Public Discourse bug reports.

| Team | Bounty | Title |
| --- | --- | --- |
| Discourse | $256 | Any authenticated user can download full list of users, including email |
| Discourse | $64 | SSRF in upload IMG through URL |
| Discourse | $512 | Admin Command Injection via username in user_archive ExportCsvFile |
| Discourse | $512 | Arbitrary Local-File Read from Admin - Restore From Backup due to Symlinks |
| Discourse | $256 | Stored XSS in posts because of absence of oembed variables values escaping |
| Discourse | $256 | Stored XSS in topics because of whitelisted_generic engine vulnerability |
| Discourse | $256 | XSS in topics because of bandcamp preview engine vulnerability |
| Discourse | $128 | Users can bookmark other user's messages |
| Discourse | $256 | XSS vulnerability on Audio and Video parsers |
| Discourse | $256 | XSS Vulnerability on Image link parser |
| Discourse | $256 | DOM Based XSS in Discourse Search |