Player Out-of-Bound Read/Write Vulnerability
HackerOne $1,000 Ability to see common response titles of other teams (limited)
Localize - files likes of is public
Twitter - Creating Unauthorized Audience Lists
concrete5 - Weak random number generator used in concrete/authentication/concrete/controller.php
WP API $50 Cryptographic Side Channel in OAuth Library - Timing Attack Side-Channel on API Token Verification - Weak Random Number Generator for Auth Tokens
Twitter $420 Unauthorized Tweeting on behalf of Account Owners
Khan Academy - Sql injection And XSS
Twitter $560 Improper Verification of email address while saving Account Settings
RelateIQ $250 Relateiq SSLv3 deprecated protocol vulnerability.
Localize - PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
Bookfresh - Missing Function Level Access Control in /cindex.php/widget/customize/
Flash $2,000 Adobe Flash Player MP4 Use-After-Free Vulnerability
Coinbase $100 New Device confirmation tokens are not properly validated.
99designs - CSRF to connect attacker's twitter account to logged in victims account
concrete5 - Stored XSS in concrete5
Square $250 CSRF on adding a calendar event
Square $500 square google calendar integration CSRF, parameter not checking properly)
Mail.Ru - Выполнение кода PHP через FastCGI
Square $500 CSRF on adding clients
The Internet $20,000 GNU Bourne-Again Shell (Bash) 'Shellshock' Vulnerability
Twitter $280 Profile Pic padding (Length-hiding) fails due to use of GZIP
HackerOne $500 homograph attack. IDNs displayed in unicode in bug reports and on external link warning page
IRCCloud $300 Unvalidated Channel names causes IRC Command Injection
Square $250 Privilege Escalation
WePay $350 Horizontal Privilege Escalation
Twitter $1,120 XSS | video-js metadata
HackerOne $500 No email verification on username change
Twitter $1,120 XSS
Sucuri $250 Usage of HTTP for exporting graph data as images
Square $250 Redirect while opening link in new tabs
Coinbase $100 Credit Card Validation Issue
Twitter - Twitter Flight SSL 2.0 deprecated protocol vulnerability.
HackerOne - "early preview" programs disclosure
HackerOne $500 Redirect FILTER bypass in report/comment
Mail.Ru $500 XSS via message id
Phabricator - Content Spoofing through URL
IRCCloud - Weak password policy
Mavenlink - Email field filtering problem.
Twitter $420 iOS App can establish Facetime calls without user's permission
Ruby on Rails $1,500 Active Record SQL Injection Vulnerability Affecting PostgreSQL CVE-2014-3483
Ruby on Rails $1,500 Active Record SQL Injection Vulnerability Affecting PostgreSQL CVE-2014-3482
PHP $2,500 SPL ArrayObject/SPLObjectStorage Unserialization Type Confusion Vulnerabilities CVE-2014-3515
Twitter $1,400 Cross site scripting on
HackerOne $500 Window Opener Property Bug
Twitter $1,400 Stored xss
Square $2,000 malicious file upload
Flash $1,000 Flash Local Sandbox Bypass CVE-2014-0554
GlassWire - Clickjacking: X-Frame-Options header missing
Phabricator - Content spoofing
Twitter $1,400 xss
Square $400 Reflected XSS in widget script thru cookie
Twitter $2,800 Delete Credit Cards from any Twitter Account in [New Vulnerability]
Square $1,000 Reflected XSS in
Square $750 Editing Client Details of other People
Twitter $140 Missing Rate Limiting on
The Internet $3,000 open redirect in rfc6749
Mail.Ru $1,337 XSS via .eml file
WePay $350 Critical : Account removing using CSRF attack
Square - XSS on bookfresh
Twitter $140 Full path disclosure at
Slack - HTTP Strict Transport Policy not enabled on newly made accounts
Phabricator - Password Policy issue
Square $2,000 CRITICAL Account takeover via AngularJS template injection in
Django $1,000 CSRF protection bypass on any Django powered site via Google Analytics
Square $500 XSS in Client Past Activity
ExpressionEngine - Stored Cross-Site Scripting Vulnerability in /admin.php?/cp/admin_system/general_configuration
HackerOne - Notification of previous signed out user leakage.
Mavenlink - DNS load balancing not enabled
WePay - CSRF (Make email primary) may lead to account compromise
CloudFlare - Apache mod_negotiation filename bruteforcing
Square $250 Open Redirect [FreshBook]
Square $500 XSS [BookFresh]
HackerOne $100 Change Any username and profile link in hackerone - [] CRLF Injection / Insecure nginx configuration
CloudFlare - User can request for password reset link without giving his website, eventhough he have it - SMTP protection not used (please read carefully )
Phabricator $400 Open redirection on
Twitter - HTML form without CSRF protection at - openssh-server Forced Command Handling Information Disclosure Vulnerability on - Reflected XSS -
Mail.Ru - Не уверен, что этому место на периметре:,,,
concrete5 - broken authentication
Twitter - User's DM won't deleted after logout from Twitter for iOS (
Mail.Ru $150 Странное поведение SMS
Secret - Broken Authentication and Session Management
Mail.Ru - Version Disclosure (NginX)
HackerOne $500 Redirect while opening links in new tabs
Phabricator $300 Forgot Password Issue
Square - CSRF login
Square $1,500 Blind SQL injection in
Uzbey - SQL Injection
Uzbey - XSS in 3rd party plugin (not affecting Uzbey's users)
Phabricator - Password Reset Links Not Expiring
Twitter - Broken authentication and invalidated email address leads to account takeover
Automattic - Open Redirect in WordPress Feed Statistics {Affected All Versions}
Slack $200 Content Spoofing all Integrations in
Twitter - Password reset link not validated.
