List of bug bounty writeups

Table of contents

Bug bounty writeups published in 2020

Title & URL Author Bug bounty program Vulnerability Reward $$$ Publication date
My First Bug Bounty — 2 Factor Authentication Bypass Talatmehmood - OTP bypass $100 05/22/2020
Parsing the DOM elements of Other pages via XSS: A Bug Bounty Story Mandeep Jadon (@1337tr0lls) - XSS, Information disclosure - 05/22/2020
RCE in Google Cloud Deployment Manager Ezequiel Pereira (@epereiralopez) Google SSRF, RCE $31,337.00 05/21/2020
Bypassing Message Request inbox Abdellah Yaala (@yaalaab) Facebook Authorization flaw, Logic flaw - 05/21/2020
Become member of close & public group abdellah yaala Facebook Authorization flaw, Logic flaw $7,500 05/20/2020
Easy bounties with subdomain discovery - Using Project Sonar for bug bounty Torben Capiau (@TorbenCapiau) Bpost Broken access control, Authorization flaw $100 05/20/2020
How I was Able To Bypass Email Verification santuySec (@santuySec) - Email verification bypass $0 (Duplicate) 05/19/2020
FB & Messenger for iOS : Address Bar spoofing using data uri Rahul Kankrale (@RahulKankrale) Facebook URL spoofing $3,000 05/18/2020
CVE-2020–1088 — Yet another arbitrary delete EoP Søren Fritzbøger (@fritzboger) Microsoft Windows privilege escalation - 05/18/2020
Multiple flaws leads to Account Takeover within an Application Harshit Sengar (@sengarharshit1) - Account takeover, Password reset flaw, Sign-up flaw - 05/18/2020
My first 10k bdt bounty from an e-commerce site Md Saikat - IDOR 10,000 BDT (~ $117) 05/18/2020
Tale of Account Takeovers (Part-2) Vijaysimha Reddy Bathini (@fatratfatrat) - Account takeover - 05/17/2020
Stored XSS Leads to Plaintext Password Disclosure bad5ect0r (@bad5ect0r) - Stored XSS, Information disclosure, Unrestricted file upload - 05/17/2020
One Param => $10k Bilal Khan (@bilalmerokhel) - IDOR, XSS, Account takeover $10,000 05/17/2020
Account takeover CSRF Misconfiguration Saddam Hussain (@wisdomfreak1) - CSRF, Account takeover - 05/17/2020
Logical Bug which let me stop Users from Creating Ads at a Website Merbin Russel (e_23_e) - Logic flaw, DoS - 05/17/2020
Vulnerability – Account takeover using OAuth Misconfiguration Saddam Hussain (@wisdomfreak1) - OAuth misconfiguration, Account takeover, CSRF $300 05/16/2020
How I was able to make users loss of money on Google Pay santuySec (@santuySec) Google Clickjacking $0 (Duplicate) 05/16/2020
Chained Bugs [ Account TakeOver ] Bilal Khan (@bilalmerokhel) - IDOR, XSS, Account takeover $1,050 05/16/2020
Password Reset Poisoning leading to Account Takeover Swapnil Maurya (@swapmaurya20) - Password reset flaw, Account takeover - 05/16/2020
How I got my first swag on Edmodo with a simple XSS. Sanjay Verdu (@codersanjay) Edmodo Stored XSS $0 (Swag) 05/16/2020
Weak Cryptography in Password Reset to Full Account Takeover Harsh Bothra (@harshbothra_) - Account takeover, Password reset flaw, Cryptographic issues - 05/15/2020
Bug Bounty — Advanced Manual Penetration Testing Leading to Price Manipulation Vulnerability Talatmehmood - Payment tampering - 05/14/2020
$3000 Bug Bounty Award from Mozilla for a successful targeted Credential Hunt Johann Rehberger (wunderwuzzi23) - Information disclosure $3,000 05/13/2020
Lucky Bug Which Let Me Change Name of Every Accounts at a Single Click Merbin Russel (e_23_e) - SQL injection - 05/13/2020
Magic of the Back Slash Anil Tom (mr_4nk) - Path traversal $2,100 05/11/2020
How I made $10K in bug bounties from GitHub secret leaks Tillson Galloway (tillson_) - Information disclosure $10,000 05/10/2020
$20000 Facebook DOM XSS Vinoth Kumar (@vinodsparrow) Facebook DOM XSS $20,000 05/07/2020
I Found XSS Security Flaws in Rails – Here’s What Happened. Jesse Campos Ruby on Rails XSS $500 05/07/2020
DOM-Based XSS at accounts.google.com by Google Voice Extension. missoum1307 (@missoum1307) Google DOM XSS $3,133.7 05/07/2020
How we Hijacked 26+ Subdomains Aishwarya Kendle (@aish_kendle) - Subdomain takeover - 05/07/2020
DOM XSS Walkthrough Youssef Lahouifi (@YLahouifi) - DOM XSS - 05/06/2020
Google Acquisition XSS (Apigee) TnMch (@TnMch_) Google XSS - 05/06/2020
A tale of verbose error message and a JWT token Marek Geleta (@marek_geleta) - Information disclosure, Authorization flaw - 05/05/2020
DOM XSS in Gmail with a little help from Chrome Enguerran Gillier (@opnsec) Google DOM XSS $5,000 05/03/2020
#BugBounty — Adding Money Using Response Modification Line_no 6 - Payment tampering, Logic flaw - 05/03/2020
Private Dashboards were accessible by other Admins in Analytics Dashboard Rohit kumar (@rohitcoder) Facebook Authorization flaw - 05/02/2020
Reflected XSS on Microsoft.com via Angular Js template injection Pratik Dabhi (@impratikdabhi) Microsoft CSTI, XSS - 05/02/2020
Blind SSRF on coda.io Kleitonx00 Coda SSRF $0 (OOS) 05/02/2020
Exposure of Facebook object type by knowing the object ID Samm0uda (@samm0uda) Facebook Information disclosure - 05/02/2020
Add draft subtitles to any Facebook video and Full Path Disclosure Samm0uda (@samm0uda) Facebook Information disclosure - 05/02/2020
Ok Google! bypass ‘flag_secure’ Pankaj Upadhyay (@_pupadhyay) Google Authorization flaw - 05/01/2020
The Story of Blind SSRF leads to internal Host discovery. kaustubh padwad (@s3curityb3ast) - SSRF $0 (OOS) 05/01/2020
Hacking Razer Pay Ewallet App Richard Tan (@sambal0x) Razer IDOR $6,000 04/30/2020
Researching Polymorphic Images for XSS on Google Scholar Lorenzo Stella (@lorenzostella) Google Stored XSS $9,401.1 04/30/2020
[Bug Bounty Writeups] Exploiting SQL Injection Vulnerability Ahmed ElTijani - SQL injection $2,000 04/30/2020
Account taken over in style !!! kishore hariram (@kishorehariram) - Logic flaw, CSRF, Account takeover - 04/30/2020
Stealing the Trello token by abusing a cross-iframe XSS on the Butler Plugin Florian Courtial (@theflofly) Trello XSS $3,600 04/29/2020
Indirect UXSS issue on a private Android target app Kunal pandey (@kunalp94) - UXSS $1,000 04/29/2020
Recon to Sensitive Information Disclosure in Minutes Harsh Bothra (@harshbothra_) - Information disclosure, Outdated component with a known vulnerability - 04/28/2020
Private giant chat app – Send message to victim while sender blocked Rahul Kankrale (@RahulKankrale) - Authorization flaw, Logic flaw - 04/28/2020
Piercing the Veal: Short Stories to Read with Friends d0nut DuckDuckGo, [Private programs] SSRF $4,800 04/27/2020
Beware of the GIF: Account Takeover Vulnerability in Microsoft Teams Omer Tsarfati (@OmerTsarfati) Microsoft Account takeover, Subdomain takeover - 04/27/2020
Bitrix WAF bypass Roma Ramazanoff (@r0hack) Mail.ru Reflected XSS $300 04/27/2020
1-click RCE on Keybase smaury (@smaury92) Keybase RCE $0 (Duplicate) 04/27/2020
Fun With CORS Misconfiguration — II Aman Gupta (@gupt4j1) - CORS misconfiguration, XSS - 04/25/2020
Web Cache Poisoning in Postmates [$1500] Aung Pyae Ko Ko (@BlcKVRtuL1) Postmates Web cache poisoning $1,500 04/24/2020
From Recon to P1 (Critical) — An Easy Win Harsh Bothra (@harshbothra_) - Exposed registration page - 04/24/2020
Two Factor Authentication Bypass [ $50 ] Aung Pyae Ko Ko (@BlcKVRtuL1) - 2FA bypass $50 04/24/2020
Misconfigured WordPress takeover to Remote Code Execution Smaran Chand (@smaranchand) - Wordpress takeover, RCE, Security misconfiguration - 04/22/2020
From P5 to P2, from nothing to 1000+$ Mohamed Daher (@DaherMohamed4) - Race condition, Self-XSS, Blind XSS > $1,000 04/22/2020
The Secret sauce of bug bounty Mohamed Slamat (@oxxy37) - CSTI, Stored XSS, CORS policy bypass - 04/22/2020
Exploiting a Race Condition Vulnerability Vivek Kumar Singh (@v7nc3nz) - Race condition - 04/22/2020
CORS bug on GOOGLE’s 404 page REWARDED!!! Jayateertha Guruprasad (@JayateerthaG) Google CORS misconfiguration - 04/21/2020
DOM based open redirect to the leak of a JWT token Adolphoramirez - Open redirect, DOM-based open redirect, OAuth token theft - 04/20/2020
Google Maps API (Not the Key) Bugs That I Found Over the Years Ozgur Alp (@ozgur_bbh) Google Logic flaws - 04/19/2020
Abusing HTTP Path Normalization and Cache Poisoning to steal Rocket League accounts Sam Curry (@samwcyo) Rocket League HTTP cache poisoning, Open redirect $0 (VDP) 04/19/2020
How was i able to find privilege escalation. Akshar Tank (@Akshar__tank) - IDOR, Authorization flaw - 04/18/2020
Here is the Non Technical write-up on Technical Bug for My Second Bounty of $xxxx From Facebook Ashok Chapagai (@ashokcpg) Facebook Logic flaw, Privacy issue - 04/17/2020
Strange Redirect (Fixed but no bounty) Abhishek Yadav (@abhishake100) - Open redirect - 04/17/2020
OTP Verification Bypass Kanhaiya Kumar Singh - OTP bypass - 04/17/2020
[Writeup][Bug Bounty][Instagram] Instagram Still Send New DMs and Video Calls to Device After Logout [ID][EN] Muhammad Thomas Fadhila Yahya (@fadhilthomas) Facebook (Instagram) Session management flaw $750 04/16/2020
Tricky Oracle SQL Injection Situation yappare (@yappare) - SQL injection - 04/16/2020
Netflix Party — XSS Vulnerabilities kr-b (@pirxcy) Netflix XSS - 04/14/2020
$55,000 Facebook token leak vs Funny Airline token leak. MasterSEC (@MasterSEC_AR) - XSS $0, 50,000 miles 04/14/2020
Business Logic Errors - A New Look Shrey Shah (@ShreySh43332033) - Logic flaw - 04/14/2020
Bounty Tip !! Easiest way to bypass API’s Rate Limit. Shaurya Sharma (@ShauryaSharma05) - Rate limiting bypass - 04/14/2020
Hacking a Telecommunication company(MTN) Afolic MTN Group OTP bruteforce - 04/13/2020
How i Unlocked the blocked accounts? Maria Zulfiqar - Password reset flaw, HTTP parameter pollution, IDOR - 04/11/2020
The story of a fuzzing integration reward Andrea Brancaleoni (@nJoyneer) Google Memory corruption bugs $10,000 bounty 04/08/2020
Listing all registered email addresses on Google’s Crisis Map thanks to IDOR and incremental IDs Thomas Orlita (@ThomasOrlita) Google IDOR - 04/07/2020
Unrestricted CV File Upload vict0ni (@vict0ni) - Unrestricted file upload - 04/07/2020
Stored XSS in Google Nest Harikrishnan Chandraganesan (@hari_cybex) Google Stored XSS - 04/07/2020
$3K Bounty For Elastic-Search Takeover Ashish Kunwar (@D0rkerDevil) - Elastic-Search Takeover $3,000 04/06/2020
How we abused Slack’s TURN servers to gain access to internal services Sandro Gauci (@sandrogauci) Slack SSRF $3,500 04/06/2020
How a Simple CSRF Attack Turned into a P1 Level Bug Lady Secspeare (@bejuveria_) - CSRF, Account takeover - 04/05/2020
Page Admin Disclosure: Facebook Bug Bounty 2020 Saugat Pokharel Facebook Information disclosure, Logic flaw - 04/04/2020
Cannot Delete Post on Facebook Group: Facebook Bug Bounty Saugat Pokharel Facebook Logic flaw - 04/04/2020
Playing with JSON Web Tokens for Fun and Profit Muhammad Qasim Munir (@MeetAn0nym0us) - Password reset flaw, Email confirmation bypass - 04/04/2020
Touch ID Authentication Bypass on Evernote and Dropbox IOS Apps Sahil Tikoo (@viperbluff) Evernote, Dropbox Authentication bypass - 04/03/2020
iPhone Camera Hack Ryan Pickren Apple Zero-Click Unauthorized Access to Sensitive Data $75,000 04/02/2020
Hundreds of internal servicedesks exposed due to COVID-19 Inti De Ceukelaire (@securinti) - Security misconfiguration >$10,000 04/02/2020
Always escalate! From Self-XSS to Persistent XSS on Login Portal Phuriphat Boontanon (@zanezenzane) - Self XSS, CSRF $650 04/02/2020
Account Take Over without user Interaction Ravilla Bharath - Password reset flaw, Information disclosure, Account takeover $0 (Duplicate) 04/02/2020
Privilege Escalation - Hello Admin Shrey Shah (@ShreySh43332033) - Privilege escalation - 04/02/2020
The story of my first ever, 1500$, bounty from Facebook. Ashok Chapagai (@ashokcpg) Facebook Logic flaw $1,500 04/01/2020
$3133.7 Google Bug Bounty Writeup- XSS Vulnerability! Pethuraj (@Pethuraj) Google Reflected XSS $3,133.7 04/01/2020
Microsoft Apache Solr RCE Velocity Template | Bug Bounty POC Muhammad Khizer Javed / babayaga47 (@khizer_javed47) Microsoft RCE $0 03/31/2020
Akamai Web Application Firewall Bypass Journey: Exploiting “Google BigQuery” SQL Injection Vulnerability Duc Nguyen (@ducnt_) - SQL injection - 03/31/2020
Hacking makes me forget my pain Abida Fahd - SQL injection - 03/31/2020
Limited freemarker ssti to arbitrary liql query and manage lithium cms Mert (@mertistaken) & F. Celal Erdik (@celalerdik) - SSTI - 03/30/2020
Restriction is not a promise : Privilege escalation on Google. Hariharan.s (@DJHARIZ1) Google Privilege escalation, Authorization flaw $500 03/30/2020
CVE-2019-17004—Semi Universal XSS affecting Firefox for iOS cliqz (@cliqz) Mozilla, Brave Universal XSS - 03/30/2020
OTP Bruteforce- Account Takeover Ranjit Kumar - OTP bruteforce, Account takeover - 03/29/2020
Attacking HelpDesks Part 1: RCE Chain on DeskPro, with Bitdefender as a Case Study Abdulrahman Nour (@aboodnour) Bitdefender RCE $5,000 03/28/2020
Executing scripts in Safari Reader Mode to CSP Bypass Nikhil Mittal (@c0d3G33k) Apple XSS, CSP bypass - 03/28/2020
I Want that Cookie !!! Adnan Malik (@infoadnanmalik) - Logic flaw - 03/27/2020
Exploiting magic links, critical bugs are one line away 0xSha (@0xsha) Razer Information disclosure, Lack of authentication $0 (Duplicate) 03/27/2020
1st Bug Bounty Write-Up — Open Redirect Vulnerability on Login Page Phuriphat Boontanon (@zanezenzane) - Open redirect $250 03/27/2020
Getting lucky in bug bounty — shamelessly profiting off of other’s work Jeppe Bonde Weikop - Authentication bypass, Lack of rate limiting, Credentials sent over unencrypted channel $3,200 03/26/2020
Account Takeover Flow In Mail.ru ‘s Ext.A Domain [ $150 ] Myo Min Thu (@myominthu1337) - Logic flaw, Account takeover $150 03/26/2020
Exploitation of the CVE-2018-15961 – Unrestricted File Upload in Adobe ColdFusion Supras (@LdrTom) - Unrestricted file upload - 03/26/2020
XSS WAF & Character limitation bypass like a boss Prial Islam Khan (@prial261) - XSS - 03/25/2020
Self XSS to Account Takeover Ch3ckM4te - Account takeover, XSS, CSRF - 03/24/2020
Remote Image Upload Leads to RCE (Inject Malicious Code to PHP-GD Image) Muhammad R. Maulana - RCE, Unrestricted file upload - 03/21/2020
API DOCS takeover on Readme.io Oktavandi (@0ktavandi) - Subdomain takeover - 03/19/2020
EN | Administrator level Privilege Escalation story Samet Sahin (@sametsahinnet) - Privilege escalation $0 (Duplicate) 03/19/2020
Reflected XSS on microsoft.com subdomains Raimonds Liepins (@lv_linkers) Microsoft Reflected XSS $0 03/19/2020
Hacking — Always Check the Cross-domain Policy Pieter Hiele (@honoki) Starbucks SOP bypass, CSRF $750 03/19/2020
XXE-scape through the front door: circumventing the firewall with HTTP request smuggling Pieter Hiele (@honoki) - XXE - 03/18/2020
Where is my Train : Tracking to Hacking ! Anil Tom (mr_4nk) Google Reflected XSS, SQL injection - 03/17/2020
How I was able to verify any contact number for my account? Paras Arora (@parasarora06) - OTP bypass, 2FA bypass - 03/17/2020
Razer mobile PIN verification bypass $1k Bug Sourav Sahana (@kernel_rider) Razer OTP bypass, 2FA bypass $1,000 03/17/2020
How I Earned $1750 at Shopify Bug Bounty Program Ashish Dhone Shopify XSS, Open redirect $1,750 03/16/2020
Weak session validation bug let you login even after changing the session IDs and logging out from the accounts Manasjha (@manas_hunter) viator.com Logic flaw, Session management flaw - 03/16/2020
Using Vulnerability Analytics Feature Like a Boss Ozgur Alp (@ozgur_bbh) - SSRF, Reflected XSS, Authentication bypass $8,600 03/15/2020
How I earned $800 for Host Header Injection Vulnerability Pethuraj (@Pethuraj) - Host header injection, Password reset flaw $800 03/15/2020
My Weirdest Bug Bounty — Getting PII from O365. Omaid Faizyar (@rulesofthetrade) Microsoft Subdomain takeover $1,000 03/14/2020
Blocked User Can Send Notification Due to Logical Bug in Instagram | First Instagram Bug Divyanshu Shukla Facebook Logic flaw $0 (Duplicate) 03/14/2020
What is your GCP infra worth?…about ~$700 [Bugbounty] Chris Gates (@carnal0wnage) Tokopedia Information disclosure $700 (Never paid) 03/13/2020
User’s email disclosure via invalid password reset link [$250] Myo Min Thu (@myominthu1337) - Password reset flaw, Information disclosure $250 03/13/2020
API secret key Leakage leads to disclosure of Employee’s Information Ace Candelario (@phspades) - Information disclosure $2,000 03/13/2020
Generate valid signatures for FBCDN urls Philippe Harewood (@phwd) Facebook Logic flaw, Authorization flaw - 03/13/2020
How I got access to critical data of a Company in no time ? Kaustubh Kale - Information disclosure, Lack of rate limiting, Bruteforce - 03/12/2020
[Bug Bounty] Email Content Injection Navneet (@na5n33t) - Email content injection $25 03/12/2020
Generate valid signatures for files hosted in Facebook CDNs Samm0uda (@samm0uda) Facebook Authorization flaw, Logic flaw - 03/11/2020
Ability to bruteforce Instagram account’s password due to lack of rate limitation protection Samm0uda (@samm0uda) Facebook Lack of rate limiting, Bruteforce $3,000 03/11/2020
How I was able to bypass the current password? Ninad Mathpati (@ninad_mathpati) - Account takeover, CSRF - 03/11/2020
OTP Bypass - Developer’s Check Shrey Shah (@ShreySh43332033) - OTP bypass - 03/11/2020
Finding a P1 in one minute with Shodan.io (RCE) sw33tLie (@sw33tLie) - RCE - 03/11/2020
Got Easiest Bounty with HTML injection via email confirmation! Shaurya Sharma (@ShauryaSharma05) - HTML injection - 03/11/2020
Vulnerable design leads to personal data leakage- yet another case of an inter-application vulnerability… Marcin Szydlowski (@SecurityKsl) - Logic flaw - 03/09/2020
Broke limited scope with a chain of bugs (tips for every rider CORS) Valeriy Shevchenko - CORS misconfiguration, RCE - 03/09/2020
The unexpected Google wide domain check bypass David Schütz (@xdavidhu) Google Logic flaw $6,000 03/08/2020
Breaking the Competition (Bug Bounty Write-up) George O (@georgeomnet) - Race condition, DoS, Logic flaw, Session management flaw $0, Swag 03/08/2020
$5,005 worth vulnerability Duplicated, How I loose $5,005 in a day? Denial of Service - Billion LAUGH Attack (XXE) Muhammad Asim Shahzad - DoS, XXE $0 (Duplicate) 03/08/2020
How I exploit the JSON CSRF with method override technique Simgamsetti Manikanta - CSRF - 03/07/2020
Google Bug Bounty: Clickjacking on Google Payment (1337$) santuySec (@santuySec) Google Clickjacking $1,337 03/06/2020
Got Bounty with Account takeover (ATO ) Unicode-Case Mapping Collision ! Shaurya Sharma (@ShauryaSharma05) - Account takeover - 03/05/2020
Bug Bounty catches part -1 Bijan Murmu (@0xBijan) - Lack of authentication, Information disclosure, Authorization flaw - 03/04/2020
Abusing Slack for Offensive Operations Cody Thomas (@its_a_feature_) Slack Logic flaw $0 (Informative) 03/04/2020
SOP Bypass Kenan (@kenanistaken) - SOP Bypass - 03/03/2020
Exploiting an SSRF: Trials and Tribulations A Bug’z Life (@abugzlife1) - SSRF $0 (Duplicate) 03/03/2020
ManageEngine ServiceDesk Plus: Arbitrary File Upload Duc Anh Bui - Arbitrary file upload, RCE - 03/03/2020
How I CSRF’d My First Bounty! Rajesh Ranjan (@rajesh_ranjan4) - CSRF $500 03/03/2020
SQL Injection Via Stopping the redirection to a login page Abde Ouabala (@4mgh0z) - SQL injection, Authorization flaw - 03/03/2020
SSRF on PDF generator. John Michael (@michan2514) - SSRF - 03/02/2020
Discord embed spoofing DarkMatterMatt Discord Phishing $0 03/02/2020
Facebook OAuth Framework Vulnerability Amol Baikar (@AmolBaikar) Facebook OAuth flaw $55,000 03/01/2020
A mysterious bug in the firmware of Google’s Titan M chip (CVE-2019-9465) Alexander Bakker Google Cryptographic issues - 02/29/2020
Account Hijack using Authorization bypass Bhavesh Thakur (@Bhavesh_Thakur_) - Account takeover, Authorization flaw - 02/28/2020
Page Admin Disclosure via an Upgraded Page Post Dan Fabro (@0x61_) Facebook Authorization flaw, Information disclosure $3,000 02/28/2020
The Tricky XSS Smaran Chand (@smaranchand) - XSS $0 (Won’t fix) 02/28/2020
Facebook CSRF bug which lead to Instagram Partial account takeover. Samm0uda (@samm0uda) Facebook CSRF, OAuth flaw $12,500 02/28/2020
Write-up: AWS Document Signing Security Control Bypass Ozgur Alp (@ozgur_bbh) - AWS flaw $1,000 02/26/2020
Long String DoS Shrey Shah (@ShreySh43332033) - DoS $100 02/26/2020
How I Get my first P1 (Sensitive Information Disclosure) using WPScan Harrmahar (@harrmahar) - Information disclosure - 02/26/2020
Mail.Ru Ext.B Scope Account Takeover [ $1500 ] Myo Min Thu (@myominthu1337) Mail.ru Account takeover, OAuth flaw $1,500 02/25/2020
Stored-XSS-on-groups-google-com Alessandro Rumampuk (@Rando02355205) Google Stored XSS $0 (Won’t fix) 02/25/2020
Discord DoS with a single message DarkMatterMatt Discord DoS $0 02/24/2020
Reflected XSS In AT&T Myo Min Thu (@myominthu1337) AT&T Reflected XSS - 02/23/202c0
Tale of Account Takeovers (Part-1) Vijaysimha Reddy Bathini (@fatratfatrat) - Account takeover, HTTP Parameter pollution, Password reset flaw, OTP bypass $5,000 02/22/2020
Hunting Tesla Model Y Secrets in the Parts Catalog Evan Connelly (@Evan_Connelly) Tesla Authorization flaw - 02/22/2020
Hacking SMS API Service Provider of a Company |Android App Static Security Analysis | Bug Bounty POC Muhammad Khizer Javed / babayaga47 (@khizer_javed47) - Information disclosure, Hardcoded credentials - 02/19/2020
A Tale of Two Formats: Exploiting Insecure XML and ZIP File Parsers to Create a Web Shell spaceraccoon (@spaceraccoonsec) - XXE, RCE - 02/18/2020
From Recon to Optimizing RCE Results - Simple Story with One of the Biggest ICT Company in the World YoKo Kho (@YokoAcc) - Information disclosure, RCE 02/18/2020
How We Found Another XSS in Google with Acunetix Andrey Leonov (@4lemon) Google XSS $5,000 02/17/2020
Plan Change Logic in Google Fiber (Webpass) Craig Arendt (@signalchaos) Google Logic flaw, Payment tampering - 02/17/2020
Exploiting WebSocket [Application Wide XSS / CSRF] Osama Avvan (@osamaavvan) - XSS, CSRF - 02/17/2020
How I Gain Unrestricted File Upload Remote Code Execution Bug Bounty Shay Grant (@kidshay) - Unrestricted file upload - 02/17/2020
Uploading Backdoor For Fun And Profit. Mohammed Abdul Raheem (@mohdaltaf163) - Unrestricted file upload, RCE - 02/17/2020
How to hack a company by circumventing its WAF through the abuse of a different security appliance and win bug bounties Red Timmy Security (@redtimmysec) - RCE - 02/16/2020
Open-redirect Vulnerability on Facebook dw1 Facebook Open redirect $500 02/16/2020
Blind IDOR in LinkedIn iOS application Hailstorm (@hailstorm1422) LinkedIn IDOR $0 02/16/2020
A Simple IDOR to Account Takeover Swapnil Maurya (@swapmaurya20) - IDOR, Account takeover $4,500 02/11/2020
Weird Vulnerabilities Happening on Load Balancers, Shallow Copies and Caches Ozgur Alp (@ozgur_bbh) - Information disclosure $1,500 02/11/2020
A step-by-step walk-through of an Invalid Endpoint Mohammed Israil (@mdisrail2468) - Information disclosure - 02/09/2020
External XML Entity via File Upload (SVG) Atul (@0xatul) - XXE, Unrestricted file upload - 02/08/2020
Determine users with detailed role model on behalf of any Facebook Application Amol Baikar (@AmolBaikar) Facebook IDOR - 02/08/2020
IDOR leads to Data leakage and Profile Update vict0ni (@vict0ni) - IDOR, Bruteforce - 02/07/2020
How Inspect Element Got me a Bounty Aditya Soni (@hetroublemakr) - Client-side enforcement of server-side security - 02/06/2020
Simple Remote Code Execution Vulnerability Examples for Beginners Ozgur Alp (@ozgur_bbh) - RCE, Unrestricted file upload $15,000 02/05/2020
Google APIS ClickJacking ( $1337) Myo Min Thu (@myominthu1337) Google Clickjacking $1,337 02/05/2020
Site wide CSRF on a popular program Ajinkya Pathare (@fellchase) - CSRF - 02/05/2020
How I Made $600 in Bug Bounty in 15 Minutes with Contrast CE – CVE- 2019-8442 David Lindner (@golfhackerdave) Atlassian (Jira) Information disclosure $600 02/05/2020
Using CSRF I Got Weird Account Takeover Mohamed Sayed (@FlEx0Geek) - CSRF, Account takeover - 02/05/2020
An Unexpected Bounty — Email Bounce Issues Keshav Malik - DoS, Email Bounce Issue - 02/05/2020
Hijacking shared report links in Google Data Studio sushiwushi (@sushiwushi2) Google Authorization flaw - 02/05/2020
How, I dumped crypto data by chaining directory listing to open S3 Bucket Ddigvijay - AWS misconfiguration, Directory listing, Information disclosure - 02/05/2020
Arbitary File Upload too Stored XSS - Bug Bounty m0chan (@m0chan98) - Arbitrary file upload, Stored XSS - 02/04/2020
Critical Security Flaw Found in WhatsApp Desktop Platform Allowing Cybercriminals Read From The File System Access Gal Weizman (@WeizmanGal) Facebook (WhatsApp) Stored XSS, CSP bypass, Open redirect, RCE $12,500 02/04/2020
Responsible Disclosure: Breaking out of a Sandboxed Editor to perform RCE Jatin Dhankhar (@jatindhankhar_) HackerEarth RCE - 02/04/2020
Exploiting Insecure Firebase Database! Muhammad Khizer Javed / babayaga47 (@khizer_javed47) - Insecure Firebase database - 02/04/2020
Easily leaking passenger information on an Airline Zseano (@zseano) - IDOR - 02/04/2020
CSRF CSRF CSRF… Navneet (@na5n33t) - CSRF $50 02/03/2020
Tumblr Bug Bounty ( $200) Myo Min Thu (@myominthu1337) Automattic (Tumblr) Unrestricted file upload, XSS, Authorization flaw $200 02/02/2020
Disclose Full Admin List of any Facebook Applications Amol Baikar (@AmolBaikar) Facebook IDOR - 02/02/2020
OK Google: bypass the authentication! Mattia Vinci Google Authentication bypass $0 (Wontfix) 01/31/2020
2FA Bypass via Logical Rate Limiting Bypass Jeppe Bonde Weikop - 2FA bypass, Logic flaw $500 01/30/2020
How I was able to takeover the company’s LinkedIn Page Vijaysimha Reddy Bathini (@fatratfatrat) - Broken Link Hijacking $500 01/29/2020
How I get my first SWAG from SIDN (Sensitive Data Expose) Mehedi Hasan Remon (@mehedi1194) SIDN Broken access control, Information disclosure $0, Swag 01/29/2020
Vimeo Livestream Bug Bounty WriteUp Mohamed Slamat (@oxxy37) Livestream IDOR, Parameter tampering - 01/29/2020
Hyperlink Injection - Easy Money (sometimes) Abhishek Yadav (@abhishake100) - Hyperlink injection $450 01/28/2020
Tale of a Misconfiguration in Password Reset Naveenroy - Password reset flaw, Information disclosure - 01/27/2020
Escalating reflected XSS with HTTP Smuggling Hazana (@HazanaSec) - Reflected XSS, HTTP Request Smuggling - 01/27/2020
XSS on Facebook-Instagram CDN Server bypassing signature protection Amol Baikar (@AmolBaikar) Facebook XSS - 01/26/2020
Disclose Facebook Business Account ID Amol Baikar (@AmolBaikar) Facebook Information disclosure $1,500 01/26/2020
XSS on Facebook’s acquisition Oculus CDN Server Amol Baikar (@AmolBaikar) Facebook XSS - 01/26/2020
Improper Input Validation | Add Custom Text and URLs In SMS send by Snapchat | Bug Bounty POC Muhammad Khizer Javed / babayaga47 (@khizer_javed47) Facebook (Snapshat) Parameter tampering $1,000 01/26/2020
Accidental IDOR that Deleted Admin Account. Sayaan Alam (@ehsayaan) - IDOR $325 01/25/2020
The unexpected bounty: A story of Zendesk takeover on REDACTED.com wis4nggeni - Subdomain takeover - 01/25/2020
Cross-Site Websocket Hijacking bug in Facebook that leads to account takeover Samm0uda (@samm0uda) Facebook Cross-Site Websocket Hijacking, Account takeover $12,500 01/23/2020
How I was able to take over any users account with host header injection Ajay Gautam (@evilboyajay) - Host header injection $900 01/23/2020
CORS Misconfiguration leading to Private Information Disclosure Virus0X01 (@Virus0X01) - CORS misconfiguration - 01/23/2020
A Less Known Attack Vector, Second Order IDOR Attacks Ozgur Alp (@ozgur_bbh) - IDOR - 01/22/2020
Password Reset Token Leak Via Referrer Shrey Shah (@ShreySh43332033) - Password reset flaw, Information disclosure - 01/22/2020
Facebook Vulnerability: Hidden “Community Manager” in Pages due to “Invitation Accept” logic Ritish Kumar Singh Facebook Logic flaw $500 01/22/2020
User Account Takeover via Signup Feature | Bug Bounty POC Muzammil Kayani (@muzammilabbas2) - Account takeover, Logic flaw, Authorization flaw - 01/22/2020
Google Bug Bounty: CSRF in learndigital.withgoogle.com santuySec (@santuySec) Google CSRF $0 (Duplicate) 01/21/2020
Cross Site Request Forgery vulnerability Leads to User Profile Change in Microsoft Express Logic Adesh Kolte (@AdeshKolte) Microsoft CSRF - 01/21/2020
How i bought my way to subdomain takeover on Tokopedia wis4nggeni Tokopedia Subdomain takeover - 01/20/2020
GGvulnz — How I hacked hundreds of companies through Google Groups Milan Magyar Google Logic flaw - 01/20/2020
How I accidentally found Bug in Google Search Console Tomi (@noobe_io) Google Logic flaw, Authorization flaw $1,337 01/18/2020
Adding a malicious notebook to be treated like a trusted notebook in Google Colab — 1337$ Raushan Raj (@raushan_rajj) Google Authorization flaw, Logic flaw $1,337 01/17/2020
How I discovered an interesting account takeover flaw? Akash Methani (@0xAkash) - Account takeover, Password reset flaw, Lack of rate limiting - 01/14/2020
No Rate Limit - 2K Bounty Shrey Shah (@ShreySh43332033) Yahoo Lack of rate limiting $2,000 01/12/2020
How I earn $500 from Razer open S3 bucket Sourav Sahana (@kernel_rider) Razer AWS misconfiguration $500 01/12/2020
My First RCE (Stressed Employee gets me 2x bounty) Abhishek Yadav (@abhishake100) - RCE, Unrestricted file upload $900 01/10/2020
Hunting Good Bugs with only <HTML> Ak1T4 (@akita_zen) - Open redirect, HTML injection, SSRF - 01/10/2020
Google Chrome display locking fuzzing Pawel Wylecial (@h0wlu) Google Heap Use-After-Free $5,000 01/08/2020
The Bug That Exposed Your PayPal Password Alex Birsan Paypal XSSI $15,300 01/08/2020
Update: Want to take over the Java ecosystem? All you need is a MITM! Jonathan Leitschuh (@jlleitschuh) Github Insecure communications $2,300 01/08/2020
HTML Injection(Unique Exploitation) Pratik Yadav (@PratikY9967) - HTML injection $250 01/07/2020
Saying Goodbye to my Favorite 5 Minute P1 Allyson O’Malley (@ally_o_malley) Microsoft Information disclosure - 01/06/2020
How I found a Privilege Escalation Bug in a private Ecommerce? Baibhav Anand (@iBaibhavJha) - Privilege escalation - 01/06/2020
XSS on Sony subdomain Gökhan Güzelkokar (@gkhck_) Sony Reflected XSS - 01/06/2020
Account takeover via HTTP Request Smuggling hipotermia (@hipotermia) - HTTP request smuggling, Account takeover, Open redirect, Internal header disclosure - 01/03/2020
Bypass 2FA in a website Sourav Sahana (@kernel_rider) - 2FA bypass - 01/01/2020
Bypass Mobile PIN Verification Sourav Sahana (@kernel_rider) - Authentication bypass $100 01/01/2020

