List of bug bounty writeups

Bug bounty writeups published in 2018

Title & URL | Author | Bug bounty program | Vulnerability | Reward $$$ | Publication date
Add comment on a private Oculus Developer bug report Sarmad Hassan (@JubaBaghdad) Facebook IDOR, Authorization flaw - 10/18/2018
Security teams Internal attachments can be exported via “Export as .zip” feature on HackerOne Japz Divino (@japzdivino) HackerOne Logic flaw $12,500 10/17/2018
XXE in IBM’s MaaS360 Platform Cody Wass IBM XXE - 10/16/2018
Path traversal while uploading results in RCE Harsh Jaiswal (@rootxharsh) - Path traversal, RCE - 10/15/2018
Brave Browser Script Blocker Bypass Vulnerability Xiaoyin Liu Brave Software Script blocker bypass - 10/13/2018
Microsoft CSRF Vulnerability Adesh Kolte (@AdeshKolte) Microsoft CSRF $500 10/12/2018
[Bug bounty | mail.ru] Access to the admin panel of the partner site and data disclosure of 2 million users Max (@iSecMax) Mail.ru Authentication bypass, Blind XSS - 10/12/2018
Magic XSS with two parameters Mahmood Shahabi (@m4shahab1) - XSS - 10/12/2018
Add description to Instagram Posts on behalf of other users - 6500$ Sarmad Hassan (@JubaBaghdad) Facebook IDOR $6,500 10/12/2018
Microsoft Edge Remote Code Execution Abdulrahman Al-Qabandi (@Qab) Microsoft RCE - 10/11/2018
Access to staging environment via User-Agent string Yasser Gersy (@yassergersy) - Authentication bypass - 10/10/2018
Symantec Messaging Gateway authentication bypass Artem Kondratenko (@artkond) Symantec Authentication bypass - 10/10/2018
Get as image function pulls any Insights/NRQL data from any New Relic account (IDOR) Jon Bottarini New Relic IDOR $2,500 10/09/2018
DOM-XSS Bug Affecting Tinder, Shopify, Yelp, and More VPN Mentor (@vpnmentor) Tinder DOM XSS - 10/09/2018
Make any Unit in Facebook Groups Undeletable Sarmad Hassan (@JubaBaghdad) Facebook Logic flaw, IDOR, Authorization flaw - 10/09/2018
[Critical] Bypass CSRF protection on IBM Mohamed Sayed (@FlEx0Geek) IBM CSRF - 10/09/2018
Persistent XSS (unvalidated Open Graph embed) at LinkedIn.com Jonathan Bouman (@JonathanBouman) LinkedIn Stored XSS $0, HoF 10/07/2018
My First 0day Exploit (CSP Bypass + Reflected XSS) #BUGBOUNTY Ali Tütüncü (@alicanact60) - Reflected XSS, CSP bypass - 10/07/2018
Clickjacking in Google Docs and Voice typing feature. Raushan Raj (@raushan_rajj) Google Clickjacking $2,337 10/05/2018
GoogleMeetRoulette: Joining random meetings Martin Vigo (@martin_vigo) Google Bruteforce, Logic flaw - 10/04/2018
An interesting Google vulnerability that got me 3133.7 reward. Ebrahem Hegazy (@Zigoo0) Google CSRF $3,133.7 10/04/2018
Persistent XSS (Unvalidated oEmbed) at Medium.com Jonathan Bouman (@JonathanBouman) Medium Stored XSS $100 10/04/2018
Exploiting an unknown vulnerability Abhishek Bundela (@abhibundela) - Logic flaw, Payment tampering - 10/03/2018
Facebook Bug Bounty: Email Id, Phone Number Can be exposed Through Business Manager Rohit kumar (@rohitcoder) Facebook Logic flaw, Information disclosure $3,000 10/03/2018
AWS takeover through SSRF in JavaScript Gwendal Le Coguic (@gwendallecoguic) - SSRF - 10/02/2018
Applying a small bypass to steal Facebook Session tokens in Uber Samuel (@saamux) Uber XSS, CSP bypass, OAuth flaw - 10/02/2018
How i found Stored xss on your-domain.redacted.com Rudra Sarkar (@rudr4_sarkar) - XSS $0 10/02/2018
Collecting Shells by the Sea of NAS Vulnerabilities Rick Ramgattie (@RRamgattie) Lenovo OS command injection, XSS, CSRF - 10/01/2018
Subdomain Takeover via Shopify Vendor ( blog.exchangemarketplace.com ) with Steps Mohamed Haron (@m7mdharon) Shopify Subdomain takeover - 10/01/2018
Google Stored XSS in Payments Barış Sağdıç (@brsgdc) Google Stored XSS - 10/01/2018
How I was able to takeover account’s of an Earning App Abbas Wafa - Information disclosure $0 10/01/2018
Hacking the Subway Android app Wesley Gahr (@wesley_gahr) Subway Logic flaw, Authorization flaw - 09/28/2018
IDOR, Content Spoofing and Url Redirection via unsubscribe email in Confluent Divyanshu Shukla Confluent IDOR, Content spoofing, Open redirect - 09/28/2018
Just another tale of severe bugs on a private program. Siva Krishna Samireddi - Open redirect, SSRF, IDOR, Logic flaw $1,623 09/28/2018
#BugBounty — From finding Jenkins instance to Command Execution.Secure your Jenkins Instance! Avinash Jain (@logicbomb_1) - RCE, Exposed Jenkins instance - 09/27/2018
Thick Client — Attacking databases the fun/easy way Richard Clifford - Thick client flaw, Credentials sent over unencrypted channel - 09/26/2018
Arbitrary File Read in one of the largest CRMs Richard Clifford - LFI - 09/26/2018
[XSS] survey.dropbox.com Kumar Dropbox XSS $0 09/25/2018
Weaponizing XSS Attacking Internal System Rahul R - Blind XSS - 09/25/2018
Subdomain Takeover via Unsecured S3 Bucket Connected to the Website Muhammad Khizer Javed / babayaga47 (@khizer_javed47) - Subdomain takeover - 09/24/2018
How I XSS’ed Uber and Bypassed CSP Efkan (@mefkansec) Uber Reflected XSS $2,000 09/22/2018
R-XSS -> CSRF bypass to account takeover/ Nirmal Dahal (@TheNittam) - Reflected XSS, CSRF bypass - 09/21/2018
Bypassing Firebase authorization to create custom goo.gl subdomains Thomas Orlita (@ThomasOrlita) Google Logic flaw, IDOR - 09/21/2018
Another XSS in Google Colaboratory Michał Bentkowski Google XSS - 09/20/2018
Shopify Athena Bug Uranium238 (@uraniumhacker) Shopify Authorization flaw, Information disclosure - 09/20/2018
Local file inclusion at IKEA.com Jonathan Bouman (@JonathanBouman) Ikea LFI $250 09/19/2018
Facebook $750 Reward for a Simple Bug Aman Shahid (@amansmughal) Facebook Authentication bypass, Logic flaw $750 09/18/2018
Chain The Bugs to Pwn an Organisation ( LFI + Unrestricted File Upload = Remote Code Execution ) Armaan Pathan (@armaancrockroax) - LFI, Unrestricted File Upload, RCE - 09/18/2018
Reflected XSS at Philips.com Jonathan Bouman (@JonathanBouman) Philips Reflected XSS - 09/17/2018
XSS Vulnerabilities in Multiple iFrame Busters Affecting Top Tier Sites Randy Westergren (@RandyWestergren) Google XSS $0 09/17/2018
Vertical escalation of privileges Leading to Sensitive Data Exposure Umair Ahmed (@u_ahmedofficial) - Bruteforce, IDOR, Authorization flaw - 09/16/2018
User Account takeover in India’s largest digital business company Minali Arora (@AroraMinali) - Account takeover, OTP bypass - 09/16/2018
IDOR User Account Takeover By Connecting My Facebook Account with victims Account Muhammad Khizer Javed / babayaga47 (@khizer_javed47) Facebook IDOR $1,200 09/16/2018
Persistent Cross-Site Scripting on redacted worth $2,000 M.Asim Shahzad - Stored XSS $2,000 09/15/2018
How I hijacked your account when you opened my cat picture Matti Bijnens (@MattiBijnens) - Logout CSRF - 09/14/2018
Hacking your own antivirus for fun and profit (Safe browsing gone wrong) Martin Thirup Christensen (@Mthirup) Bullguard Reflected XSS $0 09/14/2018
Subdomain Takeover worth 200$ Ali Razzaq (@AliRazzaq_) Netlify Subdomain takeover $200 09/14/2018
Reflected DOM XSS and CLICKJACKING on https://silvergoldbull.de/bt.html Daniel Maksimovic Silver Gold Bull DOM XSS, Clickjacking - 09/13/2018
Snooping an Ad Network Admin Panel Tomi Ad Networks Blind XSS $100 09/13/2018
Subdomain Takeover via Campaignmonitor Mohamed Haron (@m7mdharon) Campaign Monitor Subdomain takeover $900 09/11/2018
Open-Redirect Vulnerability in udacity.com Anil Tom Udacity Open redirect $0, Swag 09/11/2018
Hacking a Crypto Debit Card Service Muhammad Abdullah Plutus SQL injection - 09/11/2018
XXE at Bol.com Jonathan Bouman (@JonathanBouman) Bol.com XXE $500 (voucher) 09/11/2018
How to do 55.000+ Subdomain Takeover in a Blink of an Eye BuckHacker (@thebuckhacker) Shopify Subdomain takeover - 09/10/2018
Authentication Bypass Using SQL Injection AutoTrader Webmail – Bug Bounty POC Muhammad Khizer Javed / babayaga47 (@khizer_javed47) AutoTrader SQL injection - 09/10/2018
Making the Facebook app more secure - $8500 bounty Ash King Facebook Open redirect $8,500 09/09/2018
ZOL Zimbabwe Authentication Bypass to XSS & SQLi Vulnerability – Bug Bounty POC Muhammad Khizer Javed / babayaga47 (@khizer_javed47) ZOL Zimbabwe XSS, SQL injection - 09/09/2018
How I find Open-Redirect Vulnerability in redacted.com (One of the top online payment processing service website) M.Asim Shahzad - Open redirect - 09/09/2018
Disclosure of Facebook Page Admin due to insecure tagging behavior Aj Dumanhug (@ajdumanhug) Facebook Information disclosure, Logic flaw - 09/09/2018
Reflected XSS in Google Code Jam Thomas Orlita (@ThomasOrlita) Google Reflected XSS - 09/08/2018
SQL Injection Vulnerability bootcamp.nutanix.com | Bug Bounty POC Muhammad Khizer Javed / babayaga47 (@khizer_javed47) Nutanix SQL injection $0, Swag 09/08/2018
Bypassing Hotstar Premium with DOM manipulation and some JavaScript OpSecX Hotstar Logic flaw, Payment bypass $0 09/07/2018
RCE Unsecure Jenkins Instance | Bug Bounty POC Muhammad Khizer Javed / babayaga47 (@khizer_javed47) - RCE $0 09/07/2018
Write-up - Love story, from closed as informative to $3,500 USD, XSS stored in Yahoo! iOS MaiL app @omespino Yahoo! Stored XSS $3,500 09/07/2018
Simple Login Brute Force / Current Password Requirement Bypass Mandeep Jadon (@1337tr0lls) - IDOR, Account takeover, Bruteforce - 09/07/2018
#BugBounty — How Naaptol (India’s popular home shopping company) Kept their Millions of User Data at Risk! Avinash Jain (@logicbomb_1) Naaptol IDOR - 09/07/2018
How I could download the source code of an Indian e-commerce website!! Minali Arora (@AroraMinali) - File disclosure, Source code disclosure - 09/05/2018
P1 Vulnerability in 60 seconds @Wh11teW0lf - Information disclosure, File disclosure $1,500 09/05/2018
Facebook Bug Bounty! {Permission Bug} Ali Tütüncü (@alicanact60) Facebook Authorization flaw, Logic flaw $750 09/05/2018
Admin Disclosure of Facebook Business all Pages by normal employees: Kamal Facebook Information disclosure $0 09/02/2018
How I could have launched a spear phishing campaign with Starbucks email servers Kyle (@b3nac) Starbucks Host header injection $150 09/01/2018
Send request to Martians. Earthlings are already your friends. Sagar VD Google CSRF - 09/01/2018
I Own Your Customers !!! Muhammad Abdullah - Information disclosure, Hardcoded credentials, AWS flaw - 09/01/2018
Pwned Together: Hacking dev.to Antony Garand Dev.to Stored XSS $150, HoF 08/31/2018
$100 Bounty in 300 seconds isn’t bad !!! Rohan Chavan (@rohanchavan1918) Zoho Stored XSS $100, HoF 08/31/2018
Reflected XSS in Django REST Framework Api at MapBox Subdomain Mohamed Haron (@m7mdharon) Mapbox Reflected XSS $500 08/29/2018