Yahoo! - Blind Sql Injection
IRCCloud - Bruteforce protection not enabled on the login page
Slack $100 Content spoofing at Stripe Integrations
Mavenlink $50 privilege escalation
Mavenlink $200 Flash XSS on swfupload.swf showing at
Mavenlink $50 Clickjacking
HackerOne - Account Hijacking (Only rare case scenario)
Mavenlink $100 Login CSRF
Phabricator - Back - Refresh - Attack To Obtain User Credentials
Coinbase $1,000 Invoice Details activate JS that filled in
The Internet $3,000 rsync hash collisions may allow an attacker to corrupt or modify files
Apache httpd $500 moderate: mod_deflate denial of service CVE-2014-0118
Mail.Ru $150 File upload XSS using Content-Type header
Python $1,500 integer overflow in 'buffer' type allows reading memory
WePay - oauth redirect uri validation bug leads to open redirect and account compromise
Mail.Ru $1,000 File upload "Chapito" circus
Mail.Ru - HTTP Header Injection
Mail.Ru $100 Подделываем j2me app-descriptor
DigitalSellz - USER Account is not being deleted after user "Delete Account" from DASHBOARD
DigitalSellz - Verbose SQL error messages
ExpressionEngine - Cross Site Scripting (Stored)
HackerOne - No option to logout concurrent sessions
Twitter - password sent over HTTP
Automattic - Missing HSTS header in
Automattic - Missing HSTS header in
RelateIQ $100 Cross-site Scripting in mailing (username)
Envoy - Authentication Bypass - Host header is not Validated resulting in Redirect
Envoy - Delete visitor from IPAD with fullname which contains JS results XSS
HackerOne - Session Hijacking attack (Different Scenario)
Envoy - Too much sensitive information in GET
Envoy - Stored XSS on adding locations
Envoy - Stored XSS on sign_up page
Uzbey - Missing "size check" on files to upload could make memory leaks.
Uzbey - IFXSS (image filename XSS) by creating a new Photo Gallery
Localize - PHP PDOException and Full Path Disclosure
Mail.Ru - XSS через Referer
Mail.Ru - XSS
Secret - ClientId gives away platform (iOS/Android) from which a secret was posted.
Mail.Ru $3,000 Possibility to attach any mobile number to any email
Sandbox Escape $5,000 .NET Type Traversal Vulnerability CVE-2014-0257
Sandbox Escape - OSX ATS memory corruption may lead to App Sandbox bypass CVE-2014-1262
Sandbox Escape - OSX ATS arbitrary free issue may lead to App Sandbox bypass CVE-2014-1255
HackerOne - Email changing
WePay $100 Unauthorized Access via Join Email Link
Factlink - XSS 01 on
DC Compendium $25 Multiple Full Path Disclosure (FPD) Vulnerability on domain
RelateIQ $190 Resubmitted with POC #18685 Password reset CSRF
Phabricator $1,000 XSS in editor by any user
WePay $150 CSRF on email address operations. Also performing unintended operations.
Automattic - Top 10 2013-A2-Broken Authentication and Session Management -
WePay $500 Session Fixation
jsDelivr - HSTS Policy not enabled on
DC Compendium $50 Backend source code disclosure on 404 pages
jsDelivr - Using nmap revealing sensitive information
jsDelivr - XSS
jsDelivr - Directory Traversal at
DC Compendium $25 source code disclosure
Yahoo! $250 Yahoo! Reflected XSS
DC Compendium $25 XSS on Home page
DC Compendium $25 Error page Cross-site scripting
DC Compendium - Forward Secrecy is disable
DC Compendium - Login CSRF
DC Compendium $25 Clickjacking: X-Frame-Options header missing
HackerOne $100 Denial of Service
Faceless - Tap Jacking Attack on Button Tags
The Internet $6,000 LZ4 Core CVE-2014-4611
Factlink - Click-Jacking due to missing X-frame header
Uzbey - Mass invitation send
IRCCloud $500 Reflected XSS in Pastebin-view
Uzbey - Information Disclosure (phpinfo())
HackerOne - Account takeover
Yahoo! $50 Default /docs folder of PHPBB3 installation on
Uzbey - Price Manipulation
Phabricator $300 Broken Authentication and Session Management
Uzbey - Flash Content-Type Sniffing Vulnerability
HackerOne $100 Category- Broken Authentication and Session Management (leads to account compromise if some conditions are met)
Mail.Ru - SVN наружу торчит
Uzbey - Email Flooding Vuln
Uzbey - Clickjacking at
Uzbey - HTML Form Without CSRF Protection Vulnerability
Uzbey - Breach Attack Vulnerability
Uzbey - Cross site scripting in type parameter
Uzbey - CMS Information Disclosure
Uzbey - email field doesn't filtered against XSS
Uzbey - Language version disclosure in response header
Uzbey - All Active user sessions should be destroyed when user change his password!