Bug bounty writeups published in 2019

Title & URL Author Bug bounty program Vulnerability Reward $$$ Publication date Link 2 / Archived content
Story of an IDOR via HTTP Shuaib Oladigbolu (@_sawzeeyy) - IDOR - 12/31/2019
Exploiting HTML Injection in Email Shuaib Oladigbolu (@_sawzeeyy) - HTML injection - 12/31/2019
From POST to GET Open redirect Sourav Sahana (@kernel_rider) - Open redirect $450 12/31/2019
Bug Hunting Journey of 2019 Sudhanshu Rajbhar (@sudhanshur705) Alibaba, Verizon Media, [Private program] XSS, Privilege escalation, Information disclosure $2,500 12/31/2019
Exploiting a Self Stored XSS with an IDOR Shuaib Oladigbolu (@_sawzeeyy) - Self XSS, Stored XSS, IDOR - 12/31/2019
How did I earn $3133.70 from Google Translator? Beri Bey (@uppmen) Google XSS $3,133.70 12/30/2019
Facebook Bug bounty Story: $X000 for an Information Disclosure Bug Circle Ninja (@circleninja) Facebook Information disclosure - 12/29/2019
How I made $7500 from My First Bug Bounty Found on Google Cloud Platform James Grunewald Google Logic flaw $7,500 12/29/2019
Drop the mic?! no! Drop the connection ;) Sasi Levi (@sasi2103) Google DOM XSS - 12/29/2019
Effortlessly finding Cross Site Script Inclusion (XSSI) & JSONP for bug bounty Omkar Bhagwat (@th3_hidd3n_mist) - XSSI $0 (Duplicate) 12/27/2019
Bypassing Brand Collabs Manager Eligibility on Facebook Ajay Gautam (@evilboyajay) Facebook Authorization flaw $0 12/26/2019
Subdomain takeover via pantheon Smaran Chand (@smaranchand) - Subdomain takeover - 12/26/2019
Microsoft Edge (Chromium) - EoP via XSS to Potential RCE Abdulrahman Al-Qabandi (@Qab) Microsoft XSS, RCE $40,000 12/24/2019
SOP Bypass via browser-cache Aaron Costello (@ConspiracyProof) Keybase SOP bypass $1,500 12/24/2019
Abusing ImageMagick to obtain RCE Strynx (@Strynx_Security) - ImageMagick, RCE $5,000 12/24/2019
How we hacked one of the worlds largest Cryptocurrency Website Strynx (@Strynx_Security) - SQL injection, RCE - 12/24/2019
Airbnb : Steal Earning of Airbnb hosts by Adding Bank Account/Payment Method (IDOR) Vijay Kumar (@IndoAppSec) Airbnb IDOR $3,000 12/24/2019
Bugbounty | A Dom Xss Jinone (@jinonehk) - DOM XSS $500 12/24/2019
GraphQL IDOR leads to information disclosure Eshan Singh (@R0X4R) - IDOR - 12/24/2019
CSRF Token Bypasss — A Tale of my $2k bug Adeyefa Oluwatoba (@adeyefa_codes) - CSRF, Account takeover $2,000 12/23/2019
reCAPTCHA Exploits Dr. Neal Krawetz (@hackerfactor) Google reCAPTCHA bypass $0 12/23/2019
From broken link to subfolder takeover on Bukalapak wis4nggeni Bukalapak AWS flaw - 12/23/2019
2 FA Bypass via CSRF Attack Vishal Bharad Mail.ru 2FA bypass, CSRF $0 (Out of scope) 12/23/2019
Full Account Takeover (Android Application) Vishal Bharad - Information disclosure, Account takeover - 12/21/2019
Bypassing Captcha ! Abhishek Yadav (@abhishake100) - Captcha bypass $200 12/20/2019
Account Takeover Through Password Reset Poisoning Vishal Bharad - Password reset flaw, Account takeover - 12/19/2019
#BugBounty — How Snapdeal (India’s Popular E-commerce Website) Kept their Users Data at Risk! Nanda Kumar (@nk00_nk) Snapdeal Insecure storage of sensitive information - 12/19/2019
[Google VRP] SSRF in Google Cloud Platform StackDriver Ron Chan (@ngalongc) Google SSRF - 12/19/2019
Abusing feature to steal your tokens Harsh Jaiswal (@rootxharsh) - OAuth flaw $3,750 12/17/2019
BreakingApp – WhatsApp Crash & Data Loss Bug Dikla Barda, Roman Zaikin & Yaara Shriki Facebook DoS - 12/17/2019
[email protected] Disclosure via IDOR Pratyush Anjan Sarangi - IDOR $750 12/16/2019
Stored Iframe Injection + CSRF = Account Takeover 😎😎 Rounak Dhadiwal (@XploiteR_D) - HTML injection, CSRF - 12/16/2019
How I Took Over 2 Subdomains with Azure CDN Profiles m0chan (@m0chan98) - Subdomain takeover - 12/16/2019
4 Google Cloud Shell bugs explained [email protected] (@wtm_offensi) Google RCE - 12/16/2019
Authorization bug that every bug hunter missed on a popular program Ajinkya Pathare (@fellchase) - Authorization flaw - 12/15/2019
Vimeo upload function SSRF Sayed Abdelhafiz (@dPhoeniixx) - SSRF $5,000 12/13/2019
How I was able to find a logical bug on Instagram? Jabir Khan (@Jabirkhan0x0) Facebook Logic flaw - 12/13/2019
Facebook New Account Verification Bypass Santosh Baral (@santoshbrl5) Facebook Authentication bypass $0 (Internal duplicate) 12/13/2019
Multiple Host Header Attacks after bypassing protection with… a Header Attack vict0ni (@vict0ni) - Host header injection - 12/12/2019
A $25 Easy Bug. Navneet (@na5n33t) - Session management flaw $25 12/12/2019
SSRF via FFmpeg HLS processing Pflash Punk (@PflashPunk) - SSRF $0 (Duplicate) 12/11/2019
Blind Xss (A mind game to win the battle) Dirtycoder (@dirtycoder0124) - Blind XSS $1,000 12/11/2019
AirDoS: Remotely render any nearby iPhone or iPad unusable Kishan Bagaria (@KishanBagaria) Apple DoS - 12/10/2019
Get pwned by scanning QR Code Nikhil Mittal (@c0d3G33k) Mozilla XSS, CSP bypass - 12/10/2019
Authentication Bypass Rushiikesh (@u1tran00b) - 2FA bypass $700 12/09/2019
Media deletion CSRF vulnerability on Instagram Pouya Darabi (@Pouyadarabi) Facebook CSRF $3,000 12/09/2019
Telegram (v4.9.155353) was rendering file:// links + opening them via NSWorkspace.open -> code execution. Vladimir Metnew (@vladimir_metnew) Telegram RCE $500 12/08/2019
Reusing Cookies Ricardo Iramar dos Santos - Session management flaws $400 12/07/2019
HTML Injection to XSS bypass in [REDACTED.com] Evan Ricafort (@evanricafort) - Reflected XSS $600 12/07/2019
$150 XSS at Error Page of Respository Code Navneet (@na5n33t) - Reflected XSS $150 12/07/2019
Google Chrome portal element fuzzing Pawel Wylecial (@h0wlu) Google RCE, Heap Buffer Overflow, Heap Use-After-Free $8,000 12/06/2019
HTTP Request Smuggling + IDOR hipotermia (@hipotermia) - HTTP request smuggling, IDOR - 12/05/2019
XSS like a Pro Anas Mahmood (@AnasIsHere) - XSS $450 12/05/2019
Dank Writeup On Broken Access Control On An Indian Startup Divyanshu Shukla - Unrestricted file upload, Authorization flaw - 11/30/2019
My first RCE: a tale of good ideas and good friends rez0 (@rez0__) - RCE, ImageTragick - 11/29/2019
How I turned Self XSS to Stored via CSRF Abhishek Yadav (@abhishake100) - Self XSS, CSRF $550 11/29/2019
Hacking GitHub with Unicode’s dotless ‘i’ John Gracey (@jagracey) Github Logic flaw - 11/28/2019
XSS Stored On [ Outlook Web — Outlook Android App ] ElMahdi Mrhassel (@ElMrhassel) Microsoft Stored XSS $2,400 11/28/2019 Archived content
Reflected XSS in graph.facebook.com leads to account takeover in IE/Edge Samm0uda (@samm0uda) Facebook Reflected XSS, Account takeover $5,000 11/27/2019 Archived content
Getting access to disabled/hidden features with the help of Burpsuite Match and Replace settings Johns Simon (@Johnssimon22) - Authorization flaw - 11/27/2019 Archived content
How Did Tons of People Like Me on Tinder? Mustafa iran (@Mustafaran) - HTTP request smuggling $2,500 11/25/2019
Finding a security bug in Discord and what it taught me Tristan Farkas (@TristanAtFarkas) Discord OAuth flaw - 11/24/2019
CORS Misconfiguration to Account TakeOver [Out of scope to grab items In-Scope] Mashoud1122 (@mashoud1122) - CORS misconfiguration, Open redirect, Reflected XSS, Session management flaw $1,500 11/24/2019
The AccountTakeOver Killing Chain أنس روبي (@xhzeem) - Account takeover, CSRF, Self-XSS - 11/23/2019
Exploiting padding oracles with fixed IVs Teddy Katz (@not_aardvark) - Padding oracle, Account takeover - 11/23/2019
IDOR via Websockets Shuaib Oladigbolu (@_sawzeeyy) - IDOR - 11/23/2019
Stories Of IDOR-Part 2 Shivbihari Pandey (@ninja_pandit_) - IDOR $3,650 11/21/2019
Disable Any Unconfirmed Account in Facebook Lokesh Kumar (@lokeshdlk77) Facebook Bruteforce $1,000 11/21/2019
700$ Denial of Service(DoS) vulnerability in script-loader.php (CVE-2018-6389) Pankaj Thakur (@Nep_1337_1998) - DoS $700 11/21/2019
How I paid 2$ for a 1054$ XSS bug + 20 chars blind XSS payloads Mohamed Daher (@DaherMohamed4) - XSS $1,054 11/20/2019
Cracking reCAPTCHA, Turbo Intruder style James Kettle (@albinowax) Google Race condition $0 11/20/2019
Subdomain Takeover via Campaignmonitor.com Mohamed Haron (@m7mdharon) - Subdomain takeover $900 11/20/2019
How I could delete Facebook Ask for Recommendations post’s place objects in comments Raja Sudhakar (@Rajasudhakar) Facebook IDOR - 11/20/2019
Broken session management leads to bypass 2FA and Permanent access to Facebook user’s Mahmoud Barakat (@0xBarakat) Facebook Authentication bypass - 11/19/2019
Disclose the owner of a recruiting manager in Jobs Beta Philippe Harewood (@phwd) Facebook Information disclosure - 11/19/2019
Million Users PII Leak Data Leak Shivbihari Pandey (@ninja_pandit_) - Information disclosure, Blind XSS $3,250 11/18/2019
XSS in GMail’s AMP4Email via DOM Clobbering Michał Bentkowski Google XSS, DOM Clobbering - 11/18/2019
This is How I was able to hunt a rare bug in a private program Abida Fahd - Lack of authentication, Privilege escalation - 11/18/2019
My First Bug ($500) Abhishek Yadav (@abhishake100) - No valid SPF records $500 11/18/2019
Bypassing the patch for my previous Instagram bug. Baibhav Anand (@iBaibhavJha) Facebook Authorization flaw, Logic flaw - 11/18/2019
Privilege Escalation with simple recon Mayur Gupta (@RisingHunter_) - Privilege Escalation, Blind XSS - 11/16/2019
LDAP Admin Account Bypassed :) Himanshu Pdy (@himanshu_pdy_01) - LDAP injection, Authentication bypass - 11/16/2019
View the ranked messenger users for any page Philippe Harewood (@phwd) Facebook Information disclosure, Authorization flaw - 11/16/2019
[Writeup][Bug Bounty][Tokopedia] Manipulation of Likes in Product Reviews [EN] Muhammad Thomas Fadhila Yahya (@fadhilthomas) Tokopedia IDOR $135 11/15/2019
Authenticated CORS with Access-Control-Allow-Origin: * BitK (@BitK_) Chromium Caching issue, Browser bug $0 (won’t fix) 11/15/2019
Chains on Chains!! Chaining several IDOR’s into Account Takeover(PART ONE) Daniel Marte (@DanielM59720745) - IDOR - 11/15/2019
Taking over Facebook Page Tabs Sagar Tanur (@Sagarvd01) Facebook Broken link hijacking $0 (informative) 11/14/2019
[Server Side Request Forgery] Blind SSRF due to Sentry Misconfiguration Kent Bayron (@bayronkentoy) - SSRF $300 11/14/2019
Command Injection Through BLH Shankar R (@trapp3r_hat) Facebook Broken link hijacking $0 (informative) 11/14/2019
Mass XS-Search using Cache Attack terjanq (@terjanq) Google XS-Search - 11/12/2019
How I accidentally took down GitHub Actions Teddy Katz (@not_aardvark) GitHub Denial of Service, Commit Hash Collisions $5,000 11/12/2019
Bug Bounty: Broken API Authorization Th3hidd3nmist (@th3_hidd3n_mist) - Authorization flaw $440 11/12/2019
How i Bought VPS, Hosting, Domain only $0.01 Zerb0a - Payment tampering $500 11/12/2019
Keylogging users via Slack themes Matt Langlois (@fletchto99) Slack CSS injection $500 11/11/2019
My First SSRF Using DNS Rebinding Marek Geleta (@marek_geleta) - SSRF, DNS rebinding - 11/11/2019
DOM-Based XSS | Bug Bounty Writeup HacknPentest (@HacknPentest) - DOM XSS $100 11/10/2019
BugBounty: How I Cracked 2FA (Two-Factor Authentication) with Simple Factor Brute-force !!! 😎 Akash Agrawal (@akashmagrawal) - 2FA bypass, Lack of rate limiting - 11/08/2019
How I Hacked Dutch Government in 5 Minutes? Twitter Account Takeover Numan ÖZDEMİR (@numanozdemircom) Dutch Government Broken link hijacking $0, Swag 11/06/2019
A simple post auth bypass leads to unauthorized web server access Hein Thant Zin (@H3Lowr) - Default credentials $750 11/08/2019
Bypassing GitHub’s OAuth flow Teddy Katz (@not_aardvark) GitHub OAuth flaw, Authorization bypass $25,000 11/05/2019
[bugbounty] A Simple SSRF Jinone (@jinonehk) - SSRF, DNS Rebinding - 11/05/2019
XSS will never die Oleksandr Opanasiuk (@Lekssik2) - XSS - 11/02/2019
Filling in the Blanks: Exploiting Null Byte Buffer Overflow for a $40,000 Bounty Sam Curry (@samwcyo) - Null byte buffer overflow $40,000 11/01/2019
Live Video facebook application (Android) its not expired when log out the device on https://www.facebook.com/settings?tab=security&section=sessions&view Naufal Septiadi Facebook Logic flaw $500 10/30/2019
GraphQL introspection leads to sensitive data disclosure Eshan Singh (@R0X4R) - Information disclosure - 10/30/2019
5,000 USD XSS Issue at Avast Desktop AntiVirus for Windows (Yes, Desktop!) YoKo Kho (@YokoAcc) Avast Reflected XSS $5,000 10/29/2019
Cross Site Request Forgery Critical Exploitable IN Infected Site? Hossam Mesbah - CSRF - 10/29/2019
XSS to Account Takeover Tomi (@noobe_io) - XSS, CSRF - 10/29/2019
[Leak] Can I take the user information, please?!! Mohamed Sayed (@FlEx0Geek) - Information disclosure - 10/29/2019
How I hacked 50+ Companies in 6 hrs Vignesh C (@pwn_r00t) - SSTI, RCE - 10/29/2019
[Writeup — FB] Crash web — app through application form of job application pages TienDat Facebook DoS - 10/28/2019
Illegal Rendered at Download Feature in Several Apps (including Opera Mini) that Lead to Extension Manipulation (with RTLO) YoKo Kho (@YokoAcc) Opera RTLO - 10/26/2019
How to Takover a ldap server. Ashish Kunwar (@D0rkerDevil) - Exposed LDAP server - 10/25/2019
Session Expiration Bypass in Facebook Creator App Ajay Gautam (@evilboyajay) Facebook Session expiration bypass $1,500 06/22/2019
How I earned by finding confidential customer data including plain-text passwords! Sushant Soni (@sushantsoni5392) - Directory listing, Information disclosure - 10/24/2019
NFC Beaming Bypasses Security Controls in Android [CVE-2019-2114] Nightwatch Cybersecurity (@nightwatchcyber) Google NFC - 10/24/2019
(POC) Disclose members in any closed Facebook group Ahmad Talahmeh Facebook Information disclosure $3,000 10/22/2019
[ BUG BOUNTY ] Flaw in Authentication ( Hall of Fame Google ) Danang Tri Atmaja (@danangtriatmj) Google Authentication flaw - 10/21/2019
How PayPal helped me to generate XSS Pflash Punk (@PflashPunk) Paypal Reflected XSS $250 10/20/2019
Escalating Privileges like a Pro Gaurav Narwani (@gauravnarwani97) - Privilege escalation - 10/20/2019
Hunting for bounties antihack.me case study 0xSha (@0xsha) AntiHack.me RCE, XSS, Logic flaw, Information disclosure - 10/20/2019
[email protected] Disclosure via IDOR Pratyush Anjan Sarangi - IDOR, Information disclosure $750 10/18/2019
1-800-Flowers Credentials and message log leak via facebook.com/facebook Philippe Harewood (@phwd) Facebook AWS misconfiguration - 10/17/2019
How I was able to bypass OTP code requirement in Razer [The story of a critical bug] Ananda Dhakal (@dhakal_ananda) Razer OTP bypass $1,000 10/16/2019
How I found RCE But Got Duplicated Smile Hacker - Unrestricted file upload, RCE - 10/15/2019
[ Writeup — Bugbounty Facebook ] Disclosure the verified phone number in Checkpoint. TienDat Facebook Information disclosure $500 10/15/2019
How I bypassed 2 Factor Authentication Hemant Singh Manral - 2FA bypass $250 10/15/2019
An inconsistent CSRF Smaran Chand (@smaranchand) - CSRF $0 10/15/2019
Finding SQL injections fast with white-box analysis — a recent bug example frycos (@frycos) Zoho SQL injection - 10/13/2019
Whitehat test accounts can act as Hidden Admin with Business manager / Ad Accounts. Rohit kumar (@rohitcoder) Facebook Authorization flaw - 10/12/2019
Bypass Uppercase filters like a PRO (XSS Advanced Methods) MasterSEC (@MasterSEC_AR) - XSS $1,000 10/11/2019
How i Hacked BASF Company !! Murtada Kamil BASF Lack of authentication - 10/10/2019
EXIF Geolocation Data Not Stripped From Uploaded Images Sourav Newatia (@souravnewatia) - Information disclosure $500 10/09/2019
How “Recon” helped Samsung protect their production repositories of SamsungTv, eCommerce / eStores Prateek Tiwari Samsung Information disclosure - 10/05/2019
From Multiple IDORs leading to Code Execution on a different Host Container Rahul (@Rahul_R95) - IDOR, RCE - 10/04/2019
How I made 1000$ with AT&T Bug Bounty(H1) Adesh Kolte (@AdeshKolte) AT&T CSRF, Account takeover $1,000 10/02/2019
REST framework Admin Panel bypass and how I recon for this vulnerability Aziz Hakim (@hackerb0y_) - Authentication bypass - 10/02/2019
GraphQL Introspection leads to Sensitive Data Disclosure. Pranay Bafna - Information disclosure - 10/02/2019
How to get RCE on AEM instance without Java knowledge byq (@ByQwert) - RCE $1,000 10/01/2019
Stealing login credentials with Reflected XSS mehulpanchal007 (@007_sharky) - Reflected XSS $100 10/01/2019
One Way to Find Hidden IDOR Vulnerability Vulkey_Chen (@Vulkey_Chen) - IDOR ¥3,000 (~ $28) 10/01/2019
Bug Hunting: Xss On Cookie Popup Warning vict0ni (@vict0ni) - Reflected XSS - 09/30/2019
Spear texting via parameter injection Kyle (@B3nac) - Parameter tampering $900 09/29/2019
XSS Is Love <3 ! Nirmal Dahal (@TheNittam) - XSS - 09/29/2019
Stories Of IDOR Shivbihari Pandey (@ninja_pandit_) - IDOR - 09/28/2019
OnePlus Open/Unvalidated Redirects & Forwards Mainak Sadhukhan OnePLus Open redirect - 09/26/2019
Analysis of CVE-2019-14994 – Jira Service Desk Path Traversal leads to Massive Information Disclosure Sam Curry (@samwcyo) Atlassian Path traversal $11,000 09/25/2019
Information Disclosure at PayPal and Xoom (PayPal Acquisition) via Simple Google Dork - 1,000 USD YoKo Kho (@YoKoAcc) Paypal Information disclosure $1,000 09/24/2019
ONEPLUS XSS vulnerability in Customer Support Portal Mainak Sadhukhan OnePLus XSS - 09/24/2019
Fuzzing Till Verneet (@err0rrrrr) - SSTI - 09/23/2019
Broken Link Hijacking - s3 buckets Tutorgeeks (@tutorgeeks) Google Broken link hijacking - 09/22/2019
[Bug Bounty] Exploiting Cookie Based XSS by Finding RCE Tomi (@noobe_io) - Information disclosure, SQL injection, Authentication bypass, Unrestricted file upload, RCE, XSS - 09/22/2019
[Case Study] OAuth Misconfiguration leads to Account Takeover Gaurang Bhatnagar (@0xgaurang) - OAuth flaw, Account takeover - 09/21/2019
Facebook Workplace Privilege Escalation Vulnerability To Change The Post Privacy As Public Guhan Raja (@havocgwen) Facebook Privilege escalation $500 09/21/2019
A Simple bypass of Registration Activation that Lead to many Bug - YoKo Kho (@YoKoAcc) - Information disclosure, IDOR, CSRF - 09/21/2019
Bug or Feature? GitHub Adventure #001 Dominik Opyd (@oad_earth) - OAuth flaw, Open redirect $0 09/21/2019
Stored XSS on Zendesk via Macro’s PART 2 Hariharan.s (@DJHARIZ1) Zendesk Stored XSS - 09/20/2019
IDOR in One plus leads to leak User personal Info. Aditya Sharma (@Assass1nmarcos) OnePlus IDOR $0, Swag 09/20/2019 Archived content
How I able to Takeover 10 subdomains in a Private Program ? Mohamed Haron (@m7mdharon) - Subdomain takeover $500 09/20/2019
Business ID leak via Creative Hub redirect Philippe Harewood (@phwd) Facebook Open redirect - 09/20/2019
Admin hijacked by Sea Surf Pirates Gaurav Narwani (@gauravnarwani97) Dolibarr Stored XSS, CSRF, Account takeover - 09/19/2019
SSRF | Reading Local Files from DownNotifier server Dr.FarFar (@3XS0) - SSRF - 09/18/2019
RCE with Flask Jinja Template Injection AkShAy KaTkAr (@AkShAy KaTkAr) - SSTI, RCE - 09/17/2019
Client, not client! Tung Pun - LFI $1,000 09/15/2019
Google Referer Leak Bug Jayateertha Guruprasad (@JayateerthaG) Google Referer leakage, information disclosure - 09/15/2019
How I found a simple and weird Account takeover bug Bijan Murmu (@0xBijan) - Account takeover, Lack of authentication - 09/14/2019
OTP Manipulation Kishan choudhary (@choudhary_1337) - OTP bypass $300 09/14/2019
Race Condition that could Result to RCE - (A story with an App that temporary stored an uploaded file within 2 seconds before moving it to Amazon S3) YoKo Kho (@YoKoAcc) - Race condition, RCE, Unrestricted file upload - 09/14/2019
I Could Have Hacked All Uber Accounts- But I Chose to Report it Instead Anand Prakash (@sehacure) Uber Information disclosure $6,500 09/13/2019
How two dead accounts allowed remote crash of any instagram android user Valerio brussani (@val_brux) Facebook DoS - 09/13/2019
Unauthorized access to all user information leaks C1h2e1 (@C1h2e11) - Information disclosure - 09/13/2019
HTTP Request Smuggling CL.TE memN0ps (@memN0ps) - HTTP request smuggling - 09/13/2019
Exploiting File Uploads Pt. 2 – A Tale of a $3k worth RCE. HackerOn2Wheels (@HackerOn2Wheels) - RCE, Unrestricted file upload $3,000 09/13/2019
Facebook employee internal tool and conversations leaked in Facebook video Philippe Harewood (@phwd) Facebook Information disclosure - 09/12/2019
How I could have hacked your Uber account Anand Prakash (@sehacure) Uber Account takeover, IDOR $6,500 09/12/2019
How does my recon win $250 in 15 minutes Hein Thant Zin (@H3Lowr) - Open redirect $250 09/12/2019
Add users to roles on Facebook pages without an invitation consent Philippe Harewood (@phwd) Facebook Authorization flaw - 09/12/2019
Pwn Them All #BugBounty Bilal Khan (@bilalmerokhel) - Host header injection, Password reset flaw - 09/11/2019
Subscribe to the list of requesters to join a Facebook live video using MQTT Philippe Harewood (@phwd) Facebook Authorization flaw - 09/10/2019
H1-4420: From Quiz to Admin - Chaining Two 0-Days to Compromise An Uber Wordpress Julien Ahrens (@MrTuxracer) Uber Stored XSS, SQL injection - 09/10/2019
Telegram addresses another privacy issue Dhiraj (@RandomDhiraj) Telegram Logic flaw, Privacy issue €2,500 09/09/2019
Accessing 2 million Verizon Pay Monthly contracts Daley Bee (@daley) Verizon Information disclosure, Authentication bypass, IDOR - 09/09/2019
Oculus identity verification bypass through brute-force karthik kumar reddy (@karthiksunny007) Facebook OTP bypass, Lack of rate limiting $750 09/09/2019
XSS in Zoho Mail Anas Mahmood (@AnasIsHere) Zoho Mail XSS $200 09/08/2019
Exploiting JSONP and Bypassing Referer Check Osama Avvan (@osamaavvan) - Information disclosure, JSONP flaw - 09/07/2019
Write up of two HTTP Requests Smuggling C1h2e1 (@C1h2e11) - HTTP request smuggling - 09/07/2019
Finding Gem in Someone’s Report: Instant $500USD at HackerOne Platform Hisoka Morou - Information disclosure $500 09/07/2019
DOM Based XSS in Private Program Mohamed Haron (@m7mdharon) - DOM XSS $500 09/05/2019
Readme.com Account Takeover Ankush Goel (@0xankush) Readme.com Password reset flaw $0 09/05/2019
Exposed Jenkins to RCE on 8 Adobe Experience Managers Corben Leo (@hacker_) - RCE - 09/04/2019
Add new user with Admin permission and takeover the organization Tarek Mohamed (@Conan0x3) - Authorization flaw, Privilege escalation - 09/04/2019
RCE using Path Traversal inc0gbyt3 (@incogbyte) - RCE, Path traversal - 09/02/2019
HTML to PDF converter bug leads to RCE in Facebook server Samm0uda (@samm0uda) Facebook RCE $1,000 09/02/2019 Archived content
Google Cloud Blog platform vulnerability Alexandru Coltuneac (@dekeeu) Google XSS - 09/01/2019
Graphql Bug to Steal Anyone’s Address Pratik Yadav (@PratikY9967) - Information disclosure - 09/01/2019
My First LFI Tirtha Mandal (@tirtha_mandal) - LFI $1,000 08/31/2019
Shodan is your friend!!! If you ignore him you will lose many… Vijaysimha Reddy Bathini (@fatratfatrat) - SQL injection, Authentication bypass - 08/28/2019
How to look for JS files Vulnerability for fun and profit? Yeasir Arafat - Information disclosure - 08/27/2019
Private bug bounty $ USD: “RCE as root on Marathon-Mesos instance” @omespino - RCE - 08/27/2019
How I Hacked Instagram Again Laxman Muthiyah (@LaxmanMuthiyah) Facebook Password reset flaw, Account takeover $10,000 08/26/2019
Bug Bounty: Bypassing a crappy WAF to exploit a blind SQL injection Robin Verton (@robinverton) - Blind SQL injection - 08/25/2019
Create living room polls as a Facebook page analyst Philippe Harewood (@phwd) Facebook Authorization flaw $5,000 08/24/2019
From Github Recon To Account Takeover Dipak kumar Das (@d1pakdas) - Information disclosure, Account takeover - 08/24/2019
Cookie worth a fortune Gaurav Narwani (@gauravnarwani97) - Reflected XSS - 08/23/2019
One Bug To Rule Them All: Modern Android Password Managers and FLAG_SECURE Misuse Lorenzo Stella (@lorenzostella) 1Password, Keeper, Dashlane Information disclosure, Content leak - 08/22/2019
Rights Manager Graph API Disclosure of business employee to non business employee Jafar Abo Nada (@Jafar_Abo_Nada) Facebook Information disclosure - 08/22/2019
Instagram account is reactivated without entering 2FA ($500) Aman Shahid (@amansmughal) Facebook 2FA bypass, Authentication flaw $500 08/21/2019
Sending Message as page being an analyst/ advertiser? Baibhav Anand (@iBaibhavJha) Facebook Authorization flaw $0 08/21/2019
How I made my first $$$ from finding a bug in Facebook Aayush Pokhrel (@aayushpok) Facebook Authorization flaw - 08/21/2019
How I upgraded my privileges to the administrator of Odnoklassniki’s url shortener Sergey Kashatov (@iframe0x01) ok.ru Privilege escalation $500 08/20/2019
Facebook Bug Bounty: Reading WhatsApp contacts list without unlocking the device Arvind Facebook Authorization flaw - 08/19/2019
U.S. Department of Defense - Info Disclosure and SQLi Writeup Aaron Esau (@arinerron) U.S. Dept Of Defense Information disclosure, SQL injection - 08/19/2019
Removing profile pictures for any Facebook user Philippe Harewood (@phwd) Facebook IDOR $2,500 08/19/2019
How I was able to earn 1000$ with just 10 minutes of bug bounty? Ninad Mathpati (@ninad_mathpati) - Password reset flaw $1,000 08/17/2019