Finding hidden gems vol. 2: REAMDE.md, the story of a bit too helpful readme file Mateusz Olejarka - Information disclosure, Github leak $0 08/29/2018
A Infinite Loop Story. Ashish Kunwar (@D0rkerDevil) - DoS $100 08/29/2018
Reflected Swf XSS at ( https://plugins.svn.wordpress.org ) Mohamed Haron (@m7mdharon) Wordpress Swf XSS, Reflected XSS $350 08/28/2018
How i found a 1500$ worth Deserialization vulnerability Ashish Kunwar (@D0rkerDevil) - Misconfigured JSF ViewState, Java deserialization $1,500 08/28/2018
IDOR FACEBOOK: malicious person add people to the “Top Fans” Jafar Abo Nada Facebook IDOR - 08/28/2018
Traversing the Path to RCE hawkinsecurity - Path traversal, RCE $0 08/27/2018
Uber Bug Bounty: 1000$ for two “high severity” issue Peuch Uber Information disclosure, Github leak $1,000 08/27/2018
Open Redirection negative Wibes Pleio Open redirection - 08/26/2018
My first valid xss(@Hackerone) Jatin Aesthetic - XSS $100 08/25/2018
Remote Code Execution on a Facebook server Daniel Le Gall Facebook RCE $5,000 08/24/2018
Privileged Escalation in Facebook Messenger Rooms Jafar Abo Nada Facebook Privilege escalation, IDOR - 08/24/2018
SQL Injection Vulnerability In University Of Cambridge Adesh Kolte (@AdeshKolte) Cambridge SQL injection - 08/24/2018
Liking GitHub repositories on behalf of other users — Stored XSS in WebComponents.org Thomas Orlita (@ThomasOrlita) Webcomponents.org Stored XSS - 08/23/2018
API key: The real goldmine Yumi - Information disclosure - 08/19/2018
User credential are sent in clear text in Whatsapp web— FIXED | Facebook Bug Bounty Thuvarakan Nakarajah Facebook (WhatsApp) Credentials sent over HTTP - 08/18/2018
YAHOO IDOR -elimination of any comment Bada Diaz (@bada77) Yahoo IDOR - 08/17/2018
3 Minutes & XSS! Ashish Jha Edmodo XSS - 08/17/2018
IDOR leads to account takeover @s0cket7 - IDOR - 08/16/2018
ICloud.com DOM-Based XSS! #BugBounty Musab Alhussein (@musab_alhussein) Apple DOM XSS $0, HOF 08/14/2018
Another “TicketTrick” story Uranium238 (@uraniumhacker) Uber Logic flaw, TicketTrick - 08/14/2018
XSS at Hubspot and XSS in email areas. Friendly (@SkeletorKeys) Hubspot, [Private program] XSS $450 08/13/2018
Distorted and Undeletable Posts in Facebook Group Sarmad Hassan (@JubaBaghdad) Facebook Authorization flaw, Logic flaw - 08/12/2018
How I Chained 4 Bugs(Features?) into RCE on Amazon Collaboration System Orange Tsai (@orange_8361) Amazon RCE - 08/11/2018
S3 Bucket Misconfiguration in Amazon Divyanshu Shukla Amazon AWS flaw $0 08/11/2018
Adminer Script Results to Pwning Server?, Private Bug Bounty Program Yasho - Authentication bypass - 08/11/2018
Misconfigured JIRA setting - Apigee Tutorgeeks Google, Jira Information disclosure - 08/10/2018
[Twitter Bug Bounty] Misconfigured JSON endpoint on ads.twitter.com lead to Access control issue and Information Disclosure of role privileged users. Peerzada Fawaz Ahmad Qureshi (@zk34911) Twitter Authorization flaw, Information disclosure $280 08/10/2018
Subdomain Takeover: Yet another Starbucks case Patrik Hudak Starbucks Subdomain takeover $2,000 08/09/2018
From TOMCAT to NT AUTHORITY\SYSTEM Rahul R - Default credentials - 08/09/2018
My Disclosed Report about Basic auth Api details at Reverb.com Mohamed Haron (@m7mdharon) Reverb Information disclosure $100 08/09/2018
This is how can I spoof ANY Sentry.Io log infinitely and create fake error-logs Carlos Daniel Giovanella HackerOne, Sentry Logs flooding and falsification $0 08/09/2018
My First Critical Report Miguel Corral (@mcorral74) - Password reset flaw, Account takeover $2,500 08/08/2018
How I hacked a Crypto Exchange (Bug Bounty Writeup) Muhammad Abdullah - IDOR - 08/07/2018
From data leak to account takeover Antony Garand - Account takeover, Information disclosure, Password reset flaw - 08/07/2018
How I gained commit access to Homebrew in 30 minutes Eric Holmes (@vesirin) Homebrew Information disclosure - 08/07/2018
Sending out phishing e-mails from @microsoft.com @si9int Microsoft HTML injection $0 08/07/2018
Unauth meetings access Uranium238 (@uraniumhacker) Google Authorization flaw, Logic flaw - 08/06/2018
Self XSS leads to blind XSS and reflected XSS. Friendly (@SkeletorKeys) - Blind XSS, Reflected XSS $700 08/06/2018
Reflected XSS Primagames.com Friendly (@SkeletorKeys) Prima Games Reflected XSS - 08/06/2018
My First Swag Pack : A Logical Bug on Edmodo Abartan Dhakal Edmodo Logic flaw $0, Swag 08/05/2018
Stored XSS in GameSkinny Friendly (@SkeletorKeys) GameSkinny Stored XSS - 08/03/2018
Blind-XSS in Chrome Experiments - Google (Write Up) Evan Ricafort Google Blind XSS $100 08/03/2018
#BugBounty — @Paytm Customer Information is at risk — India’s largest digital wallet company Avinash Jain (@logicbomb_1) Paytm IDOR - 08/03/2018
Discovering and Exploiting a Vulnerability in Android’s Personal Dictionary (CVE-2018-9375) Daniel Kachakil Google Privilege escalation, Android flaw - 08/01/2018
Exploiting a Microsoft Edge Vulnerability to Steal Files Ziyahan Albeniz Microsoft SOP bypass - 08/01/2018
Shipt Subdomain TakeOver via HeroKu ( test.shipt.com ) Mohamed Haron (@m7mdharon) Shipt Subdomain takeover - 08/01/2018
Disclose Facebook Internal Server Information With A Strange Poll Jane Manchun Wong Facebook Logic flaw - 08/01/2018
CRLF Injection Into PHP’s cURL Options TomNomNom - CRLF injection - 08/01/2018
How I could access your internal servers, steal and modify your image repository PoC || GO - RCE - 07/31/2018
Hacking Imgur for Fun and Profit Nathan (@NathOnSecurity) Imgur Outdated component with a known vulnerability, Information disclosure $5,500 07/29/2018
18th Acknowledgement From Microsoft Muhammad Muhaddis Microsoft IDOR $0, HOF 07/29/2018
Yahoo — Two XSSi vulnerabilities chained to steal user information. ($750 Bounty) Brian Hyde Yahoo XSSI $750 07/29/2018
Microsoft Office 365 Stored XSS @Pethuraj Microsoft Stored XSS $0, HOF 07/29/2018
Making a Blind SQL Injection a Little Less Blind TomNomNom - SQL injection - 07/28/2018
Binary.com ClickJacking Vulnerability — Exploiting HTML5 Security Features Ameer Assadi Binary.com Clickjacking - 07/28/2018
How I found XSS on Amazon? Coding_Karma Amazon XSS $0 07/26/2018
Exfiltration via CSS Injection d0nut - CSS injection - 07/25/2017
SQL Injection and A silly WAF Mahmoud Gamal - SQL injection - 07/25/2017
Exploitation of Server Side Template Injection with Craft CMS plugin SEOmatic <=3.1.3 [CVE-2018-14716] Sebastian (ha.cker.info) Private program, SEOmatic CMS plugin SSTI - 07/24/2018
Vulnerability in Hangouts Chat a.k.a. how Electron makes open redirect great again Michał Bentkowski Google Open redirect $7,500 07/24/2018
Finding hidden gems vol. 1: forging OAuth tokens using discovered client id and client secret Mateusz Olejarka - Information disclosure $3,133.7 07/23/2018
Google Assistant Bug Worth $3133.7 ! Circle Ninja Google Reflective XSS $3,133.7 07/21/2018
RCE due to ShowExceptions Harsh Jaiswal (@rootxharsh) - RCE $5,000 07/20/2018
Into the Borg – SSRF inside Google production network Enguerran Gillier Google SSRF $13,337 07/20/2018
The call is coming from inside the house — DNS rebinding in EOSIO keosd wallet François Proulx EOSIO DNS rebinding - 07/19/2018
RCE on Yahoo Luminate Rojan Rijal Yahoo RCE - 07/19/2018
How I was able to delete 13k+ Microsoft Translator projects Haider Mahmood Microsoft CSRF, IDOR $0 07/19/2018
Hey Developer, Give me your API keys.!! Devansh batham Crowdin Information disclosure Swag, HoF 07/18/2018
Bypass Admin approval, Mute Member and Posting Permissions for Only admins in Facebook groups Sarmad Hassan (@JubaBaghdad) Facebook Authorization flaw, Logic flaw - 07/18/2018
Hacking thousands of companies through their helpdesk Khaled Hassan - Account takeover, DoS, Logic flaw - 07/17/2018
CVE-2018-13784: PrestaShop 1.6.x Privilege Escalation Charles Fol (Ambionics Security) PrestaShop Privilege escalation, Session flaw - 07/16/2018
WRITE UP – TELEGRAM BUG BOUNTY – WHATSAPP N/A [“Blind” XSS Stored iOS in messengers twins, who really care about your security?] @omespino Facebook Blind Stored XSS - 07/16/2018
Attacking PostgreSQL Database Vishnuraj KV - Bruteforce, Weak credentials - 07/16/2018
Bug Bounty at Bangladeshi Site. Shaifullah Shaon - SQL injection BDT 10,000 (~ $120) 07/15/2018
Should this be public though? Rojan Rijal Shopify, Uber Information disclosure $500 07/13/2018
XSS in Microsoft subdomain Sudhanshu Raj Microsoft XSS - 07/13/2018
Freelancer.com Bad Design (Full disclosure) @si9int Freelancer Logic flaw $0 07/13/2018
Freelancer.com XSS (Full disclosure) @si9int Freelancer XSS $0 07/13/2018
Freelancer.com Text Injection (Full disclosure) @si9int Freelancer Text injection $0 07/13/2018
The tradeRifle Vulnerability Identified in LBank Mobile Service (CVE-2018-13363) PeckShield LBank MiTM - 07/12/2018
Gsuite Hangouts Chat 5k IDOR Cam (@SecretlyHidden1) Google IDOR $5,000 07/10/2018
Persistent XSS at AH.nl Jonathan Bouman (@JonathanBouman) AH.nl Stored XSS $200 07/09/2018
#BugBounty - Compromising User Account- “How I was able to compromise user account via HTTP Parameter Pollution(HPP)” Avinash Jain (@logicbomb_1) - HTTP Parameter Pollution, Password reset flaw, Account takeover - 07/07/2018
Server Side Request Forgery on Vanilla Forums Vikash Chaudhary Vanilla Forums SSRF - 07/07/2018
Latex to RCE, Private Bug Bounty Program Yasho - RCE - 07/06/2018
Buffer Overflow-WhatsApp[Bypass] Pratheesh P Narayanan Facebook Buffer Overflow, DoS $500 07/06/2018
The $12,000 Intersection between Clickjacking, XSS, and Denial of Service Sam Curry Bustabit Clickjacking, XSS, DoS $12,000 07/04/2018
Chaining Multiple Vulnerabilities to Gain Admin Access Ben Sadeghipour - IDOR, Account takeover - 07/02/2018
Hacking OKEx/OKCoin for Fun and No Profit! E-ARMY [ justice ] OKEx, OKCoin Information disclosure $0 07/01/2018
Bug Bounty: Tumblr reCAPTCHA vulnerability write up Leigh-Anne Galloway Tumblr reCAPTCHA bypass, email enumeration, username enumeration - 06/29/2018
Authentication bypass in Cisco Meraki takemyhand Cisco Meraki Authentication bypass - 06/29/2018
3133.70$ for RCE on *.withgoogle.com subdomain E-ARMY [ justice ] Google RCE $3,133.70 06/28/2018
12k$ for simple path traversal on http://web.whatsapp.com E-ARMY [ justice ] Facebook Path traversal $12,000 06/28/2018
This popular Facebook app publicly exposed your data for years Inti De Ceukelaire Facebook, Nametests.com Information disclosure, Authorization flaw $4,000 06/28/2018
Take Advantage of Out-of-Scope Domains in Bug Bounty Programs Abdullah Hussam (@Abdulahhusam) - XSS $1,250 06/27/2018
How re-signing up for an account lead to account takeover @zseano - Logic flaw, Account takeover - 06/26/2018
