Public Mail.Ru bug reports.

Team Bounty Title
Mail.Ru - Open Redirect on [My.com]
Mail.Ru $100 BruteForce Any [My.com] Account Credentials.
Mail.Ru $150 XSS in portal navigation
Mail.Ru $500 Xss in https://e.mail.ru/
Mail.Ru $500 Xss in https://e.mail.ru/
Mail.Ru - IDOR in tender.mail.ru leading to Information Disclosure
Mail.Ru - Open Redirection at https://it.mail.ru/
Mail.Ru - Open Redirect
Mail.Ru $750 Stored XSS in e.mail.ru (payload affect multiple users)
Mail.Ru - Reflected XSS on frag.mail.ru
Mail.Ru - Stored XSS
Mail.Ru - Open Redirect
Mail.Ru - Disclosure of information on static.dl.mail.ru
Mail.Ru - CSRF Send a message at street-combats.mail.ru
Mail.Ru - Excessive permissions when authorizing via the mail.ru interface
Mail.Ru - [ml.money.mail.ru] Open Redirect
Mail.Ru - [cooking.lady.mail.ru] Open Redirect
Mail.Ru - [element.mail.ru] /.svn/entries
Mail.Ru - [qpt.mail.ru] CRLF Injection / Open Redirect
Mail.Ru - [pokerist.mail.ru] XSS Request-URI
Mail.Ru - [allods.mail.ru] Cross-Site Request Forgery (Add-Item)
Mail.Ru $300 Time-based sql-injection on https://puzzle.mail.ru
Mail.Ru - Reflected XSS @ games.mail.ru
Mail.Ru - [cfire.mail.ru] CSRF Bypassed - Changing anyone's 'User Info'
Mail.Ru - [realty.mail.ru] XSS, SSI Injection
Mail.Ru - [opensource.mail.ru] system accounts enumeration
Mail.Ru - Cross Site Request Forgery (CSRF)
Mail.Ru - Back Refresh Attack after registration and successful logout
Mail.Ru - BRUTE FORCE ATTACK
Mail.Ru $150 [townwars.mail.ru] Time-Based SQL Injection
Mail.Ru $250 Mail.ru for Android Content Provider Vulnerability
Mail.Ru $150 [tidaltrek.mail.ru] SQL Injection
Mail.Ru $150 Code source disclosure & ability to get database information "SQL injection" in [townwars.mail.ru]
Mail.Ru $150 [tidaltrek.mail.ru] SQL Injection
Mail.Ru - [sales.mail.ru] CRLF Injection
Mail.Ru - Insecure cookies without httpOnly flag set
Mail.Ru $100 [my.mail.ru] HTML injection in emails from [email protected]
Mail.Ru $160 [upload-X.my.mail.ru] /uploadphoto Insecure Direct Object References
Mail.Ru - [torg.mail.ru] CRLF Injection
Mail.Ru $150 SQL Injection
Mail.Ru - AXFR works on plexus.m.smailru.net
Mail.Ru $250 XSS via a specially crafted file.
Mail.Ru - Basic authentication bypass [qpt.mail.ru]
Mail.Ru - Reflected XSS on games.mail.ru
Mail.Ru $200 bgplay.mail.ru
Mail.Ru $150 By pass admin panel [conference.mail.ru]
Mail.Ru $150 By pass admin panel [seminars.mail.ru]
Mail.Ru - Information leak via JSONP (XXSI)
Mail.Ru $500 Admin panel access restrictions bypass [poll.mail.ru/admin/]
Mail.Ru - Stored XSS on street-combats.mail.ru
Mail.Ru $250 SSRF on element.mail.ru
Mail.Ru $600 VERY DANGEROUS XSS STORED inside emails
Mail.Ru $150 [3k.mail.ru] SQL Injection
Mail.Ru $300 [orsotenslimselfie.lady.mail.ru] SQL Injection
Mail.Ru - [touch.lady.mail.ru] CRLF Injection
Mail.Ru - [api.login.icq.net] Reflected XSS
Mail.Ru - [api.login.icq.net] Open Redirect
Mail.Ru $300 [afisha.mail.ru] SQL Injection
Mail.Ru - Logical Vulnerability : REDIRECTING on pw.mail.ru by Parameter Spoofing
Mail.Ru $150 [allods.my.com] SSRF / XSPA
Mail.Ru - [3k.mail.ru] Content Spoofing
Mail.Ru - Multiple vulnerabilities in mail.ru subdomains
Mail.Ru $150 [parapa.mail.ru] SQL Injection
Mail.Ru $150 [cfire.mail.ru] Time Based SQL Injection
Mail.Ru - XSS at forum :
Mail.Ru $500 reflected in xss
Mail.Ru - Reflected XSS on hi-tech.mail.ru
Mail.Ru - [tz.mail.ru] XSS in the authorization functionality
Mail.Ru - [w1.dwar.ru] Core Dump
Mail.Ru - [gitmm.corp.mail.ru] Auth Bypass, Information Disclosure
Mail.Ru - [otus.p.mail.ru] CRLF Injection
Mail.Ru - [otus.p.mail.ru] Full Path Disclosure
Mail.Ru - [opensource.mail.ru] Debug Mode
Mail.Ru $300 Potential SSRF in sales.mail.ru
Mail.Ru - [allods.my.com] Full Path Disclosure
Mail.Ru - [allods.my.com] Full SQL Disclosure
Mail.Ru - [it.mail.ru] Open Redirect
Mail.Ru - Reflected XSS.