ByPassing fix of Domain Blocking feature in Business Manager Rohit kumar (@rohitcoder) Facebook Authorization flaw, Logic flaw - 08/15/2019
Facebook Messenger exposing deleted messages using [Remove for Everyone] Renwa Facebook Logic flaw - 08/15/2019
BookMyShow account takeover using social login Sukhmeet Singh (@MadGuyyy) BookMyShow OAuth flaw, Account takeover $₹2000 (~ $28) 08/15/2019
[Business Logic] Bypassing Nickname Feature Kent Bayron (@bayronkentoy) - Logic flaw $50 08/14/2019
[Business Logic Bug] Bypassing Nickname Feature Kent Bayron / kntx (@bayronkentoy) - Logic flaw $50 08/14/2019
BugBounty WriteUp — take attention and get Stored XSS Oleksandr Opanasiuk (@Lekssik2) - Stored XSS - 08/14/2019
How I XSSed Admin Account Gaurav Narwani (@gauravnarwani97) - Stored XSS, Account takeover - 08/13/2019
SSRF Vulnerability in https://app.[REDACTED].com Evan Ricafort (@evanricafort) - SSRF $0 (Duplicate) 08/13/2019
Reporting - Amazon 1 click device XSS Sneakerhax (@sneakerhax) Amazon XSS - 08/12/2019
Clickjacking DOM XSS on Google.org Thomas Orlita (@ThomasOrlita) Google Clickjacking, DOM XSS - 08/12/2019
Application Level Denial of Service [DoS] using SVG file in https://[REDACTED].com (Write Up) Evan Ricafort (@evanricafort) - DoS $300 08/10/2019
Two Easy RCE in Atlassian Products Valeriy Shevchenko Atlassian RCE - 08/09/2019
Read other user support tickets in https://support..com (Write Up) Evan Ricafort (@evanricafort) - IDOR $120 08/09/2019
Privilege Escalation using Api endpoint Ronak Patel (@ronak_9889) - Privilege Escalation - 08/09/2019
Writing my Medium blog to complete account takeover Rotem Reiss (@rotem_reiss) Medium Stored XSS, Account takeover $1,000 08/09/2019
Exploiting Out Of Band XXE using internal network and php wrappers Mahmoud Gamal (@Zombiehelp54) - XXE - 08/06/2019
Exploiting Out Of Band XXE using internal network and php wrappers Mahmoud Gamal (@Zombiehelp54) - XXE - 08/06/2019
BugBounty WriteUp — Creative thinking is our everything (Race Condition + Business Logic Error) Oleksandr Opanasiuk (@Lekssik2) - Race condition, Logic flaw - 08/05/2019
Stored XSS on LaporBug.id rizal (@sayadarijawa) LaporBug.id Stored XSS - 08/05/2019
Vulnerability in Hangouts Chat: from open redirect to code execution VulnerabilityLabs Google Open redirect, RCE $7,500 08/04/2019
Leveraging AngularJS-based XSS to Privilege Escalation Shawar Khan (@ShawarkOFFICIAL) - XSS, Privilege escalation - 08/04/2019
How I Found XSS By Searching In Shodan D1vy4n5hu 5hukl4 (@justm0rph3u5) - Reflected XSS - 08/04/2019
No Rate limiting eligible for bounty ? Smaran Chand (@smaranchand) - Lack of rate limiting - 08/03/2019
From Sub domain Takeover to Open-Redirect Anil Tom (mr_4nk) - Subdomain takeover, Open redirect $150 08/02/2019
One Misconfig (JIRA) to Leak Them All- Including NASA and Hundreds of Fortune 500 Companies! Avinash Jain (@logicbomb_1) - Information disclosure - 08/02/2019
Bypassing CORS VulnerabilityLabs - CORS misconfiguration - 08/01/2019
Complete information disclosure using Broken Access Control Bhavesh Thakur (@Bhavesh_Thakur_) - Information disclosure, Authorization flaw $100 08/01/2019
Download predictions details of ads plans of any business. Samm0uda (@samm0uda) Facebook IDOR - 08/01/2019 Archived content
Internal path disclosure in Instagram server Samm0uda (@samm0uda) Facebook Internal path disclosure, Information disclosure - 08/01/2019 Archived content
Access portal of Facebook mobile retailers and see earnings and referrals reports. Samm0uda (@samm0uda) Facebook IDOR, Authorization flaw $500 08/01/2019 Archived content
View orders and financial reports lists for any page shop. Samm0uda (@samm0uda) Facebook Authorization flaw $500 08/01/2019 Archived content
Bypassing CORS Saad Ahmed (@XSaadAhmedX) - CORS misconfiguration - 08/01/2019
RCE in Ruby using Mustache Templates Rhys Elsmore (@rhyselsmore) - RCE - 08/01/2019
Reposted [2017]: LinkedIn Hacker’s Experience Alexandru Coltuneac (@dekeeu) LinkedIn Stored XSS - 07/30/2019
Reposted [2019]: Hacking YouTube for #fun and #profit Alexandru Coltuneac (@dekeeu) Google Authorization flaw - 07/30/2019
Paypal bug $10K - All Secondary users account takeover leads to unauthorized money transfer from paypal business accounts Mohd haji (@mohdhaji24) Paypal IDOR $10,500 07/30/2019
SQL Injection in private-site.com/login.php Mohamed Haron (@m7mdharon) - SQL injection $0 (Out of scope) 07/30/2019
1st Bounty Story | Rewarded 300$ (IDOR) Md Hridoy - IDOR $300 07/29/2019
Story of an IDOR via Email Shuaib Oladigbolu (@_sawzeeyy) - IDOR - 07/29/2019
Old GitHub Profile Takeover! Mohamed Haron (@m7mdharon) - Github account takeover $1,000 07/28/2019
Chaining Cache Poisoning To Stored XSS Rohan aggarwal (@nahoragg) - Web cache poisoning, Stored XSS - 07/28/2019
Solr Injection by abusing Local Parameters on Zomato.com Ronak Patel (@ronak_9889) Zomato Solr Injection $700 07/27/2019
Story about Facebook Oauth Account Takeover Zerb0a iLOTTE Account takeover, OAuth flaw IDR 2.000.000 (~ $150) 07/26/2019
Facebook BugBounty: Tale of an Instagram bug disclosing user’s phone number via checkpoint Bijan Murmu (@0xBijan) Facebook Information disclosure - 07/26/2019
Full Account Takeover via Changing Email And Password of any User through API Parameters Adesh Kolte (@AdeshKolte) - IDOR, Password reset flaw, Account takeover - 07/26/2019
Price Parameter Tampering On Bukalapak Apapedulimu (@LocalHost31337) Bukalapak Parameter tampering $150 07/24/2019
How I found the most critical bug in live bug bounty event? Lakshay (@inn0c3ntd3v1L) - Password reset flaw, Account takeover - 07/24/2019
XSS to RCE in … Hungry Bytes (@hungrybytes) Github XSS, RCE - 07/24/2019
Disclose any main and 3rd party contributors email address and movie local path thru XML file in Plex TV - plex.tv (Write Up) Evan Ricafort (@evanricafort) Plex TV Information disclosure, Path disclosure $0 07/24/2019
XX to XXX in one day Baibhav Anand (@iBaibhavJha) WePay, [Private program] Account takeover, Parameter tampering - 07/23/2019
Pwning child company to get access to ParentCompany’s Slack Team Parth Malhotra (@Parth_Malhotra) - SQL injection, Default credentials - 07/23/2019
XSS On Twitter [Worth 1120$] Bywalks (@bywalkss) - XSS $1,120 07/22/2019
Reflected XSS in Ebay.com Sukhmeet Singh (@MadGuyyy) Ebay Reflected XSS $0, HoF 07/22/2019
Subscribe to typing notifications for any Instagram user Philippe Harewood (@phwd) Facebook Authorization flaw $5,750 07/21/2019
Not a fancy bug, just HTML Injection in Clause - clause.io (Write Up) Evan Ricafort (@evanricafort) Clause HTML injection $250 07/21/2019
Shopping Products For Free- Parameter Tampering Vulnerability D1vy4n5hu 5hukl4 (@justm0rph3u5) - Parameter tampering, Payment tampering - 07/21/2019
Exploiting a Tricky Blind SQL Injection inside LIMIT clause Rahul Maini - SQL injection - 07/21/2019
Get Page Inbox notifications for any Facebook page Philippe Harewood (@phwd) Facebook Authorization flaw, Information disclosure - 07/20/2019
Microsoft ID Open Redirect Burninator Sec Microsoft Open redirect $0 07/19/2019
Microsoft Office 365 - Outlook XSS Abdulrahman Al-Qabandi (@Qab) Microsoft XSS - 07/19/2019
SQL Injection in Forget Password Function Khaled Gaber - SQL injection - 07/18/2019
How to lock a GitHub user out of their repos (bug or feature?) Teserakt AG Github DoS $0 (Feature) 07/18/2019
Сookie-based XSS exploitation | $2300 Bug Bounty story Max (@iSecMax) - XSS $2,300 07/17/2019
Account Takeover Vulnerability :) Sumit Jain (@sumit_cfe) - Password reset flaw, Account takeover - 07/17/2019
How Recon helped me to to find a Facebook domain takeover Sudhanshu Rajbhar (@sudhanshur705) Facebook Subdomain takeover $500 07/17/2019
Facebook Informative Bug From Triaged Circle Ninja (@circleninja) Facebook Lack of rate limiting $0 07/17/2019
CSRF Email Confirmation Vulnerability for Gmail & G-Suite in Facebook Lokesh Kumar (@lokeshdlk77) Facebook CSRF $3,000 07/16/2019
Bypass CSRF With ClickJacking Worth $1250 Injector Pca / SaadAhmed (@XSaadAhmedX) - CSRF, Clickjacking $1,250 07/16/2019
What do Netcat, SMTP and self XSS have in common? Stored XSS Plenum (@plenumlab) - Stored XSS - 07/16/2019
How I Could Get The Instagram Username of Anyone on Tinder Shahar Albeck Tinder Information disclosure - 07/16/2019
The Bugs Are Out There, Hiding in Plain Sight A Bug’z Life (@abugzlife1) - IDOR, SSRF, Information disclosure, CORS misconfiguration $9,000 07/15/2019
500$ bounty: Man in the Middle on Slack Wiard van Rij / Sysrant (@RijWiard) Slack MiTM $500 07/15/2019
Facebook Bug : Sending messages as a page with jobmanager permission Devansh batham (@devanshwolf) Facebook Authorization flaw, Privilege escalation $0 (Duplicate) 07/15/2019
[TOKOPEDIA] Site-wide CSRF through GraphQL request Rafie Muhammad (@rafiem777) Tokopedia CSRF - 07/15/2019
How I Could Have Hacked Any Instagram Account Laxman Muthiyah (@LaxmanMuthiyah) Facebook Race condition, Rate limiting bypass $30,000 07/14/2019
Cracking my windshield and earning $10,000 on the Tesla Bug Bounty Program Sam Curry (@samwcyo) Tesla Blind XSS $10,000 07/14/2019
Hacking intoTinder’s Premium Model Sanskar Jethi (@sansyrox) Tinder Authorization flaw $0 07/14/2019
Account takeover on Airbnb acquisition | An Unusual Bug Part-2 🐛 PRince CHaddha (@princechaddha) Airbnb IDOR, Account takeover Swag 07/13/2019
Facebook Bug bounty page admin disclose bug {Facebook Android app} Yusuf Furkan (@h1_yusuf) Facebook Information disclosure $500 07/12/2019
XSS on Google Custom Search Engine KL Sreeram (@kl_sree) Google XSS - 07/11/2019
Story of my Biggest Bounty ever : Command Execution on Jenkin Jay Jani (@JayJani007) - RCE $8,000 07/11/2019
SQL Injection Bug Bounty POC! Arif-ITSEC111 - SQL injection €5,000 07/11/2019
Tale of account takeover — Sensitive info Disclosure + Broken Access Control Md Saqib (@sakyb7) - IDOR, Account takeover $2,650 07/10/2019
OAuth authentication bypass on Airbnb acquisition using 1-char Open Redirect Evgeniy Yakovchuk (@h1_sp1d3r) Airbnb Open redirect, OAuth token theft, Account takeover - 07/10/2019
A malicious editor of a page can support to a community action which can’t be unsupported by the admin! mAshraf Facebook Authorization flaw - 07/09/2019
Information Disclosure via Misconfigured AWS to AWS Bucket Takeover Pratyush Anjan Sarangi - AWS flaw - 07/08/2019
Cleartext password in LocalStorage (Writeup) ruv lol - Violation of secure design principles $1,500 07/07/2019
Blind (time-based) SQLi - Bug Bounty Jspin - SQL injection - 07/05/2019
This is how I managed to win $2000 through Facebook Bug Bounty Saugat Pokharel Facebook Logic flaw $2,000 07/04/2019
Facebook Vulnerability: Unremovable Co-Host in facebook page events Ritish Kumar Singh Facebook Logic flaw, DoS $500 07/04/2019
Account Takeover Using CSRF(json-based) shub rathore (@shub66452) - CSRF, Account takeover $1,000 07/04/2019
Story of a stored xss to full account takeover vulnerability(N/A to accepted) Jatin Aesthetic (@techyfreakk) - Stored XSS - 07/04/2019
Finding hidden gems vol. 4: Rakefile a.k.a. how to get AWS keys again Mateusz Olejarka - Information disclosure, Github leak - 07/03/2019
Yeah! I got P2 in 1 minute - Stored XSS via Markdown Editor Schopath - Stored XSS - 07/02/2019
Injecting {{6*200}} to $1200 Gaurav Narwani (@gauravnarwani97) - SSTI $1,200 07/02/2019
Another Download Protection Bypass in Google Chrome – BIN files in Mac OS Nightwatch Cybersecurity (@nightwatchcyber) Google Browser flaw $1,000 07/02/2019
How I escalated RFI into LFI Hassan Khan Yusufzai (@Splint3r7) - RFI, LFI - 07/01/2019
Accidental IDOR Injector Pca / SaadAhmed (@XSaadAhmedX) - IDOR - 07/01/2019
Stored XSS on Indeed Tirtha Mandal (@tirtha_mandal) Indeed Stored XSS $1,500 06/30/2019
One more Parameter manipulation bug (🤑) Kanchan Singh Yadav (@KanchanSingh0) - Parameter tampering - 06/28/2019
Facebook BugBounty : Short story on Page admin disclosure Bijan Murmu (@0xBijan) Facebook Authorization flaw, Privilege escalation - 06/28/2019
Nuget/Squirrel uncontrolled endpoints leads to arbitrary code execution Reegun J (@reegun21) Microsoft RCE - 06/28/2019
Gain adfly SMTP access with SSRF via Gopher Protocol Zerb0a Adf.ly SSRF - 05/27/2019
View Facebook payouts for any Facebook Trivia Game Philippe Harewood (@phwd) Facebook Information disclosure $0 (Informative) 05/27/2019
1-Click Account Takeover in Virgool.io — a Nice Case Study Yasho (@YShahinzadeh) Virgool Account takeover, Open redirect - 06/27/2019
CORS To CSRF Attack Osama Avvan (@osamaavvan) - CORS misconfiguration, CSRF - 06/27/2019
Toggle Group Rules Agreement as a non-member Philippe Harewood (@phwd) Facebook Authorization flaw - 06/26/2019
Sensitive Information Disclosure: Web Cache Deception Attack Wasim Shaikh (@Wa_sim_sim) Intuit Information disclosure $0, HoF 06/26/2019
Download .arexport files for any public AR Studio Effect Philippe Harewood (@phwd) Facebook IDOR - 06/24/2019
CSV injection at Comment Section. Navneet (@na5n33t) - CSV injection $0 (VDP) 06/24/2019
Password Reset Vulnerability — Full Account takeover (Insecure Direct Object Reference) Muhammad Asim Shahzad - Password reset flaw, IDOR, Account takeover $1,200 06/22/2019
Page Admin Disclosure | Facebook Bug Bounty 2019 Ajay Gautam (@evilboyajay) Facebook Authorization flaw $1,000 06/22/2019
How I Hacked the Microsoft Outlook Android App and Found CVE-2019-1105 Bryan Appleby (@bryapp) Microsoft XSS - 06/21/2019
Catching support emails from my internet service provider Sander Lentink T-Mobile Email account takeover $0 (VDP), Swag 06/21/2019
$1800 worth Clickjacking Osama Avvan (@osamaavvan) - Clickjacking $1,800 06/21/2019
About a Sucuri RCE…and How Not to Handle Bug Bounty Reports Julien Ahrens (@MrTuxracer) Sucuri RCE $750 06/22/2019
IDOR: Payment Fraud Vibhurushi Chotaliya (@Vibhurushi) - IDOR, Payment tampering - 06/20/2019
Self XSS To Evil XSS Injector Pca / SaadAhmed (@XSaadAhmedX) - XSS $0 06/20/2019
A Fight For Duplicate Marked Bug: Story of BBC Hall Of Fame Wasim Shaikh (@Wa_sim_sim) BBC XSS $0 (HoF) 06/20/2019
How a classical XSS can lead to persistent ATO Vulnerability? Milind Purswani (@MilindPurswani) & Yash Sodha (@y_sodha) - XSS, Account takeover - 06/19/2019
Facebook Vulnerability: Unremovable Co-Host in facebook group events Ritish Kumar Singh Facebook Logic flaw $500 06/19/2019
Account Takeover with Clickjacking Osama Avvan (@osamaavvan) - Clickjacking - 06/19/2019
XSS Filter Evasion m0z (@LooseSecurity) - XSS - 06/17/2019
Business user Employees could have applied block list to all ad accounts listed in the business manager. Rohit kumar (@rohitcoder) Facebook Authorization flaw, Logic flaw $500 06/17/2019
Reflected XSS in Tokopedia Train Ticket Jon Bottarini (@jon_bottarini) New Relic Reflected XSS IDR 3.000.000 (~ $212) 06/17/2019
Using Burp Suite match and replace settings to escalate your user privileges and find hidden features Jon Bottarini (@jon_bottarini) New Relic Client-side enforcement of server-side security $500 06/17/2019
Parameter Pollution issue in API resulting $XXX Smaran Chand (@smaranchand) - Parameter pollution - 06/17/2019
SQl Injection Injector Pca / SaadAhmed (@XSaadAhmedX) - SQl Injection $500 06/17/2019
Bypassing XSS filter and Stealing User Payment Data Osama Avvan (@osamaavvan) - XSS $0 (Duplicate) 06/17/2019
Password Bypass and Something Else… Vibhurushi Chotaliya (@Vibhurushi) - Authentication bypass $600 06/16/2019
How I earned $1,500 in just 15 mins due to Amazon S3 bucket misconfiguration? Muhammad Asim Shahzad Dropbox AWS flaw $1,500 06/16/2019
Account Takeover Worth $900 Injector Pca / SaadAhmed (@XSaadAhmedX) - Account takeover, CSRF $900 06/16/2019
Stealing Cookies to Login in any Account Osama Avvan (@osamaavvan) - Cookie theft $900 06/16/2019
Bug Bounty - Information Disclosure through error message + WAF Bypass led to Local File Inclusion Λявєη (@spenkkkkk) & Çlirim Emini (@0xcela) - WAF bypass, LFI, Information disclosure - 06/15/2019
Complete Web Server Access Injector Pca / SaadAhmed (@XSaadAhmedX) - Unrestricted file upload, RCE $500 06/15/2019
Fullscreen API Attack’s Revisited and the FaceBook NA Story Circle Ninja (@circleninja) Facebook Fullscreen API Attack $0 (N/A) 06/15/2019
XSSing Google Employees — Blind XSS on googleplex.com Thomas Orlita (@ThomasOrlita) Google Blind XSS - 06/15/2019
Admin Account total Information Disclosure Nishant Saurav (@inishantsinha) - Source code disclosure, Information disclosure $200 06/15/2019
IDOR — Account Takeover Injector Pca / SaadAhmed (@XSaadAhmedX) - IDOR $500 06/14/2019
How spending our Saturday hacking earned us 20k Matti Bijnens (@MattiBijnens) - IDOR $20,000 06/14/2019
IDOR — Account Takeover Injector Pca / SaadAhmed (@XSaadAhmedX) - IDOR - 06/14/2019
Chaining Improper Authorization To Race Condition To Harvest Credit Card Details : A Bug Bounty Story Mandeep Jadon (@1337tr0lls) - Authorization flaw, Race condition - 06/13/2019
Redstrom Denial Of Service — Write Up Zerb0a - DoS $0, Swag 06/12/2019
Reflected XSS on Error Page Tomi (@noobe_io) - Reflected XSS - 06/11/2019
Facebook Vulnerability: Non-unfriendable user in /hacked workflow Ritish Kumar Singh Facebook Logic flaw $1,500 06/11/2019
Account takeover using IDOR and the misleading case of error 403. Plenum (@plenumlab) - IDOR - 06/11/2019
IDOR Leads To Project Takeover Hariharan.s (@DJHARIZ1) - IDOR - 06/09/2019
Don’t underestimates the Errors They can provide good $$$ Bounty! Aditya Sharma (@Assass1nmarcos) Mamba Information disclosure, Path disclosure $200 06/07/2019
How I was able to get private ticket response panel and FortiGate web panel via blind XSS Bijan Murmu (@0xBijan) - Blind XSS $1,250 06/06/2019
Microsoft Edge Extensions Host Permission Bypass (CVE-2019-0678) Nikhil Mittal (@c0d3G33k) Microsoft Browser bug $15,000 06/06/2019
Unicode vs WAF — XSS WAF Bypass Prial Islam Khan (@prial261) - XSS - 06/05/2019
Bypassing CSP with policy injection Gareth Heyes (@garethheyes) Paypal CSP bypass $900 06/05/2019
REMOTE CODE EXECUTION ! 😜 Recon Wins Vishnuraj KV - RCE - 06/04/2019
Chaining multiple low-impact bugs to arbitrary file read in GitLab Li Rongxi (@nyan_gawa) GitLab Directory traversal - 06/04/2019
Simple PathTraversal bypass fr0stNuLL - Path traversal - 06/03/2019
Missing access control at play store Vishwaraj Bhattrai (@vishwaraj101) Google Authorization flaw - 06/03/2019
The Unusual Case of Status code- 301 Redirection to AWS Security Credentials Compromise Avinash Jain (@logicbomb_1) - RFI, SSRF - 06/02/2019
Story of a uri based xss with some simple google dorking Jatin Aesthetic (@techyfreakk) - XSS - 06/02/2019
Edmodo Account Deactivation Vulnerability Shankar R Edmodo CORS misconfiguration $0 06/01/2019
My First CSRF to Account Takeover worth $750 Nishant Saurav (@inishantsinha) - CSRF, Account takeover $750 05/30/2019
Exploiting File Uploads Pt. 1 – MIME Sniffing to Stored XSS #bugbounty HackerOn2Wheels (@HackerOn2Wheels) - Stored XSS, MIME sniffing - 05/30/2019
Stored XSS on Edmodo Rohit Verma (@rv0x00) Edmodo Stored XSS - 05/28/2019
Source Code disclose Vulnerability Mohamed R. Serwah (@mohamedrserwah) - Source code disclosure - 05/27/2019
An unexploited CORS misconfiguration reflecting further issues. Smaran Chand (@smaranchand) - CORS misconfiguration - 05/27/2019
How did I bypass a Custom Brute Force protection and why that solution is not a good idea? dortz - Bruteforce, Authentication flaw - 05/25/2019
Disclose files content from Facebook internal CDNs Samm0uda (@samm0uda) Facebook Weak encryption $12,500 05/25/2019 Archived content
Google bug bounty: LFI on production servers in “springboard.google.Com” — $13,337 USD VulnerabilityLabs Google LFI $13,337 05/24/2019
Multiple API issues due to Fixed Authorization token. Mustafa Khan (@by6153) - Authorization flaw - 05/24/2019
From file upload to email:pass fr0stNuLL - Unrestricted file upload - 05/24/2019
Security assessment on the staging domains Tutorgeeks (@tutorgeeks) - Lack of authentication - 05/24/2019
Instagram GitHub Token with public_scope found In Travis CI Build Logs Philippe Harewood (@phwd) Facebook Information disclosure $0 (Informative) 05/24/2019
How I acquired $XXX bounty by investing 99 cents Smaran Chand (@smaranchand) - Logic flaw - 05/24/2019
Escalating subdomain takeovers to steal cookies by abusing document.domain Ameya (@iamTakeMyHand) Postmates Subdomain takeover - 05/23/2019
Determine a Facebook user from an email address Philippe Harewood (@phwd) Facebook Information disclosure $1,000 05/22/2019
Google Adwords(Privilege Escalation): Read-only user able to add YouTube channels via Linked accounts Family guy Google Privilege escalation, Authorization flaw - 05/21/2019
Local File Inclusion in peering.google.com Jafar Abo Nada (@Jafar_Abo_Nada) Google LFI $3,133.7 05/21/2019
Leaking OpenID tokens with “ — the bug right infront of you Zseano (@zseano) - OpenID flaw - 05/21/2019
WRITE UP – GOOGLE BUG BOUNTY: LFI ON PRODUCTION SERVERS in “springboard.google.com” – $13,337 USD @omespino Google LFI $13,337 05/21/2019
Open-redirect to Account Takeover. Rishabh (@__cypher__) - Open redirect, Account takeover - 05/19/2019
A base64 encoded parameter. Navneet (@na5n33t) - HTML injection $75 05/19/2019
XSSed my way to 1000$ Gaurav Narwani (@gauravnarwani97) - XSS $1,100 05/17/2019
Stealing Downloads from Slack Users David Wells Slack CSRF - 05/17/2019
Bypassing Instagram’s stories restriction Baibhav Anand (@iBaibhavJha) Facebook Logic flaw $500 05/17/2019
‘Try-Harder’ for XSS Frans Hendrik Botes (@initroott) - Reflected XSS - 05/17/2019
From parameter pollution to XSS Mo’men Basel - Parameter pollution, XSS - 05/16/2019
You do not need to run 80 reconnaissance tools to get access to user accounts Stefano Vettorazzi (@stefanohablando) - Open redirect - 05/15/2019
Is MIME Sniffing XSS a real thing? [The story of weird Google bug bounties] Komodo Security Google Stored XSS, MIME sniffing - 05/15/2019
Think Outside the Scope: Advanced CORS Exploitation Techniques Ayoub (@sandh0t) - CORS misconfiguration $1,500 05/14/2019
Stored XSS on Techprofile Microsoft Mohammad Ali Syarief Microsoft Stored XSS - 05/09/2019
BLIND SSRF in *.stripe.com due to Sentry Misconfiguration Oktavandi (@0ktavandi) Stripe Blind SSRF - 05/09/2019
4x CSRFs Chained For Company Account Takeover A Bug’z Life (@abugzlife1) - CSRF, Account takeover $3,000 05/08/2019
pcextreme.nl fake bug bounty Daniel Maksimovic pcextreme.nl SSRF, XSS $0 (150€ + 150€ platform credit promised but not delivered) 05/08/2019
SQL injection through User-Agent fr0stNuLL - SQL injection - 05/08/2019
Subdomain takeover [Awarded $200] Friendly (@SkeletorKeys) ownCloud Subdomain takeover $200 05/07/2019
Server Side Request Forgery(SSRF){port issue hidden approch } Deepak Holani (@w_hat_boy) - SSRF - 05/03/2019
Tale of a Wormable Twitter XSS @0xSobky Twitter XSS $2,940 05/02/2019
Why You Shouldn’t Use a Password Manager For Your Linode Account @0xSobky Linode Account takeover, Information disclosure - 05/02/2019
XSS attacks on Googlebot allow search index manipulation Tom Anthony (@TomAnthonySEO) Google Logic flaw - 05/01/2019
Remote code execution On Microsoft edge using URL Protocol Matt harr0ey (@harr0ey) Microsoft RCE $0 (N/A) 05/01/2019
From NA to $3000 : Facebook’s URL spoofing vulnerability Rahul Kankrale (@RahulKankrale) Facebook URL spoofing $3,000 04/30/2019
From Reflected XSS to Account Takeover — Showing XSS Impact A Bug’z Life (@abugzlife1) - Reflected XSS, Account takeover - 04/30/2019
Don’t Follow The Masses: Bug Hunting in JavaScript Engines Dimitri Fourny (@dimitrifourny) Google Buffer overflow $7,500 04/29/2019
Two-Factor Authentication Bypass Gaurav Narwani (@gauravnarwani97) - 2FA bypass - 04/29/2019
Broken Access: Posting to Google private groups through any user in the group Elber Andre (@Elber333) Google Autorization flaw $0 (N/A) 04/27/2019
Denial of Service using Cookie Bombing Ronak Patel (@ronak_9889) - DoS, Cookie bombing $350 04/26/2019
How to bypass a 2FA with a HTTP header Yumi - 2FA bypass - 04/26/2019
for PayPal security team,“get user balances and transaction details” is not a vulnerability! Todaro (@tod4ro) Paypal Information disclosure $0 (N/A) 04/26/2019
Missing Authorization check while deleting App Review for Marketing API Family guy Facebook Authorization flaw - 04/25/2019
Stealing local storage data through XSS Harshad Gaikwad (@h4rsh4d) - Stored XSS, Account takeover $800 04/25/2019
The journey of Web Cache + Firewall Bypass to SSRF to AWS credentials compromise! Avinash Jain (@logicbomb_1) - LFI, SSRF, Cloudflare bypass - 04/25/2019
CSRF Attack can lead to Stored XSS Mohamed Sayed (@FlEx0Geek) - CSRF, Stored XSS - 04/25/2019
A picture that steals data Sergey Kashatov (@iframe0x01) - Information disclosure - 04/24/2019
Getting access to Zendesk’s Google Cloud and Artifactory from GitHub dotfile repos Ruby Nealon (@_ruby) Zendesk Information disclosure $3,000 04/23/2019
Facebook’s Burglary Shopping List John Moss (@x41x41x41) Facebook Information disclosure $5,000 04/23/2019