Subdomain Takeover: Starbucks points to Azure Patrik Hudak Starbucks Subdomain takeover $2,000 06/25/2018
Account Take over via reset password Yasser Gersy (@yassergersy) - Password reset flaw, Account takeover $1,500 06/25/2018
How I got access to local AWS info via Jira Coen Goedegebure - SSRF - 06/24/2018
Fastest Fix on Open Bug Bounty Platform Wen Bin KONG Kevag Telekom GmbH Reflected XSS, CSRF - 06/24/2018
How I hacked Apple.com (Unrestricted File Upload) Jonathan Bouman (@JonathanBouman) Apple Unrestricted file upload - 06/22/2018
XSS in Google Colaboratory + CSP bypass Michał Bentkowski Google XSS, CSP bypass - 06/21/2018
Using a GitHub app to escalate to an organization owner for a $10,000 bounty Tanner Github Authorization flaw, IDOR $10,000 06/20/2018
Setting arbitrary request headers in Chromium via CRLF injection Michał Bentkowski Google CRLF injection - 06/20/2018
I discovered a browser bug Jake Archibald Mozilla, Microsoft Browser bug, Range requests flaw - 06/20/2018
[Responsible disclosure] How I could have booked movie tickets through other user accounts Bharathvaj Ganesan AGS Cinemas Password reset flaw, Account takeover, Bruteforce, OTP bypass - 06/18/2018
How i found blind XSS in Apple Taha Smily Apple Blind XSS - 06/18/2018
Reflected Client XSS at Amazon.com Jonathan Bouman (@JonathanBouman) Amazon Reflected XSS $0 06/15/2018
Yay! 3133.70$ for RCE on *.withgoogle.com subdomain. lalka Google RCE $3,133.70 06/15/2018
Password reset to full account takeover Hamza Bettache - Password reset flaw, Account takeover - 06/15/2018
Reflected XSS in 360totalsecurity Taha Smily 360totalsecurity Reflected XSS - 06/14/2018
The 2.5 BTC Stored XSS Khaled Hassan - Stored XSS 2.5 BTC 06/13/2018
How I got paid premium plan for free on many popular websites Khaled Hassan - Logic flaw - 06/13/2018
Vulnerability Netflix (cross-site-scripting) XSS Bada Diaz (@bada77) Netflix Reflected XSS - 06/13/2018
Unvalidated Open Redirect Bol.com Jonathan Bouman (@JonathanBouman) bol.com Open redirect $100 in gift cards 06/12/2018
Full account Takeover via reset password function Khaled Hassan - IDOR, Account takeover, Password reset flaw $1,250 06/12/2018
Server-Side Spreadsheet Injection – Formula Injection to Remote Code Execution Jake Miller Google CSV injection, Server side spreadsheet injection, Formula injection, RCE - 06/11/2018
How I Found CVE-2018-8819: Out-of-Band (OOB) XXE in WebCTRL Darrell Damstedt - XXE $0 06/11/2018
[PayPal BBP] I could’ve deleted All SMC messages. Using Brute-Force technique. Ayoub Ait Elmokhtar Paypal CSRF - 06/10/2018
Steam, Fire, and Paste – A Story of UXSS via DOM-XSS & Clickjacking in Steam Inventory Helper Matthew Bryan Steam Inventory Helper Chrome extension DOM XSS, Clickjacking - 06/08/2018
How I was able to list some internal information from PayPal #BugBounty Adrien Jeanneau Paypal Expression Language Injection (JSTL), Information disclosure $0 06/07/2018
How I found XSS via SSRF vulnerability -Adesh Kolte Adesh Kolte (@AdeshKolte) CERT-EU, Motorola, Stanford SSRF, XSS $750 06/07/2018
#BugBounty —” Database hacked of India’s Popular Sports company”-Bypassing Host Header to SQL injection to dumping Database — An unusual case of SQL injection. Avinash Jain (@logicbomb_1) - SQL injection - 06/06/2018
Zero to Account Takeover: How I ‘Impersonated’ Someone Else Using Auth0 Daniel Svartman OAuth Logic flaw - 06/05/2018
Searching for XSS found LDAP injection Davide Tampellini - LDAP injection - 06/05/2018
Are you sure this is a trusted email? Khaled hassan - Open mail relay $900 06/05/2018
Reading Your Emails With A Read&Write Chrome Extension Same Origin Policy Bypass (~8 Million Users Affected) Matthew Bryan Read&Write Chrome extension SOP bypass - 06/05/2018
How I Hacked Fotor & Got “Nothing” Somdev Sangwan (D3v) Fotor SSRF, RFI $0 06/03/2018
Getting PHP Code Execution and leverage access to panels,databases,server Shawar Khan - Code execution - 06/01/2018
How i converted SSRF to XSS in Jira. Ashish Kunwar (@D0rkerDevil) - SSRF, XSS $50 06/01/2018
How I Earned $750 Bounty Reward From AT&T bug Bounty -Adesh Kolte Adesh Kolte (@AdeshKolte) AT&T RCE, Clickjacking, XSS, Same Origin Method Execution $750 06/01/2018
#Bug Bounty — How I booked a rental house for just 1.00 INR — Price Manipulation in Citrus Pay Raghavendra Reddy - Parameter tampering - 05/31/2018
Reflected XSS in Yahoo Subdomain ( hk.movies.yahoo.com ) Mohamed Haron (@m7mdharon) Yahoo! Reflected XSS - 05/30/2018
5k$ for path traversal on *.paypal-corp.com subdomain lalka Paypal Path traversal $5,000 05/30/2018
Account Takeover and Blind XSS! Go Pro, get Bugs! Tabahi - IDOR, Stored XSS, Account takeover, Blind XSS $3,500 05/30/2018
How I found 5 store XSS on a private program. Each worth “1,016.66$” Shahzad Sadiq - Stored XSS $5,083.3 05/30/2018
How I got hall of fame in two fortune 500 companies — An RCE story… Alfie - RCE - 05/29/2018
How i was able to get admin panel on a private program Shahzad Sadiq - Weak credentials $1,500 05/29/2018
reCAPTCHA bypass via HTTP Parameter Pollution Andres Riancho Google HTTP parameter pollution, reCAPTCHA bypass $500 05/28/2018
Persistent XSS to Steal Passwords – Paypal Akhil Reni Paypal Stored XSS - 05/26/2018
Simple IDOR to reject a to-be users invitation via their notification Abss TBH WePay IDOR - 05/24/2018
How I was able to see any private album passwrod in Picturepush — IDOR Murtada Kamil PicturePush IDOR - 05/23/2018
#BugBounty — ”How I was able to hack any user account via password reset?” Bikash Gupta - IDOR, Account takeover, Password reset flaw - 05/23/2018
RCE by uploading a web.config 003random - RCE - 05/22/2018
AWS Security Flaw which can grant admin access! Sharath AV Amazon Authorization flaw - 05/22/2018
Getting read access on Edmodo Production Server by exploiting SSRF Shawar Khan Edmodo SSRF - 05/21/2018
Self-XSS + CSRF to Stored XSS Renwa - Self XSS, CSRF, Stored XSS - 05/20/2018
$36k Google App Engine RCE Ezequiel Pereira Google RCE $36,337 05/20/2018
Fastest Fix on Open Bug Bounty Platform Wen Bin KONG Kevag Telekom GmbH XSS, CSRF - 05/19/2018
How i got 100$ from one private website Aayush Pokhrel - Information disclosure $100 05/19/2018
How i HACKED admin account via password reset IDOR function of one private currency exchanger site Aayush Pokhrel - IDOR, Password reset flaw, Account takeover - 05/19/2018
Stored XSS in Yahoo and all subdomains! Hakim Bencella Microsoft Stored XSS $1,500 05/19/2018
Xss in Microsoft hacker_eth Microsoft XSS - 05/18/2018
How I was able to get subscription of $120/year For Free Muhammad Khizer Javed / babayaga47 (@khizer_javed47) wetransfer.com Payment bypass $500 05/18/2018
Whatsapp- DOS vulnerability on Android/iOS/Web Pratheesh P Narayanan Facebook DoS $500 05/15/2018
HSTS Bypass Vulnerability in IE Preview Xiaoyin Liu Microsoft HSTS bypass $0 05/15/2018
How I used a simple Google query to mine passwords from dozens of public Trello boards Kushagra Pathak Trello Authorization flaw, Information disclosure $0 05/09/2018
Internet Safety for Kids & Families — Trend Micro Bypass DOM XSS Honc (@honcbb) Trend Micro DOM XSS $0, HoF 05/08/2018
Asus Control Center – An Information Disclosure and a database connection Clear-Text password leakage Vulnerability Mohamed A. Baset Asus Authorization flaw, Information disclosure - 05/08/2018
Ubisoft | Blind XSS to customer support panel takeover Hx01 Ubisoft Blind XSS - 05/06/2018
A Five Minute SQL-I Ashish Jha - SQL injection - 05/06/2018
How I Got Paid $0 From the India’s largest online gifting portal — Bug Bounty Program Hariom Vashisth - Price manipulation, Parameter tampering $0 05/05/2018
$4500 bounty - How I got lucky Eray Mitrani - Subdomain takeover $4,500 05/03/2018
Disclose Private Video Thumbnail from Facebook WorkPlace Sarmad Hassan (@JubaBaghdad) Facebook IDOR $3,000 05/03/2018
Multiple security vulnerabilities in domains belonging to Google Sysdreams Google Broken access control, Directory traversal, Stored XSS - 04/30/2018
How I found 2.9 RCE at Yahoo! Bug Bounty program Kedrisec Yahoo RCE - 04/30/2018
#BugBounty — How I was able to bypass firewall to get RCE and then went from server shell to get root user account! Avinash Jain (@logicbomb_1) - RCE - 04/29/2018
Stored XSS in Yahoo! Shahzada AL Shahriar Khan Yahoo Stored XSS $2,000 04/27/2018
How I earned 60K+ from private program Siva Krishna Samireddi - Open redirect, subdomain takeover, XSS, HTTP parameter pollution 60,000 INR (approx. $880) 04/25/2018
The Unknown Hero-App Logic Bugs Circle Ninja Canva Logic flaw - 04/25/2018
XSS “403 forbidden” bypass write up Nur A Alam Dipu - XSS - 04/25/2018
DOM XSS in Google VRView library Federico Fazzi Google DOM XSS $3,133.7 04/23/2018
Three Cases, Three Open Redirect Bypasses Mohammed Eldeeb (@malcolmx0x) - Open redirect - 04/22/2017
Turning Self-XSS into non-Self Stored-XSS via Authorization Issue at “PayPal Tech-Support and Brand Central Portal YoKo Kho Paypal Stored XSS - 04/21/2018
Mangobaaz hacked | XSS to credentials exposure to pwn Hx01 MangoBaaz Reflected XSS $0 04/19/2018
#BugBounty — ”Journey from LFI to RCE!!!”-How I was able to get the same in one of the India’s popular property buy/sell company. Avinash Jain (@logicbomb_1) - LFI, RCE - 04/19/2018
Bypassing the Current Password Protection at PayPal TechSupport Portal YoKo Kho Paypal Authorization flaw, Account takeover - 04/19/2018
Ribose — IDOR with Simple CSRF Bypass — Unrestricted Changes and Deletion to other Photo Profile YoKo Kho Ribose IDOR - 04/18/2018
How I Get the Name of the Hotel (and other Data) that you ever Stay - Personal Data Leaks: Private Bug Bounty Program YoKo Kho - IDOR - 04/18/2018
From an error message to DB disclosure Yumi - Hardcoded credentials - 04/17/2018
Spoof an user to create a description of a group in Flickr Samuel (@saamux) Yahoo (Flickr) IDOR - 04/16/2018
Bypassing Captcha Like a Boss Ak1T4 - Captcha bypass $xxx 04/16/2018
#SecurityBreach — ”How I was able to book hotel room for 1.50₹!” Hariom Vashisth - CORS flaw - 04/15/2018
Bypass CSP by Abusing XSS Filter in Edge Xiaoyin Liu Microsoft CSP bypass $1,500 04/15/2018
How I hacked companies related to the crypto currency and earned $60,000 Max (@iSecMax) okex.com, livecoin.net, [private program] Authorization flaw, CSRF, IDOR, Stored XSS, HTML injection $59,400 04/14/2018
How I bypassed Ebay process on redirect Mohamed Sayed (@FlEx0Geek) Ebay Open redirect $0 04/13/2018
Hijacking User’s Private Information access_token from Microsoft Office360 facebook App Mohamed A. Baset Microsoft Logic flaw $0 04/13/2018