Uzbey - Cross-site scripting vulnerability detected
Uzbey - Missing HSTS (Strict Transport Security)
Uzbey - Album image XSS
Uzbey - SQL injection, time zoom script, tile ID
Uzbey - SQL injection, tile ID - Found clickjacking vulnerability
Slack $100 Password Policy issue (Weak Protect)
HackerOne - Cache leads to Privacy leaks
Mail.Ru - HTTP Header Injection
Mail.Ru $400 SMS spam with custom content
Slack $100 Open Redirect login account
Coinbase - 2FA settings allowed to be changed with no delay/freeze on funds
RelateIQ $250 SSRF (Portscan) via Register Function (Custom Server)
RelateIQ $200 Failed Certificate Validation On Custom Server (Register)
Automattic - User Enumeration and Guessable User Account Attack on WORDPRESS
Mail.Ru - Cross Site Scripting
Yahoo! $200 Yahoo Sports Fantasy Golf (Join Public Group)
Phabricator $300 Abusing daemon logs for Privilege escalation under certain scenarios - Facilitation of XSS attacks through supporting the HTTP TRACE method (cross-site tracing)
The Internet $5,000 Multiple issues in looking-glass software (aka from web to BGP injections)
Phabricator $600 Abusing VCS control on phabricator - Wordpress readme.html / X-Powered-By-Header (low crit) - Report: Wordpress Bug!‏‏‏ - Directory Listing - OPTIONS method is enabled - Information disclosure : Web Server Version Details - Admin interface accessible externally
Localize - PHP PDOException and Full Path Disclosure
Mavenlink $50 Non Validation of session after password reset
Mail.Ru - Раскрытие полного серверного пути
HackerOne $100 Session not invalidated after password reset
Automattic - Process of changing email address and password does not asks old Password.
Mail.Ru $150 SQL Injection on
Localize - Bug on registration as new Translator user
Mail.Ru - Reflected XSS
Mail.Ru - Перечисление каталогов за счёт уязвимости в IIS
FanFootage - Cookie fixation
FanFootage - Same user name and uuid for multiple user names
FanFootage - Reporting Bugs
Factlink - Criptographic Issue: Strisct Transport Security with not good max age..(TOO SHORT!)
Mail.Ru - [] CRLF Injection / Insecure nginx configuration
FanFootage - Session Token is not Verified while changing Account Setting's which Result In account Takeover
FanFootage - NO CSRF token found on user details update
Coinbase $1,000 Leaking CSRF token over HTTP resulting in CSRF protection bypass
Flash $3,000 Flash Sandbox Bypass CVE-2014-0535
Mail.Ru - Flash XSS in
Yahoo! - Open Redirect via Request-URI
Mail.Ru - Flash XSS in
Twitter - Cookie not marked as secure.
Mavenlink $100 Password reset token not expiring
Twitter - XSS vulnerability in video player page
Twitter - Captcha bypass with extension at
Twitter - [ /] CSRF protection bypass
Automattic - Serving Transitions From: HTTP Protocol (not secure)
WePay - Typical form vulnerable to csrf attack
Factlink - Anonymous Proxy and IP leak
WePay - CSRF & Nonce Token Weak Implementation
WePay $300 Open Redirect
WePay - Sensitive settings need Re authentication
Mavenlink $50 Clickjacking at main website
Mavenlink $50 Login password guessing attack
WePay $100 Session fixation in
Mavenlink - The web application discloses version details of the underlying Platform / Server
Mavenlink - Clickjacking & CSRF attack can be done at
Mail.Ru - Flash XSS -
Factlink - Password reset link doesn't expire.
Automattic - - DOM based XSS.
Automattic - Self XSS
InVision - Sensitive information in cookies
Yahoo! - Multiple vulnerabilities
Twitter - and are vulnerable to CRIME attack
Twitter - Token remains alive ever after logging out!
Slack $300 SSRF on
Slack - Remote file Inclusion - RFI in upload
Mail.Ru - XSS in "About Video"
Mail.Ru $300 SSRF
Automattic $250 privilege escalation
Automattic - information disclosure
Twitter - CSRF in
Automattic - XSS on gravatar
HackerOne $100 Potential denial of service in
Automattic - xss in
Automattic - logout csrf
Automattic - xss in
Factlink - Meta characters not filtered on signup
Factlink - Proxy service crash DoS
Factlink - X/Csrf token problem
IRCCloud - Missing Character Restriction
IRCCloud - Password type input with auto-complete enabled
Factlink - Session not expired on logout
Factlink - Sign up CSRF
Factlink - Password Complexity very low.