The neglected bug that can infect All Facebook users who pay for leads ads. Hesham Watany Facebook CSV injection $0 (Out of scope) 04/23/2019
Yet Other Examples of Abusing CSRF in Logout Soroush Dalili (@irsdl) - CSRF - 04/23/2019
[XSS] Reflected XSS Bypass Filter Mohamed Sayed (@FlEx0Geek) - Reflected XSS - 04/23/2019
Disclose the content of internal Facebook Javascript modules. Samm0uda (@samm0uda) Facebook Authorization flaw - 04/22/2019 Archived content
Ssrf to Read Local Files and Abusing the AWS metadata Pratik Yadav (@PratikY9967) - SSRF - 04/21/2019
[CONFIRMATION BYPASS ] Navneet (@na5n33t) - Email confirmation bypass, Information disclosure $0 (VDP) 04/21/2019
Twitter - protected tweets exposure terjanq (@terjanq) Twitter Information disclosure $560 04/19/2019
Responsible disclosure: improper access control in Gitlab private project. Riccardo Padovani (@rpadovani93) GitLab Authorization flaw $2,000 04/19/2019
Scary Tickets😨 Uranium238 (@uraniumhacker) - Ticket Trick - 04/19/2019
PDFReacter SSRF to ROOT Level Local File Read which led to RCE Armaan Pathan (@armaancrockroax) - SSRF, RCE - 04/18/2019
Code execution - Evernote Dhiraj (@mishradhiraj_) Evernote RCE, Path traversal - 04/17/2019
How I was able to Bypass XSS Protection on HackerOne’s Private Program Security Executions Code BugHunter - XSS - 04/16/2019
Banner Grabbing to DoS and Memory Corruption Daniel V. - DoS<, Information disclosure - 04/16/2019
A $5000 IDOR… Mr.Hacker (@mr_hacker0007) - IDOR $5,000 04/16/2019
How i found credential enriched redis dump Ashish Kunwar (@D0rkerDevil) - File disclosure, Information disclosure $0 04/16/2019
Just 5 minute to get my 2nd stored XSS on Edmodo.com ZishanAdThandar (@ZishanAdThandar) Edmodo Stored XSS $0, Swag 04/15/2019
How I hacked Vending Machine Valeriy Shevchenko - Violation of secure design principles €300 gift card 04/15/2019
Google Groups Authorization Bypass Daniel Marad Google Authorization flaw $500 04/15/2019
The Outlook Winner is Dash marcan2020 (@marcan2020) Microsoft Authorization flaw $0 (N/A) 04/15/2019
How I gained access to revenue and traffic data of thousands of Shopify stores Ayoub Fathi (@ayoubfathi) Shopify IDOR $0 (Policy violation) 04/15/2019
Web Cache Deception to API endpoint attack using cached token header Kunal pandey (@kunalp94) - Web cache deception $250 04/13/2019
[RCE] Remote code execution at api.PrivateProgram.com (CVE-2017-5638) Mohamed Haron (@m7mdharon) - RCE $2,250 04/12/2019
Unauthenticated Account Takeover Through HTTP Leak Nik srivastava (@niksthehacker) - HTML injection, HTTP Leak, Account takeover - 04/11/2019
Account Takeover by chaining two vulnerabilities. Sheraz Khalid - CSRF, Open redirect, Account takeover - 04/10/2019
Multiple xss in *.skype.com & Multiple xss in *.skype.com (2) Jayateertha Guruprasad (@JayateerthaG) Microsoft XSS $0, HoF 04/10/2019
Spokeo Bug bounty Experience Nur A Alam Dipu Spokeo XSS $0 (Can’t reproduce) 04/10/2019
Dell KACE K1000 Remote Code Execution — the Story of Bug K1–18652 Julien Ahrens (@MrTuxracer) Dropbox (Dell KACE vendor) RCE - 04/09/2019
SSRF Tips: SSRF/XSPA in Microsoft’s Bing Webmaster Central Elber Andre (@Elber333) Microsoft SSRF, XSPA - 04/09/2019
Obtaining XSS Using Moodle Features and Minor Bugs Daniel Thatcher Moodle Login CSRF, XSS $0 (VDP) 04/09/2019
XSS “403 forbidden” bypass (Akamai Security )write up Security Executions Code BugHunter - XSS - 04/08/2019
How I got a trip to amsterdam through bug bounty Ninad Mathpati (@ninad_mathpati) - Bruteforce - 04/07/2019
Old but GOLD Dot Dot Slash to Get the Flag — Uber Microservice Ron Chan (@ngalongc) Uber SSRF, Path traversal, Account takeover - 04/07/2019
Email content spoofing at IKEA.com Jonathan Bouman (@JonathanBouman) Ikea Email content spoofing $50 04/06/2019
Edmodo — IDOR to view private files of any class Rohan Pagey (@rohan_x3) Edmodo IDOR - 04/06/2019
Scary Bug in Burp Suite Upstream Proxy Allows Hackers to Hack Hackers Armaan Pathan (@armaancrockroax) PortSwigger MiTM - 04/06/2019
Google Ads — Information Disclosure via null pointer exception Valerio brussani (@val_brux) Google Information disclosure - 04/04/2019
Handlebars template injection and RCE in a Shopify app Mahmoud Gamal (@Zombiehelp54) Shopify SSTI, RCE 10,000 04/04/2019
Leaked Salesforce API access token at IKEA.com Jonathan Bouman (@JonathanBouman) Ikea Information disclosure $250 04/04/2019
DownNotifier SSRF _m_q_t (@_m_q_t) DownNotifier SSRF - 04/04/2019
How I am able to hijack you. terjanq (@terjanq) Google Logic flaw - 04/03/2019
Facebook Vulnerability: Hiding from Facebook Page Admin(s) in /hacked workflow Ritish Kumar Singh Facebook Logic flaw $1,000 04/02/2019
FileZilla Untrusted Search Path & FileZilla ‘fzsftp’ Untrusted Search Path Chris Lyne (@lynerc) FileZilla (EU-FOSSA 2) RCE - 04/02/2019
How I was able to get your facebook private friend list [Responsible Disclosure] Raja Sekar Durairaj Facebook Information disclosure $10,000 04/01/2019
EdM0d0 IDOR Vulnerabilities Pratyush Anjan Sarangi Edmodo IDOR $0, Swag 04/01/2019
Comma is forbidden! No worries!! Inject in insert/update queries without it Ahmed Sultan (@0x4148) - SQL injection $10,000 03/31/2019
Recon in 2 minutes and got $250 easy Cryptographer Snapchat Missing secure flag $250 03/31/2019
How I was able to turn self xss into reflected xss Hein Thant Zin (@H3Lowr) - Reflected XSS $300 03/31/2019
alert(“A tale of 3 XSS!”) Gaurav Narwani (@gauravnarwani97) - XSS - 03/29/2019
My very first bug: a dreaded dupe and then an IDOR jackpot! John H4X00R (@JohnH4X00R) Yahoo IDOR $5,000 03/28/2019
How I could have hijacked a victim’s YouTube notifications! (Google VRP Writeup) Yash Sodha (@y_sodha) Google CSRF $3,133.70 03/26/2019
An Unusual Bug 🐛 on Braintree [PayPal] PRince CHaddha (@princechaddha) Paypal DoS $3,200 03/25/2019
Twitter Denial of Service bug or How i could prevent all followers from reading or accessing literally ANY tweets! Seif Elsallamy Twitter DoS $1,120 03/25/2019
Stored (XSS) on [google.com] Security Executions Code BugHunter Google Stored XSS - 03/25/2019
Stored XSS in the guide’s GameplayVersion (www.dota2.com) Security Executions Code BugHunter Dota 2 Stored XSS $750 03/25/2019
Self (XSS) on [komunitas.bukalapak.com] Security Executions Code BugHunter Bukalapak Self XSS $50 03/25/2019
Reflected (XSS)on [alibabacloud.com] Security Executions Code BugHunter Alibaba Reflected XSS - 03/25/2019
Self (XSS) on [komunitas.bukalapak.com] Komodo Security Google Authorization flaw $500 03/25/2019
Facebook Marketing Confidential Call Transcript Philippe Harewood (@phwd) Facebook Information disclosure $500 03/24/2019
Google Books X-Hacking terjanq (@terjanq) Google XS-Search $1,337 03/21/2019
How to hunt for Malvertising ads on Android Kyle (@B3nac) - Android flaw - 03/21/2019
A real XSS in OLX Bug Bounty Paulo Choupina (@PauloChoupina) OLX Reflected XSS $0 (VDP), HoF 03/21/2019
Slack announcement-only channel post restriction bypass Rodney Beede Slack Authorization flaw, Logic flaw $0, Out of scope 03/20/2019
Disclose private/scheduled streams of any Livestream user due to open .m3u8 endpoint Abss TBH @abss_tbh Livestream Information disclosure $1,000 03/20/2019
Denial of service in Facebook Fizz due to integer overflow (CVE-2019-3560) Kevin Backhouse (@kevin_backhouse) Facebook Integer overflow $10,000 03/19/2019
Discovering a zero day and getting code execution on Mozilla’s AWS Network Shubham Shah (@infosec_au) & Mathias Karlsson (@avlidienbrunn) Mozilla RCE $500 03/19/2019
DoS Across Facebook Endpoints Max Pasqua Facebook DoS $750 03/19/2019
From http:// domain to res:// domain xss by using IE Adobe’s PDF ActiveX plugin Heige (@80vul) Microsoft DOM XSS $0 03/19/2019
Should you be concerned about LastPass uploading your passwords to its server? Avinash Kumar (@itsavinash_) LastPass Information disclosure, Logic flaw - 03/18/2019
Stealing local storage data through XSS Harshad Gaikwad (@h4rsh4d) OLX Reflected XSS $0, HoF 03/17/2019
Disclosure of Pending Roles for any Facebook Page Avinash Kumar (@itsavinash_) Facebook IDOR $4,000 03/16/2019
Target Finds Cross-Site Scripting in Microsoft SharePoint Target Microsoft XSS - 03/15/2019
How I was able to pwned 30000+ user’s webhook gujjuboy10x00 (@vis_hacker) - IDOR - 03/14/2019
Privilege escalation on private program. Imran Parray (@CreedHackers) - Privilege escalation, Information disclosure - 03/14/2019
User Account Takeover [Password Change]— Nice Catch! Rohit kumar (@rohitcoder) - Account takeover, Password reset flaw - 03/14/2019
Write up – $1,000 usd in 5 minutes, xss stored in outlook.com (ios browsers) @omespino Microsoft Stored XSS $1,000 03/14/2019
WordPress 5.1 CSRF to Remote Code Execution Simon Scannell (@scannell_simon) WordPress CSRF, RCE, HTML injection $950 03/13/2019
OLX Bug Bounty: Reflected XSS Mukhammad Akbar (@abaykandotcom) OLX Reflected XSS - 03/13/2019
My First Stored XSS on Edmodo.com ZishanAdThandar (@ZishanAdThandar) Edmodo Stored XSS - 03/13/2019
Hack Your Form-New vector for Blind XSS Youssef A. Mohamed (@GeneralEG64) - Blind XSS, Stored XSS $800 03/13/2019
How I found Blind XSS Vulnerability in redacted.com ssid (@newp_th) - Blind XSS - /27/2019
Inserting malware into anyone’s Google Earth Projects Archive Thomas Orlita (@ThomasOrlita) Google IDOR, XSS, Authorization flaw $0 03/29/2019
Brute Forcing User IDS via CSRF To Delete all Users with CSRF attack. Armaan Pathan (@armaancrockroax) - CSRF, Bruteforce - 03/12/2019
Escalating SSRF to RCE Youssef A. Mohamed (@GeneralEG64) - SSRF, RCE - 03/12/2019
CVE-2018-16794 on fs.thefacebook.com Philippe Harewood (@phwd) Facebook SSRF $1,000 03/11/2019
SQL injection for $50 bounty, but still worth reading!! Ronaldo Messi - SQL injection $50 03/10/2019
Account Takeover Using Cross-Site WebSocket Hijacking (CSWH) Sharan Panegav (@PanegavSharan) - Cross-Site WebSocket Hijacking (CSWH), Account takeover - 03/09/2019
Vimeo SSRF with code execution potential. Harsh Jaiswal (@rootxharsh) Vimeo SSRF $5,000 03/08/2019
Mapping Communication Between Facebook Accounts Using a Browser-Based Side Channel Attack Ron Masas Facebook Side-channel attack, Cross-Site Frame Leakage (CSFL) - 03/07/2019
Facebook Messenger server random memory exposure through corrupted GIF image Dzmitry Lukyanenka (@vulnano) Facebook Information disclosure $10,000 03/06/2019
3 XSS in ProtonMail for iOS Vladimir Metnew (@vladimir_metnew) Apple XSS $1,000 03/06/2019
Fixed : Register any email address on Facebook Account Sameer Rao Facebook Authorization flow - 03/05/2019
Fixed : Brute-force Instagram account’s passwords Sameer Rao Facebook Bruteforce, Rate limiting bypass - 03/05/2019
Facebook exploit – Confirm website visitor identities Tom Anthony (@TomAnthonySEO) Facebook Information disclosure, IDOR $1,000 03/04/2019
Auditing GitHub Repo Wikis for Fun and Profit Smeege (@SmeegeSec) - Misconfigured Github wiki $500 03/04/2019
XSS in Edmodo within 5 Minute (My First Bug Bounty) Vala Keyur (@valakeyur) Edmodo Reflected XSS - 03/04/2019
A simple Account takeover misusing JWT late expiration Scalar (@mrprajapati_360) - Authorization flaw, Logic flaw - 03/03/2019
Bypassing a restrictive JS sandbox Licencia para Hackear Private program, static-eval library JS sandbox breakout, RCE - 03/01/2019
Yet Another (unexpected) Hack for Bounty Pumudu Ruhunage Sli.do Information disclosure $150 03/01/2019
Horizontal Privilege Escalation on Quora which can compromise all users on Quora SpyD3r (@TarunkantG) Quora Privilege escalation - 02/26/2019
[Still work] Redirect Yahoo Subdomain XSS Reflected from americangreetings.com Mohamed Haron (@m7mdharon) Yahoo Reflected XSS - 02/26/2019
How I alert(1) in Azure DevOps SpyD3r (@TarunkantG) Microsoft XSS, CSP bypass - 02/26/2019
Web Cache Deception Attack leads to user info disclosure Kunal pandey (@kunalp94) - Web cache deception, Information disclosure $300 02/25/2019
Chain of hacks leading to Database Compromise! Avinash Jain (@logicbomb_1) - LFI, SSRF - 02/23/2019
Bug Bounty 101 — Always Check The Source Code Mohamed Haron (@m7mdharon) - Lack of rate limiting, Information disclosure - 02/23/2019
Download any organisation Data — S3 amazonaws Misconfiguration Chand Singh (@Chand_42) - Authorization flaw $2,500 02/22/2019
Subdomain Misconfiguration lead to AWS S3 Buckets Reader Mohamed Haron (@m7mdharon) - Subdomain takeover $800 02/22/2019
Exploiting Google Calendars Rojan Rijal (@uraniumhacker) & Brandon Nguyen (@cmdrsnuggle) Uber, Shopify, Netflix Authorization flaw, Information disclosure - 02/22/2019
Swiss_E-Voting_Publications setuid0 (@setuid0) Swiss E-Voting XSS, XXE, RCE, Lack of authentication, Authentication flaw, Hardcoded credentials - 02/21/2019
Abusing autoresponders and email bounces Inti De Ceukelaire (@securinti) Google, Intigriti Information disclosure, Logic flaw - 02/21/2019
Reflected XSS at https://photos.shopify.com/ Ahamed Morad (@Modam3r5 Shopify Reflected XSS $0, Out of scope 02/21/2019
How I Registered Multiple Accounts in PrivateInternetAccess VPN Service for FREE Spade PrivateInternetAccess VPN Logic flaw $1,000 02/20/2019
Bug Writeup: FBCTF IDOR George Osterweil Facebook IDOR $0, Duplicate 02/20/2019
Leakage of Client Secret, Server tokens of all Uber developer applications Anand Prakash (@sehacure) Uber Information disclosure $5,000 02/19/2019
Multiple Stored XSS On Tokopedia Apapedulimu (@Apapedulimu) Tokopedia Stored XSS, Blind XSS - 02/19/2019
Using URI to pop shells via the Discord Client RagSec (@rag_sec) Discord URI abuse, Social engineering $0, Out of scope 02/18/2019
DoS on WAF Protected Sites by Abusing Cookie Anas Mahmood (@AnasIsHere) Upwork DoS $400 02/18/2019
2 Subdomains Takeover via Unbounce in a Private Program Mohamed Haron (@m7mdharon) - Subdomain takeover $0, Duplicate 02/18/2019
Stored XSS on Edmodo Rohit kumar (@rohitcoder) Edmodo Stored XSS $0, Duplicate 02/18/2019
$1.000 SSRF in Slack Elber Andre (@Elber333) Slack SSRF $1,000 02/17/2019
Bypass password confirmation in Facebook “DYI” feature Samm0uda (@samm0uda) Facebook Authorization flaw, IDOR - 02/16/2019 Archived content
Facebook/Workplace Bug Exposed Offsite Employee Events, Sensitive emails Putting Employees at Risk Rohit kumar (@rohitcoder) Facebook Information disclosure $1,000 02/16/2019
Subdomain Takeover via Wufoo Service in a Private Program Mohamed Haron (@m7mdharon) - Subdomain takeover - 02/16/2019
Open Redirect in SLACK Mukhammad Akbar (@abaykandotcom) Slack Open redirect $0, N/A 02/16/2019
Bypassing rate limit abusing misconfiguration rules Daniel V. - Rate limiting bypass - 02/15/2019
Subdomain Takeover via HubSpot Mohamed Haron (@m7mdharon) - Subdomain takeover - 02/15/2019
Souq.com Subdomain Takeover via jazzhr.com service Mohamed Haron (@m7mdharon) Souq.com Subdomain takeover $0, Informative 02/15/2019
Never Stop at Banner Grabbing Gaurav Narwani (@gauravnarwani97) - Information disclosure $241.93 02/14/2019
Third Party Android App Storing Facebook Data Insecurely (Facebook Data Abuse Program) Nightwatch Cybersecurity (@nightwatchcyber) Facebook Information disclosure, Lack of authentication - 02/14/2019
[SSRF] Server Side Request Forgery in a private Program developers.example.com Mohamed Haron (@m7mdharon) - SSRF $200 02/14/2019
Disclose private attachments in Facebook Messenger Infrastructure - 15,000$ Sarmad Hassan (@JubaBaghdad) Facebook IDOR $15,000 02/13/2019
Facebook CSRF protection bypass which leads to Account Takeover Samm0uda (@samm0uda) Facebook CSRF $25,000 02/12/2019 Archived content
Hacking YouTube for #fun and #profit Alexandru Coltuneac (@dekeeu) Google IDOR - 02/12/2019
Export Facebook audience network reports of any business Samm0uda (@samm0uda) Facebook Authorization flaw - 02/12/2019 Archived content
I Found Clickjacking on Google CSE. Is This Important? Mukhammad Akbar (@abaykandotcom) Google Clickjacking $0 02/10/2019
Csrf Bypass Using Cross Frame Scripting Mr.Hacker (@mr_hacker0007) - CSRF - 02/10/2019
How I hacked ASUS? Mustafa Kemal Can (@muskecan) Asus RCE, Unrestricted file upload - 02/09/2019
Setting Up Gitrob and using it to find Leaking Repository of an Employee in a hackerone private program. Sahil Tikoo (@viperbluff) - Information disclosure - 02/09/2019
Design Flaws - Scenario One and Fix Alli-Balogun Faruq (@node_shack) - Logic flaw - 02/08/2019
Paypal’s Security Check Bypassed Anees Khan (@AneesEthical) Paypal Logic flaw $0, N/A 02/08/2019
Internal paths disclosure due to improper exception handling Samm0uda (@samm0uda) Facebook Information disclosure - 02/07/2019 Archived content
Leak of private/in-development app ids, names and translation requests Samm0uda (@samm0uda) Facebook IDOR - 02/07/2019 Archived content
LFI To 10 Servers Pwn Nirmal Dahal (@TheNittam) - LFI, RCE - 02/07/2019
How i was able to dump SqlDB | Simple bug clever idi0t - Directory listing, SQL injection, Authentication bypass - 02/07/2019
Cache Deception: How I discovered a vulnerability in Medium and helped them fix it Yuval Shprinz Medium Cache deception $100, Swag 02/06/2019
Remote Code Execution via Path Traversal in the Device Metadata Authoring Wizard Lee Christensen (@tifkin_) Microsoft Path traversal, RCE - 02/06/2019
Jumping Over The Fence Shahar Albeck - Open redirect - 02/05/2019
How I hacked 40,000 user accounts of Microsoft using 2FA bypass(outlook.live.com) Vartul Goyal (@hackvartul) Microsoft 2FA bypass $0 02/05/2019
Detecting and exploiting mass-assignments in order to manipulate user columns and read private messages Paul (@padannewitz) - Mass assignment $5,000 02/05/2019
Reverse RDP Attack: Code Execution on RDP Clients Eyal Itkin Microsoft Path traversal $0 02/05/2019
A Unique XSS Scenario in SmartSheet || $1000 bounty Rohan Chavan (@rohanchavan1918) Smartsheet Stored XSS $1,000 02/03/2019
How I was able to Extract Information of Other Users- Exploiting IDOR Rupika Luhach (@Rup_Ki_Rani) Knowyourmeds.com IDOR $0, Duplicate 02/02/2019
LFI in Apigee portals [email protected] (@wtm_offensi) Google LFI - 01/31/2019
How I found a simple bug in Facebook without any Test Sarmad Hassan (@JubaBaghdad) Facebook Authorization flaw - 01/31/2019
$7.5k Google Cloud Platform organization issue Ezequiel Pereira (@epereiralopez) Google Logic flaw $7,500 01/30/2019
How I hacked a website integrated w/ Facebook having 1.1 mil. users under 45 seconds. Piyush Raj (@0x48piraj) WeeQuizz Information disclosure $0, No response 01/30/2019
Publish tweets by any other user Kedrisec (@kedrisec) Twitter IDOR $7,560 01/30/2019
Guest blog: Eray Mitrani - Hacking isn’t an exact science Eray Mitrani (@ErayMitrani) - Authorization flaw - 01/29/2019
Protonmail XSS — Stored Chand Singh (@Chand_42) Protonmail Stored XSS, Bruteforce - 01/29/2019
Unsecured access to personal data of a million Leo Express users Thomas Orlita (@ThomasOrlita) Leo Express Authorization flaw, XSS - 01/29/2019
Hijacking accounts by retrieving JWT tokens via unvalidated redirects Shawar Khan (@ShawarkOFFICIAL) - Open redirect, Token theft - 01/27/2019
A short tale of Account verification bypass Satyendra Kumar - Email verification bypass, Authorization flaw - 01/27/2019
Chaining Tricky OAuth Exploitation To Stored XSS Rohan aggarwal (@nahoragg) - Stored XSS, OAuth flaw - 01/27/2019
Misconfiguration-Whatsapp Messenger Pratheesh P Narayanan Facebook Logic flaw $0, Informative 01/26/2019
AntiHack IDOR on Create Submission Syahrul Akbar Rohmani (@sahruldotid) AntiHack.me IDOR $0, Swag 01/26/2019
Facebook Change Product Availability as a PageAnalyst onehackzero Facebook Logic flaw, Authorization flaw - 01/25/2019
How I abused 2FA to maintain persistence after a password change (Google, Microsoft, Instagram, Cloudflare, etc) Luke Berner Google, Microsoft, Facebook Logic flaw, Authentication flaw - 01/25/2019
Magento – RCE & Local File Read with low privilege admin rights Daniel Le Gall Magento LFI, RCE, Path traversal - 01/24/2019
Antihack.me Blind XSS To PHP File Upload Vulnerability SayCure (@SaycureIO) AntiHack.me Blind XSS - 01/24/2019
Privilege Escalation to Highest Admin Privileges Gaurav Narwani (@gauravnarwani97) - IDOR, Privilege escalation - 01/23/2019
Frappé Technologies ERPNext Server Side Template Injection Brian Hyde ERPNext SSTI $0 01/23/2019
Enroll in Facebook Ad-break program without Facebook approval Samm0uda (@samm0uda) Facebook Logic flaw, Authorization flaw - 01/22/2019 Archived content
Disclose page’s admins and its Monetization payout details Samm0uda (@samm0uda) Facebook IDOR, Information disclosure - 01/22/2019 Archived content
Disclose page violations and its eligibility to use Ad-breaks Samm0uda (@samm0uda) Facebook IDOR, Information disclosure - 01/22/2019 Archived content
Disclose Instagram business account linked to a Facebook page Samm0uda (@samm0uda) Facebook IDOR, Information disclosure - 01/22/2019 Archived content
Change payment account of any Facebook commerce page Samm0uda (@samm0uda) Facebook Logic flaw, Authorization flaw - 01/22/2019 Archived content
Expose business email and payment account balance of any Facebook commerce page. Samm0uda (@Samm0uda) Facebook IDOR, Information disclosure - 01/22/2019
Reveal if a Facebook merchant page has pending or completed orders. Samm0uda (@Samm0uda) Facebook IDOR, Information disclosure - 01/22/2019
Bruteforce Instagram account’s passwords (lack of rate limiting protection). Samm0uda (@samm0uda) Facebook Bruteforce, Lack of rate limiting - 01/22/2019
Generate Access Tokens for any Facebook user Samm0uda (@samm0uda) Facebook IDOR - 01/22/2019
Modify users profiles of techprep.fb.com Samm0uda (@samm0uda) Facebook Authorization flaw - 01/22/2019
Uploading files to api.techprep.fb.com Samm0uda (@samm0uda) Facebook File upload XSS - 01/22/2019
Reflected XSS in Zomato Sudhanshu Rajbhar (@sudhanshur705) Zomato Reflected XSS $250 01/21/2019
How I Found and Reporting Vulnerabilities to AntiHack.me by Tomi Tomi (@nahoragg) AntiHack.me IDOR, LFI $0, Swag 01/20/2019
A Simple CORS Misconfig Leaked Private Post Of Twitter, Facebook & Instagram Rohan aggarwal (@nahoragg) - CORS miconfiguration - 01/20/2019
Oauth Misconfiguration lead to complete account takeover Jackson kv (@Jacksonkv22) - CSRF, OAuth flaw, Account takeover - 01/20/2019
XSS Through SWF file! Friendly (@SkeletorKeys) - SWF XSS $200 01/18/2019
Bypass Content Security Policy framing restriction rule - OLX Taha Ibrahim Draidia OLX CSP bypass - 01/17/2019
Command Injection PoC NoGe - Command injection - 01/15/2019
Facebook Vulnerability: Unremovable facebook group admin Ritish Kumar Singh Facebook Logic flaw $500 01/15/2019
#BugBounty How I Hack Billion $ Company Sadiq West - Directory listing $500 01/15/2019
Abusing MySQL clients to get LFI from the server/client Jarkko Vesiluoma (@jvesiluoma) - LFI - 01/15/2019
Gaining access to Uber’s user data through AMPScript evaluation Shubham Shah (@infosec_au) Uber AMPScript injection $23,000 01/14/2019
Turning Self XSS to good XSS via access control Yusuf Yazir (@Hacklad) - Stored XSS, Self XSS - 01/13/2019
Hack Your Form – New vector for Blind XSS Youssef A. Mohamed (@GeneralEG64) Facebook Blind XSS $800 01/13/2019
Workplace Logo ID to workplace owner name Disclosure Facebook Bug Bounty Ajay Gautam (@evilboyajay) Facebook IDOR - 01/11/2019
Facebook PageAnalyst Could Add oneself as Moderator on Group onehackzero Facebook Authorization flaw - 01/11/2019
AntiHack.me Multiple Vulnerabilities Tomi AntiHack.me LFI, IDOR $0, Swag 01/11/2019
View the contact list for a Messenger Kid as a parent-approved contact Philippe Harewood (@phwd) Facebook Authorization flaw - 01/08/2019
Tips for bug bounty beginners from a real life experience Renaud Martinet (@karouf) YNAB XSS, SQL injection $1,500 01/08/2019
When Cookie Hijacking + HTML Injection become dangerous Daniel V. - Cookie Hijacking, HTML Injection - 01/07/2019
Reflected XSS ON ASUS. Thejus Krishnan Asus Reflected XSS $0, HoF 01/06/2019
Stored XSS Via Alternate Text At Zendesk Support Hariharan.s (@DJHARIZ1) Zendesk Stored XSS - 01/06/2019
How I hacked Altervista.org Jacopo Tediosi (@jacopotediosi) Altervista Open redirect $0, HoF 01/05/2019
Facebook Android Application Ash King Facebook Authorization flaw $750 01/05/2019
How I could have taken over any Pinterest account Arnold Anthony (@armold9anthony) Pinterest CSRF, Account takeover $2,400 01/05/2019
How I stumbled upon a Stored XSS(My first bug bounty story). Parth Shah Edmodo Stored XSS - 01/04/2019
Cookie Based Self-XSS to Good XSS Brian Hyde - XSS $616 01/04/2019
Stealing Side-Channel Attack Tokens in Facebook Account Switcher Max Pasqua Facebook Token theft $1,000 01/04/2019
Yes I can see your OTP Vulnerables - IDOR - 01/03/2019
A Tricky Open Redirect Anas Mahmood (@AnasIsHere) - Open Redirect $200 01/03/2019
How I was able to Harvest other Vine users IP address Prial Islam Khan (@prial261) Vine IDOR $5,040 01/02/2019
How i found web shell on AntiHack.me and Awarded Gold Coin And SWAG Rudra Sarkar (@rudr4_sarkar) AntiHack.me RCE - 01/01/2019
A Curious Case From Little To Complete Email Verification Bypass Megaman (@N0_M3ga_Hacks) - Email validation bypass, Authorization flaw - 01/01/2019