Please email me your password Jasmin Laundry - Blind XSS, Blind SQL injection, SMTP header injection, Account takeover - 04/11/2018
How I broke into Google Issue Tracker Abhishek Bundela (@abhibundela) Google Logic flaw, Authorization flaw $0 04/10/2018
Source Code Analysis in YSurvey — Luminate bug Rojan Rijal Yahoo Authentication bypass, Authorization flaw, SQL injection - 04/10/2018
Piercing the veil: Server Side Request Forgery to NIPRNet access Alyssa Herrera (@Alyssa_Herrera_) DoD SSRF - 04/09/2018
Stealing HttpOnly Cookie via XSS Yasser Gersy (@yassergersy) - XSS - 04/08/2018
Reflected XSS on www.zomato.com By Mustafa Hasan Mohamed Haron (@m7mdharon) Zomato Reflected XSS $100 04/07/2018
“Exploiting a Single Parameter” Hisham Mir (@Hishammir1) - SSRF, XSS $2,500 04/06/2018
Link injection on 2 Twitter Subdomain Mohamed Haron (@m7mdharon) Twitter Link injection $280 04/01/2018
Avinash Jain (@logicbomb_1) - IDOR - 04/05/2018
How I caught Multiple vulnerabilities in Udemy.com, But not rewarded for serious XSS vulnerability :( Satyendra Shrivastava Udemy XSS, HTML injection - 04/05/2018
Directory Listing To Sensitive Files Exposure Hx01 - Directory listing - 04/04/2018
My Best Small Report Bounty Report in Private Program ( Django REST framework Admin Login ByPass ) Mohamed Haron (@m7mdharon) - SQL injection, Auth bypass, Account takeover $2,000 04/01/2018
XSS in Yahoo Subdomain Mohamed Haron (@m7mdharon) Yahoo! Flash XSS $600 03/31/2018
XSS In sports.tw.campaign.yahoo.net Mohamed Haron (@m7mdharon) Yahoo! Reflected XSS - 03/31/2018
How I hacked one cryptocurrency service Valeriy Shevchenko PayKassa Blind XSS, Reflected XSS, CSRF $300 03/31/2018
How I Could Have Promoted Any Facebook Page For Free. Anees Khan Facebook Logic flaw $0 03/30/2018
View Insights for Any Facebook Marketplace Product Jane Manchun Wong Facebook Authorization flaw - 03/29/2018
Creating Test Conversion using any App Joshua Regio Facebook Web parameter tampering $3,000 03/27/2018
Google bug bounty for security exploit that influences search results Tom Anthony Google Logic flaw $5,000 03/27/2018
Reflected XSS Moogaloop SWF ( Version < 6.2.x ) Mohamed Haron (@m7mdharon) Vimeo Flash XSS, Reflected XSS - 03/26/2018
Misconfiguration of Demographics Privacy in a Page Mark Christian Deduyo Facebook Logic flaw $750 03/26/2018
#BugBounty — Rewarded by securing vulnerabilities in Bookmyshow (India’s largest online movie & event booking portal) Avinash Jain (@logicbomb_1) BookMyShow Host header attack, IDOR - 03/25/2018
Hacking Oracle in 5 Minutes Rahul R Oracle Directory listing - 03/25/2018
Google adwords 3133.7$ Stored XSS Emad Shanab Google Stored XSS $3,133.7 03/21/2018
Leaking WordPress CSRF Tokens for Fun, $1337 bounty, and CVE-2017-5489 Abdullah Hussam (@Abdulahhusam) Wordpress CSRF $1337 03/15/2018
#BugBounty — “Let me reset your password and login into your account “-How I was able to Compromise any User Account via Reset Password Functionality Avinash Jain (@logicbomb_1) - Logic flaw, Password reset flaw, Account takeover - 03/14/2018
Dox Facebook Employees Behind “Did You Know” Questions Jane Manchun Wong Facebook Information disclosure - 03/13/2018
Union Based Sql injection Write up ->A private Company Site Nur A Alam Dipu - SQL injection - 03/12/2018
How I hacked 74k users of a website. Utkarsh Agrawal - Authorization flaw - 03/11/2018
Getting any Facebook user’s friend list and partial payment card details Josip Franjkovic Facebook Information disclosure, IDOR - 03/09/2018
Stored XSS, and SSRF in Google using the Dataset Publishing Language Craig Arendt (@signalchaos) Google Stored XSS, SSRF $18,337 03/07/2018
Clickjackings in Google worth 12644.7$ Raushan Raj (@raushan_rajj) Google Clickjacking $12,644.7 03/06/2018
Facebook Bug Bounty Reports Raushan Raj (@raushan_rajj) Facebook Authorization flaw, Logic flaw, Information disclosure $6,000 03/06/2018
#BugBounty — How I could book cab using your wallet money in India’s largest auto transportation company! Avinash Jain (@logicbomb_1) - OTP bypass - 03/05/2018
How I found A Surprising XSS Vulnerability on Oracle NetSuite ? Circle Ninja Oracle XSS - 03/02/2018
The 2.5mins or 2.5k$ hawk-eye bug – A Facebook Pages Admins Disclosure Vulnerability! Mohamed A. Baset Facebook Information disclosure $2,500 02/25/2018
Re-dressing Instagram – Leaking Application Tokens via Instagram ClickJacking Vulnerability! Mohamed A. Baset Facebook Clickjacking - 02/25/2018
How i Hacked into a bugcrowd. public program Vishnuraj KV - RCE - 02/25/2018
#BugBounty — API keys leakage, Source code disclosure in India’s largest e-commerce health care company. Avinash Jain (@logicbomb_1) - Path traversal - 02/25/2018
How I was able to delete any image in Facebook community question forum Sarmad Hassan (@JubaBaghdad) Facebook IDOR $1500 02/24/2018
Bypassing Google’s authentication to access their Internal Admin panels Vishnu Prasad P G Google Authentication bypass $13,337 02/24/2018
The Fuzz…The Bug..The Action – A Race Condition bug in Facebook Chat Groups leads to spy on conversations! Seif Elsallamy Facebook Race condition - 02/23/2018
Modifying any Ad Space and Placement Joshua Regio Facebook IDOR - 02/22/2018
POODLE SSLv3 bug on multiple twitter smtp servers @omespino Twitter Cryptographic issues $280 02/21/2018
Google bugs stories and the shiny pixelbook. Missoum Said (@missoum1307) Google DOM XSS, Stored XSS, Logic flaw, Reflected XSS, CSRF $6,250 02/20/2018
How I hacked Tinder accounts using Facebook’s Account Kit and earned $6,250 in bounties Anand Prakash (@sehacure) Tinder, Facebook Account takeover, Authorization flaw $6,250 02/20/2018
Exploiting CORS Miss configuration using XSS Noman Shaikh - CORS misconfiguration - 02/18/2018
#BugBounty — Exploiting CRLF Injection can lands into a nice bounty Avinash Jain (@logicbomb_1) - CRLF injection $250 02/17/2018
How I was able to remotely crash any android user’s instagram app and was paid a mere 500$ for it. Waleed Ahmed Facebook Android, DoS $500 02/15/2018
#BugBounty — “How I was able to shop for free!”- Payment Price Manipulation Avinash Jain (@logicbomb_1) - Web parameter tampering / Price manipulation - 02/11/2018
Oracle Cross Site Scripting Vulnerability -Adesh Kolte Adesh Kolte (@AdeshKolte) Oracle Reflected XSS - 02/10/2018
Stored XSS on Snapchat Mrityunjoy Snapchat Stored XSS - 02/09/2018
I figured out a way to hack any of Facebook’s 2 billion accounts, and they paid me a $15,000 bounty for it Anand Prakash (@sehacure) Facebook Bruteforce, Account takeover $15,000 02/09/2018
Taking over Facebook accounts using Free Basics partner portal Josip Franjkovic Facebook Information disclosure, IDOR - 02/07/2018
How I gained access to Sony’s database Rahul R Sony - $0 02/06/2018
SQL injection with load file and into outfile NoGe - SQL injection $750 02/05/2018
How I found IDOR on Twitter’s Acquisition – Mopub.com janijay007 Twitter IDOR - 02/05/2018
Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART-1) Mohammed Abdul Raheem - IDOR $3000 02/04/2018
#BugBounty — ”I don’t need your current password to login into your account” - How could I completely takeover any user’s account in an online classified ads company. Avinash Jain (@logicbomb_1) - Authentication bypass - 02/03/2018
Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART 2) Mohammed Abdul Raheem - IDOR $3000 02/03/2018
Internal IPs disclosure @omespino Nokia Internal IP disclosure - 02/02/2018
How I was able to Bypass XSS Protection on HackerOne’s Private Program janijay007 - XSS - 02/02/2018
Getting access to prompt debug dialog and serialized tool on main website facebook.com @omespino Facebook Debug info disclosure - 01/31/2018
How I was able to Download Any file from Web server! hammadhassan924 - XSS, IDOR $450 01/27/2018
How I got 22000$ worth ethereum Shubham Gupta - Blind XSS ~22,000 Ethereum 01/26/2018
JSON CSRF attack on a Social Networking Site[Hackerone Platform] Sahil Tikoo (@viperbluff) Badoo CSRF $280 01/26/2018
Here’s how I could’ve ridden for free with Uber Anand Prakash (@sehacure) Uber Logic flaw $5,000 01/26/2018
Full Account Takeover through CORS with connection Sockets Samuel (@saamux) - CORS misconfiguration, Account takeover - 01/25/2018
[Yahoo Bug Bounty] Unauthorized Access to Unisphere Management Server Debugging Facility on https://bf1-uaddbcx-002.data.bf1.yahoo.com/Debug/ Peerzada Fawaz Ahmad Qureshi (@zk34911) Yahoo Authorization flaw $300 01/25/2018
No RCE? Then SSH to the box! Jasmin Laundry - LFI, Directory traversal, RCE - 01/25/2018
Reflected XSS + Possible Server Side Template Injection in HubSpot CMS ( All Websites Uses HubSpot was affected ) Mohamed Haron (@m7mdharon) Hubspot Reflected XSS - 01/24/2018
#BugBounty @ Linkedln-How I was able to bypass Open Redirection Protection Avinash Jain (@logicbomb_1) LinkedIn Open redirect - 01/24/2018
Asus Cross Site Scrpting And Directory Listing Vulnerability Adesh Kolte (@AdeshKolte) Asus Directory listing, XSS - 01/23/2018
File Disclosure via .DS_Store file (macOS) @omespino Facebook Directory listing - 01/23/2018
Internshala Bug in Internshala Student Partner Circle Ninja Internshala Bruteforce $0 01/20/2018
Reflected File Download ( RFD ) in www.Google.com Mohamed Haron (@m7mdharon) Google Reflected File Download $0 01/18/2018
$1800 in less than an hour. @yappare Indeed CSRF, XSS $1,800 01/17/2018
Reflected XSS via AngularJS Template Injection Taha Ibrahim Draidia Hostinger Reflected XSS - 01/17/2018
#BugBounty — AWS S3 added to my “Bucket” list! Avinash Jain (@logicbomb_1) - AWS flaws - 01/16/2018
View the bug subscriptions for any Oculus User Philippe Harewood Facebook IDOR - 01/15/2018
Hacking Facebook accounts using CSRF in Oculus-Facebook integration Josip Franjkovic Facebook CSRF - 01/15/2018
#BugBounty — How I was able to delete anyone’s account in an Online Car Rental Company Avinash Jain (@logicbomb_1) - CSRF, Web parameter tampering - 01/14/2018
Google Tez XSS @Pethuraj Google XSS $3,133.7 01/13/2018
#BugBounty — How I was able to read chat of users in an Online travel portal Avinash Jain (@logicbomb_1) - IDOR - 01/10/2018
RCE Vulnerabilite in Yahoo Subdomain! ( Yahoo! RCE via Spring Engine SSTI ) By tghawkins Mohamed Haron (@m7mdharon) Yahoo! RCE $8,000 01/05/2018
Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART-1) Mohammed Abdul Raheem - IDOR $3,000 02/04/2018
“F**k you Thomas” - ToyTalk bug bounty writeup Jahmel Harris ToyTalk Authentication bypass, HTML injection - 01/04/2018
Abusing internal API to achieve IDOR in New Relic Jon Bottarini New Relic IDOR $1000 01/02/2018


