| Add comment on a private Oculus Developer bug report |
Sarmad Hassan (@JubaBaghdad) |
Facebook |
IDOR, Authorization flaw |
- |
10/18/2018 |
| Security teams Internal attachments can be exported via “Export as .zip” feature on HackerOne |
Japz Divino (@japzdivino) |
Hackerone |
Logic flaw |
12,500 |
10/17/2018 |
| XXE in IBM’s MaaS360 Platform |
Cody Wass |
IBM |
XXE |
- |
10/16/2018 |
| Path traversal while uploading results in RCE |
Harsh Jaiswal (@rootxharsh) |
- |
Path traversal, RCE |
- |
10/15/2018 |
| Brave Browser Script Blocker Bypass Vulnerability |
Xiaoyin Liu |
Brave Software |
Script blocker bypass |
- |
10/13/2018 |
| Microsoft CSRF Vulnerability |
Adesh Kolte (@AdeshKolte) |
Microsoft |
CSRF |
$500 |
10/12/2018 |
| [Bug bounty | mail.ru] Access to the admin panel of the partner site and data disclosure of 2 million users |
Max (@iSecMax) |
Mail.ru |
Authentication bypass, Blind XSS |
- |
10/12/2018 |
| Magic XSS with two parameters |
Mahmood Shahabi (@m4shahab1) |
- |
XSS |
- |
10/12/2018 |
| Add description to Instagram Posts on behalf of other users - 6500$ |
Sarmad Hassan (@JubaBaghdad) |
Facebook |
IDOR |
$6,500 |
10/12/2018 |
| Microsoft Edge Remote Code Execution |
Abdulrahman Al-Qabandi (@Qab) |
Microsoft |
RCE |
- |
10/11/2018 |
| Access to staging environment via User-Agent string |
Yasser Gersy (@yassergersy) |
- |
Authentication bypass |
- |
10/10/2018 |
| Symantec Messaging Gateway authentication bypass |
Artem Kondratenko (@artkond) |
Symantec |
Authentication bypass |
- |
10/10/2018 |
| Get as image function pulls any Insights/NRQL data from any New Relic account (IDOR) |
Jon Bottarini |
New Relic |
IDOR |
$2,500 |
10/09/2018 |
| DOM-XSS Bug Affecting Tinder, Shopify, Yelp, and More |
VPN Mentor (@vpnmentor) |
Tinder |
DOM XSS |
- |
10/09/2018 |
| Make any Unit in Facebook Groups Undeletable |
Sarmad Hassan (@JubaBaghdad) |
Facebook |
Logic flaw, IDOR, Authorization flaw |
- |
10/09/2018 |
| [Critical] Bypass CSRF protection on IBM |
Mohamed Sayed (@FlEx0Geek) |
IBM |
CSRF |
- |
10/09/2018 |
| Persistent XSS (unvalidated Open Graph embed) at LinkedIn.com |
Jonathan Bouman (@JonathanBouman) |
LinkedIn |
Stored XSS |
$0, HoF |
10/07/2018 |
| My First 0day Exploit (CSP Bypass + Reflected XSS) #BUGBOUNTY |
Ali Tütüncü(@alicanact60) |
- |
Reflected XSS, CSP bypass |
- |
10/07/2018 |
| Clickjacking in Google Docs and Voice typing feature. |
Raushan Raj (@raushan_rajj) |
Google |
Clickjacking |
$2,337 |
10/05/2018 |
| GoogleMeetRoulette: Joining random meetings |
Martin Vigo (@martin_vigo) |
Google |
Bruteforce, Logic flaw |
- |
10/04/2018 |
| An interesting Google vulnerability that got me 3133.7 reward. |
Ebrahem Hegazy (@Zigoo0) |
Google |
CSRF |
$3,133.7 |
10/04/2018 |
| Persistent XSS (Unvalidated oEmbed) at Medium.com |
Jonathan Bouman (@JonathanBouman) |
Medium |
Stored XSS |
$100 |
10/04/2018 |
| Exploiting an unknown vulnerability |
Abhishek Bundela (@abhibundela) |
- |
Logic flaw, Payment tampering |
- |
10/03/2018 |
| Facebook Bug Bounty: Email Id, Phone Number Can be exposed Through Business Manager |
Rohit kumar (@rohitcoder) |
Facebook |
Logic flaw, Information disclosure |