Bug bounty writeups published in 2018

Title & URL Author Bug bounty program Vulnerability Reward $$$ Publication date Link 2 / Archived content
Tale of a Misconfiguration in Password Reset Shuaib Oladigbolu (@_sawzeeyy) - Password reset flaw - 12/30/2018
Bypassing Access Control in a Program on Hackerone !! Sahil Tikoo (@viperbluff) Hackerone Authorization flaw - 12/30/2018
How I was able to delete Google Gallery Data [IDOR] Yogesh Tantak Google IDOR - 12/30/2018
Abusing ACL Permissions to Overwrite other User’s Uploaded Files/Videos on s3 Bucket Armaan Pathan (@armaancrockroax) - Unrestricted file upload, Authorization flaw - 12/30/2018
How I Takeover Wordpress Admin fiiipay.my Syahrul Akbar Rohmani (@sahruldotid) FiiiPay Account takeover, Default CMS files S$ 300 (~ $408) 12/28/2018
How I Was Able To Takeover All User Account And Admin Panel Dipak kumar Das (@d1pakdas) - IDOR, Account takeover $1,500 12/28/2018
Reflected XSS on ws-na.amazon-adsystem.com(Amazon) ssid (@newp_th) Amazon Reflected XSS - 12/27/2018
From Hunting for a Laptop to Hunting down Remote Code Execution Anil Tom (mr_4nk) Asus RCE, WebDAV flaw $0, HoF 12/27/2018
RCE in nokia.com Sampanna Chimoriya Nokia RCE $0, HoF 12/27/2018
Unauthenticated user can upload an attachment at HackerOne Ahamed Morad (@Modam3r5 Hackerone Authorization flaw $0 (Duplicate) 12/24/2018
Tokopedia Account Takeover Bug Worth 8 Million IDR Ironfirst (@ironfisto) Tokopedia Password reset flaw, Account takeover - 12/24/2018
Server-side Request Forgery in OpenID support Putra Adhari Liberapay SSRF - 12/24/2018
Client side validation strikes again: PIN code bypass ! Davy (@RandoriSec) Netflix, Linxo Client-side validation bypass, Authentication bypass, Authorization flaw - 12/22/2018
How I accidentally found a clickjacking “feature” in Facebook Lasq (@lasq88) Facebook Clickjacking $0 12/21/2018
XSS worm – A creative use of web application vulnerability Nicolas Heiniger (@NicolasHeiniger) Swisscom XSS - 12/21/2018
Facebook BugBounty — Disclosing page members Nirmal Thapa (@tnirmalz) Facebook Information disclosure - 12/20/2018
Story of my two (but actually three) RCEs in SharePoint in 2018 Soroush Dalili (@irsdl) Microsoft RCE $0 12/19/2018
Exploiting Two Endpoints to get Account Takeover Hritik Sharma - Authorization flaw, Privilege escalation - 12/19/2018
Asus’S Admin Panel Auth Bypass Mustafa Khan (@by6153) Asus Authentication bypass - 12/18/2018
WordPress Privilege Escalation through Post Types Simon Scannell Wordpress Privilege escalation, Stored XSS, Object Injection - 12/17/2018
Subdomain Takeover — New Level Valeriy Shevchenko - Subdomain Takeover - 12/17/2018
Reading ASP secrets for $17,000 Sam Curry (@samwcyo) - Local file disclosure (LFD) $17,000 12/16/2018
Accessing VoIP Internal service via Port 8009: Routing traffic through local Apache proxy Ahmed A. Sherif - Information disclosure - 12/16/2018
Self XSS to Interesting Stored XSS Rohan aggarwal (@nahoragg) - Stored XSS - 12/15/2018
How i hacked help desk of a Company Ali Razzaq (@AliRazzaq_) - Ticket Trick - 12/15/2018
Remote Code Execution on a Facebook server Daniel Le Gall phpMyAdmin LFI, RCE, CSRF - 12/14/2018
XSSing Google Code-in thanks to improperly escaped JSON data Thomas Orlita (@ThomasOrlita) Google XSS - 12/14/2018
$3k Bug Bounty - Twitter’s OAuth Mistakes Terence Eden (@edent) Twitter OAuth flaw $2,940 12/14/2018
Unremovable Tags In Facebook Page Reviews Max Pasqua Facebook Logic flaw, DoS $500 12/14/2018
Chaining Two Vulnerabilities to Break Facebook Appointment Times For the Second Time Max Pasqua Facebook Logic flaw, DoS $500 12/14/2018
#BugBounty — “User Account Takeover-I just need your email id to login into your shopping portal account” Avinash Jain (@logicbomb_1) - OAuth flaw, Authentication bypass, Account takeover - 12/13/2018
Exploiting XXE with local DTD files Arseniy Sharoglazov (@_mohemiv) - XXE 12/13/2018
Pilot Into Facebook Group Support Jane Manchun Wong (@wongmjane) Facebook Logic flaw, Authorization flaw $0 12/13/2018
[Open redirect] Developers are lazy(or maybe busy) KatsuragiCSL (@ZuuitterE) - Open redirect $150 12/12/2018
Second bite on GitLab, and some interesting Ruby functions/features Nyangawa Gitlab RCE $10,000 12/12/2018
From blind XXE to root-level file read access Pieter Hiele (@honoki) - Blind XXE - 12/12/2018
How i was able to pwned application by Bypassing Cloudflare WAF gujjuboy10x00 (@vis_hacker) - WAF bypass - 12/12/2018
Microsoft Account Takeover Vulnerability Affecting 400 Million Users Aviva Zacks Facebook Subdomain takeover, OAuth flaw - 12/11/2018
How I could have stolen your photos from Google - my first 3 bug bounty writeups Gergő Turcsányi (@GergoTurcsanyi) Google Parameter tampering, Authorization flaw, IDOR $4,133.7 12/11/2018
How I was able to generate Access Tokens for any Facebook user. Samm0uda (@Samm0uda) Facebook IDOR, Information disclosure - 12/11/2018
Bruteforcing Instagram account’s passwords without limit. Samm0uda (@Samm0uda) Facebook Bruteforce, Lack of rate limiting - 12/11/2018
A Misconfiguration in techprep.fb.com REST API allowed me to modify any user profile. Samm0uda (@Samm0uda) Facebook Authorization flaw - 12/11/2018
How i was able to upload files to api.techprep.fb.com Samm0uda (@Samm0uda) Facebook Unrestricted file upload, XSS - 12/11/2018
Token Brute-Force to Account Take-over to Privilege Escalation to Organization Take-Over Plenum (@plenumlab) - Account takeover, Privilege escalation, Bruteforce - 12/10/2018
My first bug bounty writeup Sampanna Chimoriya Indeed XSS, HTML injection - 12/10/2018
Change Anyone’s profile picture-Exploiting IDOR Rupika Luhach (@Rup_Ki_Rani) - IDOR - 12/09/2018
Proof Of Concept Nokia Cross Site Scripting Adesh Kolte (@AdeshKolte) Nokia XSS $0, HoF 12/09/2018
How I was Able To Bypass Email Verification Muzammil Kayani (@muzammilabbas2) - Information disclosure $200 12/08/2018
RCE in Hubspot with EL injection in HubL Fyoorer (@ƒyoorer) Hubspot RCE - 12/07/2018
Facebook WhiteHat: Able to access group plan even after leaving the group Family guy Facebook Authorization flaw, Logic flaw - 12/06/2018
Billion Laugh Attack in https://sites.google.com Antonio Sanso (@asanso) Google Billion laugh attack, DoS $500 12/05/2018
XSS to XXE in Prince v10 and below (CVE-2018-19858) Corben Leo (@hacker_) - XSS, XXE - 12/05/2018
Complete User Account Takeover on an Android Application Gaurav Narwani (@gauravnarwani97) - Account takeover, OTP bypass, Password reset flaw - 12/04/2018
Taking over Google calendar of a company Daniel V. - Subdomain takeover - 12/04/2018
How to accidentally find a XSS in ProtonMail iOS app SecuNinja (@secuninja) ProtonMail XSS - 12/04/2018
GitHub Desktop RCE (OSX) André Baptista (@0xACB) Github RCE - 12/04/2018
Digging in to SCP Command Injection Dylan Katz (@Plazmaz) JSch Command injection $0 12/03/2018
[BBP系列三] Hijack the JS File of Uber’s Website Chaobin Zhang Uber JS file hijacking $6,000 12/03/2018
Love Story Of A Account Takeover (Chaining Host Header Injection To Takeover Someones Account) Logical Bimboo - Host header injection - 11/30/2018
Story about my first bug bounty Sudhanshu Rajbhar (@sudhanshur705) Alibaba XSS $100 11/30/2018
Exploiting post message to steal and replace user’s cookies Yasser Gersy (@yassergersy) - postMessage flaw - 11/30/2018
Story of Stored Xss Walid Hossain (@NoobWalid) - Stored XSS - 11/28/2018
Broken Authentication — Bug Bounty Vulnerables - Improper session management $50 11/28/2018
IRCTC — Millions of Passenger Details left at huge risk! Avinash Jain (@logicbomb_1) IRCTC Information disclosure, Lack of rate limiting $0 11/28/2018
Pwning eBay - How I Dumped eBay Japan’s Website Source Code David (@slashcrypto) Ebay .git folder disclosure, Source code disclosure $0, HoF 11/28/2018
Instagram Multi-factor authentication Bypass Vishnuraj KV Facebook 2FA bypass - 11/27/2018
Disclose contact_email of any Facebook application Amol Baikar (@AmolBaikar) Facebook Information disclosure - 11/27/2018
XSS on Facebook’s acquisition Oculus CDN Amol Baikar (@AmolBaikar) Facebook XSS $1,500 11/26/2018
XSS on Facebook-Instagram CDN Server bypassing signature protection. Amol Baikar (@AmolBaikar) Facebook XSS $1,500 11/26/2018
Facebook Source Code Disclosure in ads API Amol Baikar (@AmolBaikar) Facebook Source code disclosure - 11/26/2018
From CTFs to Bug Bounty Booty Benji Tobias Tailor Store Information disclosure $200 11/26/2018
XML XSS in *.yandex.ru by Accident Oktavandi (@0ktavandi) Yandex XSS $160 11/26/2018
My Journey To The Google Hall Of Fame Abartan Dhakal (@imhaxormad) Google Open redirect, XSS - 11/25/2018
Stored XSS Vulnerability in Jotform and H1C Private Site Anas Mahmood (@AnasIsHere) - Stored XSS $1,000 11/23/2018
Bypassing Scratch Cards On Google Pay Pratheesh P Narayanan Google Logic flaw $0, Duplicate 11/22/2018
Exploiting SSRF like a Boss — Escalation of an SSRF to Local File Read! Zain Sabahat (@Zain_Sabahat) - SSRF, LFI - 11/22/2018
An interesting XXE in SAP. Zain Sabahat (@Zain_Sabahat) SAP XXE - 11/22/2018
How i Found Information Disclosure on Scribd.com Zerb0a Scribd.com CSRF $0 11/22/2018
How I Hacked Netflix users & Use it free forever Blueberryinfosec (@bbinfosec) Netflix Cookie injection, Privilege escalation $0 11/19/2018
XS-Searching Google’s bug tracker to find out vulnerable source code Luan Herrera (@lbherrera_) Google XS-Search attack, Information disclosure $9,400 11/19/2018
Authentication bypass in NodeJS application — a bug bounty story bl4de (@_bl4de) - Authentication bypass - 11/19/2018
XSS bypass using META tag in realestate.postnl.nl Prial Islam Khan (@prial261) post.nl XSS $0, HoF, Swag 11/18/2018
From Security Misconfiguration to Gaining Access of SMTP server Daniel V. - Phpinfo file disclosure - 11/18/2018
Edmodo XSS Bug Sameer Phad (@sameerphad72) Edmodo XSS - 11/18/2018
Bypassing “How I hacked Google’s bug tracking system itself for $15,600 in bounties.” Gopal Singh (@gopalsinghcse) Google Logic flaw $3,133.70 11/17/2018
How I Managed to Create Unauthorized Comments on Facebook Live Stream Binit Ghimire Facebook Authorization flaw $750 11/16/2018
Microsoft BingPlaces Business - (url) Redirect Vulnerability Benjamin K.M. Microsoft Open redirect - 11/16/2018
XSS in hidden input fields Portswigger - XSS - 11/16/2018
[POC] Cross-Site Scripting on Garuda Indonesia Website Arif-ITSEC111 Garuda Indonesia XSS - 11/16/2018
HackenProof Customer Story: Uklon HackenProof (@hackenproof) Uklon XSS, IDOR, Blind XSS, Account takeover - 11/16/2018
Most common security vulnerabilities in npm static server modules bl4de (@_bl4de) Node.js third-party modules Path traversal, LFI, HTML injection, XSS - 11/16/2018
[email protected] Account Takeover via Cross site request forgery Adesh Kolte (@AdeshKolte) [email protected] CSRF - 11/16/2018
Spoofing file extensions on HackerOne Anurag Jain(@csanuragjain) Hackerone Unrestricted file upload - 11/16/2018
Disclose Page Admins via Gaming Dashboard Bans Philippe Harewood (@phwd) Facebook Information disclosure - 11/15/2018
Facebook Vulnerability: Hiding from the view of Business Admin in the Business Manager Ritish Kumar Singh Facebook Logic flaw, Authorization flaw $500 11/15/2018
How I Discovered XSS that Affects around 20 Uber Subdomains Fady Othman (@Fady_Othman) Uber XSS $2,500 11/14/2018
Breaking Appointments and Job Interview Schedules With Malformed Times Max Pasqua Facebook DoS $500 11/14/2018
Spoof All Domains Containing ‘d’ in Apple Products [CVE-2018-4277] Tencent’s Xuanwu Lab Apple Browser flaw - 11/13/2018
OOB XXE in PrizmDoc (CVE-2018–15805) Nik srivastava PrizmDoc OOB XXE - 11/13/2018
[DOM based XSS] Or why you should not rely on Cloudflare too much KatsuragiCSL (@ZuuitterE) - DOM XSS - 11/13/2018
Patched Facebook Vulnerability Could Have Exposed Private Information About You and Your Friends Ron Masas Facebook CSRF, Information disclosure - 11/13/2018
Chain exploitation of XSS Mikhail Klyuchnikov (@__Mn1__) - DOM XSS, Clickjacking, CSRF 11/12/2018
Clickjacking on Google MyAccount Worth 7,500$ Apapedulimu (@Apapedulimu) Google Clickjacking $7,500 11/11/2018
#bugbounty How I Takeover Microsoft Store. Sadiq West Microsoft Subdomain takeover $0, HoF 11/08/2018
Object name Exposure — ING Bank Responsible Disclosure Program Rohit kumar (@rohitcoder) ING Bank Information disclosure - 11/08/2018
How I earned 5040$ from Twitter by showing a way to Harvest other users IP address Prial Islam Khan (@prial261) Twitter Information disclosure $5,040 11/07/2018
Vine User’s Private information disclosure Prial Islam Khan (@prial261) Vine IDOR, Information disclosure $7,560 11/07/2018
WordPress Design Flaw Leads to WooCommerce RCE Simon Scannell Wordpress RCE - 11/06/2018
XSS in Dynamics 365 Tim Kent (@__timk) Microsoft XSS - 11/06/2018
Evernote For Windows Read Local File and Command Execute Vulnerabilities TongQing Zhu Evernote Stored XSS, LFI, RCE - 11/05/2018
Duplicate but still cool Plenum (@plenumlab) - IDOR, Account takeover - 11/05/2018
Unauthenticated RSFTP to Command Injection Nicodemo Gawronski - Path traversal, RCE - 11/03/2018
Full Account Takeover via Referer Header (OAuth token Steal, Open Redirect Vulnerability Chaining) Muhammad Asim Shahzad - Open redirect, OAuth token theft, Account takeover $1,200 11/03/2018
How Outdated JIRA Instances suffers from multiple security vulnerabilities? Yeasir Arafat Visma XSS, SSRF - 11/03/2018 Archived content
Imagemagick GIF coder vulnerability leads to memory disclosure (Hackerone) Kunal pandey (@kunalp94) Hackerone Imagemagick GIF $500 11/02/2018
Finding hidden gems vol. 3: quick win with .sh file Mateusz Olejarka - Information disclosure, Github leak - 11/01/2018
P1 Like a Boss | Information Disclosure via Github leads to Employee Account Takeover | Bug Bounty POC Muhammad Khizer Javed / babayaga47 (@khizer_javed47) - Information disclosure, Github leak $1,500 11/01/2018 Archived content
Stored XSS in Bug Bounty KatsuragiCSL (@ZuuitterE) - Stored XSS - 11/01/2018
[Open Redirect] When your PoC doesn’t work because of the server load balancers tololovejoi (@tolo7010) - Open redirect $300 11/01/2018
Bypass HackerOne 2FA requirement and reporter blacklist Japz Divino (@japzdivino) Hackerone Logic flaw, 2FA bypass, Authentication flaw $10,000 10/31/2018
It’s all in the detail: Email leak & Account takeover thanks to WayBackMachine & extensive knowledge about the program Zseano (@zseano) - Information disclosure, Authentication bypass, Account takeover - 10/30/2018
IDOR in JWT and the shortest token you will ever see {}.{“uid”: “1234567890”} Plenum (@plenumlab) - IDOR $1,500 10/30/2018
Journey through Google referer leakage bugs. KL Sreeram (@kl_sree) Google Information disclosure, Referer leakage $4,633.7 10/28/2018
#BugBounty — How I was able to download the Source Code of India’s Largest Telecom Service Provider including dozens of more popular websites! Avinash Jain (@logicbomb_1) - .git folder disclosure, Source code disclosure - 10/27/2018
Privilege Escalation like a Boss Jay Jani (@JayJani007) - IDOR - 10/27/2018
How Misconfigured API leaked user private information? Yeasir Arafat - IDOR, Authorization flaw - 10/26/2018
A very useful technique to bypass the CSRF protection for fun and profit. Yeasir Arafat - CSRF - 10/26/2018
CSRF account takeover Explained Automated/Manual — Bug Bounty Vulnerables OpenMenu CSRF, Account takeover $250 10/26/2018
CSRF account takeover in a company worth 1B$ Vulnerables - CSRF, Account takeover $100 10/26/2018
Subdomain takeover dew to missconfigured project settings for Custom domain . Prial Islam Khan (@prial261) Flock Subdomain takeover - 10/25/2018
DoS on Facebook Android app using 65530 characters of ZERO WIDTH NO-BREAK SPACE. Rahul Kankrale (@RahulKankrale) Facebook DoS - 10/25/2018
SOAP- Based Unauthenticated Out-of-Band XML External Entity (OOB-XXE) in a Help Desk Software Nik srivastava - XXE - 10/24/2018
Facebook hidden redirection vulnerability Ege Ken Facebook Open redirect $0 10/24/2018
XSS with HTML and how to convert the HTML into charcode() Arif-ITSEC111 Purinar Logistics XSS - 10/22/2018
Google sites and exploiting same origin policy Raushan Raj (@raushan_rajj) Google SOP bypass $3,133.70 10/22/2018
Cookie-based-injection XSS making exploitable with-out exploiting other Vulns Utkarsh Agrawal - XSS - 10/22/2018
Harvesting all private invites using leave program fast-tracked invitation and [email protected] email forwarding feature Japz Divino (@japzdivino) Hackerone Logic flaw $2,500 & Swag 10/22/2018
A possibility of Account Takeover in Medium Prashant Kumar (@notsoshant) Medium Account takeover, Logic flaw $0 10/20/2018
XSS with PUT in Ghost Blog Derek (@StackCrash) Ghost XSS - 10/19/2018
XSS using a bug in Safari and why blacklists are stupid Linus Särud (@_zulln) Apple DOM XSS - 10/19/2018 Archived content
Add comment on a private Oculus Developer bug report Sarmad Hassan (@JubaBaghdad) Facebook IDOR, Authorization flaw - 10/18/2018
Security teams Internal attachments can be exported via “Export as .zip” feature on HackerOne Japz Divino (@japzdivino) Hackerone Logic flaw $12,500 10/17/2018
XXE in IBM’s MaaS360 Platform Cody Wass IBM XXE - 10/16/2018
Path traversal while uploading results in RCE Harsh Jaiswal (@rootxharsh) - Path traversal, RCE - 10/15/2018
Brave Browser Script Blocker Bypass Vulnerability Xiaoyin Liu Brave Software Script blocker bypass - 10/13/2018
Microsoft CSRF Vulnerability Adesh Kolte (@AdeshKolte) Microsoft CSRF $500 10/12/2018
[Bug bounty | mail.ru] Access to the admin panel of the partner site and data disclosure of 2 million users Max (@iSecMax) Mail.ru Authentication bypass, Blind XSS - 10/12/2018
Magic XSS with two parameters Mahmood Shahabi (@m4shahab1) - XSS - 10/12/2018
Add description to Instagram Posts on behalf of other users - 6500$ Sarmad Hassan (@JubaBaghdad) Facebook IDOR $6,500 10/12/2018
Microsoft Edge Remote Code Execution Abdulrahman Al-Qabandi (@Qab) Microsoft RCE - 10/11/2018
Access to staging environment via User-Agent string Yasser Gersy (@yassergersy) - Authentication bypass - 10/10/2018 Archived content
Symantec Messaging Gateway authentication bypass Artem Kondratenko (@artkond) Symantec Authentication bypass - 10/10/2018
Payment bypass Pratik Yadav (@PratikY9967) - Payment bypass, Logic flaw INR 31000 (~ $442.73) 10/09/2018
Facebook Business Takeover Philippe Harewood (@phwd) Facebook Authorization flaw, Logic flaw $27,500 10/09/2018
Get as image function pulls any Insights/NRQL data from any New Relic account (IDOR) Jon Bottarini (@jon_bottarini) New Relic IDOR $2,500 10/09/2018
DOM-XSS Bug Affecting Tinder, Shopify, Yelp, and More VPN Mentor (@vpnmentor) Tinder DOM XSS - 10/09/2018
Make any Unit in Facebook Groups Undeletable Sarmad Hassan (@JubaBaghdad) Facebook Logic flaw, IDOR, Authorization flaw - 10/09/2018
[Critical] Bypass CSRF protection on IBM Mohamed Sayed (@FlEx0Geek) IBM CSRF - 10/09/2018
Persistent XSS (unvalidated Open Graph embed) at LinkedIn.com Jonathan Bouman (@JonathanBouman) LinkedIn Stored XSS $0, HoF 10/07/2018
My First 0day Exploit (CSP Bypass + Reflected XSS) #BUGBOUNTY Ali Tütüncü(@alicanact60) - Reflected XSS, CSP bypass - 10/07/2018
Blind XML External Entities Out-Of-Band Channel Vulnerability : PayPal Case Study Abdelmoughite Eljoaydi Paypal Blind XXE - 10/05/2018
Clickjacking in Google Docs and Voice typing feature. Raushan Raj (@raushan_rajj) Google Clickjacking $2,337 10/05/2018
GoogleMeetRoulette: Joining random meetings Martin Vigo (@martin_vigo) Google Bruteforce, Logic flaw - 10/04/2018
An interesting Google vulnerability that got me 3133.7 reward. Ebrahem Hegazy (@Zigoo0) Google CSRF $3,133.7 10/04/2018
Persistent XSS (Unvalidated oEmbed) at Medium.com Jonathan Bouman (@JonathanBouman) Medium Stored XSS $100 10/04/2018
Exploiting an unknown vulnerability Abhishek Bundela (@abhibundela) - Logic flaw, Payment tampering - 10/03/2018
Facebook Bug Bounty: Email Id, Phone Number Can be exposed Through Business Manager Rohit kumar (@rohitcoder) Facebook Logic flaw, Information disclosure $3,000 10/03/2018
AWS takeover through SSRF in JavaScript Gwendal Le Coguic (@gwendallecoguic) - SSRF - 10/02/2018
Applying a small bypass to steal Facebook Session tokens in Uber Samuel (@saamux) Uber XSS, CSP bypass, OAuth flaw - 10/02/2018
How i found Stored xss on your-domain.redacted.com Rudra Sarkar (@rudr4_sarkar) - XSS $0 10/02/2018
Collecting Shells by the Sea of NAS Vulnerabilities Rick Ramgattie (@RRamgattie) Lenovo OS command injection, XSS, CSRF - 10/01/2018
Subdomain Takeover via Shopify Vendor ( blog.exchangemarketplace.com ) with Steps Mohamed Haron (@m7mdharon) Shopify Subdomain takeover - 10/01/2018 Archived content
Google Stored XSS in Payments Barış Sağdıç (@brsgdc) Google Stored XSS - 10/01/2018
How I was able to takeover account’s of an Earning App Abbas Wafa - Information disclosure $0 10/01/2018
Hacking the Subway Android app Wesley Gahr (@wesley_gahr) Subway Logic flaw, Authorization flaw - 09/28/2018
IDOR, Content Spoofing and Url Redirection via unsubscribe email in Confluent Divyanshu Shukla Confluent IDOR, Content spoofing, Open redirect - 09/28/2018
Just another tale of severe bugs on a private program. Siva Krishna Samireddi (@le4rner) - Open redirect, SSRF, IDOR, Logic flaw $1,623 09/28/2018
#BugBounty — From finding Jenkins instance to Command Execution.Secure your Jenkins Instance! Avinash Jain (@logicbomb_1) - RCE, Exposed Jenkins instance - 09/27/2018
Thick Client — Attacking databases the fun/easy way Richard Clifford - Thick client flaw, Credentials sent over unencrypted channel - 09/26/2018
Arbitrary File Read in one of the largest CRMs Richard Clifford - LFI - 09/26/2018
[XSS] survey.dropbox.com Kumar Dropbox XSS $0 09/25/2018
Weaponizing XSS Attacking Internal System Rahul R - Blind XSS - 09/25/2018
Subdomain Takeover via Unsecured S3 Bucket Connected to the Website Muhammad Khizer Javed / babayaga47 (@khizer_javed47) - Subdomain takeover - 09/24/2018 Archived content
Responsible disclosure: retrieving a user’s private Facebook friends. Riccardo Padovani (@rpadovani93) Facebook Logic flaw, Authorization flaw, Information disclosure 3,000 09/23/2018
How I XSS’ed Uber and Bypassed CSP Efkan (@mefkansec) Uber Reflected XSS 2,000 09/22/2018
R-XSS -> CSRF bypass to account takeover/ Nirmal Dahal (@TheNittam) - Reflected XSS, CSRF bypass - 09/21/2018
Bypassing Firebase authorization to create custom goo.gl subdomains Thomas Orlita (@ThomasOrlita) Google Logic flaw, IDOR - 09/21/2018
Another XSS in Google Colaboratory Michał Bentkowski Google XSS - 09/20/2018
Shopify Athena Bug Uranium238 (@uraniumhacker) Shopify Authorization flaw, Information disclosure - 09/20/2018
Local file inclusion at IKEA.com Jonathan Bouman (@JonathanBouman) Ikea LFI $250 09/19/2018
Bypassing Authentication Using Javascript Debugger. Mohit Dabas (@mohitdabas08) - Authentication bypass - 09/18/2018
How i bypassed AKAMAI KONA WAF , XSS in overstock.com ! Oktavandi (@0ktavandi) Overstock.com XSS - 09/18/2018
Facebook $750 Reward for a Simple Bug Aman Shahid (@amansmughal) Facebook Authentication bypass, Logic flaw $750 09/18/2018
Chain The Bugs to Pwn an Organisation ( LFI + Unrestricted File Upload = Remote Code Execution ) Armaan Pathan (@armaancrockroax) - LFI, Unrestricted File Upload, RCE - 09/18/2018
Reflected XSS at Philips.com Jonathan Bouman (@JonathanBouman) Philips Reflected XSS - 09/17/2018
XSS Vulnerabilities in Multiple iFrame Busters Affecting Top Tier Sites Randy Westergren (@RandyWestergren) Google XSS $0 09/17/2018
Vertical escalation of privileges Leading to Sensitive Data Exposure Umair Ahmed (@u_ahmedofficial) - Bruteforce, IDOR, Authorization flaw - 09/16/2018
User Account takeover in India’s largest digital business company Minali Arora (@AroraMinali) - Account takeover, OTP bypass - 09/16/2018
IDOR User Account Takeover By Connecting My Facebook Account with victims Account Muhammad Khizer Javed / babayaga47 (@khizer_javed47) Facebook IDOR $1,200 09/16/2018 Archived content
Persistent Cross-Site Scripting on redacted worth $2,000 Muhammad Asim Shahzad - Stored XSS $2,000 09/15/2018
How I hijacked your account when you opened my cat picture Matti Bijnens (@MattiBijnens) - Logout CSRF - 09/14/2018
Hacking your own antivirus for fun and profit (Safe browsing gone wrong) Martin Thirup Christensen (@Mthirup) Bullguard Reflected XSS $0 09/14/2018
Subdomain Takeover worth 200$ Ali Razzaq (@AliRazzaq_) Netlify Subdomain takeover $200 09/14/2018
Reflected DOM XSS and CLICKJACKING on https://silvergoldbull.de/bt.html Daniel Maksimovic Silver Gold Bull DOM XSS, Clickjacking - 09/13/2018
Subdomain Takeover via Campaignmonitor Mohamed Haron (@m7mdharon) Campaign Monitor Subdomain Takeover $900 09/11/2018 Archived content
Open-Redirect Vulnerability in udacity.com Anil Tom (mr_4nk) Udacity Open redirect $0, Swag 09/11/2018
Hacking a Crypto Debit Card Service Muhammad Abdullah Plutus SQL injection - 09/11/2018
XXE at Bol.com Jonathan Bouman (@JonathanBouman) Bol.com XXE $500 (voucher) 09/11/2018
How to do 55.000+ Subdomain Takeover in a Blink of an Eye BuckHacker (@thebuckhacker) Shopify Subdomain takeover - 09/10/2018
Authentication Bypass Using SQL Injection AutoTrader Webmail – Bug Bounty POC Muhammad Khizer Javed / babayaga47 (@khizer_javed47) AutoTrader SQL injection - 09/10/2018 Archived content
Stored XSS Vulnerability in H1C Private site Anas Mahmood (@AnasIsHere) - Stored XSS $900 09/09/2018
Making the Facebook app more secure - $8500 bounty Ash King Facebook Open redirect $8,500 09/09/2018
ZOL Zimbabwe Authentication Bypass to XSS & SQLi Vulnerability – Bug Bounty POC Muhammad Khizer Javed / babayaga47 (@khizer_javed47) ZOL Zimbabwe XSS, SQL injection - 09/09/2018 Archived content
How I find Open-Redirect Vulnerability in redacted.com (One of the top online payment processing service website) Muhammad Asim Shahzad - Open redirect - 09/09/2018
Disclosure of Facebook Page Admin due to insecure tagging behavior Aj Dumanhug (@ajdumanhug) Facebook Information disclosure, Logic flaw - 09/09/2018
Stored XSS Vulnerability in Tumblr Anas Mahmood (@AnasIsHere) Automattic (Tumblr) Stored XSS $1,000 09/08/2018
Reflected XSS in Google Code Jam Thomas Orlita (@ThomasOrlita) Google Reflected XSS - 09/08/2018
SQL Injection Vulnerability bootcamp.nutanix.com | Bug Bounty POC Muhammad Khizer Javed / babayaga47 (@khizer_javed47) Nutanix SQL injection $0, Swag 09/08/2018 Archived content
LFI to 10 servers pwn Nirmal Dahal (@TheNittam) - LFI - 09/07/2018
Bypassing Hotstar Premium with DOM manipulation and some JavaScript OpSecX Hotstar Logic flaw, Payment bypas $0 09/07/2018
RCE Unsecure Jenkins Instance | Bug Bounty POC Muhammad Khizer Javed / babayaga47 (@khizer_javed47) - RCE $0 09/07/2018 Archived content
Write-up - Love story, from closed as informative to $3,500 USD, XSS stored in Yahoo! iOS MaiL app @omespino Yahoo! Stored XSS $3,500 09/07/2018
Simple Login Brute Force / Current Password Requirement Bypass Mandeep Jadon (@1337tr0lls) - IDOR, Account takeover, Bruteforce - 09/07/2018
#BugBounty — How Naaptol (India’s popular home shopping company) Kept their Millions of User Data at Risk! Avinash Jain (@logicbomb_1) Naaptol IDOR - 09/07/2018
How I could download the source code of an Indian e-commerce website!! Minali Arora (@AroraMinali) - File disclosure, Source code disclosure - 09/05/2018
P1 Vulnerability in 60 seconds @Wh11teW0lf - Information disclosure, File disclosure $1,500 09/05/2018
Facebook Bug Bounty! {Permission Bug} Ali Tütüncü(@alicanact60) Facebook Authorization flaw, Logic flaw $750 09/05/2018
Admin Disclosure of Facebook Business all Pages by normal employees: Kamal Facebook Information disclosure $0 09/02/2018
How I could have launched a spear phishing campaign with Starbucks email servers Kyle (@b3nac) Starbucks Host header injection $150 09/01/2018
Send request to Martians. Earthlings are already your friends. Sagar VD Google CSRF - 09/01/2018
I Own Your Customers !!! Muhammad Abdullah - Information disclosure, Hardcoded credentials, AWS flaw - 09/01/2018
Pwned Together: Hacking dev.to Antony Garand Dev.to Stored XSS $150, HoF 08/31/2018
$100 Bounty in 300 seconds isn’t bad !!! Rohan Chavan (@rohanchavan1918) Zoho Stored XSS $100, HoF 08/31/2018
Reflected XSS in Django REST Framework Api at MapBox Subdomain Mohamed Haron (@m7mdharon) Mapbox Reflected XSS $500 08/29/2018 Archived content
Finding hidden gems vol. 2: REAMDE.md, the story of a bit too helpful readme file Mateusz Olejarka - Information disclosure, Github leak $0 08/29/2018
A Infinite Loop Story. Ashish Kunwar (@D0rkerDevil) - DoS $100 08/29/2018
A $1000 Bounty Gaurav Narwani (@gauravnarwani97) - Information disclosure $1,000 08/28/2018 Archived content
Reflected Swf XSS at ( https://plugins.svn.wordpress.org ) Mohamed Haron (@m7mdharon) Wordpress Swf XSS, Reflected XSS $350 08/28/2018 Archived content
How i found a 1500$ worth Deserialization vulnerability Ashish Kunwar (@D0rkerDevil) - Misconfigured JSF ViewState, Java deserialization $1,500 08/28/2018
IDOR FACEBOOK: malicious person add people to the “Top Fans” Jafar Abo Nada Facebook IDOR - 08/28/2018
Traversing the Path to RCE hawkinsecurity - Path traversal, RCE $0 08/27/2018
Uber Bug Bounty: 1000$ for two “high severity” issue Peuch Uber Information disclosure, Github leak $1,000 08/27/2018
Open Redirection negative Wibes Pleio Open redirection - 08/26/2018
My first valid xss(@Hackerone) Jatin Aesthetic (@techyfreakk) - XSS $100 08/25/2018
Remote Code Execution on a Facebook server Daniel Le Gall Facebook RCE $5,000 08/24/2018
Privileged Escalation in Facebook Messenger Rooms Jafar Abo Nada Facebook Privilege escalation, IDOR - 08/24/2018
SQL Injection Vulnerability In University Of Cambridge Adesh Kolte (@AdeshKolte) Cambridge SQL injection - 08/24/2018
Liking GitHub repositories on behalf of other users — Stored XSS in WebComponents.org Thomas Orlita (@ThomasOrlita) Webcomponents.org Stored XSS - 08/23/2018
API key: The real goldmine Yumi - Information disclosure - 08/19/2018
Privileged Escalation in Facebook Messenger Rooms Jafar Abo Nada (@Jafar_Abo_Nada) Facebook Authorization flaw, Privilege escalation - 08/18/2018
User credential are sent in clear text in Whatsapp web— FIXED | Facebook Bug Bounty Thuvarakan Nakarajah Facebook (WhatsApp) Credentials sent over HTTP - 08/18/2018
YAHOO IDOR -elimination of any comment Bada Diaz (@bada77) Yahoo IDOR - 08/17/2018
3 Minutes & XSS! Ashish Jha Edmodo XSS - 08/17/2018
IDOR leads to account takeover @s0cket7 - IDOR - 08/16/2018
ICloud.com DOM-Based XSS! #BugBounty Musab Alhussein Apple DOM XSS $0, HOF 08/14/2018
Another “TicketTrick” story Uranium238 (@uraniumhacker) Uber Logic flaw, TicketTrick - 08/14/2018
XSS at Hubspot and XSS in email areas. Friendly (@SkeletorKeys) Hubspot, [Private program] XSS $450 08/13/2018
IDOR leads to getting Access tokens of users linked to Google Drive on Edmodo Aagam shah (@neutrinoguy) Edmodo IDOR - 08/12/2018
Distorted and Undeletable Posts in Facebook Group Sarmad Hassan (@JubaBaghdad) Facebook Authorization flaw, Logic flaw - 08/12/2018
How I Chained 4 Bugs(Features?) into RCE on Amazon Collaboration System Orange Tsai (@orange_8361) Amazon RCE - 08/11/2018
S3 Bucket Misconfiguration in Amazon Divyanshu Shukla Amazon AWS flaw $0 08/11/2018
Adminer Script Results to Pwning Server?, Private Bug Bounty Program Yasho (@YShahinzadeh) - Authentication bypass - 08/11/2018