Bug bounty writeups published in 2017

Title & URL Author Bug bounty program Vulnerability Reward $$$ Publication date
Stealing $10,000 Yahoo Cookies! Tabahi Yahoo CORS flaw $10,000 12/30/2017
Jumping to the hell with 10 attempts to bypass devil’s WAF Ak1T4 - XSS - 12/27/2017
Microsoft SharePoint’s ‘Follow’ Feature XSS (CVE-2017–8514) -Adesh Kolte Adesh Kolte (@AdeshKolte) Microsoft XSS - 12/21/2017
Account Takeover Due to Misconfigured Login with Facebook/Google Bhavuk Jain (@bhavukjain1) Google, Facebook Account takeover, Authorization flaw - 12/20/2017
P4 to P2 - The story of one blind SSRF Mikhail Klyuchnikov (@Mn1) - Blind SSRF - 12/19/2017
Unrestricted File Upload to RCE | Bug Bounty POC Muhammad Khizer Javed / babayaga47 (@khizer_javed47) Facebook RCE - 12/19/2017
Don’t Trust the Host Header for Sending Password Reset Emails Jack Cable Mavenlink Password reset flaw, Account takeover $1,500 12/13/2017
How I was able to takeover Facebook account Ameer Hamza Facebook Authentication bypass $0 12/10/2017
Using App Ads Helper as an Analytic User Joshua Regio Facebook Authorization flaw $500 12/09/2017
Bug Bounty: Fastmail Brian Hyde Fastmail Read-only access to private server files, Blind SSRF/Blind XXE $3000 12/08/2017
How I Was Able To See The Bounty Balance Of Any Bug Bounty Program In HackerOne Cj Legacion Hackerone Logic flaw $0 12/06/2017
Getting a RCE — CTF Way Uranium238 (@uraniumhacker) - RCE - 12/05/2017
DEV XSS Protection bypass made my quickest bounty ever!! Yeasir Arafat - XSS $150 12/03/2017
LFI to Command Execution: Deutche Telekom Bug Bounty Daniel Maksimovic Deutche Telekom LFI, RCE - 11/30/2017
Image removal vulnerability in Facebook polling feature Pouya Darabi (@Pouyadarabi) Facebook IDOR $10,000 11/25/2017
Story of bypassing Referer Header to make open redirect Mohammed Eldeeb (@malcolmx0x) - Open redirect - 11/22/2017
Taking note: XSS to RCE in the Simplenote Electron client Yasin Soliman (@SecurityYasin) Automattic XSS, RCE - 11/22/2017
Amazon Bypass Open Redirect Honc (@honcbb) Amazon Open redirect - 11/19/2017
VMware Official VCDX Reflected XSS Honc (@honcbb) VMware Reflected XSS - 11/19/2017
UBER Wildcard Subdomain Takeover | BugBounty POC Muhammad Khizer Javed / babayaga47 (@khizer_javed47) Uber Subdomain takeover - 11/20/2017
Account Take Over Vulnerability in Google acquisition [Famebit] Hassan Khan Yusufzai Google CSRF - 11/17/2017
Transforming a Domain into the Matrix (an open redirect story) Ak1T4 - Open redirect - 11/17/2017
Why I walked away from $30,000 of DJI bounty money Kevin Finisterre DJI AWS flaw $0 11/16/2017
SQL in everywhere. Utkarsh Agrawal - SQL injection $0 11/16/2017
Bypassing Crossdomain Policy and Hit Hundreds of Top Alexa Sites Ak1T4 - CSRF - 11/16/2017
How signing up for an account with an @company.com email can have unexpected results @zseano - Logic flaw - 11/15/2017
How I Pwned a company using IDOR & Blind XSS Osama Ansari - IDOR, Blind XSS - 11/15/2017
Stealing bitcoin wallet backups from blockchain.info Shashank Blockchain.info Logic flaw $1,600 11/11/2017
How to delete all company progress by one “rm” command in AWS s3 Buckets Valeriy Shevchenko - AWS flaw $0 11/09/2017
Local File Read via XSS in Dynamically Generated PDF Rahul Maini - XSS, LFI - 11/08/2017
From SSRF to Local File Disclosure Tung Pun - SSRF, Local File Disclosure $0 11/08/2017
Get your Microsoft account hijacked by simply clicking connect button -Adesh Kolte Adesh Kolte (@AdeshKolte) Microsoft Stored XSS - 11/06/2017
Open redirect in informatica (BugBounty) Vulnerables Informatica Open redirect - 11/06/2017
Multiple Intel Vulnerabilities-Adesh Kolte Adesh Kolte (@AdeshKolte) Intel Open redirect, Directory listing - 11/05/2017
Non-persistent XSS at Microsoft -Adesh Kolte Adesh Kolte (@AdeshKolte) Microsoft Reflected XSS - 11/05/2017
CRLF injection in blockchain.info Shashank Blockchain.info CRLF injection $1,600 11/05/2017
Accessing Localhost via Vhost Muhammad Khizer Javed / babayaga47 (@khizer_javed47) - vhost flaw - 11/04/2017
Accessing Localhost via Vhost | VIRTUAL HOST ENUMERATION | BugBounty POC Muhammad Khizer Javed / babayaga47 (@khizer_javed47) - vHost enumeration - 11/04/2017
[Facebook Bug Bounty] How I was able to enumerate Instagram Accounts who had enabled 2FA (Two Step Verification) for additional protection Peerzada Fawaz Ahmad Qureshi (@zk34911) Facebook Logic flaw $500 11/03/2017
App Maker and Colaboratory: a stored Google XSS double-bill Yasin Soliman (@SecurityYasin) Google Stored XSS - 11/01/2017
How I hacked Google’s bug tracking system itself for $15,600 in bounties Alex Birsan Google Logic flaws $15,600 10/30/2017
Abusing new Claps feature in Medium Sai Krishna Kothapalli Medium IDOR $0 10/29/2017
How i found an SSRF in Yahoo! Guesthouse (Recon Wins) Th3G3nt3lman Yahoo SSRF - 10/20/2017
Taking over every Ad on OLX (automated), an IDOR story Roderick Schaefer OLX IDOR - 10/18/2017
Sensitive data exposure by requesting a resource with a different content type Yogendra Jaiswal (Vulnholic) - Information disclosure - 10/17/2017
How I hacked all the [REDACT] Agents accounts Neeraj Sonaniya - Default credentials $100 10/17/2017
Reading Internal Files using SSRF vulnerability Neeraj Sonaniya - SSRF - 10/16/2017
DOM XSS – auth.uber.com StamOne_ Uber DOM XSS - 10/14/2017
How I was Able to see someone’s all private files with a single file share link through Atom feed & Never Give Up #togetherwehitharder HackerOne Yogendra Jaiswal (Vulnholic) - Information disclosure - 10/13/2017
Leaking Amazon.com CSRF Tokens Using Service Worker API Abdullah Hussam (@Abdulahhusam) Amazon CSRF $0 10/11/2017
Bugcrowd’s Domain & Subdomain Takeover vulnerability! Muhammad Khizer Javed / babayaga47 (@khizer_javed47) Bugcrowd Subdomain takeover $600 10/10/2017
Exploiting Insecure Cross Origin Resource Sharing ( CORS ) | api.artsy.net Muhammad Khizer Javed / babayaga47 (@khizer_javed47) Artsy CORS flaw - 10/10/2017
Subdomain Takeover Through Expired Cloudfront Distribution Muhammad Khizer Javed / babayaga47 (@khizer_javed47) Lamborghini Subdomain takeover - 10/10/2017
Facebook GraphQL CSRF Philippe Harewood Facebook CSRF $7,500 10/08/2017
How I Was Able To View Private Tweets Of Any Private Twitter Account Cj Legacion Twitter IDOR - 10/06/2017
How I could have mass uploaded from every Flickr account! Jazzy (@ret2got) Yahoo Bruteforce $4,000 10/05/2017
Device Authorization Bypass! Hassan Khan Yusufzai - Authorization flaw - 09/25/2017
Filter Bypass to Reflected XSS on https://finance.yahoo.com (mobile version) Samuel (@saamux) Yahoo Reflected XSS - 09/24/2017
900$ XSS in yahoo ( Recon Wins ) Th3G3nt3lman Yahoo XSS $900 09/24/2017
How i bypassed Practo’s firewall and triggered a XSS. Vipin Chaudhary Practo XSS - 09/23/2017
IDOR – Execute JavaScript into anyone account Shubham Gupta Terapeak IDOR, Stored XSS - 09/21/2017
Stored XSS to Full Information disclosure Shubham Gupta Terapeak Stored XSS $750 09/21/2017
Luminate Internal Privilege Escalation — Admin to Owner Rojan Rijal Yahoo Authorization flaw - 09/21/2017
All About Hackerone Private Program Terapeak Shubham Gupta Terapeak IDOR, Reflected XSS $0 09/20/2017
This domain is my domain — G Suite A record vulnerability Rojan Rijal Google Domain takeover - 09/20/2017
Multiple vulnerabilities in Oracle EBS Shubham Gupta - SQL injection, XXE, XSS - 09/19/2017
First bounty, time to step up my game Roderick Schaefer - SOME - 09/19/2017
Exploiting a Single Request for Multiple Vulnerabilities Osama Ansari - Stored XSS, Reflected XSS, SSRF, Command injection - 09/19/2017
Story of a Parameter Specific XSS! Rahul Maini - XSS - 09/19/2017
Chaining Self XSS with UI Redressing is Leading to Session Hijacking (PWN users like a boss) Armaan Pathan - Self XSS, Clickjacking - 09/18/2017
[Stored XSS] with arbitrary cookie installation Arbaz Hussain - XSS - 09/17/2017
How I hacked hundreds of companies through their helpdesk Inti De Ceukelaire Gitlab, Slack, Yammer, Kayako, Zendesk & more Logic flaw, TicketTrick $5,000 09/10/2017
Bypassing Facebook Profile Picture Guard Security. Armaan Pathan Facebook Authorization flaw $0 09/09/2017
Phishing with history.back() open redirect Brian Hyde - Open redirect - 09/09/2017
Reflective XSS and Open Redirect on Indeed.com subdomain Syntax Error Indeed Reflective XSS, Open redirect - 09/04/2017
How I found Reflective XSS in Yahoo Subdomain Syntax Error Yahoo Reflective XSS - 09/03/2017
IDOR on HackerOne Hacker Review “What Program Say” Japz Divino Hackerone IDOR $0, Swag 09/02/2017
Don’t just alert(1) , Because XSS is for fun…!! Armaan Pathan Optimizely XSS $0 09/02/2017
My write up about UBER Cross-site scripting by help of KNOXSS Emad Shanab Uber Reflected XSS $500 09/02/2017
Stealing 0Auth Token (MITM) Arbaz Hussain - OAuth flaw - 09/01/2017
Reflected XSS in Yahoo! Shahzada AL Shahriar Khan Yahoo Reflected XSS $700 08/31/2017
Uber XSS via Cookie Chaobin Zhang Uber XSS $5,000 08/30/2017
Luminate Store Basics defacement and potential takeover Rojan Rijal Yahoo CSRF, session issue - 08/30/2017
Developer Luminate IDOR Rojan Rijal Yahoo IDOR - 08/30/2017
Developer Luminate IDOR Uranium238 (@uraniumhacker) Yahoo IDOR - 08/30/2017
Luminate Store Basics defacement and potential takeover Uranium238 (@uraniumhacker) Yahoo CSRF - 08/30/2017
Improper Storage of Private Project’s Files Arbaz Hussain - IDOR - 08/30/2017
Bypassing Rate Limit Protection by spoofing originating IP Arbaz Hussain - Bruteforce - 08/30/2017
Upgrade from LFI to RCE via PHP Sessions Julien Ahrens - LFI, RCE - 08/28/2017
Pre-domain wildcard CORS Exploitation Arbaz Hussain - CORS flaw $1000 08/26/2017
Facebook stories disclose Facebook friend list Philippe Harewood Facebook Logic flaw, Authorization flaw - 08/24/2017
Password Not Provided - Compromising Any Flurry User’s Account [Yahoo Bug Bounty] Jack Cable Yahoo Authentication flaw, Account takeover - 08/15/2017
Accidentally typo to bypass administration access @yappare - Authentication bypass - 08/13/2017