$3,000 |
10/03/2018 |
| AWS takeover through SSRF in JavaScript |
Gwendal Le Coguic (@gwendallecoguic) |
- |
SSRF |
- |
10/02/2018 |
| Applying a small bypass to steal Facebook Session tokens in Uber |
Samuel (@saamux) |
Uber |
XSS, CSP bypass, OAuth flaw |
- |
10/02/2018 |
| How i found Stored xss on your-domain.redacted.com |
Rudra Sarkar (@rudr4_sarkar) |
- |
XSS |
$0 |
10/02/2018 |
| Collecting Shells by the Sea of NAS Vulnerabilities |
Rick Ramgattie (@RRamgattie) |
Lenovo |
OS command injection, XSS, CSRF |
- |
10/01/2018 |
| Subdomain Takeover via Shopify Vendor ( blog.exchangemarketplace.com ) with Steps |
Mohamed Haron (@m7mdharon) |
Shopify |
Subdomain takeover |
- |
10/01/2018 |
| Google Stored XSS in Payments |
Barış Sağdıç (@brsgdc) |
Google |
Stored XSS |
- |
10/01/2018 |
| How I was able to takeover account’s of an Earning App |
Abbas Wafa |
- |
Information disclosure |
$0 |
10/01/2018 |
| Hacking the Subway Android app |
Wesley Gahr (@wesley_gahr) |
Subway |
Logic flaw, Authorization flaw |
- |
09/28/2018 |
| IDOR, Content Spoofing and Url Redirection via unsubscribe email in Confluent |
Divyanshu Shukla |
Confluent |
IDOR, Content spoofing, Open redirect |
- |
09/28/2018 |
| Just another tale of severe bugs on a private program. |
Siva Krishna Samireddi |
- |
Open redirect, SSRF, IDOR, Logic flaw |
$1,623 |
09/28/2018 |
| #BugBounty — From finding Jenkins instance to Command Execution.Secure your Jenkins Instance! |
Avinash Jain (@logicbomb_1) |
- |
RCE, Exposed Jenkins instance |
- |
09/27/2018 |
| Thick Client — Attacking databases the fun/easy way |
Richard Clifford |
- |
Thick client flaw, Credentials sent over unencrypted channel |
- |
09/26/2018 |
| Arbitrary File Read in one of the largest CRMs |
Richard Clifford |
- |
LFI |
- |
09/26/2018 |
| [XSS] survey.dropbox.com |
Kumar |
Dropbox |
XSS |
$0 |
09/25/2018 |
| Weaponizing XSS Attacking Internal System |
Rahul R |
- |
Blind XSS |
- |
09/25/2018 |
| Subdomain Takeover via Unsecured S3 Bucket Connected to the Website |
Muhammad Khizer Javed / babayaga47 (@khizer_javed47) |
- |
Subdomain takeover |
- |
09/24/2018 |
| How I XSS’ed Uber and Bypassed CSP |
Efkan (@mefkansec) |
Uber |
Reflected XSS |
2,000 |
09/22/2018 |
| R-XSS -> CSRF bypass to account takeover/ |
Nirmal Dahal (@TheNittam) |
- |
Reflected XSS, CSRF bypass |
- |
09/21/2018 |
| Bypassing Firebase authorization to create custom goo.gl subdomains |
Thomas Orlita (@ThomasOrlita) |
Google |
Logic flaw, IDOR |
- |
09/21/2018 |
| Another XSS in Google Colaboratory |
Michał Bentkowski |
Google |
XSS |
- |
09/20/2018 |
| Shopify Athena Bug |
Uranium238 (@uraniumhacker) |
Shopify |
Authorization flaw, Information disclosure |
- |
09/20/2018 |
| Local file inclusion at IKEA.com |
Jonathan Bouman (@JonathanBouman) |
Ikea |
LFI |
$250 |
09/19/2018 |
| Facebook $750 Reward for a Simple Bug |
Aman Shahid (@amansmughal) |
Facebook |
Authentication bypass, Logic flaw |
$750 |
09/18/2018 |
| Chain The Bugs to Pwn an Organisation ( LFI + Unrestricted File Upload = Remote Code Execution ) |
Armaan Pathan (@armaancrockroax) |
- |
LFI, Unrestricted File Upload, RCE |
- |
09/18/2018 |