Factlink - Missing SPF for and
Factlink - Leaking of password reset token through referer
Factlink - Login CSRF using Twitter oauth
Factlink - Url Redirection
Factlink - HTML5 cross-origin resource sharing
Factlink - Click jacking
Khan Academy - Unchecking hidden parameter is vulnerable to XSS-attack
Mail.Ru $1,000 sources disclosure
Sandbox Escape $10,000 Linux PI futex self-requeue bug CVE-2014-3153
Mail.Ru - XSS
Khan Academy - CRLF Injection
Mail.Ru - XSS
Mail.Ru - XSS
IRCCloud $100 Host Header Injection -
Khan Academy - Suffix of url-path is vulnerable to XSS-attack
Localize - full path disclosure from false language
Mail.Ru - ( Password type input with auto-complete enabled
Mail.Ru $500 XSS in login form
Secret - secret app for iOS and android is sending some info over HTTP
Urban Dictionary - Open URL Redirection
Urban Dictionary - Open Redirection
Mail.Ru - Reflected XSS (IE6-IE8)
Localize - missing sender policy framework (SPF)
HackerOne - Improper filtering of classes used in codeblocks in Markdown
Mail.Ru - Reflected XSS in User-Agent
Mail.Ru - Раскрытие путей сервера за счёт неопределённого индекса в сценарии /home/
HackerOne - Spamming any user from Reset Password Function
Yahoo! $100 Testing for user enumeration (OWASP‐AT‐002) -
Yahoo! $50 Authorization issue on
Faceless - Account hijacking possible through ADB backup feature - X-Content-Type-Options header missing
Mail.Ru $500 XSS in a file or folder name
Mail.Ru $700 XXE and SSRF on
Secret - Content Sniffing not disabled
Flash $7,500 Adobe Flash Player FileReference Use-after-Free Vulnerability CVE-2014-0538
ReddAPI - Content Sniffing not disabled
ReddAPI - Browser cross-site scripting filter misconfiguration
ReddAPI - Strict Transport Security Misconfiguration
Kadira - API keys being cached
Respondly - XSS in the input
InVision - Multiple Upload Vulnerability !File Upload + File Inclusion (Access Not Forbidden)
Kadira - Undeletable File
Kadira - MISSING SPF (Sender Policy Framework) for
Python $1,500 Python vulnerability: reading arbitrary process memory CVE-2014-4616 - Login password guessing attack
Yahoo! -
CloudFlare - CSRF and No password requirement in this URL Billing Info
Yahoo! - TESTING FOR REFLECTED CROSS SITE SCRIPTING (OWASP‐DV‐001) - SSH Port Wide Open - HTTP Strict Transport Security (HSTS) Policy Not Enabled
Mail.Ru $150 Stored XSS on
Mail.Ru $300 Stored XSS on
Mail.Ru $250 SQL injection
CloudFlare - Password reset threshold not set
Musopen - Port 22 Open/Banner visible on
Ian Dunn - Path Disclosure Vulnerability
Coinbase - Simultaneous Session Logon : Improper Session Management
Hubdia - Subscribe User bug
Musopen - USERNAME Related Issue!
Yahoo! $250 Infrastructure and Application Admin Interfaces (OWASP‐CM‐007)
Mail.Ru $400 XSS in (Limited use)
4chan - Login panel brute force attack
Meteor - Open Url Reditection After authentication
4chan - XSS in settings
CloudFlare - Bug Report
Mail.Ru - Content Spoofing vulnerability in mobile
Yahoo! - Authentication Bypass due to Session Mismanagement
CloudFlare - User's data leak
Coinbase $100 CSRF in function "Set as primary" on accounts page
99designs $400 report a reflected XSS
99designs - Reflected XSS in
Yahoo! - Yahoo! Messenger v11.5.0.228 emoticons.xml shortcut Value Handling Stack-Based Buffer Overflow
99designs - Insecure transition from HTTP to HTTPS in form post
99designs - Server leaks version number
Localize - XSS in Team Only Area
Coinbase $100 CSRF on "Set as primary" option on the accounts page
Coinbase $1,000 Bypassing 2FA for BTC transfers
Mail.Ru $150 SQL inj
C2FO - All Active user sessions should be destroyed when user change his password!
The Internet $3,000 Bypassing Same Origin Policy With JSONP APIs and Flash
Slack $500 Stored XSS in (integrations)
RelateIQ - Old Sessions remain valid after the password change.
Mail.Ru - Persistent XSS in
HackerOne - Flooding mailbox of user
Mail.Ru $150 SQL
Mail.Ru $150 SQL inj
Mail.Ru - Login without SSL-Protection
HackerOne $100 All Active user sessions should be deleted when user change his password!
Mail.Ru $200 Time based sql injection
Mail.Ru $200 SQL injection [дырка в движке форума]
OkCupid - XSS Vulnerability Found!
CloudFlare - Threat control information leak
Slack $500 Stored XSS Found
Localize - Full Path Disclosure (FPD) in
StopTheHacker - Reflected cross site scripting in login page
Yahoo! - Loadbalancer + URI XSS #3
CloudFlare - Security issue with your "bag" script
Automattic - storage.swf XSS
Ian Dunn - PHP and Wordpress version disclosure
Ian Dunn - Multiple Path Disclosure
HackerOne $100 Anti-MIME-Sniffing header X-Content-Type-Options header has not been set.
Respondly - OAuth Bug
Ian Dunn $25 Xss in CampTix Event Ticketing
Ian Dunn $25 Stored XSS in all fields in Basic Google Maps Placemarks Settings
Mail.Ru $250 Home page reflected XSS
Localize - Full Path Disclosure (FPD) in
StopTheHacker - XSS 1
StopTheHacker - XSS Reflected -
Respondly - Full Path Disclosure
Mail.Ru - Unproper usage of Mobile Number that will lead to Information Disclosure
Localize - Atttacker can send "Invitation Request" to a Project that is not even created yet!