Misconfigured JIRA setting - Apigee Tutorgeeks Google, Jira Information disclosure - 08/10/2018 Archived content
[Twitter Bug Bounty] Misconfigured JSON endpoint on ads.twitter.com lead to Access control issue and Information Disclosure of role privileged users. Peerzada Fawaz Ahmad Qureshi (@zk34911) Twitter Authorization flaw, Information disclosure $280 08/10/2018
Subdomain Takeover: Yet another Starbucks case Patrik Hudak Starbucks Subdomain takeover $2,000 08/09/2018
From TOMCAT to NT AUTHORITY\SYSTEM Rahul R - Default credentials - 08/09/2018
My Disclosed Report about Basic auth Api details at Reverb.com Mohamed Haron (@m7mdharon) Reverb Information disclosure $100 08/09/2018 Archived content
This is how can I spoof ANY Sentry.Io log infinitely and create fake error-logs Carlos Daniel Giovanella HackerOne, Sentry Logs flooding and falsification $0 08/09/2018
My First Critical Report Miguel Corral (@mcorral74) - Password reset flaw, Account takeover $2,500 08/08/2018
How I hacked a Crypto Exchange (Bug Bounty Writeup) Muhammad Abdullah - IDOR - 08/07/2018
From data leak to account takeover Antony Garand - Account takeover, Information disclosure, Password reset flaw - 08/07/2018
How I gained commit access to Homebrew in 30 minutes Eric Holmes (@vesirin) Homebrew Information disclosure - 08/07/2018
Sending out phishing e-mails from @microsoft.com @si9int Microsoft HTML injection $0 08/07/2018
Unauth meetings access Uranium238 (@uraniumhacker) Google Authorization flaw, Logic flaw - 08/06/2018
Self XSS leads to blind XSS and reflected XSS. Friendly (@SkeletorKeys) - Blind XSS, Reflected XSS $700 08/06/2018
Reflected XSS Primagames.com Friendly (@SkeletorKeys) Prima Games Reflected XSS - 08/06/2018
My First Swag Pack : A Logical Bug on Edmodo Abartan Dhakal Edmodo Logic flaw $0, Swag 08/05/2018
Stored XSS in GameSkinny Friendly (@SkeletorKeys) GameSkinny Stored XSS - 08/03/2018
Blind-XSS in Chrome Experiments - Google (Write Up) Evan Ricafort (@evanricafort) Google Blind XSS $100 08/03/2018
#BugBounty — @Paytm Customer Information is at risk — India’s largest digital wallet company Avinash Jain (@logicbomb_1) Paytm IDOR - 08/03/2018
Discovering and Exploiting a Vulnerability in Android’s Personal Dictionary (CVE-2018-9375) Daniel Kachakil Google Privilege escalation, Android flaw - 08/01/2018
Exploiting a Microsoft Edge Vulnerability to Steal Files Ziyahan Albeniz Microsoft SOP bypass - 08/01/2018
Shipt Subdomain TakeOver via HeroKu ( test.shipt.com ) Mohamed Haron (@m7mdharon) Shipt Subdomain takeover - 08/01/2018 Archived content
Disclose Facebook Internal Server Information With A Strange Poll Jane Manchun Wong (@wongmjane) Facebook Logic flaw - 08/01/2018
CRLF Injection Into PHP’s cURL Options TomNomNom - CRLF injection - 08/01/2018
How I could access your internal servers, steal and modify your image repository PoC || GO - RCE - 07/31/2018
Hacking Imgur for Fun and Profit Nathan (@NathOnSecurity) Imgur Outdated component with a known vulnerability, Information disclosure $5,500 07/29/2018
18th Acknowledgement From Microsoft Muhammad Muhaddis Microsoft IDOR $0, HOF 07/29/2018
Yahoo — Two XSSi vulnerabilities chained to steal user information. ($750 Bounty) Brian Hyde Yahoo XSSI $750 07/29/2018
Microsoft Office 365 Stored XSS @Pethuraj Microsoft Stored XSS $0, HOF 07/29/2018
Making a Blind SQL Injection a Little Less Blind TomNomNom - SQL injection - 07/28/2018
Binary.com ClickJacking Vulnerability — Exploiting HTML5 Security Features Ameer Assadi Binary.com Clickjacking - 07/28/2018
How I found XSS on Amazon? Coding_Karma Amazon XSS $0 07/26/2018
Exfiltration via CSS Injection d0nut - CSS injection - 07/25/2018
SQL Injection and A silly WAF Mahmoud Gamal (@Zombiehelp54) - SQL injection - 07/25/2018
Exploitation of Server Side Template Injection with Craft CMS plugin SEOmatic <=3.1.3 [CVE-2018-14716] Sebastian (ha.cker.info) Private program, SEOmatic CMS plugin SSTI - 07/24/2018
Vulnerability in Hangouts Chat a.k.a. how Electron makes open redirect great again Michał Bentkowski Google Open redirect $7,500 07/24/2018
Finding hidden gems vol. 1: forging OAuth tokens using discovered client id and client secret Mateusz Olejarka - Information disclosure $3,133.7 07/23/2018
IDOR FACEBOOK: malicious person add people to the “Top Fans” Jafar Abo Nada (@Jafar_Abo_Nada) Facebook IDOR - 07/21/2018
Unclaimed Medium Publication takeover in WeTransfer Prial Islam Khan (@prial261) WeTransfer Medium publication takeover $100 07/21/2018
Google Assistant Bug Worth $3133.7 ! Circle Ninja (@circleninja) Google Reflective XSS $3,133.7 07/21/2018
RCE due to ShowExceptions Harsh Jaiswal (@rootxharsh) - RCE $5,000 07/20/2018
Into the Borg – SSRF inside Google production network Enguerran Gillier (@opnsec) Google SSRF $13,337 07/20/2018
The call is coming from inside the house — DNS rebinding in EOSIO keosd wallet François Proulx EOSIO DNS rebinding - 07/19/2018
RCE on Yahoo Luminate Rojan Rijal (@uraniumhacker) <td markdown="span">Yahoo RCE - 07/19/2018
How I was able to delete 13k+ Microsoft Translator projects Haider Mahmood Microsoft CSRF, IDOR $0 07/19/2018
Hey Developer, Give me your API keys.!! Devansh batham Crowdin Information disclosure Swag, HoF 07/18/2018
Bypass Admin approval, Mute Member and Posting Permissions for Only admins in Facebook groups Sarmad Hassan (@JubaBaghdad) Facebook Authorization flaw, Logic flaw - 07/18/2018
Hacking thousands of companies through their helpdesk Khaled Hassan - Account takeover, DoS, Logic flaw - 07/17/2018
CVE-2018-13784: PrestaShop 1.6.x Privilege Escalation Charles Fol (Ambionics Security) PrestaShop Privilege escalation, Improper session management - 07/16/2018
WRITE UP – TELEGRAM BUG BOUNTY – WHATSAPP N/A [“Blind” XSS Stored iOS in messengers twins, who really care about your security?] @omespino Facebook Blind Stored XSS - 07/16/2018
Attacking PostgreSQL Database Vishnuraj KV - Bruteforce, Weak credentials - 07/16/2018
Bug Bounty at Bangladeshi Site. Shaifullah Shaon - SQL injection BDT 10,000 (~ $120) 07/15/2018
Should this be public though? Rojan Rijal (@uraniumhacker) <td markdown="span">Shopify, Uber Information disclosure $500 07/13/2018
XSS in Microsoft subdomain Sudhanshu Rajbhar (@sudhanshur705) Microsoft XSS - 07/13/2018
The tradeRifle Vulnerability Identified in LBank Mobile Service (CVE-2018-13363) PeckShield LBank MiTM - 07/12/2018
Gsuite Hangouts Chat 5k IDOR Cam (@SecretlyHidden1) Google IDOR $5,000 07/10/2018
Persistent XSS at AH.nl Jonathan Bouman (@JonathanBouman) AH.nl Stored XSS $200 07/09/2018
#BugBounty - Compromising User Account- “How I was able to compromise user account via HTTP Parameter Pollution(HPP)” Avinash Jain (@logicbomb_1) - HTTP Parameter Pollution, Password reset flaw, Account takeover - 07/07/2018
Server Side Request Forgery on Vanilla Forums Vikash Chaudhary Vanilla Forums SSRF - 07/07/2018
Latex to RCE, Private Bug Bounty Program Yasho (@YShahinzadeh) - RCE - 07/06/2018
The $12,000 Intersection between Clickjacking, XSS, and Denial of Service Sam Curry (@samwcyo) Bustabit Clickjacking, XSS, DoS $12,000 07/04/2018
Chaining Multiple Vulnerabilities to Gain Admin Access Ben Sadeghipour (@nahamsec) - IDOR, Account takeover - 07/02/2018
Bug Bounty: Tumblr reCAPTCHA vulnerability write up Leigh-Anne Galloway (@L_AGalloway) Automattic (Tumblr) reCAPTCHA bypass, email enumeration, username enumeration - 06/29/2018
Authentication bypass in Cisco Meraki Ameya (@iamTakeMyHand) Cisco Meraki Authentication bypass - 06/29/2018
This popular Facebook app publicly exposed your data for years Inti De Ceukelaire (@securinti) Facebook, Nametests.com Information disclosure, Authorization flaw $4,000 06/28/2018
Take Advantage of Out-of-Scope Domains in Bug Bounty Programs Abdullah Hussam (@Abdulahhusam) - XSS $1,250 06/27/2018
How re-signing up for an account lead to account takeover @zseano - Logic flaw, Account takeover - 06/26/2018
Subdomain Takeover: Starbucks points to Azure Patrik Hudak Starbucks Subdomain takeover $2,000 06/25/2018
Account Take over via reset password Yasser Gersy (@yassergersy) - Password reset flaw, Account takeover $1,500 06/25/2018 Archived content
How I got access to local AWS info via Jira Coen Goedegebure - SSRF - 06/24/2018
Fastest Fix on Open Bug Bounty Platform Wen Bin KONG Kevag Telekom GmbH Reflected XSS, CSRF - 06/24/2018
How I hacked Apple.com (Unrestricted File Upload) Jonathan Bouman (@JonathanBouman) Apple Unrestricted file upload - 06/22/2018
XSS in Google Colaboratory + CSP bypass Michał Bentkowski Google XSS, CSP bypass - 06/21/2018
Using a GitHub app to escalate to an organization owner for a $10,000 bounty Tanner Github Authorization flaw, IDOR $10,000 06/20/2018
Setting arbitrary request headers in Chromium via CRLF injection Michał Bentkowski Google CRLF injection - 06/20/2018
I discovered a browser bug Jake Archibald Mozilla, Microsoft Browser bug, Range requests flaw - 06/20/2018
[Responsible disclosure] How I could have booked movie tickets through other user accounts Bharathvaj Ganesan AGS Cinemas Password reset flaw, Account takeover, Bruteforce, OTP bypass - 06/18/2018
How i found blind XSS in Apple Taha Smily Apple Blind XSS - 06/18/2018
Reflected Client XSS at Amazon.com Jonathan Bouman (@JonathanBouman) Amazon Reflected XSS $0 06/15/2018
Yay! 3133.70$ for RCE on *.withgoogle.com subdomain. lalka Google RCE $3,133.70 06/15/2018
Password reset to full account takeover Hamza Bettache - Password reset flaw, Account takeover - 06/15/2018
Reflected XSS in 360totalsecurity Taha Smily 360totalsecurity Reflected XSS - 06/14/2018
The 2.5 BTC Stored XSS Khaled Hassan - Stored XSS 2.5 BTC 06/13/2018
How I got paid premium plan for free on many popular websites Khaled Hassan - Logic flaw - 06/13/2018
Vulnerability Netflix (cross-site-scripting) XSS Bada Diaz (@bada77) Netflix Reflected XSS - 06/13/2018
Unvalidated Open Redirect Bol.com Jonathan Bouman (@JonathanBouman) bol.com Open redirect $100 in gift cards 06/12/2018
Full account Takeover via reset password function Khaled Hassan - IDOR, Account takeover, Password reset flaw $1,250 06/12/2018
Server-Side Spreadsheet Injection – Formula Injection to Remote Code Execution Jake Miller Google CSV injection, Server side spreadsheet injection, Formula injection, RCE - 06/11/2018
How I Found CVE-2018-8819: Out-of-Band (OOB) XXE in WebCTRL Darrell Damstedt - XXE $0 06/11/2018
[PayPal BBP] I could’ve deleted All SMC messages. Using Brute-Force technique. Ayoub Ait Elmokhtar Paypal CSRF - 06/10/2018
Steam, Fire, and Paste – A Story of UXSS via DOM-XSS & Clickjacking in Steam Inventory Helper Matthew Bryan Steam Inventory Helper Chrome extension DOM XSS, UXSS, Clickjacking - 06/08/2018
How I was able to list some internal information from PayPal #BugBounty Adrien Jeanneau Paypal Expression Language Injection (JSTL), Information disclosure $0 06/07/2018
How I found XSS via SSRF vulnerability -Adesh Kolte Adesh Kolte (@AdeshKolte) CERT-EU, Motorola, Stanford SSRF, XSS $750 06/07/2018
#BugBounty —” Database hacked of India’s Popular Sports company”-Bypassing Host Header to SQL injection to dumping Database — An unusual case of SQL injection. Avinash Jain (@logicbomb_1) - SQL injection - 06/06/2018
Zero to Account Takeover: How I ‘Impersonated’ Someone Else Using Auth0 Daniel Svartman OAuth Logic flaw - 06/05/2018
Searching for XSS found LDAP injection Davide Tampellini - LDAP injection - 06/05/2018
Are you sure this is a trusted email? Khaled hassan - Open mail relay $900 06/05/2018
Reading Your Emails With A Read&Write Chrome Extension Same Origin Policy Bypass (~8 Million Users Affected) Matthew Bryan Read&Write Chrome extension SOP bypass - 06/05/2018
How I Hacked Fotor & Got “Nothing” Somdev Sangwan (s0md3v) Fotor SSRF, RFI $0 06/01/2018 Archived content
Getting PHP Code Execution and leverage access to panels,databases,server Shawar Khan (@ShawarkOFFICIAL) - Code execution - 06/01/2018
How i converted SSRF to XSS in Jira. Ashish Kunwar (@D0rkerDevil) - SSRF, XSS $50 06/01/2018
How I Earned $750 Bounty Reward From AT&T bug Bounty -Adesh Kolte Adesh Kolte (@AdeshKolte) AT&T RCE, Clickjacking, XSS, Same Origin Method Execution $750 06/01/2018
#Bug Bounty — How I booked a rental house for just 1.00 INR — Price Manipulation in Citrus Pay Raghavendra Reddy - Parameter tampering - 05/31/2018
Reflected XSS in Yahoo Subdomain ( hk.movies.yahoo.com ) Mohamed Haron (@m7mdharon) Yahoo! Reflected XSS - 05/30/2018 Archived content
5k$ for path traversal on *.paypal-corp.com subdomain lalka Paypal Path traversal $5,000 05/30/2018
Account Takeover and Blind XSS! Go Pro, get Bugs! Tabahi - IDOR, Stored XSS, Account takeover, Blind XSS $3,500 05/30/2018
How I found 5 store XSS on a private program. Each worth “1,016.66$” Shahzad Sadiq - Stored XSS $5,083.3 05/30/2018
How I got hall of fame in two fortune 500 companies — An RCE story… Alfie - RCE - 05/29/2018
How i was able to get admin panel on a private program Shahzad Sadiq - Weak credentials $1,500 05/29/2018
reCAPTCHA bypass via HTTP Parameter Pollution Andres Riancho Google HTTP parameter pollution, reCAPTCHA bypass $500 05/28/2018
Persistent XSS to Steal Passwords – Paypal Akhil Reni Paypal Stored XSS - 05/26/2018
Simple IDOR to reject a to-be users invitation via their notification Abss TBH @abss_tbh WePay IDOR - 05/24/2018
How I was able to see any private album passwrod in Picturepush — IDOR Murtada Kamil PicturePush IDOR - 05/23/2018
#BugBounty — ”How I was able to hack any user account via password reset?” Bikash Gupta - IDOR, Account takeover, Password reset flaw - 05/23/2018
RCE by uploading a web.config 003random - RCE - 05/22/2018
AWS Security Flaw which can grant admin access! Sharath AV Amazon Authorization flaw - 05/22/2018
Getting read access on Edmodo Production Server by exploiting SSRF Shawar Khan (@ShawarkOFFICIAL) Edmodo SSRF - 05/21/2018
Self-XSS + CSRF to Stored XSS Renwa - Self XSS, CSRF, STored XSS - 05/20/2018
$36k Google App Engine RCE Ezequiel Pereira (@epereiralopez) Google RCE $36,337 05/20/2018
Fastest Fix on Open Bug Bounty Platform Wen Bin KONG Kevag Telekom GmbH XSS, CSRF - 05/19/2018
How i got 100$ from one private website Aayush Pokhrel (@aayushpok) - Information disclosure $100 05/19/2018
How i HACKED admin account via password reset IDOR function of one private currency exchanger site Aayush Pokhrel (@aayushpok) - IDOR, Password reset flaw, Account takeover - 05/19/2018
Stored XSS in Yahoo and all subdomains! Hakim Bencella Microsoft Stored XSS $1,500 05/19/2018
Xss in Microsoft hacker_eth Microsoft XSS - 05/18/2018
How I was able to get subscription of $120/year For Free Muhammad Khizer Javed / babayaga47 (@khizer_javed47) wetransfer.com Payment bypass $500 05/18/2018
Whatsapp- DOS vulnerability on Android/iOS/Web Pratheesh P Narayanan Facebook DoS $500 05/15/2018
HSTS Bypass Vulnerability in IE Preview Xiaoyin Liu Microsoft HSTS bypass $0 05/15/2018
How I used a simple Google query to mine passwords from dozens of public Trello boards Kushagra Pathak Trello Authorization flaw, Information disclosure $0 05/09/2018
Internet Safety for Kids & Families — Trend Micro Bypass DOM XSS Honc (@honcbb) Trend Micro DOM XSS $0, HoF 05/08/2018
Asus Control Center – An Information Disclosure and a database connection Clear-Text password leakage Vulnerability Mohamed A. Baset Asus Authorization flaw, Information disclosure - 05/08/2018
Ubisoft | Blind XSS to customer support panel takeover Hx01 Ubisoft Blind XSS - 05/06/2018
A Five Minute SQL-I Ashish Jha - SQL injection - 05/06/2018
How I Got Paid $0 From the India’s largest online gifting portal — Bug Bounty Program Hariom Vashisth - Price manipulation, Parameter tampering $0 05/05/2018
$4500 bounty - How I got lucky Eray Mitrani - Subdomain takeover $4,500 05/03/2018
Disclose Private Video Thumbnail from Facebook WorkPlace Sarmad Hassan (@JubaBaghdad) Facebook IDOR $3,000 05/03/2018
Stealing money from one account to another account Ajay Gautam (@evilboyajay) - Logic flaw - 05/02/2018
Story Of a Stored XSS Bypass Prial Islam Khan (@prial261) Zerocopter Open redirect - 04/30/2018
Multiple security vulnerabilities in domains belonging to Google Sysdreams Google Broken access control, Directory traversal, Stored XSS - 04/30/2018
How I found 2.9 RCE at Yahoo! Bug Bounty program Kedrisec (@kedrisec) Yahoo RCE - 04/30/2018
#BugBounty — How I was able to bypass firewall to get RCE and then went from server shell to get root user account! Avinash Jain (@logicbomb_1) - RCE - 04/29/2018
Reflected XSS on Stack Overflow ssid (@newp_th) Stack Overflow Reflected XSS - 04/27/2018
Stored XSS in Yahoo! Shahzada AL Shahriar Khan Yahoo Stored XSS $2000 04/27/2018
Bypassing the Confirmation Email for Newsletter (bof.nl) Mohammed Israil (@mdisrail2468) Bits of Freedom Authorization flaw, IDOR $0, Swag 04/26/2018
How I earned 60K+ from private program Siva Krishna Samireddi (@le4rner) - Open redirect, subdomain takeover, XSS, HTTP parameter pollution 60,000 INR (approx. $880) 04/25/2018
The Unknown Hero-App Logic Bugs Circle Ninja (@circleninja) Canva Logic flaw - 04/25/2018
XSS “403 forbidden” bypass write up Nur A Alam Dipu - XSS - 04/25/2018
How we got LFI in apache Drill (Recon like a boss) gujjuboy10x00 (@vis_hacker) - LFI - 04/23/2018
DOM XSS in Google VRView library Federico Fazzi Google DOM XSS $3,133.7 04/23/2018
Three Cases, Three Open Redirect Bypasses Mohammed Eldeeb (@malcolmx0x) - Open redirect - 04/22/2017
Turning Self-XSS into non-Self Stored-XSS via Authorization Issue at “PayPal Tech-Support and Brand Central Portal YoKo Kho (@YoKoAcc) Paypal Stored XSS - 04/21/2018
Story Of a Stored XSS Bypass Prial Islam Khan (@prial261) - Stored XSS - 04/21/2018
Mangobaaz hacked | XSS to credentials exposure to pwn Hx01 MangoBaaz Reflected XSS $0 04/19/2018
#BugBounty — ”Journey from LFI to RCE!!!”-How I was able to get the same in one of the India’s popular property buy/sell company. Avinash Jain (@logicbomb_1) - LFI, RCE - 04/19/2018
Bypassing the Current Password Protection at PayPal TechSupport Portal YoKo Kho (@YoKoAcc) Paypal Authorization flaw, Account takeover - 04/19/2018
Google Bug: Posting on groups as any user’s behalf ssid (@newp_th) Google Email spoofing $0 04/18/2018
Whatsapp user’s IP disclosure with Link Preview feature Rahul Kankrale (@RahulKankrale) Facebook Information disclosure $0 (won’t fix) 04/18/2018
Ribose — IDOR with Simple CSRF Bypass — Unrestricted Changes and Deletion to other Photo Profile YoKo Kho (@YoKoAcc) Ribose IDOR - 04/18/2018
How I Get the Name of the Hotel (and other Data) that you ever Stay - Personal Data Leaks: Private Bug Bounty Program YoKo Kho (@YoKoAcc) - IDOR - 04/18/2018
IDOR (at Private Bug Bounty Program) that could Leads to Personal Data Leaks YoKo Kho (@YokoAcc) - IDOR - 04/17/2018
How I got stored XSS using file upload gujjuboy10x00 (@vis_hacker) - Stored XSS - 04/17/2018
From an error message to DB disclosure Yumi - Hardcoded credentials - 04/17/2018
Spoof an user to create a description of a group in Flickr Samuel (@saamux) Yahoo (Flickr) IDOR - 04/16/2018
Bypassing Captcha Like a Boss Ak1T4 (@akita_zen) - Captcha bypass $xxx 04/16/2018
#SecurityBreach — ”How I was able to book hotel room for 1.50₹!” Hariom Vashisth - CORS flaw - 04/15/2018
Bypass CSP by Abusing XSS Filter in Edge Xiaoyin Liu Microsoft CSP bypass $1,500 04/15/2018
How I hacked companies related to the crypto currency and earned $60,000 Max (@iSecMax) okex.com, livecoin.net, [private program] Authorization flaw, CSRF, IDOR, Stored XSS, HTML injection $59,400 04/14/2018
How I bypassed Ebay process on redirect Mohamed Sayed (@FlEx0Geek) Ebay Open redirect $0 04/13/2018
Hijacking User’s Private Information access_token from Microsoft Office360 facebook App Mohamed A. Baset Microsoft Logic flaw $0 04/13/2018
Please email me your password Jasmin Laundry - Blind XSS, Blind SQL injection, SMTP header injection, Account takeover - 04/11/2018
How I broke into Google Issue Tracker Abhishek Bundela (@abhibundela) Google Logic flaw, Authorization flaw $0 04/10/2018
Source Code Analysis in YSurvey — Luminate bug Rojan Rijal (@uraniumhacker) <td markdown="span">Yahoo Authentication bypass, Authorization flaw, SQL injection - 04/10/2018
Piercing the veil: Server Side Request Forgery to NIPRNet access Alyssa Herrera (@Alyssa_Herrera_) DoD SSRF - 04/09/2018
Stealing HttpOnly Cookie via XSS Yasser Gersy (@yassergersy) - XSS - 04/08/2018 Archived content
Reflected XSS on www.zomato.com By Mustafa Hasan Mohamed Haron (@m7mdharon) Zomato Reflected XSS $100 04/07/2018 Archived content
“Exploiting a Single Parameter” Hisham Mir (@Hishammir1) - SSRF, XSS $2,500 04/06/2018
Link injection on 2 Twitter Subdomain Mohamed Haron (@m7mdharon) Twitter Link injection $280 04/01/2018 Archived content
Avinash Jain (@logicbomb_1) - IDOR - 04/05/2018
How I caught Multiple vulnerabilities in Udemy.com, But not rewarded for serious XSS vulnerability :( Satyendra Shrivastava Udemy XSS, HTML injection - 04/05/2018
Directory Listing To Sensitive Files Exposure Hx01 - Directory listing - 04/04/2018
Facebook BugBounty: Intercept incoming friend requests of Victim add/accept to your facebook account Family guy Facebook Authorization flaw - 04/02/2018
My Best Small Report Bounty Report in Private Program ( Django REST framework Admin Login ByPass ) Mohamed Haron (@m7mdharon) - SQL injection, Auth bypass, Account takeover $2,000 04/01/2018 Archived content
XSS in Yahoo Subdomain Mohamed Haron (@m7mdharon) Yahoo! Flash XSS $600 03/31/2018 Archived content
XSS In sports.tw.campaign.yahoo.net Mohamed Haron (@m7mdharon) Yahoo! Reflected XSS - 03/31/2018 Archived content
How I hacked one cryptocurrency service Valeriy Shevchenko PayKassa Blind XSS, Reflected XSS, CSRF $300 03/31/2018
How I Could Have Promoted Any Facebook Page For Free. Anees Khan Facebook Logic flaw $0 03/30/2018
View Insights for Any Facebook Marketplace Product Jane Manchun Wong (@wongmjane) Facebook Authorization flaw - 03/29/2018
Creating Test Conversion using any App Joshua Regio Facebook Web parameter tampering $3,000 03/27/2018
Google bug bounty for security exploit that influences search results Tom Anthony (@TomAnthonySEO) Google Logic flaw $5,000 03/27/2018
Reflected XSS Moogaloop SWF ( Version < 6.2.x ) Mohamed Haron (@m7mdharon) Vimeo Flash XSS, Reflected XSS - 03/26/2018 Archived content
Misconfiguration of Demographics Privacy in a Page Mark Christian Deduyo Facebook Logic flaw $750 03/26/2018
#BugBounty — Rewarded by securing vulnerabilities in Bookmyshow (India’s largest online movie & event booking portal) Avinash Jain (@logicbomb_1) BookMyShow Host header attack, IDOR - 03/25/2018
Hacking Oracle in 5 Minutes Rahul R Oracle Directory listing - 03/25/2018
Google adwords 3133.7$ Stored XSS Emad Shanab Google Stored XSS $3,133.7 03/21/2018
Leaking WordPress CSRF Tokens for Fun, $1337 bounty, and CVE-2017-5489 Abdullah Hussam (@Abdulahhusam) Wordpress CSRF $1337 03/15/2018
#BugBounty — “Let me reset your password and login into your account “-How I was able to Compromise any User Account via Reset Password Functionality Avinash Jain (@logicbomb_1) - Logic flaw, Password reset flaw, Account takeover - 03/14/2018
Dox Facebook Employees Behind “Did You Know” Questions Jane Manchun Wong (@wongmjane) Facebook Information disclosure - 03/13/2018
Union Based Sql injection Write up ->A private Company Site Nur A Alam Dipu - SQL injection - 03/12/2018
How I hacked 74k users of a website. Utkarsh Agrawal - Authentication flaw - 03/11/2018
How I hacked 74k users of a website. Utkarsh Agrawal - Authorization flaw - 03/11/2018
Getting any Facebook user’s friend list and partial payment card details Josip Franjkovic Facebook Information disclosure, IDOR - 03/09/2018
Stored XSS, and SSRF in Google using the Dataset Publishing Language Craig Arendt (@signalchaos) Google Stored XSS, SSRF $18,337 03/07/2018
Clickjackings in Google worth 12644.7$ Raushan Raj (@raushan_rajj) Google Clickjacking $12,644.7 03/06/2018
Facebook Bug Bounty Reports Raushan Raj (@raushan_rajj) Facebook Authorization flaw, Logic flaw, Information disclosure $6,000 03/06/2018
#BugBounty — How I could book cab using your wallet money in India’s largest auto transportation company! Avinash Jain (@logicbomb_1) - OTP bypass - 03/05/2018
How I found A Surprising XSS Vulnerability on Oracle NetSuite ? Circle Ninja (@circleninja) Oracle XSS - 03/02/2018
The 2.5mins or 2.5k$ hawk-eye bug – A Facebook Pages Admins Disclosure Vulnerability! Mohamed A. Baset Facebook Information disclosure $2,500 02/25/2018
Re-dressing Instagram – Leaking Application Tokens via Instagram ClickJacking Vulnerability! Mohamed A. Baset Facebook Clickjacking - 02/25/2018
How i Hacked into a bugcrowd. public program Vishnuraj KV - RCE - 02/25/2018
#BugBounty — API keys leakage, Source code disclosure in India’s largest e-commerce health care company. Avinash Jain (@logicbomb_1) - Path traversal - 02/25/2018
How I was able to delete any image in Facebook community question forum Sarmad Hassan (@JubaBaghdad) Facebook IDOR $1500 02/24/2018
Bypassing Google’s authentication to access their Internal Admin panels Vishnu Prasad P G Google Authentication bypass $13,337 02/24/2018
The Fuzz…The Bug..The Action – A Race Condition bug in Facebook Chat Groups leads to spy on conversations! Seif Elsallamy Facebook Race condition - 02/23/2018
Modifying any Ad Space and Placement Joshua Regio Facebook IDOR - 02/22/2018
POODLE SSLv3 bug on multiple twitter smtp servers @omespino Twitter Cryptographic issues $280 02/21/2018
Google bugs stories and the shiny pixelbook. Missoum Said (@missoum1307) Google DOM XSS, Stored XSS, Logic flaw, Reflected XSS, CSRF $6,250 02/20/2018
How I hacked Tinder accounts using Facebook’s Account Kit and earned $6,250 in bounties Anand Prakash (@sehacure) Tinder, Facebook Account takeover, Authorization flaw $6,250 02/20/2018
Exploiting CORS Miss configuration using XSS Noman Shaikh - CORS misconfiguration - 02/18/2018
#BugBounty — Exploiting CRLF Injection can lands into a nice bounty Avinash Jain (@logicbomb_1) - CRLF injection $250 02/17/2018
How I was able to remotely crash any android user’s instagram app and was paid a mere 500$ for it. Waleed Ahmed Facebook Android, DoS $500 02/15/2018
#BugBounty — “How I was able to shop for free!”- Payment Price Manipulation Avinash Jain (@logicbomb_1) - Web parameter tampering / Price manipulation - 02/11/2018
Oracle Cross Site Scripting Vulnerability -Adesh Kolte Adesh Kolte (@AdeshKolte) Oracle Reflected XSS - 02/10/2018
Stored XSS on Snapchat Mrityunjoy Snapchat Stored XSS - 02/09/2018
I figured out a way to hack any of Facebook’s 2 billion accounts, and they paid me a $15,000 bounty for it Anand Prakash (@sehacure) Facebook Bruteforce, Account takeover $15,000 02/09/2018
Taking over Facebook accounts using Free Basics partner portal Josip Franjkovic Facebook Information disclosure, IDOR - 02/07/2018
Bug bounty left over (and rant) Part III (Google and Twitter) Antonio Sanso (@asanso) Google, Twitter OAuth flaw, Authentication flaw, Information disclosure $5,540 02/06/2018
How I gained access to Sony’s database Rahul R Sony - $0 02/06/2018
SQL injection with load file and into outfile NoGe - SQL injection $750 02/05/2018
How I found IDOR on Twitter’s Acquisition – Mopub.com Jay Jani (@JayJani007) Twitter IDOR - 02/05/2018
Facebook mailto injection leads to social engineering & spam attack Rahul Kankrale (@RahulKankrale) Facebook Mailto injection $0 (won’t fix) 02/03/2018
#BugBounty — ”I don’t need your current password to login into your account” - How could I completely takeover any user’s account in an online classified ads company. Avinash Jain (@logicbomb_1) - Authentication bypass - 02/03/2018
Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART 2) Mohammed Abdul Raheem - IDOR $3000 02/03/2018
Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART-1) Mohammed Abdul Raheem - IDOR $3000 02/02/2018
Internal IPs disclosure @omespino Nokia Internal IP disclosure - 02/02/2018
How I was able to Bypass XSS Protection on HackerOne’s Private Program Jay Jani (@JayJani007) - XSS - 02/02/2018
Getting access to prompt debug dialog and serialized tool on main website facebook.com @omespino Facebook Debug info disclosure - 01/31/2018
How I was able to Download Any file from Web server! hammadhassan924 - XSS, IDOR $450 01/27/2018
How I got 22000$ worth ethereum Shubham Gupta - Blind XSS ~22,000 Ethereum 01/26/2018
JSON CSRF attack on a Social Networking Site[Hackerone Platform] Sahil Tikoo (@viperbluff) Badoo CSRF $280 01/26/2018
Here’s how I could’ve ridden for free with Uber Anand Prakash (@sehacure) Uber Logic flaw $5,000 01/26/2018
Full Account Takeover through CORS with connection Sockets Samuel (@saamux) - CORS misconfiguration, Account takeover - 01/25/2018
[Yahoo Bug Bounty] Unauthorized Access to Unisphere Management Server Debugging Facility on https://bf1-uaddbcx-002.data.bf1.yahoo.com/Debug/ Peerzada Fawaz Ahmad Qureshi (@zk34911) Yahoo Authorization flaw $300 01/25/2018
No RCE? Then SSH to the box! Jasmin Laundry - LFI, Directory traversal, RCE - 01/25/2018
Reflected XSS + Possible Server Side Template Injection in HubSpot CMS ( All Websites Uses HubSpot was affected ) Mohamed Haron (@m7mdharon) Hubspot Reflected XSS - 01/24/2018 Archived content
#BugBounty @ Linkedln-How I was able to bypass Open Redirection Protection Avinash Jain (@logicbomb_1) LinkedIn Open redirect - 01/24/2018
Asus Cross Site Scrpting And Directory Listing Vulnerability Adesh Kolte (@AdeshKolte) Asus Directory listing, XSS - 01/23/2018
File Disclosure via .DS_Store file (macOS) @omespino Facebook Directory listing - 01/23/2018
Internshala Bug in Internshala Student Partner Circle Ninja (@circleninja) Internshala Bruteforce $0 01/20/2018
Reflected File Download ( RFD ) in www.Google.com Mohamed Haron (@m7mdharon) Google Reflected File Download $0 01/18/2018 Archived content
$1800 in less than an hour. yappare (@yappare) Indeed CSRF, XSS $1,800 01/17/2018
Reflected XSS via AngularJS Template Injection Taha Ibrahim Draidia Hostinger Reflected XSS, CSTI - 01/17/2018
#BugBounty — AWS S3 added to my “Bucket” list! Avinash Jain (@logicbomb_1) - AWS flaws - 01/16/2018
View the bug subscriptions for any Oculus User Philippe Harewood (@phwd) Facebook IDOR - 01/15/2018
Hacking Facebook accounts using CSRF in Oculus-Facebook integration Josip Franjkovic Facebook CSRF - 01/15/2018
#BugBounty — How I was able to delete anyone’s account in an Online Car Rental Company Avinash Jain (@logicbomb_1) - CSRF, Web parameter tampering - 01/14/2018
Google Tez XSS @Pethuraj Google XSS $3,133.7 01/13/2018
#BugBounty — How I was able to read chat of users in an Online travel portal Avinash Jain (@logicbomb_1) - IDOR - 01/10/2018
RCE Vulnerabilite in Yahoo Subdomain! ( Yahoo! RCE via Spring Engine SSTI ) By tghawkins Mohamed Haron (@m7mdharon) Yahoo! RCE $8,000 01/05/2018 Archived content
Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART-1) Mohammed Abdul Raheem - IDOR $3,000 02/04/2018
F**k you Thomas” - ToyTalk bug bounty writeup Jahmel Harris ToyTalk Authentication bypass, HTML injection - 01/04/2018
Content Injection in DuoLingo’s TinyCards App for Android [CVE-2017-16905] Nightwatch Cyber (@nightwatchcyber) DuoLingo Content injection - 01/04/2018
Abusing internal API to achieve IDOR in New Relic Jon Bottarini (@jon_bottarini) New Relic IDOR $1000 01/02/2018