| Reflected XSS at Philips.com |
Jonathan Bouman (@JonathanBouman) |
Philips |
Reflected XSS |
- |
09/17/2018 |
| XSS Vulnerabilities in Multiple iFrame Busters Affecting Top Tier Sites |
Randy Westergren (@RandyWestergren) |
Google |
XSS |
$0 |
09/17/2018 |
| Vertical escalation of privileges Leading to Sensitive Data Exposure |
Umair Ahmed (@u_ahmedofficial) |
- |
Bruteforce, IDOR, Authorization flaw |
- |
09/16/2018 |
| User Account takeover in India’s largest digital business company |
Minali Arora (@AroraMinali) |
- |
Account takeover, OTP bypass |
- |
09/16/2018 |
| IDOR User Account Takeover By Connecting My Facebook Account with victims Account |
Muhammad Khizer Javed / babayaga47 (@khizer_javed47) |
Facebook |
IDOR |
$1,200 |
09/16/2018 |
| Persistent Cross-Site Scripting on redacted worth $2,000 |
M.Asim Shahzad |
- |
Stored XSS |
$2,000 |
09/15/2018 |
| How I hijacked your account when you opened my cat picture |
Matti Bijnens (@MattiBijnens) |
- |
Logout CSRF |
- |
09/14/2018 |
| Hacking your own antivirus for fun and profit (Safe browsing gone wrong) |
Martin Thirup Christensen (@Mthirup) |
Bullguard |
Reflected XSS |
$0 |
09/14/2018 |
| Subdomain Takeover worth 200$ |
Ali Razzaq (@AliRazzaq_) |
Netlify |
Subdomain takeover |
$200 |
09/14/2018 |
| Reflected DOM XSS and CLICKJACKING on https://silvergoldbull.de/bt.html |
Daniel Maksimovic |
Silver Gold Bull |
DOM XSS, Clickjacking |
- |
09/13/2018 |
| Snooping an Ad Network Admin Panel |
Tomi |
Ad Networks |
Blind XSS |
$100 |
09/13/2018 |
| Subdomain Takeover via Campaignmonitor |
Mohamed Haron (@m7mdharon) |
Campaign Monitor |
Subdomain Takeover |
$900 |
09/11/2018 |
| Open-Redirect Vulnerability in udacity.com |
Anil Tom |
Udacity |
Open redirect |
$0, Swag |
09/11/2018 |
| Hacking a Crypto Debit Card Service |
Muhammad Abdullah |
Plutus |
SQL injection |
- |
09/11/2018 |
| XXE at Bol.com |
Jonathan Bouman (@JonathanBouman) |
Bol.com |
XXE |
$500 (voucher) |
09/11/2018 |
| How to do 55.000+ Subdomain Takeover in a Blink of an Eye |
BuckHacker (@thebuckhacker) |
Shopify |
Subdomain takeover |
- |
09/10/2018 |
| Authentication Bypass Using SQL Injection AutoTrader Webmail – Bug Bounty POC |
Muhammad Khizer Javed / babayaga47 (@khizer_javed47) |
AutoTrader |
SQL injection |
- |
09/10/2018 |
| Making the Facebook app more secure - $8500 bounty |
Ash King |
Facebook |
Open redirect |
$8,500 |
09/09/2018 |
| ZOL Zimbabwe Authentication Bypass to XSS & SQLi Vulnerability – Bug Bounty POC |
Muhammad Khizer Javed / babayaga47 (@khizer_javed47) |
ZOL Zimbabwe |
XSS, SQL injection |
- |
09/09/2018 |
| How I find Open-Redirect Vulnerability in redacted.com (One of the top online payment processing service website) |
M.Asim Shahzad |
- |
Open redirect |
- |
09/09/2018 |
| Disclosure of Facebook Page Admin due to insecure tagging behavior |
Aj Dumanhug (@ajdumanhug) |
Facebook |
Information disclosure, Logic flaw |
- |
09/09/2018 |
| Reflected XSS in Google Code Jam |
Thomas Orlita (@ThomasOrlita) |
Google |
Reflected XSS |
- |
09/08/2018 |
| SQL Injection Vulnerability bootcamp.nutanix.com | Bug Bounty POC |
Muhammad Khizer Javed / babayaga47 (@khizer_javed47) |