Reflected XSS on www.yahoo.com Samuel (@saamux) Yahoo Reflected XSS - 08/12/2017
Chain the vulnerabilities and take your report impact on the moon (CSRF to HTML INJECTION which results OPEN REDIRECT and could steal USER CREDENTIALS) Armaan Pathan Legal Robot CSRF, HTML injection $40 08/12/2017
Armaan Patha Armaan Pathan Facebook IDOR $2,000 08/11/2017
Getting access to 25k employees details Sahil Ahamad - Exposed registration page giving access to 25 employees details $2500 08/11/2017
How to confirm a Google user’s specific email address (Bug Bounty Submission) Tom Anthony Google Logic flaw $0 08/09/2017
XSS Because of wrong Content-type Header Noman Shaikh Internshala XSS - 08/04/2017
Business Logic Vulnerabilities Series: How I became invisible and immune to blocking on Instagram! Ali Kabeel Facebook Logic flaw - 07/31/2017
How i found massive information disclosure of 1500 famous people Valeriy Shevchenko - Information disclosure - 07/31/2017
Referer Based XSS Arbaz Hussain - XSS - 07/30/2017
How we invented the Tesla DOM DOOM XSS Detectify Labs Tesla DOM XSS - 07/27/2017
Disabling New Emails From Facebook Without Email Owner Interaction Zahid Ali Facebook Logic flaw, Authorization flaw $0 07/26/2017
Rolling around and Bypassing Facebook’s Linkshim protection on iOS Seif Elsallamy Facebook Open redirect $0 07/26/2017
Stored XSS on Rockstar Game Arbaz Hussain Rockstar Games XSS $1,000 07/26/2017
Open Redirect In Flock | My First Swag pack Noman Shaikh Flock Open redirect - 07/24/2017
May the Shells be with You - A Star Wars RCE Adventure! Andy Gill - RCE - 07/22/2017
How i was able to bypass strong xss protection in well known website. (imgur.com) Armaan Pathan Imgur XSS $250 07/21/2017
Missing Authorization check in Facebook Pages Manager Arbaz Hussain Facebook Authorization flaw $1,000 07/20/2017
Race Condition bypassing team limit Arbaz Hussain - Race condition - 07/20/2017
Self XSS to Good XSS Clickjacking Arbaz Hussain - Race condition $300 07/20/2017
Business Logic Vulnerabilities Series: A brief on Abusing Invitation Systems Ali Kabeel Facebook Logic flaw - 07/19/2017
That Escalated Quickly : From partial CSRF to reflected XSS to complete CSRF to Stored XSS Mandeep Jadon (@1337tr0lls) - CSRF, Reflected XSS, Stored XSS - 07/19/2017
Xss using dynamically generated js file Arbaz Hussain - XSS $150 07/19/2017
Exploiting Misconfigured CORS on popular BTC Site Arbaz Hussain - CORS flaw - 07/19/2017
Stealing Access Token of One-drive Integration By Chaining CSRF Vulnerability Arbaz Hussain - OAuth flaw, CSRF - 07/18/2017
IDOR While Connecting Social Account in Hackster.io Arbaz Hussain Hackster.io IDOR - 07/18/2017
Bypassing XSS Filtering at Anchor Tag Arbaz Hussain - XSS $500 07/18/2017
ctrl+c & ctrl+v to Steal SESSIONID Arbaz Hussain - Clickjacking $100 07/18/2017
How to find internal subdomains? YQL, Yahoo! and bug bounty. Wojciech Yahoo Information disclosure $0 07/16/2017
Hey UserID x, what’s your secret token? Broken API enables me to leak/modify any users personal information @zseano - IDOR, Account takeover - 07/13/2017
Fabric.io API permission apocalypse – Privilege Escalations wesecureapp Twitter Authorization flaw, Account takeover - 07/10/2017
How we tookover shopify accounts with one single click wesecureapp Shopify Stored XSS - 07/10/2017
XSS by tossing cookies wesecureapp Microsoft, Twitter XSS - 07/10/2017
How a simple IDOR become a $4K User Impersonation vulnerability Shahmeer Amir (@Shahmeer_Amir) - IDOR $4,250 07/08/2017
Coinbase AngularJS DOM XSS via Kiteworks Pauloas yibelo Coinbase DOM XSS - 07/08/2017
Medium Content Spoofing Leads to XSS Abdullah Hussam (@Abdulahhusam) Medium Content spoofing, Stored XSS - 07/08/2017
Managed Apps and Music: a tale of two XSSes in Google Play Yasin Soliman (@SecurityYasin) Google XSS - 07/07/2017
Making an XSS triggered by CSP bypass on Twitter. tbmnull Twitter XSS, CSP bypass - 07/06/2017
OpenProject Session Management Security Vulnerability aka CVE-2017-11667 Mohamed A. Baset OpenProject Session management flaw - 06/30/2017
Posting on groups as people whenever their email was known by an attacker Zahid Ali Facebook Authorization flaw $7,500 06/29/2017
Escalating XSS in PhantomJS Image Rendering to SSRF/Local-File Read Brett Buerhaus - XSS, SSRF, LFI - 06/29/2017
CVE-2017-10711: Reflected XSS vulnerability in SimpleRisk – Open Source Risk Management System Mohamed A. Baset SimpleRisk Reflected XSS - 06/28/2017
Road to (unauthenticated) recovery: downloading GitHub SSO bypass codes Yasin Soliman (@SecurityYasin) Github Authorization flaw - 06/25/2017
Authentication bypass on Uber’s Single Sign-On via subdomain takeover Arne Swinnen Uber Subdomain takeover, Authentication bypass $4,500 06/25/2017
Stored XSS in the heart of the Russian email provider giant (Mail.ru) Seif Elsallamy Mail.ru Stored XSS $600 06/24/2017
How I Built An XSS Worm On Atmail Jake Miller Atmail XSS - 06/23/2017
Authentication bypass on Airbnb via OAuth tokens theft Arne Swinnen Airbnb OAuth flaw, Login CSRF, Open redirect, Authentication bypass $5,000 06/22/2017
How I hacked 23.900.000 tumblr domains at once :) Ak1T4 Tumblr IDOR $0 06/19/2017
XSS on Bugcrowd and so many other website’s main Domain Bull Bugcrowd Reflected XSS $600 06/14/2017
Vulnerability in Metasploit Project aka CVE-2017-5244 Mohamed A. Baset Rapid7 CSRF - 06/12/2017
Godaddy XSS affects parked domains redirector/processor! Mohamed A. Baset GoDaddy Reflected XSS - 06/11/2017
Let’s steal some tokens! Mahmoud Gamal Google, Shopify, [Private program] CSRF, XSS, Account takeover $1,000 06/11/2017
WHATSAPP — DOS VULNERABILITY IN IOS & ANDROID Vishnu Prasad P G Facebook DOS $500 06/07/2017
From JS to another JS files lead to authentication bypass @yappare - Authentication bypass - 06/06/2017
How I got 5500$ from Yahoo for RCE Th3G3nt3lman Yahoo RCE $5,500 06/04/2017
Django Privilege Escalation – Zero To Superuser Sean Melia - Privilege escalation - 06/01/2017
Pivoting from blind SSRF to RCE with HashiCorp Consul Peter Adkins - Blind SSRF, RCE - 05/29/2017
A pair of Plotly bugs: Stored XSS and AWS Metadata SSRF Yasin Soliman (@SecurityYasin) Plotly Stored XSS, SSRF - 05/25/2017
Hacking the NHS for Fun and No Profit Nathan (@NathOnSecurity) NHS SQL injection, LFI $0 05/22/2017
One Cloud-based Local File Inclusion = Many Companies affected Francisco Correa (@panchocosil) Oracle Responsys, Facebook, Linkedin, Dropbox Directory traversal - 05/17/2017
Find Mingle Suggestions for any Facebook User (Revisited) Philippe Harewood Facebook Logic flaw, Authorization flaw - 05/11/2017
I got emails — G Suite Vulnerability Rojan Rijal Google, Yelp, Facebook Logic flaw, Email takeover - 05/05/2017
Inspect Element leads to Stripe Account Lockout Authentication Bypass Jon Bottarini Stripe Authentication bypass $500 04/03/2017
Airbnb – Web to App Phone Notification IDOR to view Everyone’s Airbnb Messages Brett Buerhaus, Ben Sadeghipour Airbnb IDOR - 03/31/2017
Hundreds of hundreds sub-secdomains hack3d! (including Hacker0ne) Ak1T4 Hackerone Subdomain takeover $1,000 03/28/2017
Critical information disclosure on Wappalyzer.com Davide Tampellini Wappalyzer Information disclosure - 03/24/2017
Penetrating PornHub – XSS vulns galore (plus a cool shirt!) Jon Bottarini PornHub XSS $250 03/16/2017
Airbnb – Ruby on Rails String Interpolation led to Remote Code Execution Brett Buerhaus, Ben Sadeghipour Airbnb RCE - 03/13/2017
Airbnb – Chaining Third-Party Open Redirect into Server-Side Request Forgery (SSRF) via LivePerson Chat Brett Buerhaus, Ben Sadeghipour Airbnb Open redirect, SSRF, Path traversal - 03/09/2017
Airbnb – When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities Brett Buerhaus, Ben Sadeghipour Airbnb XSS, CSP bypass - 03/08/2017
Ok Google, Give Me All Your Internal DNS Information! Julien Ahrens Google SSRF - 03/01/2017
Hacking Slack using postMessage and WebSocket-reconnect to steal your precious token Frans Rosén Slack postMessage flaw, Violation of Secure Design Principles 3,000 02/28/2017
How I got your phone number through Facebook Inti De Ceukelaire Facebook Logic flaw - 02/20/2017
How I bypassed State Bank of India OTP. Neeraj Sonaniya State Bank of India OTP bypass $0 02/20/2017
How I was able to remove your Instagram Phone number Neeraj Sonaniya Facebook Bruteforce $1,000 02/20/2017
From RSS to XXE: feed parsing on Hootsuite Yasin Soliman (@SecurityYasin) Hootsuite XSS, XXE - 02/17/2017
SQL injection in an UPDATE query - a bug bounty story! Mahmoud Gamal - SQL injection - 02/17/2017
Lightweight markup: a trio of persistent XSS in GitLab Yasin Soliman (@SecurityYasin) Gitlab Stored XSS - 02/15/2017
Vulnerabilities in Facebook Login Approval Form Zahid Ali Facebook Authorization flaw, Logic flaw $2,250 02/14/2017
Facebook Account Recovery Form (CONFLICTING) Zahid Ali Facebook Logic flaw $1,000 02/13/2017
Bypassed Facebook Phone Number Security Zahid Ali Facebook Authorization flaw, Logic flaw, Information disclosure $3,000 02/10/2017
This domain is my domain - G Suite A record vulnerability White Hats - Nepal Google, Uber Subdomain takeover, Authorization flaw - 02/07/2017
Facebook Groups Hack Zahid Ali Facebook Authorization flaw, Logic flaw $3,000 02/04/2017
Cross Site Request Forgery in Facebook Zahid Ali Facebook CSRF $1,000 02/04/2017
I got emails - G Suite Vulnerability Uranium238 (@uraniumhacker) / White Hats - Nepal Google, Facebook, Yelp Logic flaw, Authorization flaw - 02/02/2017
12k$ for simple path traversal on http://web.whatsapp.com lalka Facebook Path traversal $12,000 01/31/2017
How I could have compromised any account on one of the biggest startup based in California Prateek Tiwari - Account takeover, IDOR, Password reset flaw - 01/28/2017
0day writeup: XXE in uber.com - Uber XXE $9,000 01/24/2017
How I could have Hacked IIT Guwahati’s website Sai Krishna Kothapalli IIT Guwahati Unrestricted file upload - 12/09/2017
My first bug on @facebook bug bounty program. lalka Facebook SQL injection - 01/03/2017