Mail.Ru - [allods.mail.ru] Reflected XSS
Mail.Ru $300 [api.allodsteam.com] Authentication Data
Mail.Ru - Reflected XSS.
Mail.Ru - Reflective Xss on news.mail.ru and admin.news.mail.ru
Mail.Ru - [ling.go.mail.ru] Server-Status opened for all users
Mail.Ru - Reflected XSS on https://aw.mail.ru/news/
Mail.Ru - Vulnerability :- "XSS vulnerability"
Mail.Ru $500 XSS: https://light.mail.ru/compose, https://m.mail.ru/compose/[id]/reply when replying to a specially crafted email
Mail.Ru - [support.my.com] Internet Explorer XSS
Mail.Ru - [rabota.mail.ru] Open Redirect
Mail.Ru - XSS on several mail.ru game forums (Cross-Site Scripting)
Mail.Ru $150 XSS at af.attachmail.ru
Mail.Ru - [riot.mail.ru] Reflected XSS in debug-mode
Mail.Ru - [start.icq.com] Reflected XSS via Cookies
Mail.Ru $150 Time-Based Blind SQL Injection Attacks
Mail.Ru $150 Cross site scripting
Mail.Ru $160 [my.mail.ru] CRLF Injection
Mail.Ru $200 Possible xWork classLoader RCE: shared.mail.ru
Mail.Ru - [tanks.mail.ru] Internet Explorer XSS via Request-URI
Mail.Ru - [mrgs.mail.ru] Internet Explorer XSS via Request-URI
Mail.Ru $250 [s.mail.ru] CRLF Injection
Mail.Ru - help2.m.smailru.net: XSS
Mail.Ru $150 Activities are not Protected and able to crash app using other app (Can Malware or third party app).
Mail.Ru $250 HTML Injection on e.mail.ru
Mail.Ru - https://voip.agent.mail.ru/phpinfo.php
Mail.Ru $150 http://tp-dev1.tp.smailru.net/
Mail.Ru $200 tt-mac.i.mail.ru: Quagga 0.99.23.1 (Router) : Default password and default enable password
Mail.Ru $400 http://fitter1.i.mail.ru/browser/ Graphite exposed to the world
Mail.Ru $400 store-agent.mail.ru: stacked blind injection
Mail.Ru - Flash XSS on img.mail.ru
Mail.Ru $500 e.mail.ru stored XSS in agent via sticker (smile)
Mail.Ru - XSS in touch.sports.mail.ru
Mail.Ru - XSS in ad.mail.ru
Mail.Ru - XSS in realty.mail.ru
Mail.Ru $300 RCE via JDWP
Mail.Ru $150 scfbp.tng.mail.ru: Heartbleed
Mail.Ru $150 HDFS NameNode Public disclosure: http://185.5.139.33:50070/dfshealth.jsp
Mail.Ru - Full Path Disclosure
Mail.Ru $600 Same Origin Policy bypass
Mail.Ru - XSS Vulnerability in cfire.mail.ru/screen/1/
Mail.Ru - http://217.69.136.200/?p=2&c=Fetcher%20cluster&h=fetcher1.mail.ru
Mail.Ru $150 Heartbleed: my.com (185.30.178.33) port 1433
Mail.Ru $150 Hadoop Node available to public
Mail.Ru $100 Mobile phone number disclosure during two-factor authentication
Mail.Ru - 3k.mail.ru: XSS
Mail.Ru - /surveys/2auth: DOM-based XSS
Mail.Ru - GET /surveys/2auth: XSS
Mail.Ru $100 No bruteforce protection leads to enumeration of emails in http://e.mail.ru/
Mail.Ru - [odnoklassniki.ru] XSS via Host
Mail.Ru $250 [connect.mail.ru] Memory Disclosure / IE XSS
Mail.Ru - Unwanted information
Mail.Ru $500 Filtering error
Mail.Ru - Flash XSS on old.corp.mail.ru
Mail.Ru $200 OpenSSL HeartBleed (CVE-2014-0160)
Mail.Ru - Logging in as any user of parapa.mail.ru