Nutanix |
SQL injection |
$0, Swag |
09/08/2018 |
| Bypassing Hotstar Premium with DOM manipulation and some JavaScript |
OpSecX |
Hotstar |
Logic flaw, Payment bypas |
$0 |
09/07/2018 |
| RCE Unsecure Jenkins Instance | Bug Bounty POC |
Muhammad Khizer Javed / babayaga47 (@khizer_javed47) |
- |
RCE |
$0 |
09/07/2018 |
| Write-up - Love story, from closed as informative to $3,500 USD, XSS stored in Yahoo! iOS MaiL app |
@omespino |
Yahoo! |
Stored XSS |
$3,500 |
09/07/2018 |
| Simple Login Brute Force / Current Password Requirement Bypass |
Mandeep Jadon (@1337tr0lls) |
- |
IDOR, Account takeover, Bruteforce |
- |
09/07/2018 |
| #BugBounty — How Naaptol (India’s popular home shopping company) Kept their Millions of User Data at Risk! |
Avinash Jain (@logicbomb_1) |
Naaptol |
IDOR |
- |
09/07/2018 |
| How I could download the source code of an Indian e-commerce website!! |
Minali Arora (@AroraMinali) |
- |
File disclosure, Source code disclosure |
- |
09/05/2018 |
| P1 Vulnerability in 60 seconds |
@Wh11teW0lf |
- |
Information disclosure, File disclosure |
$1,500 |
09/05/2018 |
| Facebook Bug Bounty! {Permission Bug} |
Ali Tütüncü(@alicanact60) |
Facebook |
Authorization flaw, Logic flaw |
$750 |
09/05/2018 |
| Admin Disclosure of Facebook Business all Pages by normal employees: |
Kamal |
Facebook |
Information disclosure |
$0 |
09/02/2018 |
| How I could have launched a spear phishing campaign with Starbucks email servers |
Kyle (@b3nac) |
Starbucks |
Host header injection |
$150 |
09/01/2018 |
| Send request to Martians. Earthlings are already your friends. |
Sagar VD |
Google |
CSRF |
- |
09/01/2018 |
| I Own Your Customers !!! |
Muhammad Abdullah |
- |
Information disclosure, Hardcoded credentials, AWS flaw |
- |
09/01/2018 |
| Pwned Together: Hacking dev.to |
Antony Garand |
Dev.to |
Stored XSS |
$150, HoF |
08/31/2018 |
| $100 Bounty in 300 seconds isn’t bad !!! |
Rohan Chavan (@rohanchavan1918) |
Zoho |
Stored XSS |
$100, HoF |
08/31/2018 |
| Reflected XSS in Django REST Framework Api at MapBox Subdomain |
Mohamed Haron (@m7mdharon) |
Mapbox |
Reflected XSS |
$500 |
08/29/2018 |
| Finding hidden gems vol. 2: REAMDE.md, the story of a bit too helpful readme file |
Mateusz Olejarka |
- |
Information disclosure, Github leak |
$0 |
08/29/2018 |
| A Infinite Loop Story. |
Ashish Kunwar (@D0rkerDevil) |
- |
DoS |
$100 |
08/29/2018 |
| Reflected Swf XSS at ( https://plugins.svn.wordpress.org ) |
Mohamed Haron (@m7mdharon) |
Wordpress |
Swf XSS, Reflected XSS |
$350 |
08/28/2018 |
| How i found a 1500$ worth Deserialization vulnerability |
Ashish Kunwar (@D0rkerDevil) |
- |
Misconfigured JSF ViewState, Java deserialization |
$1,500 |
08/28/2018 |
| IDOR FACEBOOK: malicious person add people to the “Top Fans” |
Jafar Abo Nada |
Facebook |
IDOR |
- |
08/28/2018 |
| Traversing the Path to RCE |
hawkinsecurity |
- |
Path traversal, RCE |
$0 |
08/27/2018 |
| Uber Bug Bounty: 1000$ for two “high severity” issue |
Peuch |
Uber |
Information disclosure, Github leak |
$1,000 |
08/27/2018 |
| Open Redirection |
negative Wibes |
Pleio |
Open redirection |
- |
08/26/2018 |
| My first valid xss(@Hackerone) |