Mail.Ru - No CSRF token used in Phone Verification POST
CloudFlare - Cookie missing the Secure flag
CloudFlare - Flash-based XSS in subdomain
Localize - Criptographic Issue: Strisct Transport Security with not good max age..(TOO SHORT!)
Respondly - No Bruteforce Protection
CloudFlare - System Status Update CSRF
CloudFlare - XSS -
CloudFlare - Apache Multiviews are enabled
StopTheHacker - XSS in Stopthehacker support
CloudFlare - csrf on password change functionality
Mail.Ru $150 localStorage не чистится после выхода
StopTheHacker - CSRF - Disabling orders at
CloudFlare - Cross-site scripting 2
CloudFlare - Content spoofing /CSRF at
Mail.Ru - Admin panel of is acccessible publicly
CloudFlare - jplayer.swf Cross-site scripting
StopTheHacker - Information Disclosure (FPD) -
CloudFlare - CSRF in Cloudflare login
Respondly - Deleting team members
Mail.Ru $150 Clickjacking
Mail.Ru - Reflected XSS
Mail.Ru - Clicjacking on Login panel
Mail.Ru - Xss On
Mail.Ru - - Flash Based XSS
Yahoo! $300 information disclosure (LOAD BALANCER + URI XSS)
Yahoo! $500 - XSS (STORED)
OkCupid - Reflected XSS on
Localize - Projects Watch or Notifications Settings Change Via CSRF
Respondly - Allowed method disclosure
Localize - No Wildcard DNS
Localize - Private Project Access Request Invitation Sent Via CSRF
Localize - Private Project Access Request Accpeted Via CSRF
Localize - Group Deletion Via CSRF
Localize - Group Creation Via CSRF
Localize - OPTIONS Method Enabled
Localize - Deleting groups in any project without permission
Localize - Making groups in any project without permission
Localize - infinite number of new project creation!
Localize - Full Path Disclosure / Info Disclosure in Importing XML Section!
Localize - Full Path Disclosure / Info Disclosure in Creating New Group
Localize - Full Path Disclosure (FPD) in
HackerOne $100 Password Reset Bug
Localize - Numerous open ports/services - readable .htaccess
Localize - X-Content-Type-Options header missing
Localize - Apache Documentation
Respondly - X-Content-Type-Options header missing
Localize - Possible sensitive files
Localize - Login page password-guessing attack
Localize - Full Path Disclosure (2)
Respondly - XSS via Email Link
Localize - XSS in password
Localize - Full Path Disclosure
Respondly - HTTP Strict transport security policy not enabled
Localize - Sensitive file
Localize - CSRF in adding phrase.
Localize - Password type input with auto-complete enabled
Localize - User credentials are sent in clear text
Respondly - DNS Misconfiguration
Respondly - x-frame options-sameorigin warning
Localize - A Serious Bug on SIGNUP Process!
Secret - Login CSRF in
HackerOne $150 Issue with remember_user_token
Localize - Information Disclosure (Directory Structure)
HackerOne - Arbitrary file uploads to Amazon WS.
Respondly - Clickjacking - changing role
Localize - Apache2 /icons/ folder accessible
Localize - Assigning a non-existing role to user causes exception when opening project page
Respondly - XSS via Email
Respondly - Find, private notes Cross-site scripting.
Localize - No Cross-Site Request Forgery protection at multiple locations
Localize - Uninitialized variable error message leaks information
Localize - Server header - information disclosure
Respondly - Import emails from Gmail are activate XSS
Localize - Business logic Failure - Browser cache management and logout vulnerability.
Localize - Path Disclosure (Info Disclosure) in
Respondly - OAuth open redirect
Respondly - Persistent Cross-site scripting vulnerability settings.
Localize - HTML/Javascript possible in "Discussion" section of reviews
Localize - Full path disclosure
Localize - XSS in
Localize - Unexpected array leaks information about the system
Localize - XSS in invite approval
Localize - XSS in main page (invitation)
Localize - Password Policy
Localize - XSS in main page
Localize - XSS & HTML injection
Localize - Stored XSS
Localize - Change user settings through CSRF
Localize - No BruteForce Protection
Localize - XSS in Groups
Localize - Sign-up Form CSRF
Localize - HTML Form Without CSRF protection
Localize - ClickJacking
Automattic - HTML form without CSRF protection
Automattic - Session Cookie without Secure flag set
Yahoo! $250 readble .htaccess + Source Code Disclosure (+ .SVN repository)
Flash $2,000 Security bypass could lead to information disclosure
Yahoo! $2,500 Local File Include on
Yahoo! - clickjacking on leaving group(flick)
Yahoo! - Unvalidate open url redirection
Automattic - Session Cookie without Secure flag set - OPTIONS method enabled on webserver
Yahoo! $400 - CSRF/email disclosure
Automattic - Simplenote Silverlight cross-domain policy misconfiguration
IRCCloud $100 Login CSRF can be bypassed (Similar approach to previous one).