Mail.Ru - PHP code execution via FastCGI
Mail.Ru $500 touch.mail.ru XSS via message id
Mail.Ru $1,337 XSS via .eml file
Mail.Ru - Not sure this belongs on the perimeter: 94.100.180.95, 94.100.180.96, 94.100.180.97, 94.100.180.98
Mail.Ru $150 money.mail.ru: Strange SMS behavior
Mail.Ru - Version Disclosure (NginX)
Mail.Ru $150 cloud.mail.ru: File upload XSS using Content-Type header
Mail.Ru $1,000 e.mail.ru: File upload "Chapito" circus
Mail.Ru - files.mail.ru: HTTP Header Injection
Mail.Ru $100 m.agent.mail.ru: Forging the j2me app-descriptor
Mail.Ru - target.mail.ru: XSS via Referer
Mail.Ru - target.mail.ru: XSS
Mail.Ru $3,000 Possibility to attach any mobile number to any email
Mail.Ru - tp-demo1.corp.mail.ru: SVN exposed externally
Mail.Ru - my.mail.ru: HTTP Header Injection
Mail.Ru $400 e.mail.ru: SMS spam with custom content
Mail.Ru - Cross Site Scripting
Mail.Ru - Full server path disclosure
Mail.Ru $150 SQL Injection on 11x11.mail.ru
Mail.Ru - Reflected XSS
Mail.Ru - Directory enumeration due to a vulnerability in IIS
Mail.Ru - [corp.mail.ru] CRLF Injection / Insecure nginx configuration
Mail.Ru - Flash XSS in http://go.mail.ru
Mail.Ru - Flash XSS in http://lingvo.mail.ru
Mail.Ru - Flash XSS - http://hi-tech.mail.ru/
Mail.Ru - XSS in "About Video"
Mail.Ru $300 connect.mail.ru: SSRF
Mail.Ru $1,000 https://217.69.135.63/rb/: money.mail.ru sources disclosure
Mail.Ru - touch.afisha.mail.ru: XSS
Mail.Ru - files.mail.ru: XSS
Mail.Ru - api.video.mail.ru: XSS
Mail.Ru - (m.mail.ru) Password type input with auto-complete enabled
Mail.Ru $500 auth.mail.ru: XSS in login form
Mail.Ru - Reflected XSS connect.mail.ru (IE6-IE8)
Mail.Ru - Reflected XSS in User-Agent
Mail.Ru - Server path disclosure due to an undefined index in the script /home/berserk-online.com/public_html/forum/Themes/berserker/Profile.template.php
Mail.Ru $500 XSS in a file or folder name
Mail.Ru $700 XXE and SSRF on webmaster.mail.ru
Mail.Ru $150 Stored XSS on http://cards.mail.ru
Mail.Ru $300 Stored XSS on http://top.mail.ru
Mail.Ru $250 SQL injection update.mail.ru
Mail.Ru $400 XSS in https://e.mail.ru/cgi-bin/lstatic (Limited use)
Mail.Ru - Content Spoofing vulnerability in Mail.ru mobile
Mail.Ru $150 SQL inj
Mail.Ru - Persistent XSS in afisha.mail.ru
Mail.Ru $150 SQL
Mail.Ru $150 SQL inj
Mail.Ru - Login without SSL-Protection
Mail.Ru $200 Time based sql injection
Mail.Ru $200 SQL injection [hole in the forum engine]
Mail.Ru $250 Home page reflected XSS
Mail.Ru - Improper usage of Mobile Number that will lead to Information Disclosure
Mail.Ru - No CSRF token used in Phone Verification POST
Mail.Ru $150 localStorage is not cleared after logout
Mail.Ru - Admin panel of http://tp-test1.corp.mail.ru/ is accessible publicly
Mail.Ru $150 Clickjacking
Mail.Ru - Reflected XSS
Mail.Ru - Clickjacking on Login panel
Mail.Ru - Xss On http://my.mail.ru/
Mail.Ru - rs.mail.ru - Flash Based XSS