Bug bounty writeups published in 2016

Title & URL Author Bug bounty program Vulnerability Reward $$$ Publication date
IDOR in Facebook’s Acquisition (Parse) Venkatesh Sivakumar Facebook IDOR - 12/11/2016
The Orphaned Internet – Taking Over 120K Domains via a DNS Vulnerability in AWS, Google Cloud, Rackspace and Digital Ocean Matthew Bryan Google, Amazon, Rackspace, Digital Ocean Domain name takeover $1,337 12/05/2016
Authentication bypass on Ubiquity’s Single Sign-On via subdomain takeover Arne Swinnen Ubiquity Networks Subdomain takeover, Authentication bypass $500 11/29/2016
Bypassing Ebay XSS Protection to launch XSS by Nirmal Dahal Nirmal Dahal / White Hats - Nepal Ebay Reflective XSS - 11/18/2016
Svg XSS in Unifi v5.0.2 Shubham Gupta Ubiquity Networks Stored XSS - 11/13/2016
Stored XSS in UniFi v4.8.12 Controller Shubham Gupta Ubiquity Networks Stored XSS - 11/12/2016
Rewriting a photo not owned by the session user in Moments App (Revisited) Philippe Harewood Facebook Logic flaw, Authorization flaw - 10/27/2016
Leak Private Videos [Vimeo Bug Bounty] Abdullah Hussam (@Abdulahhusam) Vimeo Logic flaw, Authorization flaw $0 10/23/2016
Open Redirect Scanner with Uber.com Ak1T4 Uber Open redirect - 10/10/2016
gif it time it’ll come to you - Finding More Holes in The Hub Andy Gill Pornhub XSS $0 10/01/2016
Persisting on Pornhub Andy Gill Pornhub Stored XSS $1,500 09/23/2016
Link Injection Manipulation at admin.google.com Ak1T4 Google Link injection - 09/23/2016
Vine Re-auth Bypass [Twitter Bug Bounty] Abdullah Hussam (@Abdulahhusam) Twitter Authentication flaw $420 09/21/2016
Bug Bounty : Account Takeover Vulnerability POC Rakesh Mane - OAuth flaw, account takeover, Stored self-XSS - 09/16/2016
How I snooped into your private Slack messages [Slack Bug bounty worth $2,500] Uranium238 (@uraniumhacker) / White Hats - Nepal Slack Subdomain takeover - 09/13/2016
Decoding a $😱,000.00 htpasswd bounty Patrik Fehrenbach - .htpasswd misconfiguration $x,000 09/08/2016
Internet Explorer has a URL problem File Descriptor Github, Google OAuth flaw, RPO, XSS - 09/06/2016
Reading Uber’s Internal Emails [Uber Bug Bounty report worth $10,000] White Hats - Nepal Uber Subdomain takeover $10,000 09/05/2016
RCE In AddThis White Hats - Nepal AddThis RCE - 09/04/2016
PornHub: Email Confirmation Bypass Vaxo Dai (@___0x00) / White Hats - Nepal PornHub Email confirmation bypass $0 09/04/2016
Turning Self-XSS into Good XSS v2: Challenge Completed but Not Rewarded - Uber XSS, Arbitrary cookie installation $1,000 08/29/2016
[demo.paypal.com] Node.js code injection (RCE) Michael Stepankin (@artsploit) Paypal RCE - 08/19/2016
Swf XSS (Dom Based Xss) Shubham Gupta Ubiquiti Networks Flash XSS, DOM XSS - 07/31/2016
Xss filter bypass in Yahoo dev.flurry.com Shubham Gupta Yahoo! XSS - 07/31/2016
XSS on Flickr Shubham Gupta Yahoo! XSS $400, HoF 07/31/2016
CSV Injection -> Meterpreter on Pornhub Andy Gill Pornhub CSV injection $500 07/29/2016
Messenger.com Site-Wide CSRF Jack Whitton Facebook CSRF - 07/26/2016
BMW Vulnerabilities – Hijack Cars ConnectedDrive™ Service! Mohamed A. Baset BMW Clickjacking, CSRF - 07/24/2016
Remote Code Execution (RCE) on Microsoft’s ‘signout.live.com’ Peter Adkins Microsoft RCE $0 07/24/2016
How we broke PHP, hacked Pornhub and earned $20,000 Ruslan Habalov, cutz & Dario Weißer Pornhub RCE, Use-after-free $20,000 07/23/2016
Stealing Facebook access_tokens using CSRF in device login flow Josip Franjkovic Facebook CSRF, OAuth flaw, Information disclosure - 07/19/2016
How I Could Steal Money from Instagram, Google and Microsoft Arne Swinnen Google, Microsoft, Facebook Logic flaw $2,500 07/15/2016
Race conditions on the web Josip Franjkovic Cobalt.io, Facebook, Mega.nz, Keybase Race condition $8,450 07/12/2016
TopCoder.com Vulnerabilities – A tail of site-wide bugs leads to accounts compromise & payments hijacking Mohamed A. Baset Topcoder.com CSRF, Account takeover, Payment hijacking - 06/28/2016
Uber Hacking: How we found out who you are, where you are and where you went! Fábio Pires (@fabiopirespt) Uber Bruteforce, IDOR, Information disclosure - 06/23/2016
Medium Full Account Takeover By One Click Abdullah Hussam (@Abdulahhusam) Medium XSS $100 06/23/2016
Two vulnerabilities makes an Exploit!! (XSS and CSRF in Bing) Sai Krishna Kothapalli Microsoft XSS, CSRF - 06/10/2016
Why you shouldn’t share links on Facebook Inti De Ceukelaire Facebook - $0 06/09/2016
Popping the Pornhub Cherry Andy Gill Pornhub Information disclosure $2,500 06/07/2016
RunKeeper Stored XSS Vulnerability – Where worms are able to run too! Mohamed A. Baset RunKeeper Stored XSS, CSRF - 06/06/2016
InstaBrute: Two Ways to Brute-force Instagram Account Credentials Arne Swinnen Facebook Bruteforce, User enumeration $5,000 05/19/2016
Microsoft Yammer Clickjacking – Exploiting HTML5 Security Features Mohamed A. Baset Microsoft Clickjacking - 05/18/2016
When your privacy disclosure is a “feature” not a “bug” – Badoo & HotorNot failure! Mohamed A. Baset Badoo, Hot or not Information disclosure $0 05/17/2016
Sleeping stored Google XSS Awakens a $5000 Bounty Patrik Fehrenbach Google Stored XSS $5000 05/17/2016
How I bypassed Facebook CSRF once again! Pouya Darabi (@Pouyadarabi) Facebook CSRF $7,500 05/17/2016
Facebook Vulnerability – a “Cute Bug” that reveals the “likes” of deleted posts regardless of their privacy settings Mohamed Aty Facebook Logic flaw $0 05/13/2016
Fiverr.com Full Accounts Takeover – A Vulnerability Puts $50 Million Company At Risk Mohamed A. Baset Fiverr CSRF - 05/13/2016
FirefoxOS Find My Device Service Clickjacking Bug results in Changing PINs, Wiping and Locking Phones! Mohamed A. Baset Mozilla Clickjacking - 05/12/2016
Poisoning the Well – Compromising GoDaddy Customer Support With Blind XSS Matthew Bryant GoDaddy Blind XSS - 05/08/2016
Facebook movies recommendation vulnerability – A bug capable of erasing all your important notifications! Mohamed A. Baset Facebook Logic flaw, DoS - 05/05/2016
WhatsApp Clickjacking Vulnerability – Yet another web client failure! Mohamed A. Baset Facebook Clickjacking - 05/04/2016
Official Telegram Web Client ClickJacking Vulnerability – When crypto is strong and client is weak Mohamed A. Baset Telegram Clickjacking - 04/28/2016
Facebook ClickJacking – How we put a new dress on Facebook UI Mohamed A. Baset Facebook Clickjacking - 04/22/2016
ESEA Server-Side Request Forgery and Querying AWS Meta Data Brett Buerhaus ESEA SSRF $1,000 04/18/2016
Yahoo Login Protection Seal – Stored CSS Injection Brett Buerhaus Yahoo Stored CSS injection $0 04/18/2016
Obtaining Login Tokens for an Outlook, Office or Azure Account Jack Whitton Microsoft CSRF - 04/03/2016
How I Could Compromise 4% (Locked) Instagram Accounts Arne Swinnen Facebook IDOR, DoS, Authorization flaw $5,000 03/27/2016
Uber Bug Bounty: Turning Self-XSS into Good-XSS Jack Whitton Uber XSS - 03/22/2016
Command injection which got me “6000$” from #Google Venkatesh Sivakumar Google Command injection $6,000 03/15/2016
Hacking Magento eCommerce For Fun And 17.000 USD Venkatesh Sivakumar Ebay Information disclosure, LFI, RFI $17,000 03/03/2016
Ubiquiti Bug Bounty: UniFi v3.2.10 Generic CSRF Protection Bypass Julien Ahrens Ubiquiti Networks CSRF $500 02/23/2016
How I Hacked [Oculus] OAuth +Ebay +IBM Abdullah Hussam (@Abdulahhusam) Facebook, Ebay, IBM, AnswerHub Unrestricted file upload, XSS $0 02/12/2016
A Hilarious ESET Broken Authentication Vulnerability (one click free purchase) Mohamed A. Baset ESET Authentication flaw, SQL injection - 02/12/2016
How I got access to millions of [redacted] accounts Bitquark - RFI² - 02/09/2016
An XSS on Facebook via PNGs & Wonky Content Types Jack Whitton Facebook XSS - 01/27/2016
[manager.paypal.com] Remote Code Execution Vulnerability Michael Stepankin (@artsploit) Paypal RCE - 01/25/2016
Broken Access Control in bingmapsportal !!! Sai Krishna Kothapalli Microsoft Broken access control - 01/23/2016
Click Jacking in bingmapsportal Sai Krishna Kothapalli Microsoft Clickjacking - 01/23/2016