IRCCloud - Log Out Cross site Request Forgery - Session Cookie without Secure flag set - Clickjacking: X-Frame-Options header missing
IRCCloud $1,000 Dangerous Persistent xss
IRCCloud - Unwanted Spamming Using CSRF [LOGGED IN USER]
Coinbase $100 2 factor authentication design flaw
IRCCloud $100 Host Header is not validated resulting in Open Redirect
IRCCloud - CSRF - Creating accounts
The Internet $7,500 TLS Triple Handshake Attack
Faceless - Bruteforce attack in login panel
Yahoo! $500 XSS in
Yahoo! $250 Bypass of the Clickjacking protection on Flickr using data URL in iframes
IRCCloud - Login page password-guessing attack(Brute-force attack-High).
IRCCloud $500 Persistent Cross Site Scripting within the IRCCloud Pastebin
IRCCloud - CSRF to Account Take Over Bug
IRCCloud - DNS Misconfiguration
IRCCloud - User Account Creation CSRF
IRCCloud $100 iOS application does not destroy session upon logout.
IRCCloud $100 Bug in iOS application which could lead to unauthorised access.
IRCCloud - "SESSION" Cookie without HttpOnly flag set
IRCCloud $100 Missing X-Content-Type-Options
IRCCloud - Session cookie can be leaked over an unencrypted HTTP connection
IRCCloud $500 Full account takeover using CSRF and password reset
IRCCloud $500 Session Token is not Verified while changing Account Setting's which Result In account Takeover
IRCCloud - HTML Form without CSRF protection
IRCCloud $100 Leaking Referrer in Reset Password Link
IRCCloud $100 Bruteforcing irccloud login
IRCCloud $100 Unsecure cookies, cookie flag secure not set
IRCCloud $100 Sign up CSRF
IRCCloud $100 Login CSRF
concrete5 - XSS on [/concrete/concrete/elements/dashboard/sitemap.php]
concrete5 - Cross-Site Scripting in getMarketplacePurchaseFrame
Faceless - Blocking yourself
C2FO - The server supports only older protocols for HTTPS connections
Yahoo! $2,000 Open Proxy,, 4/09/14, #SpringClean
Yahoo! $200 CSRF Token is missing on DELETE message option on
Yahoo! $400 CSRF Token missing on
ReddAPI - No Captcha or rate limit on Login Page
InVision - TLS Renegotiation and Denial of Service Attacks on InVision.
Yahoo! $3,000 REMOTE CODE EXECUTION/LOCAL FILE INCLUSION/XSPA/SSRF, view-source:http://sb*, 4/6/14, #SpringClean
Yahoo! $500 Comment Spoofing at
OpenSSL - TLS heartbeat read overrun CVE-2014-0160
Khan Academy - XSS at
ReddAPI - Login page password-guessing attack
OkCupid - vulnerable to Heartbleed attack
Khan Academy - Open Redirection in SmartHistory KhanAcademy
HackerOne - (lack of) smtp transport layer security
ReddAPI - Session Fixation Found
C2FO - is releasing sensitive Information about Database Configuration.
Khan Academy - Weak Ciphers Enabled
concrete5 - ::: HeartBleed Attack (CVE-2014-0160)
Khan Academy - Persistent class XSS [the fuck]
Khan Academy - XSS
Python $1,500 Integer overflow in strop.expandtabs
Flash $2,000 Same Origin Security Bypass Vulnerability CVE-2014-0503
Khan Academy - CSRF - Adding/Removing items to cart -
Khan Academy - User guessing/enumeration at
Khan Academy - Lighttpd version disclosure / directory listing
Khan Academy - Possible clickjacking at
Khan Academy - Stored XSS {dangerous?}
Khan Academy - Full Path Disclosure on []
Khan Academy - open-redirect
RelateIQ $100 Wildcard DNS in website
Khan Academy - Dom based XSS
HackerOne $150 creating titleless and non-closable bugs
Khan Academy - XSS
Yahoo! $1,000 Header injection on
Yahoo! $250 Cross-origin issue on
Yahoo! $300 reflected XSS,, 4/8/14, #SpringClean
Yahoo! $500 Significant Information Disclosure/Load balancer access,, 4/8/14, #SpringClean
InVision $200 captcha missing
Slack - open redirect in
Slack $500 Facebook Takeover using Slack using 302 from with access_token
Slack $300 Stored XSS in
Yahoo! - Information Disclosure,,6-april-2014, #SpringClean
HackerOne $100 Marking notifications as read CSRF bug
Coinbase $1,000 Multiple Issues related to registering applications
The Internet $500 Uncontrolled Resource Consumption with XMPP-Layer Compression
Coinbase $100 Coinbase Android Security Vulnerabilities
C2FO - Password reset token leakage through referrer at
C2FO - User guessing/enumeration at
Lookout - Clickjacking at
C2FO - OPTIONS Method Enabled
Slack - TLS1/SSLv3 Renegotiation Vulnerability
Lookout - DOM-XSS Vulnerability
MS-DOS - एमएस डॉस प्राणघाती है।
MS-DOS - Injecting Distrust and Disbelief in Addicted Gamers
MS-DOS - History Disclosure of MS-Dos
MS-DOS - Permanent Denial of Service
MS-DOS - Arbitrary command execution in MS-DOS
MS-DOS - Bug in Source Code Files(v1.1)
Yahoo! $100 XSS in Yahoo! Web Analytics
MS-DOS - Hack administrator password even if you are a guest
MS-DOS - Please contact me @sehacure otherwise i am going to disclose in Full disclosure mailing list :p
OkCupid - Xss high issue in main domain in users signup page
Coinbase $1,000 Coinbase Android Application - Bitcoin Wallet Leaks OAuth Response Code
Yahoo! - Out of date version
Coinbase - IFRAME loaded from External Domains
Coinbase - Cookie missing the HttpOnly flag
Coinbase - User Enumeration, Information Disclosure and Lack of Rate Limitation on API
Coinbase - Improper Validation of the Referrer header leading to Open URL Redirection
Coinbase - Information Disclosure That shows the webroot of CoinBase Server
concrete5 - page_controls_menu_js can reveal collection version of page
concrete5 - CONCRETE5 - path disclosure.