Bug bounty writeups published in 2017

</tr>
Title & URL Author Bug bounty program Vulnerability Reward $$$ Publication date
Stealing $10,000 Yahoo Cookies! Tabahi Yahoo CORS flaw $10,000 12/30/2017
Jumping to the hell with 10 attempts to bypass devil’s WAF Ak1T4 (@akita_zen) - XSS - 12/27/2017
Microsoft SharePoint’s ‘Follow’ Feature XSS (CVE-2017–8514) -Adesh Kolte Adesh Kolte (@AdeshKolte) Microsoft XSS - 12/21/2017
Account Takeover Due to Misconfigured Login with Facebook/Google Bhavuk Jain (@bhavukjain1) Google, Facebook Account takeover, Authorization flaw - 12/20/2017
P4 to P2 - The story of one blind SSRF Mikhail Klyuchnikov (@__Mn1__) - Blind SSRF - 12/19/2017
Unrestricted File Upload to RCE | Bug Bounty POC Muhammad Khizer Javed / babayaga47 (@khizer_javed47) Facebook RCE - 12/19/2017
Don’t Trust the Host Header for Sending Password Reset Emails Jack Cable Mavenlink Password reset flaw, Account takeover $1,500 12/13/2017
How I was able to takeover Facebook account Ameer Hamza Facebook Authentication bypass $0 12/10/2017
Using App Ads Helper as an Analytic User Joshua Regio Facebook Authorization flaw $500 12/09/2017
Bug Bounty: Fastmail Brian Hyde Fastmail Read-only access to private server files, Blind SSRF/Blind XXE $3000 12/08/2017
How I Was Able To See The Bounty Balance Of Any Bug Bounty Program In HackerOne Cj Legacion Hackerone Logic flaw $0 12/06/2017
Getting a RCE — CTF Way Uranium238 (@uraniumhacker) - RCE - 12/05/2017
DEV XSS Protection bypass made my quickest bounty ever!! Yeasir Arafat - XSS $150 12/03/2017
LFI to Command Execution: Deutche Telekom Bug Bounty Daniel Maksimovic Deutche Telekom LFI, RCE - 11/30/2017
Image removal vulnerability in Facebook polling feature Pouya Darabi (@Pouyadarabi) Facebook IDOR $10,000 11/25/2017
Story of bypassing Referer Header to make open redirect Mohammed Eldeeb (@malcolmx0x) - Open redirect - 11/22/2017
Taking note: XSS to RCE in the Simplenote Electron client Yasin Soliman (@SecurityYasin) Automattic XSS, RCE - 11/22/2017
Amazon Bypass Open Redirect Honc (@honcbb) Amazon Open redirect - 11/19/2017
VMware Official VCDX Reflected XSS Honc (@honcbb) VMware Reflected XSS - 11/19/2017
UBER Wildcard Subdomain Takeover | BugBounty POC Muhammad Khizer Javed / babayaga47 (@khizer_javed47) Uber Subdomain takeover - 11/20/2017
Account Take Over Vulnerability in Google acquisition [Famebit] Hassan Khan Yusufzai Google CSRF - 11/17/2017
Transforming a Domain into the Matrix (an open redirect story) Ak1T4 (@akita_zen) - Open redirect - 11/17/2017
SQL in everywhere. Utkarsh Agrawal - SQL injection $0 11/16/2017
Why I walked away from $30,000 of DJI bounty money Kevin Finisterre DJI AWS flaw $0 11/16/2017
SQL in everywhere. Utkarsh Agrawal - SQL injection $0 11/16/2017
Bypassing Crossdomain Policy and Hit Hundreds of Top Alexa Sites Ak1T4 (@akita_zen) - CSRF - 11/16/2017
How signing up for an account with an @company.com email can have unexpected results @zseano - Logic flaw - 11/15/2017
How I Pwned a company using IDOR & Blind XSS Osama Ansari - IDOR, Blind XSS - 11/15/2017
From Recon to DOM-Based XSS Abdelfattah Ibrahim - DOM XSS - 11/11/2017
Stealing bitcoin wallet backups from blockchain.info Shashank Blockchain.info Logic flaw $1,600 11/11/2017
How to delete all company progress by one “rm” command in AWS s3 Buckets Valeriy Shevchenko - AWS flaw $0 11/09/2017
Local File Read via XSS in Dynamically Generated PDF Rahul Maini - XSS, LFI - 11/08/2017
From SSRF to Local File Disclosure Tung Pun - SSRF, Local File Disclosure $0 11/08/2017
Get your Microsoft account hijacked by simply clicking connect button -Adesh Kolte Adesh Kolte (@AdeshKolte) Microsoft Stored XSS - 11/06/2017
Open redirect in informatica (BugBounty) Vulnerables Informatica Open redirect - 11/06/2017
Multiple Intel Vulnerabilities-Adesh Kolte Adesh Kolte (@AdeshKolte) Intel Open redirect, Directory listing - 11/05/2017
Non-persistent XSS at Microsoft -Adesh Kolte Adesh Kolte (@AdeshKolte) Microsoft Reflected XSS - 11/05/2017
CRLF injection in blockchain.info Shashank Blockchain.info CRLF injection $1,600 11/05/2017
Accessing Localhost via Vhost Muhammad Khizer Javed / babayaga47 (@khizer_javed47) - vhost flaw - 11/04/2017
Senstive Information Leak Lead To join any Organisation Shivbihari Pandey (@ninja_pandit_) - Information disclosure - 11/04/2017
Accessing Localhost via Vhost | VIRTUAL HOST ENUMERATION | BugBounty POC Muhammad Khizer Javed / babayaga47 (@khizer_javed47) - vHost enumeration - 11/04/2017
[Facebook Bug Bounty] How I was able to enumerate Instagram Accounts who had enabled 2FA (Two Step Verification) for additional protection Peerzada Fawaz Ahmad Qureshi (@zk34911) Facebook Logic flaw $500 11/03/2017
App Maker and Colaboratory: a stored Google XSS double-bill Yasin Soliman (@SecurityYasin) Google Stored XSS - 11/01/2017
How I hacked Google’s bug tracking system itself for $15,600 in bounties Alex Birsan Google Logic flaws $15,600 10/30/2017
Abusing new Claps feature in Medium Sai Krishna Kothapalli Medium IDOR $0 10/29/2017
Slack SAML authentication bypass Antonio Sanso (@asanso) Slack Authentication bypass $3,000 10/26/2017
How i found an SSRF in Yahoo! Guesthouse (Recon Wins) Th3G3nt3lman Yahoo SSRF - 10/20/2017
Taking over every Ad on OLX (automated), an IDOR story Roderick Schaefer OLX IDOR - 10/18/2017
Sensitive data exposure by requesting a resource with a different content type Yogendra Jaiswal (Vulnholic) - Information disclosure - 10/17/2017
How I hacked all the [REDACT] Agents accounts Neeraj Sonaniya - Default credentials $100 10/17/2017
Reading Internal Files using SSRF vulnerability Neeraj Sonaniya - SSRF - 10/16/2017
DOM XSS – auth.uber.com StamOne_ Uber DOM XSS - 10/14/2017
How I was Able to see someone’s all private files with a single file share link through Atom feed & Never Give Up #togetherwehitharder HackerOne Yogendra Jaiswal (Vulnholic) - Information disclosure - 10/13/2017
Leaking Amazon.com CSRF Tokens Using Service Worker API Abdullah Hussam (@Abdulahhusam) Amazon CSRF $0 10/11/2017
Bugcrowd’s Domain & Subdomain Takeover vulnerability! Muhammad Khizer Javed / babayaga47 (@khizer_javed47) Bugcrowd Subdomain takeover $600 10/10/2017
Exploiting Insecure Cross Origin Resource Sharing ( CORS ) | api.artsy.net Muhammad Khizer Javed / babayaga47 (@khizer_javed47) Artsy CORS flaw - 10/10/2017
Subdomain Takeover Through Expired Cloudfront Distribution Muhammad Khizer Javed / babayaga47 (@khizer_javed47) Lamborghini Subdomain takeover - 10/10/2017
Facebook GraphQL CSRF Philippe Harewood (@phwd) Facebook CSRF $7,500 10/08/2017
How I Was Able To View Private Tweets Of Any Private Twitter Account Cj Legacion Twitter IDOR - 10/06/2017
How I could have mass uploaded from every Flickr account! Jazzy (@ret2got) Yahoo Bruteforce $4,000 10/05/2017
Device Authorization Bypass! Hassan Khan Yusufzai - Authorization flaw - 09/25/2017
Filter Bypass to Reflected XSS on https://finance.yahoo.com (mobile version) Samuel (@saamux) Yahoo Reflected XSS - 09/24/2017
900$ XSS in yahoo ( Recon Wins ) Th3G3nt3lman Yahoo XSS $900 09/24/2017
How i bypassed Practo’s firewall and triggered a XSS. Vipin Chaudhary Practo XSS - 09/23/2017
IDOR – Execute JavaScript into anyone account Shubham Gupta Terapeak IDOR, Stored XSS - 09/21/2017
Stored XSS to Full Information disclosure Shubham Gupta Terapeak Stored XSS $750 09/21/2017
Luminate Internal Privilege Escalation — Admin to Owner Rojan Rijal (@uraniumhacker) <td markdown="span">Yahoo Authorization flaw - 09/21/2017
All About Hackerone Private Program Terapeak Shubham Gupta Terapeak IDOR, Reflected XSS $0 09/20/2017
This domain is my domain — G Suite A record vulnerability Rojan Rijal (@uraniumhacker) <td markdown="span">Google Domain takeover - 09/20/2017
Multiple vulnerabilities in Oracle EBS Shubham Gupta - SQL injection, XXE, XSS - 09/19/2017
First bounty, time to step up my game Roderick Schaefer - SOME - 09/19/2017
Exploiting a Single Request for Multiple Vulnerabilities Osama Ansari - Stored XSS, Reflected XSS, SSRF, Command injection - 09/19/2017
Story of a Parameter Specific XSS! Rahul Maini - XSS - 09/19/2017
Chaining Self XSS with UI Redressing is Leading to Session Hijacking (PWN users like a boss) Armaan Pathan - Self XSS, Clickjacking - 09/18/2017
Stored XSS] with arbitrary cookie installation Arbaz Hussain - XSS - 09/17/2017
URL Whitelist Bypass - Accounts Google (accounts.google.com) - VRP Manuel Sousa (@manuelvsousa) Google Open redirect $0 (Duplicate), HoF 09/10/2017
How I hacked hundreds of companies through their helpdesk Inti De Ceukelaire (@securinti) Gitlab, Slack, Yammer, Kayako, Zendesk & more Logic flaw, Ticket Trick $5,000 09/10/2017
Bypassing Facebook Profile Picture Guard Security. Armaan Pathan Facebook Authorization flaw $0 09/09/2017
Phishing with history.back() open redirect Brian Hyde - Open redirect - 09/09/2017
Reflective XSS and Open Redirect on Indeed.com subdomain Syntax Error Indeed Reflective XSS, Open redirect - 09/04/2017
How I found Reflective XSS in Yahoo Subdomain Syntax Error Yahoo Reflective XSS - 09/03/2017
IDOR on HackerOne Hacker Review “What Program Say” Japz Divino Hackerone IDOR $0, Swag 09/02/2017
Don’t just alert(1) , Because XSS is for fun…!! Armaan Pathan Optimizely XSS $0 09/02/2017
My write up about UBER Cross-site scripting by help of KNOXSS Emad Shanab Uber Reflected XSS $500 09/02/2017
Stealing 0Auth Token (MITM) Arbaz Hussain - OAuth flaw - 09/01/2017
Reflected XSS in Yahoo! Shahzada AL Shahriar Khan Yahoo Reflected XSS $700 08/31/2017
Uber XSS via Cookie Chaobin Zhang Uber XSS $5,000 08/30/2017
Luminate Store Basics defacement and potential takeover Rojan Rijal (@uraniumhacker) <td markdown="span">Yahoo CSRF, Improper session management - 08/30/2017
Developer Luminate IDOR Rojan Rijal (@uraniumhacker) <td markdown="span">Yahoo IDOR - 08/30/2017
Developer Luminate IDOR Uranium238 (@uraniumhacker) Yahoo IDOR - 08/30/2017
Luminate Store Basics defacement and potential takeover Uranium238 (@uraniumhacker) Yahoo CSRF - 08/30/2017
Improper Storage of Private Project’s Files Arbaz Hussain - IDOR - 08/30/2017
Bypassing Rate Limit Protection by spoofing originating IP Arbaz Hussain - Bruteforce - 08/30/2017
Upgrade from LFI to RCE via PHP Sessions Julien Ahrens - LFI, RCE - 08/28/2017
Pre-domain wildcard CORS Exploitation Arbaz Hussain - CORS flaw $1000 08/26/2017
Facebook stories disclose Facebook friend list Philippe Harewood (@phwd) Facebook Logic flaw, Authorization flaw - 08/24/2017
Password Not Provided - Compromising Any Flurry User’s Account [Yahoo Bug Bounty] Jack Cable Yahoo Authentication flaw, Account takeover - 08/15/2017
Accidentally typo to bypass administration access yappare (@yappare) - Authentication bypass - 08/13/2017
Reflected XSS on www.yahoo.com Samuel (@saamux) Yahoo Reflected XSS - 08/12/2017
Chain the vulnerabilities and take your report impact on the moon (CSRF to HTML INJECTION which results OPEN REDIRECT and could steal USER CREDENTIALS) Armaan Pathan Legal Robot CSRF, HTML injection $40 08/12/2017
Armaan Patha Armaan Pathan Facebook IDOR $2,000 08/11/2017
Getting access to 25k employees details Sahil Ahamad - Exposed registration page $2500 08/11/2017
How to confirm a Google user’s specific email address (Bug Bounty Submission) Tom Anthony (@TomAnthonySEO) Google Logic flaw $0 08/09/2017
XSS Because of wrong Content-type Header Noman Shaikh Internshala XSS - 08/04/2017
Business Logic Vulnerabilities Series: How I became invisible and immune to blocking on Instagram! Ali Kabeel Facebook Logic flaw - 07/31/2017
How i found massive information disclosure of 1500 famous people Valeriy Shevchenko - Information disclosure - 07/31/2017
Referer Based XSS Arbaz Hussain - XSS - 07/30/2017
How we invented the Tesla DOM DOOM XSS Detectify Labs Tesla DOM XSS - 07/27/2017
Disabling New Emails From Facebook Without Email Owner Interaction Zahid Ali Facebook Logic flaw, Authorization flaw $0 07/26/2017
Rolling around and Bypassing Facebook’s Linkshim protection on iOS Seif Elsallamy Facebook Open redirect $0 07/26/2017
Stored XSS on Rockstar Game Arbaz Hussain Rockstar Games XSS $1,000 07/26/2017
Open Redirect In Flock | My First Swag pack Noman Shaikh Flock Open redirect - 07/24/2017
May the Shells be with You - A Star Wars RCE Adventure! Andy Gill - RCE - 07/22/2017
How i was able to bypass strong xss protection in well known website. (imgur.com) Armaan Pathan Imgur XSS $250 07/21/2017
Missing Authorization check in Facebook Pages Manager Arbaz Hussain Facebook Authorization flaw $1,000 07/20/2017
Race Condition bypassing team limit Arbaz Hussain - Race condition - 07/20/2017
Self XSS to Good XSS Clickjacking Arbaz Hussain - XSS, Clickjacking $300 07/20/2017
Business Logic Vulnerabilities Series: A brief on Abusing Invitation Systems Ali Kabeel Facebook Logic flaw - 07/19/2017
That Escalated Quickly : From partial CSRF to reflected XSS to complete CSRF to Stored XSS Mandeep Jadon (@1337tr0lls) - CSRF, Reflected XSS, Stored XSS - 07/19/2017
Xss using dynamically generated js file Arbaz Hussain - XSS $150 07/19/2017
Exploiting Misconfigured CORS on popular BTC Site Arbaz Hussain - CORS flaw - 07/19/2017
Stealing Access Token of One-drive Integration By Chaining CSRF Vulnerability Arbaz Hussain - OAuth flaw, CSRF - 07/18/2017
IDOR While Connecting Social Account in Hackster.io Arbaz Hussain Hackster.io IDOR - 07/18/2017
Bypassing XSS Filtering at Anchor Tag Arbaz Hussain - XSS $500 07/18/2017
ctrl+c & ctrl+v to Steal SESSIONID Arbaz Hussain - Clickjacking $100 07/18/2017
How to find internal subdomains? YQL, Yahoo! and bug bounty. Wojciech Yahoo Information disclosure $0 07/16/2017
Hey UserID x, what’s your secret token? Broken API enables me to leak/modify any users personal information @zseano - IDOR, Account takeover - 07/13/2017
Fabric.io API permission apocalypse – Privilege Escalations wesecureapp Twitter Authorization flaw, Account takeover - 07/10/2017
How we tookover shopify accounts with one single click wesecureapp Shopify Stored XSS - 07/10/2017
XSS by tossing cookies wesecureapp Microsoft, Twitter XSS - 07/10/2017
How a simple IDOR become a $4K User Impersonation vulnerability Shahmeer Amir (@Shahmeer_Amir) - IDOR $4,250 07/08/2017
Coinbase AngularJS DOM XSS via Kiteworks Pauloas yibelo Coinbase DOM XSS - 07/08/2017
Medium Content Spoofing Leads to XSS Abdullah Hussam (@Abdulahhusam) Medium Content spoofing, Stored XSS - 07/08/2017
Managed Apps and Music: a tale of two XSSes in Google Play Yasin Soliman (@SecurityYasin) Google XSS - 07/07/2017
Making an XSS triggered by CSP bypass on Twitter. tbmnull Twitter XSS, CSP bypass - 07/06/2017
OpenProject Session Management Security Vulnerability aka CVE-2017-11667 Mohamed A. Baset OpenProject Improper session management - 06/30/2017
Posting on groups as people whenever their email was known by an attacker Zahid Ali Facebook Authorization flaw $7,500 06/29/2017
Escalating XSS in PhantomJS Image Rendering to SSRF/Local-File Read Brett Buerhaus - XSS, SSRF, LFI - 06/29/2017
CVE-2017-10711: Reflected XSS vulnerability in SimpleRisk – Open Source Risk Management System Mohamed A. Baset SimpleRisk Reflected XSS - 06/28/2017
Road to (unauthenticated) recovery: downloading GitHub SSO bypass codes Yasin Soliman (@SecurityYasin) Github Authorization flaw - 06/25/2017
Authentication bypass on Uber’s Single Sign-On via subdomain takeover Arne Swinnen Uber Subdomain takeover, Authentication bypass $4,500 06/25/2017
Stored XSS in the heart of the Russian email provider giant (Mail.ru) Seif Elsallamy Mail.ru Stored XSS $600 06/24/2017
Yahoo Small Business (Luminate) and the Not-So-Secret Keys Tommy DeVoss / dawgyg (@thedawgyg) Yahoo Blind SSRF $9,000 06/23/2017
How I Built An XSS Worm On Atmail Jake Miller Atmail XSS - 06/23/2017
Authentication bypass on Airbnb via OAuth tokens theft Arne Swinnen Airbnb OAuth flaw, Login CSRF, Open redirect, Authentication bypass $5,000 06/22/2017
How I hacked 23.900.000 tumblr domains at once :) Ak1T4 (@akita_zen) Automattic (Tumblr) IDOR $0 06/19/2017
XSS on Bugcrowd and so many other website’s main Domain Bull Bugcrowd Reflected XSS $600 06/14/2017
Vulnerability in Metasploit Project aka CVE-2017-5244 Mohamed A. Baset Rapid7 CSRF - 06/12/2017
Godaddy XSS affects parked domains redirector/processor! Mohamed A. Baset GoDaddy Reflected XSS - 06/11/2017
Let’s steal some tokens! Mahmoud Gamal (@Zombiehelp54) Google, Shopify, [Private program] CSRF, XSS, Account takeover $1,000 06/11/2017
WHATSAPP — DOS VULNERABILITY IN IOS & ANDROID Vishnu Prasad P G Facebook DOS $500 06/07/2017
From JS to another JS files lead to authentication bypass yappare (@yappare) - Authentication bypass - 06/06/2017
How I got 5500$ from Yahoo for RCE Th3G3nt3lman Yahoo RCE $5,500 06/04/2017
Django Privilege Escalation – Zero To Superuser Sean Melia - Privilege escalation - 06/01/2017
XSS on Google{5.000$}-Google Vulnerability Reward Program (VRP) - Google Stored XSS $5,000 05/30/2017
Pivoting from blind SSRF to RCE with HashiCorp Consul Peter Adkins - Blind SSRF, RCE - 05/29/2017
A pair of Plotly bugs: Stored XSS and AWS Metadata SSRF Yasin Soliman (@SecurityYasin) Plotly Stored XSS, SSRF - 05/25/2017
Hacking the NHS for Fun and No Profit Nathan (@NathOnSecurity) NHS SQL injection, LFI $0 05/22/2017
One Cloud-based Local File Inclusion = Many Companies affected Francisco Correa (@panchocosil) Oracle Responsys, Facebook, Linkedin, Dropbox Directory traversal - 05/17/2017
Find Mingle Suggestions for any Facebook User (Revisited) Philippe Harewood (@phwd) Facebook Logic flaw, Authorization flaw - 05/11/2017
I got emails — G Suite Vulnerability Rojan Rijal (@uraniumhacker) <td markdown="span">Google, Yelp, Facebook Logic flaw, Email takeover - 05/05/2017
AWS S3 bucket misconfiguration - Paytm Tutorgeeks (@tutorgeeks) Paytm AWS flaw $0, HoF 04/18/2017
Inspect Element leads to Stripe Account Lockout Authentication Bypass Jon Bottarini (@jon_bottarini) Stripe Authentication bypass $500 04/03/2017
Airbnb – Web to App Phone Notification IDOR to view Everyone’s Airbnb Messages Brett Buerhaus (@bbuerhaus), Ben Sadeghipour (@nahamsec) Airbnb IDOR - 03/31/2017
Hundreds of hundreds sub-secdomains hack3d! (including Hacker0ne) Ak1T4 (@akita_zen) Hackerone Subdomain takeover $1,000 03/28/2017
Critical information disclosure on Wappalyzer.com Davide Tampellini Wappalyzer Information disclosure - 03/24/2017
Near universal XSS in McAfee Web Gateway Olivier Arteau McAfee XSS - 03/17/2017
Penetrating PornHub – XSS vulns galore (plus a cool shirt!) Jon Bottarini (@jon_bottarini) PornHub XSS $250 03/16/2017
Airbnb – Ruby on Rails String Interpolation led to Remote Code Execution Brett Buerhaus (@bbuerhaus), Ben Sadeghipour (@nahamsec) Airbnb RCE - 03/13/2017
How I found a $5,000 Google Maps XSS (by fiddling with Protobuf) Marin Moulinier Google XSS $5,000 03/09/2017
Airbnb – Chaining Third-Party Open Redirect into Server-Side Request Forgery (SSRF) via LivePerson Chat Brett Buerhaus (@bbuerhaus), Ben Sadeghipour (@nahamsec) Airbnb Open redirect, SSRF, Path traversal - 03/09/2017
Airbnb – When Bypassing JSON Encoding, XSS Filter, WAF, CSP, and Auditor turns into Eight Vulnerabilities Brett Buerhaus (@bbuerhaus), Ben Sadeghipour (@nahamsec) Airbnb XSS, CSP bypass - 03/08/2017
Ok Google, Give Me All Your Internal DNS Information! Julien Ahrens Google SSRF - 03/01/2017
Hacking Slack using postMessage and WebSocket-reconnect to steal your precious token Frans Rosén Slack postMessage flaw, Violation of Secure Design Principles 3,000 02/28/2017
How I got your phone number through Facebook Inti De Ceukelaire (@securinti) Facebook Logic flaw - 02/20/2017
How I bypassed State Bank of India OTP. Neeraj Sonaniya State Bank of India OTP bypass $0 02/20/2017
How I was able to remove your Instagram Phone number Neeraj Sonaniya Facebook Bruteforce $1,000 02/20/2017
From RSS to XXE: feed parsing on Hootsuite Yasin Soliman (@SecurityYasin) Hootsuite XSS, XXE - 02/17/2017
SQL injection in an UPDATE query - a bug bounty story! Mahmoud Gamal (@Zombiehelp54) - SQL injection - 02/17/2017
Lightweight markup: a trio of persistent XSS in GitLab Yasin Soliman (@SecurityYasin) Gitlab Stored XSS - 02/15/2017
Vulnerabilities in Facebook Login Approval Form Zahid Ali Facebook Authorization flaw, Logic flaw $2,250 02/14/2017
Facebook Account Recovery Form (CONFLICTING) Zahid Ali Facebook Logic flaw $1,000 02/13/2017
Bypassed Facebook Phone Number Security Zahid Ali Facebook Authorization flaw, Logic flaw, Information disclosure $3,000 02/10/2017
This domain is my domain - G Suite A record vulnerability White Hats - Nepal Google, Uber Subdomain takeover, Authorization flaw - 02/07/2017
Facebook Groups Hack Zahid Ali Facebook Authorization flaw, Logic flaw $3,000 02/04/2017
Cross Site Request Forgery in Facebook Zahid Ali Facebook CSRF $1,000 02/04/2017
I got emails - G Suite Vulnerability Uranium238 (@uraniumhacker) / White Hats - Nepal Google, Facebook, Yelp Logic flaw, Authorization flaw - 02/02/2017
12k$ for simple path traversal on http://web.whatsapp.com lalka Facebook Path traversal $12,000 01/31/2017
How I could have compromised any account on one of the biggest startup based in California Prateek Tiwari - Account takeover, IDOR, Password reset flaw - 01/28/2017
0day writeup: XXE in uber.com - Uber XXE $9,000 01/24/2017
How I could have Hacked IIT Guwahati’s website Sai Krishna Kothapalli IIT Guwahati Unrestricted file upload - 12/09/2017
My first bug on @facebook bug bounty program. lalka Facebook SQL injection - 01/03/2017