Bug bounty writeups published in 2015

Title & URL Author Bug bounty program Vulnerability Reward $$$ Publication date
Leaking API keys in Bing Maps Portal Sai Krishna Kothapalli Microsoft IDOR - 12/31/2015
Instagram’s Million Dollar Bug Wesley Wineberg Facebook RCE $2,500 12/27/2015
Cloudflare WAF XSS Abdullah Hussam (@Abdulahhusam) Cloudflare XSS $0 11/16/2015
XSS vulnerability in Google image search Mahmoud Gamal Google XSS - 09/18/2015
XSS to RCE in … Neil Hakuna Matatall - XSS, RCE - 09/08/2015
CVE-2014-7216: A Journey Through Yahoo’s Bug Bounty Program Julien Ahrens Yahoo Buffer Overflow $0 09/03/2015
Blind SQL Inejction [Hootsuite] Abdullah Hussam (@Abdulahhusam) Hootsuite Blind SQL injection - 08/01/2015
One Payload to XSS Them All! Abdullah Hussam (@Abdulahhusam) Adobe Flash XSS - 08/03/2015
Bypassing Google Authentication on Periscope’s Administration Panel Jack Whitton Google Authentication bypass - 07/20/2015
The easiest bug bounties I have ever won Josip Franjkovic Facebook IDOR - 07/13/2015
Bypass ad account roles vulnerability 2015 Pouya Darabi (@Pouyadarabi) Facebook Authorization flaw $8,000 05/15/2015
Race conditions on Facebook, DigitalOcean and others (fixed) Josip Franjkovic Facebook, DigitalOcean, LastPass Race condition - 04/27/2015
How I bypassed Facebook CSRF Protection Pouya Darabi (@Pouyadarabi) Facebook CSRF $15,000 04/09/2015
Google.com – Mobile Feedback URL Redirect Regex/Validation Flaw Brett Buerhaus Google Open redirect $500 02/03/2015
Flickr API Explorer – Force users to execute any API request. Brett Buerhaus Yahoo CSRF $100 02/03/2015
admin.google.com Reflected Cross-Site Scripting (XSS) Brett Buerhaus Google Reflected XSS $5,000 01/21/2015
Yahoo – Root Access SQL Injection – tw.yahoo.com Brett Buerhaus Yahoo SQL injection - 01/15/2015
Papyal XML Upload Cross Site Scripting Vulnerability Patrik Fehrenbach Paypal XSS - 01/07/2015

Bug bounty writeups published in 2014

Title & URL Author Bug bounty program Vulnerability Reward $$$ Publication date
Reflected Cross Site Scripting at Paypal.com Patrik Fehrenbach Paypal Reflected XSS - 12/15/2014
Malicious redirect on mailroom.prezi.com Patrik Fehrenbach Prezi Open redirect $500 12/10/2014
Reading local files from Facebook’s server (fixed) Josip Franjkovic Facebook LFI, Arbitrary File upload - 12/06/2014
Google Bug Bounty: Nice Catch on Google Cloud Platform Live Julien Ahrens Google Reflected XSS - 11/20/2014
Reflected Cross Site Scripting BillMeLater Patrik Fehrenbach BillMeLater Reflected XSS $0 11/17/2014
Paypal stored XSS + Security bypass Patrik Fehrenbach Paypal Stored XSS - 11/11/2014
Paypal DOM XSS main domain Patrik Fehrenbach Paypal DOM XSS - 11/05/2014
The 5000$ Google XSS Patrik Fehrenbach Google XSS $5000 10/31/2014
Facebook Bug Bounty: secondary damage (revisited) why I really like reporting to Facebook too :) Philippe Harewood Facebook Logic flaw, Authorization flaw - 10/30/2014
Yahoo phpinfo.php disclosure Patrik Fehrenbach Yahoo Information disclosure - 10/16/2014
Step-by-step: exploiting SQL injection(s) in Oculus’ website. Josip Franjkovic Facebook SQL injection - 09/05/2014
Popping a shell on the Oculus developer portal Bitquark Facebook SQL injection, CSRF, RCE, IDOR $30,000 08/31/2014
Flickr XSRF to Change Photo Details Abdullah Hussam (@Abdulahhusam) Yahoo XSRF - 08/06/2014
Facebook – Stored Cross-Site Scripting (XSS) – Badges Brett Buerhaus Facebook Stored XSS - 01/16/2014
ebay bug bounty Matthew Bryant Ebay Reflected XSS - 06/06/2014
Prezi (map.prezi.com) Path Traversal Patrik Fehrenbach Prezi Path traversal $1000 05/21/2014
Magix Bug Bounty: magix.com (RCE, SQLi) and xara.com (LFI, XSS) Julien Ahrens Magix RCE, SQLI, LFI, XSS - 04/26/2014
A Tale of 7 Vulnerabilities Patrik Fehrenbach Paypal Stored XSS, Reflected XSS, Default credentials, Privilege escalation $0 04/20/2014
Facebook – Send Notifications to any User Exploit Brett Buerhaus Facebook Logic flaw - 04/07/2014
Google Exploit – Steal Account Login Email Addresses Tom Anthony Google Information disclosure $1,337 03/08/2014
Tesla Motors blind SQL injection Bitquark Tesla Motors SQL injection - 02/23/2014
How I hacked Github again. Egor Homakov (homakov) Github Open redirect, Account takeover, Information disclosure $4,000 02/07/2014

Bug bounty writeups published in 2013

Title & URL Author Bug bounty program Vulnerability Reward $$$ Publication date
Google Sites: A Tale of Five Vulnerabilities Bitquark Google XSS, LFI, HTML injection $13,034.80 12/30/2013
Waze arbitrary file upload Shashank Waze Arbitrary file upload $100 12/25/2013
Imgur xss Shashank Imgur XSS - 12/19/2013
Abusing CORS for an XSS on Flickr Jack Whitton Yahoo XSS - 12/12/2013
Heroku Directory Transversal Shashank Heroku Directory traversal - 12/03/2013
Oracle xss Shashank Oracle XSS - 11/17/2013
Instagram’s One-Click Privacy Switch Jack Whitton Facebook CSRF - 10/31/2013
Nokia email app pwnage Shashank Nokia XSS - 10/22/2013
LFI in Nokia maps Shashank Nokia LFI - 10/22/2013
Facebook bug bounty: secondary damage (one report that leads to more bugs), fairness, and why I really like reporting to Facebook Josip Franjkovic Facebook CSRF - 10/21/2013
Content Types and XSS: Facebook Studio Jack Whitton Facebook XSS - 10/21/2013
Facebook CSRF leading to full account takeover (fixed) Josip Franjkovic Facebook CSRF, Account takeover $8,450 10/18/2013
PayPal Bug Bounty: PayPaltech.com E-Mail Injection Julien Ahrens Paypal Email injection - 09/26/2013
Removing Covers Images on Friendship Pages, on Facebook Jack Whitton Facebook Authorization flaw - 09/25/2013
SQL injections in Nokia sites. Josip Franjkovic Nokia SQL injection $0, 1 Nokia Lumia 820 07/30/2013
How I found my way into Instagram’s Ganglia, and a bug with Facebook likes. Josip Franjkovic Facebook Reflected XSS, IDOR - 07/23/2013
Admob creative image cross-site scripting vulnerability Bitquark Google XSS - 07/19/2013
Amazon packaging feedback cross-site scripting vulnerability Bitquark Amazon XSS $0 07/03/2013
Hijacking a Facebook Account with SMS Jack Whitton Facebook Authorization flaw, account takeover $20,000 06/26/2013
Overwriting Banner Images on Etsy Jack Whitton Etsy Authorization flaw - 05/21/2013
PayPal Bug Bounty: PayPaltech.com XSS Julien Ahrens Paypal XSS - 04/13/2013
Stealing Facebook Access Tokens with a Double Submit Jack Whitton Facebook CSRF, OAuth flaw - 04/13/2013
How I Rewarded with USD?K Just With a Simple Search Form @yappare Paypal SQL injection - 04/11/2013
Framing, Part 1: Click-Jacking Etsy Jack Whitton Etsy Clickjacking - 02/05/2013
Persistent XSS on myworld.ebay.com Jack Whitton Ebay XSS - 01/27/2013
Google.com cross site scripting and privilege escalation in Consumer Surveys Josip Franjkovic Google Stored XSS, Authorization flaw - 01/03/2013

Bug bounty writeups published in 2012

Title & URL Author Bug bounty program Vulnerability Reward $$$ Publication date
My Experience with the PayPal Bug Bounty Programme Jack Whitton Paypal CSRF $750 10/12/2012

Bug bounty writeups with unknown publication date

Title & URL Author Bug bounty program Vulnerability Reward $$$ Publication date
parameter pollution bug at twitter Mert (@merttasci_) Twitter HPP - -
G Suite - Device Management XSS Uranium238 (@uraniumhacker) Google XSS - -
Auth Issues Uranium238 (@uraniumhacker) Google Authentication flaw, Logic flaw - -
Multiple XSS Uranium238 (@uraniumhacker) Google Stored XSS - -
Blind XSS against a Googler Uranium238 (@uraniumhacker) Google Blind XSS - -
Stored XSS on biz.waze.com Uranium238 (@uraniumhacker) Google XSS - -
CSRF ‘protection’ bypass on xvideos @zseano xvideos CSRF - -
Open URL redirects to grab FB OAuth Tokens @zseano Auto Trader Open redirect $0 -
XML XSS via POST @zseano - XSS - -
$10k host header Ezequiel Pereira Google Authorization flaw $10,000 -
$7.5k Google services mix-up Ezequiel Pereira Google Logic flaw $7,500 -
$5k Service dependencies Ezequiel Pereira Google Logic flaw $5,000 -
$500 getClass Ezequiel Pereira Google Java vulnerability $500 -