concrete5 - XSS IN member List (Because of City Textbox)
Yahoo! $800 From Unrestricted File Upload to Remote Command Execution
concrete5 - XSS in private message
concrete5 - dashboard/pages/types [Unknown column 'Array' in 'where clause'] disclosure.
concrete5 - /index.php/dashboard/sitemap/explore/ Cross-site scripting
concrete5 - Bypass
concrete5 - HttpOnly flag not set for cookie on
concrete5 - XSS in Theme Preview Tools File
Nginx $3,000 SPDY heap buffer overflow CVE-2014-0133
Nginx $3,000 SPDY memory corruption CVE-2014-0088
Slack $500 Duplicate of #4550
Yahoo! - Open redirect on
Slack $500 Stored XSS in Slackbot Direct Messages
Slack - Open Redirect in Slack
Yahoo! - Open URL Redirection
Yahoo! $500 Server Side Request Forgery
RelateIQ $100 TRACE disclosure attack may be possible
Yahoo! - Almost all the subdomains are infected.
Yahoo! - Stored Cross Site Scripting Vulnerability in Yahoo Mail
MoneyStream - Here is another XSS i got for you
OkCupid - XSS in by hamid
Yahoo! $250 XSS Vulnerability (
OkCupid - Server leaks version number
OkCupid - DOM based XSS in changing email address
HackerOne - javascript: and mailto: links are allowed on users' profiles
Phabricator $300 Persistent XSS: Editor link
OkCupid - Security issue in OkCupid
HackerOne - Accepting Invalid characters on email address
HackerOne $100 Securing sensitive pages from SearchBots
Phabricator $400 OAuth Stealing Attack (New)
HackerOne - Adding an user email address to the list before confirming.
Phabricator $300 Control character allowed in username
Slack - User impersonation is possible with incoming webhooks
HackerOne - Criptographic Issue: Strisct Transport Security with not good max age..(TOO SHORT!)
Phabricator $450 OAuth access_token stealing in Phabricator
Yahoo! - Clickjacking at
Yahoo! - Authentication bypass at
InVision - Found a Clickjacking in
Slack $500 flash content type sniff vulnerability in
RelateIQ $100 Captcha Bypass With Extension
RelateIQ - RelateIQ GWT based application visible to unauthenticated users
OkCupid - XSS in "Questions" search module
Ruby on Rails $1,500 Directory traversal attack in view resolver CVE-2014-0130
Phabricator $300 UnAuthorized Editorial Publishing to Blogs
OkCupid - XSS in 404 page of
HackerOne $100 Control Characters Not Stripped From Username on Signup
OkCupid - XSS -
OkCupid - Stored XSS on your site..
OkCupid - Stored Cross-site scripting vulnerability in okcupid
Yahoo! $1,000 SQL Injection ON HK.Promotion
OkCupid - XSS In Profle
OkCupid - XSS on []
OkCupid - Login destination open redirection
OkCupid - Cross-site scripting vulnerability
Slack - Content Spoofing
OkCupid - Direct XSS vulnerabilities (persistent) in
Slack - Deleting Teams implemenation
OkCupid - CSRF vulnerability.