Bug bounty writeups published in 2016

Title & URL Author Bug bounty program Vulnerability Reward $$$ Publication date
IDOR in Facebook’s Acquisition (Parse) Venkatesh Sivakumar Facebook IDOR - 12/11/2016
The Orphaned Internet – Taking Over 120K Domains via a DNS Vulnerability in AWS, Google Cloud, Rackspace and Digital Ocean Matthew Bryan Google, Amazon, Rackspace, Digital Ocean Domain name takeover $1,337 12/05/2016
Authentication bypass on Ubiquity’s Single Sign-On via subdomain takeover Arne Swinnen Ubiquity Networks Subdomain takeover, Authentication bypass $500 11/29/2016
Bypassing Ebay XSS Protection to launch XSS by Nirmal Dahal Nirmal Dahal / White Hats - Nepal Ebay Reflective XSS - 11/18/2016
Svg XSS in Unifi v5.0.2 Shubham Gupta Ubiquity Networks Stored XSS - 11/13/2016
Stored XSS in UniFi v4.8.12 Controller Shubham Gupta Ubiquity Networks Stored XSS - 11/12/2016
Rewriting a photo not owned by the session user in Moments App (Revisited) Philippe Harewood (@phwd) Facebook Logic flaw, Authorization flaw - 10/27/2016
Leak Private Videos [Vimeo Bug Bounty] Abdullah Hussam (@Abdulahhusam) Vimeo Logic flaw, Authorization flaw $0 10/23/2016
Open Redirect Scanner with Uber.com Ak1T4 (@akita_zen) Uber Open redirect - 10/10/2016
Command Injection Without Spaces Fyoorer (@ƒyoorer) - Command injection - 10/02/2016
gif it time it’ll come to you - Finding More Holes in The Hub Andy Gill Pornhub XSS $0 10/01/2016
Persisting on Pornhub Andy Gill Pornhub Stored XSS $1,500 09/23/2016
Link Injection Manipulation at admin.google.com Ak1T4 (@akita_zen) Google Link injection - 09/23/2016
Vine Re-auth Bypass [Twitter Bug Bounty] Abdullah Hussam (@Abdulahhusam) Twitter Authentication flaw $420 09/21/2016
Bug Bounty : Account Takeover Vulnerability POC Rakesh Mane - OAuth flaw, account takeover, Stored self-XSS - 09/16/2016
How I snooped into your private Slack messages [Slack Bug bounty worth $2,500] Uranium238 (@uraniumhacker) / White Hats - Nepal Slack Subdomain takeover - 09/13/2016
Decoding a $😱,000.00 htpasswd bounty Patrik Fehrenbach (@ITSecurityguard) - .htpasswd misconfiguration $x,000 09/08/2016
Internet Explorer has a URL problem File Descriptor Github, Google OAuth flaw, RPO, XSS - 09/06/2016
Reading Uber’s Internal Emails [Uber Bug Bounty report worth $10,000] White Hats - Nepal Uber Subdomain takeover $10,000 09/05/2016
RCE In AddThis White Hats - Nepal AddThis RCE - 09/04/2016
PornHub: Email Confirmation Bypass Vaxo Dai (@___0x00) / White Hats - Nepal PornHub Email confirmation bypass $0 09/04/2016
Turning Self-XSS into Good XSS v2: Challenge Completed but Not Rewarded - Uber XSS, Arbitrary cookie installation $1,000 08/29/2016
[demo.paypal.com] Node.js code injection (RCE) Michael Stepankin (@artsploit) Paypal RCE - 08/19/2016
Swf XSS (Dom Based Xss) Shubham Gupta Ubiquiti Networks Flash XSS, DOM XSS - 07/31/2016
Xss filter bypass in Yahoo dev.flurry.com Shubham Gupta Yahoo! XSS - 07/31/2016
XSS on Flickr Shubham Gupta Yahoo! XSS $400, HoF 07/31/2016
CSV Injection -> Meterpreter on Pornhub Andy Gill Pornhub CSV injection $500 07/29/2016
Messenger.com Site-Wide CSRF Jack Whitton Facebook CSRF - 07/26/2016
BMW Vulnerabilities – Hijack Cars ConnectedDrive™ Service! Mohamed A. Baset BMW Clickjacking, CSRF - 07/24/2016
Remote Code Execution (RCE) on Microsoft’s ‘signout.live.com’ Peter Adkins Microsoft RCE $0 07/24/2016
How we broke PHP, hacked Pornhub and earned $20,000 Ruslan Habalov, cutz & Dario Weißer Pornhub RCE, Use-after-free $20,000 07/23/2016
Twitter’s Vine Source code dump - $10080 @avicoder Twitter Source code disclosure, Information disclosure $10,080 07/22/2016
Stealing Facebook access_tokens using CSRF in device login flow Josip Franjkovic Facebook CSRF, OAuth flaw, Information disclosure - 07/19/2016
How I Could Steal Money from Instagram, Google and Microsoft Arne Swinnen Google, Microsoft, Facebook Logic flaw $2,500 07/15/2016
Race conditions on the web Josip Franjkovic Cobalt.io, Facebook, Mega.nz, Keybase Race condition $8,450 07/12/2016
TopCoder.com Vulnerabilities – A tail of site-wide bugs leads to accounts compromise & payments hijacking Mohamed A. Baset Topcoder.com CSRF, Account takeover, Payment hijacking - 06/28/2016
Uber Hacking: How we found out who you are, where you are and where you went Vitor “r0t” Oliveira (@r0t1v) Uber Bruteforce, Information disclosure, Logic flaw, IDOR $18,000 06/24/2016
Medium Full Account Takeover By One Click Abdullah Hussam (@Abdulahhusam) Medium XSS $100 06/23/2016
Two vulnerabilities makes an Exploit!! (XSS and CSRF in Bing) Sai Krishna Kothapalli Microsoft XSS, CSRF - 06/10/2016
Why you shouldn’t share links on Facebook Inti De Ceukelaire (@securinti) Facebook - $0 06/09/2016
Popping the Pornhub Cherry Andy Gill Pornhub Information disclosure $2,500 06/07/2016
RunKeeper Stored XSS Vulnerability – Where worms are able to run too! Mohamed A. Baset RunKeeper Stored XSS, CSRF - 06/06/2016
InstaBrute: Two Ways to Brute-force Instagram Account Credentials Arne Swinnen Facebook Bruteforce, User enumeration $5,000 05/19/2016
Microsoft Yammer Clickjacking – Exploiting HTML5 Security Features Mohamed A. Baset Microsoft Clickjacking - 05/18/2016
When your privacy disclosure is a “feature” not a “bug” – Badoo & HotorNot failure! Mohamed A. Baset Badoo, Hot or not Information disclosure $0 05/17/2016
Sleeping stored Google XSS Awakens a $5000 Bounty Patrik Fehrenbach (@ITSecurityguard) Google Stored XSS $5000 05/17/2016
How I bypassed Facebook CSRF once again! Pouya Darabi (@Pouyadarabi) Facebook CSRF $7,500 05/17/2016
Facebook Vulnerability – a “Cute Bug” that reveals the “likes” of deleted posts regardless of their privacy settings Mohamed Aty Facebook Logic flaw $0 05/13/2016
Fiverr.com Full Accounts Takeover – A Vulnerability Puts $50 Million Company At Risk Mohamed A. Baset Fiverr CSRF - 05/13/2016
FirefoxOS Find My Device Service Clickjacking Bug results in Changing PINs, Wiping and Locking Phones! Mohamed A. Baset Mozilla Clickjacking - 05/12/2016
Poisoning the Well – Compromising GoDaddy Customer Support With Blind XSS Matthew Bryant GoDaddy Blind XSS - 05/08/2016
Facebook movies recommendation vulnerability – A bug capable of erasing all your important notifications! Mohamed A. Baset Facebook Logic flaw, DoS - 05/05/2016
WhatsApp Clickjacking Vulnerability – Yet another web client failure! Mohamed A. Baset Facebook Clickjacking - 05/04/2016
Official Telegram Web Client ClickJacking Vulnerability – When crypto is strong and client is weak Mohamed A. Baset Telegram Clickjacking - 04/28/2016
Facebook ClickJacking – How we put a new dress on Facebook UI Mohamed A. Baset Facebook Clickjacking - 04/22/2016
ESEA Server-Side Request Forgery and Querying AWS Meta Data Brett Buerhaus ESEA SSRF $1,000 04/18/2016
Yahoo Login Protection Seal – Stored CSS Injection Brett Buerhaus Yahoo Stored CSS injection $0 04/18/2016
Facebook Invitees Email Address Disclosure Shahar Albeck Facebook Information disclosure - 04/03/2016
Obtaining Login Tokens for an Outlook, Office or Azure Account Jack Whitton Microsoft CSRF - 04/03/2016
How I Could Compromise 4% (Locked) Instagram Accounts Arne Swinnen Facebook IDOR, DoS, Authorization flaw $5,000 03/27/2016
Uber Bug Bounty: Turning Self-XSS into Good-XSS Jack Whitton Uber XSS - 03/22/2016
Command injection which got me “6000$” from #Google Venkatesh Sivakumar Google Command injection $6,000 03/15/2016
Hacking Magento eCommerce For Fun And 17.000 USD Venkatesh Sivakumar Ebay Information disclosure, LFI, RFI $17,000 03/03/2016
Ubiquiti Bug Bounty: UniFi v3.2.10 Generic CSRF Protection Bypass Julien Ahrens Ubiquiti Networks CSRF $500 02/23/2016
How I Hacked [Oculus] OAuth +Ebay +IBM Abdullah Hussam (@Abdulahhusam) Facebook, Ebay, IBM, AnswerHub Unrestricted file upload, XSS $0 02/12/2016
A Hilarious ESET Broken Authentication Vulnerability (one click free purchase) Mohamed A. Baset ESET Authentication flaw, SQL injection - 02/12/2016
How I got access to millions of [redacted] accounts Bitquark - RFI² - 02/09/2016
An XSS on Facebook via PNGs & Wonky Content Types Jack Whitton Facebook XSS - 01/27/2016
[manager.paypal.com] Remote Code Execution Vulnerability Michael Stepankin (@artsploit) Paypal RCE - 01/25/2016
Broken Access Control in bingmapsportal !!! Sai Krishna Kothapalli Microsoft Broken access control - 01/23/2016
Click Jacking in bingmapsportal Sai Krishna Kothapalli Microsoft Clickjacking - 01/23/2016

Bug bounty writeups published in 2015

Title & URL Author Bug bounty program Vulnerability Reward $$$ Publication date
Leaking API keys in Bing Maps Portal Sai Krishna Kothapalli Microsoft IDOR - 12/31/2015
Instagram’s Million Dollar Bug Wesley Wineberg Facebook RCE $2,500 12/27/2015
Cloudflare WAF XSS Abdullah Hussam (@Abdulahhusam) Cloudflare XSS $0 11/16/2015
Open Redirect in Linkedin and Yahoo Vitor “r0t” Oliveira (@r0t1v) Linkedin, Yahoo Open redirect - 24/09/2015
XSS vulnerability in Google image search Mahmoud Gamal (@Zombiehelp54) Google XSS - 09/18/2015
XSS to RCE in … Neil Hakuna Matatall - XSS, RCE - 09/08/2015
CVE-2014-7216: A Journey Through Yahoo’s Bug Bounty Program Julien Ahrens Yahoo Buffer Overflow $0 09/03/2015
Blind SQL Inejction [Hootsuite] Abdullah Hussam (@Abdulahhusam) Hootsuite Blind SQL injection - 08/01/2015
One Payload to XSS Them All! Abdullah Hussam (@Abdulahhusam) Adobe Flash XSS - 08/03/2015
Bypassing Google Authentication on Periscope’s Administration Panel Jack Whitton Google Authentication bypass - 07/20/2015
The easiest bug bounties I have ever won Josip Franjkovic Facebook IDOR - 13/07/2015
Bypass ad account roles vulnerability 2015 Pouya Darabi (@Pouyadarabi) Facebook Authorization flaw $8,000 05/15/2015
Race conditions on Facebook, DigitalOcean and others (fixed) Josip Franjkovic Facebook, DigitalOcean, LastPass Race condition - 04/27/2015
How I bypassed Facebook CSRF Protection Pouya Darabi (@Pouyadarabi) Facebook CSRF $15,000 04/09/2015
Neglected DNS records exploited to takeover subdomains Yassine Aboukir (@Yassineaboukir) Heroku Subdomain takeover - 02/20/2015
Google.com – Mobile Feedback URL Redirect Regex/Validation Flaw Brett Buerhaus Google Open redirect $500 02/03/2015
Flickr API Explorer – Force users to execute any API request. Brett Buerhaus Yahoo CSRF $100 02/03/2015
admin.google.com Reflected Cross-Site Scripting (XSS) Brett Buerhaus Google Reflected XSS $5,000 01/21/2015
Yahoo – Root Access SQL Injection – tw.yahoo.com Brett Buerhaus Yahoo SQL injection - 01/15/2015
Papyal XML Upload Cross Site Scripting Vulnerability Patrik Fehrenbach (@ITSecurityguard) Paypal XSS - 01/07/2015

Bug bounty writeups published in 2014

Title & URL Author Bug bounty program Vulnerability Reward $$$ Publication date
How I discovered a 1000$ open redirect in Facebook Yassine Aboukir (@Yassineaboukir) Facebook Open redirect $1,000 12/30/2014
Reflected Cross Site Scripting at Paypal.com Patrik Fehrenbach (@ITSecurityguard) Paypal Reflected XSS - 12/15/2014
Malicious redirect on mailroom.prezi.com Patrik Fehrenbach (@ITSecurityguard) Prezi Open redirect $500 12/10/2014
Reading local files from Facebook’s server (fixed) Josip Franjkovic Facebook LFI, Arbitrary File upload - 12/06/2014
Google Bug Bounty: Nice Catch on Google Cloud Platform Live Julien Ahrens Google Reflected XSS - 11/20/2014
Reflected Cross Site Scripting BillMeLater Patrik Fehrenbach (@ITSecurityguard) BillMeLater Reflected XSS $0 11/17/2014
Paypal stored XSS + Security bypass Patrik Fehrenbach (@ITSecurityguard) Paypal Stored XSS - 11/11/2014
Paypal DOM XSS main domain Patrik Fehrenbach (@ITSecurityguard) Paypal DOM XSS - 11/05/2014
The 5000$ Google XSS Patrik Fehrenbach (@ITSecurityguard) Google XSS $5000 10/31/2014
Facebook Bug Bounty: secondary damage (revisited) why I really like reporting to Facebook too :) Philippe Harewood (@phwd) Facebook Logic flaw, AUthorization flaw - 10/30/2014
Yahoo phpinfo.php disclosure Patrik Fehrenbach (@ITSecurityguard) Yahoo Information disclosure - 10/16/2014
Step-by-step: exploiting SQL injection(s) in Oculus’ website. Josip Franjkovic Facebook SQL injection - 09/05/2014
Popping a shell on the Oculus developer portal Bitquark Facebook SQL injection, CSRF, RCE, IDOR $30,000 08/31/2014
Flickr XSRF to Change Photo Details Abdullah Hussam (@Abdulahhusam) Yahoo XSRF - 08/06/2014
Facebook – Stored Cross-Site Scripting (XSS) – Badges Brett Buerhaus Facebook Stored XSS - 01/16/2014
ebay bug bounty Matthew Bryant Ebay Reflected XSS - 06/06/2014
Prezi (map.prezi.com) Path Traversal Patrik Fehrenbach (@ITSecurityguard) Prezi Path traversal $1000 05/21/2014
Magix Bug Bounty: magix.com (RCE, SQLi) and xara.com (LFI, XSS) Julien Ahrens Magix RCE, SQLI, LFI, XSS - 04/26/2014
A Tale of 7 Vulnerabilities Patrik Fehrenbach (@ITSecurityguard) Paypal Stored XSS, Reflected XSS, Default credentials, Privilege escalation $0 04/20/2014
Facebook – Send Notifications to any User Exploit Brett Buerhaus Facebook Logic flaw - 04/07/2014
Google Exploit – Steal Account Login Email Addresses Tom Anthony (@TomAnthonySEO) Google Information disclosure $1,337 03/08/2014
Tesla Motors blind SQL injection Bitquark Tesla Motors SQL injection - 02/23/2014
How I hacked Github again. Egor Homakov (homakov) Github Open redirect, Account takeover, Information disclosure $4,000 02/07/2014

Bug bounty writeups published in 2013

Title & URL Author Bug bounty program Vulnerability Reward $$$ Publication date
Google Sites: A Tale of Five Vulnerabilities Bitquark Google XSS, LFI, HTML injection $13,034.80 12/30/2013
Waze arbitrary file upload Shashank Waze Arbitrary file upload $100 12/25/2013
Imgur xss Shashank Imgur XSS - 12/19/2013
Abusing CORS for an XSS on Flickr Jack Whitton Yahoo XSS - 12/12/2013
Heroku Directory Transversal Shashank Heroku Directory traversal - 12/03/2013
XSS - Google Groups (groups.google.com) - Vulnerability Reward Program Manuel Sousa (@manuelvsousa) Google Reflected XSS $3,133.7 11/30/2013
Oracle xss Shashank Oracle XSS - 11/17/2013
Instagram’s One-Click Privacy Switch Jack Whitton Facebook CSRF - 10/31/2013
Nokia email app pwnage Shashank Nokia XSS - 10/22/2013
LFI in Nokia maps Shashank Nokia LFI - 10/22/2013
Facebook bug bounty: secondary damage (one report that leads to more bugs), fairness, and why I really like reporting to Facebook Josip Franjkovic Facebook CSRF - 10/21/2013
Content Types and XSS: Facebook Studio Jack Whitton Facebook XSS - 10/21/2013
Facebook CSRF leading to full account takeover (fixed) Josip Franjkovic Facebook CSRF, Account takeover $8,450 10/18/2013
PayPal Bug Bounty: PayPaltech.com E-Mail Injection Julien Ahrens Paypal Email injection - 09/26/2013
Removing Covers Images on Friendship Pages, on Facebook Jack Whitton Facebook Authorization flaw - 09/25/2013
SQL injections in Nokia sites. Josip Franjkovic Nokia SQL injection $0, 1 Nokia Lumia 820 07/30/2013
How I found my way into Instagram’s Ganglia, and a bug with Facebook likes. Josip Franjkovic Facebook Reflected XSS, IDOR - 07/23/2013
Admob creative image cross-site scripting vulnerability Bitquark Google XSS - 07/19/2013
Amazon packaging feedback cross-site scripting vulnerability Bitquark Amazon XSS $0 07/03/2013
Hijacking a Facebook Account with SMS Jack Whitton Facebook Authorization flaw, account takeover $20,000 06/26/2013
Overwriting Banner Images on Etsy Jack Whitton Etsy Authorization flaw - 05/21/2013
PayPal Bug Bounty: PayPaltech.com XSS Julien Ahrens Paypal XSS - 04/13/2013
Stealing Facebook Access Tokens with a Double Submit Jack Whitton Facebook CSRF, OAuth flaw - 04/13/2013
How I Rewarded with USD?K Just With a Simple Search Form yappare (@yappare) Paypal SQL injection - 04/11/2013
Framing, Part 1: Click-Jacking Etsy Jack Whitton Etsy Clickjacking - 02/05/2013
Persistent XSS on myworld.ebay.com Jack Whitton Ebay XSS - 01/27/2013
Google.com cross site scripting and privilege escalation in Consumer Surveys Josip Franjkovic Google Stored XSS, Authorization flaw - 01/03/2013

Bug bounty writeups published in 2012

Title & URL Author Bug bounty program Vulnerability Reward $$$ Publication date
My Experience with the PayPal Bug Bounty Programme Jack Whitton Paypal CSRF $750 10/12/2012

Bug bounty writeups with unknown publication date

Title & URL Author Bug bounty program Vulnerability Reward $$$ Publication date
Parameter pollution bug at twitter Mert (@mertistaken) Twitter HPP - -
G Suite - Device Management XSS Uranium238 (@uraniumhacker) Google XSS - -
Auth Issues Uranium238 (@uraniumhacker) Google Authentication flaw, Logic flaw - -
Multiple XSS Uranium238 (@uraniumhacker) Google Stored XSS - -
Blind XSS against a Googler Uranium238 (@uraniumhacker) Google Blind XSS - -
Stored XSS on biz.waze.com Uranium238 (@uraniumhacker) Google XSS - -
CSRF ‘protection’ bypass on xvideos @zseano xvideos CSRF - -
Open URL redirects to grab FB OAuth Tokens @zseano Auto Trader Open redirect $0 -
XML XSS via POST @zseano - XSS - -
$10k host header Ezequiel Pereira (@epereiralopez) Google Authorization flaw $10,000 -
$7.5k Google services mix-up Ezequiel Pereira (@epereiralopez) Google Logic flaw $7,500 -
$5k Service dependencies Ezequiel Pereira (@epereiralopez) Google Logic flaw $5,000 -
$500 getClass Ezequiel Pereira (@epereiralopez) Google Java vulnerability $500 -