OkCupid - Instagram Authentication - No Request Token
OkCupid - Users can easily be tricked into changing/disabling privacy and notification settings
OkCupid - Cross-site scripting
Slack - Stored XSS
Phabricator - CSRF token valid even after the session logout of a particular user
Slack $500 Reflected Xss
Slack - Email enumeration
Slack - Data exports stored on S3 can be scraped easily
RelateIQ $100 HTML injection in "Invite Collaborators"
Slack - Open redirect vulnerability
Slack - State parameter missing on google OAuth
Slack $500 Stored XSS in Channel Chat
Slack - Stored XSS on this link
Slack - CSRF on add comment section
Slack - csrf
Slack $100 CSRF vulnerability on
Slack $500 Stored XSS in
Slack $200 URL redirection flaw
Slack $200 Stored XSS in
Yahoo! $100 configuration file disclosure
Yahoo! - Yahoo mail login page bruteforce protection bypass
HackerOne $500 Weird Bug - Ability to see partial of other user's notification
Slack - Session Fixation disclosing email address
Slack $100 Slack OAuth2 "redirect_uri" Bypass
Slack $100 Broken Authentication (including Slack OAuth bugs)
Slack $150 Reflective XSS can be triggered in IE
RelateIQ $100 Cross Site Scripting (XSS) -
HackerOne - Hackerone Email Addresses Enumeration
RelateIQ $100 XSRF token problem
RelateIQ $100 Value of JSESSIONID and XSRF token parameter in cookie remains same before and after login
RelateIQ - open redirect
Yahoo! - Yahoo open redirect using ad
Sandbox Escape $5,000 Win32k Window Handle Vulnerability (EoP) CVE-2014-0262
Yahoo! - Reflected XSS in
Phabricator $500 Bypass (2)
Phabricator $300 Login CSRF using Twitter OAuth
Phabricator $1,000 Bypass
HackerOne $100 CSS leaks SCSS debug info
HackerOne - harvesting attack on user registration
Flash $10,000 Flash double free vulnerability leads to code execution CVE-2014-0502
Yahoo! $1,500 XSS on Every page
Flash $2,000 Flash local-with-fileaccess Sandbox Bypass CVE-2014-0508
Yahoo! $1,276 HK.Yahoo.Net Remote Command Execution
Yahoo! - Insufficient validation of redirect URL on login page allows hijacking user name and password
Flash $2,000 Handling of jar: URIs bypasses AllowScriptAccess=never CVE-2014-0491
Flash $10,000 Flash type confusion vulnerability leads to code execution CVE-2013-5331
Yahoo! - In Fantasy Sports iOS app, signup page is requested over HTTP
Yahoo! $1,390 Local file inclusion
Yahoo! - A csrf vulnerability which add and remove a favorite team from a user account.
Yahoo! - XSS Reflected - Yahoo Travel
Yahoo! $3,705 SQLi on
Yahoo! $750 Flickr: Invitations disclosure (resend feature)
HackerOne $100 DNS Misconfiguration
Secret - Strict Transport Security on
Yahoo! $800 HTML Injection on flickr screename using IOS App
Yahoo! - URL Redirection
Secret - SSL Not Enforced
Factlink - Proxy discloses internal web servers
Yahoo! - Yahoo YQL Injection?
Yahoo! - HTML Code Injection
PHP $1,500 PHP Heap Overflow Vulnerability in imagecrop() CVE-2013-7226
Yahoo! - Vulnerability found, XSS (Cross site Scripting)
Yahoo! - ClickJacking on
Yahoo! - Authentication Bypass in Yahoo Groups
Yahoo! - clickjacking
Yahoo! $800 XSS in my yahoo
Yahoo! $2,500 Security.allowDomain("*") in SWFs on allows data theft from Yahoo Mail (and others)
HackerOne - LinkedIN URL should be HTTPS
Yahoo! - Directory Traversal
Yahoo! - Information Disclosure
Yahoo! - Bypass of anti-SSRF defenses in YahooCacheSystem (affecting at least YQL and Pipes)
Yahoo! - XSS using yql and developers console proxy
Sandbox Escape $3,000 Linux 3.4+: arbitrary write with CONFIG_X86_X32 CVE-2014-0038
Yahoo! $1,960 Store XSS Flicker main page
Yahoo! - Java Applet Execution On Y! Messenger
Yahoo! $2,173.75 Cross-site scripting on the main page of flickr by tagging a user.
Yahoo! $677.50 XSS Yahoo Messenger Via Calendar.Yahoo.Com
HackerOne $100 Autocomplete enabled in Paypal preferences
Phabricator $300 Improperly implemented password recovery link functionality
Phabricator $300 Log in a user to another account
HackerOne - Enumeration of users
HackerOne $100 A password reset page does not properly validate the authenticity token at the server side.
HackerOne $100 Information disclosure (reset password token) and changing the user's password
HackerOne $100 Improper session management
HackerOne $150 Switching the user to the attacker's account
HackerOne $500 Upload profile photo from URL
HackerOne $250 Email spoofing
HackerOne $100 CSRF login
HackerOne $150 Logical issues with account settings
PHP $4,000 PHP openssl_x509_parse() Memory Corruption Vulnerability CVE-2013-6420
The Internet $7,500 TLS Virtual Host Confusion
The Internet $1,500 OpenSSH: Memory corruption in AES-GCM support CVE-2013-4548
Ruby $1,500 Ruby: Heap Overflow in Floating Point Parsing CVE-2013-4164
HackerOne $100 DNS Cache Poisoning
HackerOne $100 Flawed account creation process allows registration of usernames corresponding to existing file names
HackerOne $500 PNG compression DoS
HackerOne $250 GIF flooding
HackerOne $500 Pixel flood attack
HackerOne $100 Session not expired on logout
HackerOne - Privilege escalation..., or not?!
HackerOne $250 CSP not consistently applied
HackerOne $500 RTL override symbol not stripped from file names
HackerOne $100 Session Management
HackerOne $100 Broken Authentication and session management OWASP A2
HackerOne $100 Real impersonation
HackerOne - Flawed account creation process allows registration of usernames corresponding to existing file names
HackerOne - Report title autocompletion
HackerOne $500 Missing SPF for
HackerOne - Login page password-guessing attack