Jatin Aesthetic |
- |
XSS |
$100 |
08/25/2018 |
| Remote Code Execution on a Facebook server |
Daniel Le Gall |
Facebook |
RCE |
$5,000 |
08/24/2018 |
| Privileged Escalation in Facebook Messenger Rooms |
Jafar Abo Nada |
Facebook |
Privilege escalation, IDOR |
- |
08/24/2018 |
| SQL Injection Vulnerability In University Of Cambridge |
Adesh Kolte (@AdeshKolte) |
Cambridge |
SQL injection |
- |
08/24/2018 |
| Liking GitHub repositories on behalf of other users — Stored XSS in WebComponents.org |
Thomas Orlita (@ThomasOrlita) |
Webcomponents.org |
Stored XSS |
- |
08/23/2018 |
| API key: The real goldmine |
Yumi |
- |
Information disclosure |
- |
08/19/2018 |
| User credential are sent in clear text in Whatsapp web— FIXED | Facebook Bug Bounty |
Thuvarakan Nakarajah |
Facebook (WhatsApp) |
Credentials sent over HTTP |
- |
08/18/2018 |
| YAHOO IDOR -elimination of any comment |
Bada Diaz (@bada77) |
Yahoo |
IDOR |
- |
08/17/2018 |
| 3 Minutes & XSS! |
Ashish Jha |
Edmodo |
XSS |
- |
08/17/2018 |
| IDOR leads to account takeover |
@s0cket7 |
- |
IDOR |
- |
08/16/2018 |
| ICloud.com DOM-Based XSS! #BugBounty |
Musab Alhussein (@musab_alhussein) |
Apple |
DOM XSS |
$0, HOF |
08/14/2018 |
| Another “TicketTrick” story |
Uranium238 (@uraniumhacker) |
Uber |
Logic flaw, TicketTrick |
- |
08/14/2018 |
| XSS at Hubspot and XSS in email areas. |
Friendly (@SkeletorKeys) |
Hubspot, [Private program] |
XSS |
$450 |
08/13/2018 |
| Distorted and Undeletable Posts in Facebook Group |
Sarmad Hassan (@JubaBaghdad) |
Facebook |
Authorization flaw, Logic flaw |
- |
08/12/2018 |
| How I Chained 4 Bugs(Features?) into RCE on Amazon Collaboration System |
Orange Tsai (@orange_8361) |
Amazon |
RCE |
- |
08/11/2018 |
| S3 Bucket Misconfiguration in Amazon |
Divyanshu Shukla |
Amazon |
AWS flaw |
$0 |
08/11/2018 |
| Adminer Script Results to Pwning Server?, Private Bug Bounty Program |
Yasho |
- |
Authentication bypass |
- |
08/11/2018 |
| Misconfigured JIRA setting - Apigee |
Tutorgeeks |
Google, Jira |
Information disclosure |
- |
08/10/2018 |
| [Twitter Bug Bounty] Misconfigured JSON endpoint on ads.twitter.com lead to Access control issue and Information Disclosure of role privileged users. |
Peerzada Fawaz Ahmad Qureshi (@zk34911) |
Twitter |
Authorization flaw, Information disclosure |
$280 |
08/10/2018 |
| Subdomain Takeover: Yet another Starbucks case |
Patrik Hudak |
Starbucks |
Subdomain takeover |
$2,000 |
08/09/2018 |
| From TOMCAT to NT AUTHORITY\SYSTEM |
Rahul R |
- |
Default credentials |
- |
08/09/2018 |
| My Disclosed Report about Basic auth Api details at Reverb.com |
Mohamed Haron (@m7mdharon) |
Reverb |
Information disclosure |
$100 |
08/09/2018 |
| This is how can I spoof ANY Sentry.Io log infinitely and create fake error-logs |
Carlos Daniel Giovanella |
HackerOne, Sentry |
Logs flooding and falsification |
$0 |
08/09/2018 |
| My First Critical Report |
Miguel Corral (@mcorral74) |
- |
Password reset flaw, Account takeover |
$2,500 |
08/08/2018 |
| How I hacked a Crypto Exchange (Bug Bounty Writeup) |
Muhammad Abdullah |
- |
IDOR |
- |
08/07/2018 |
| From data leak to account takeover |
Antony Garand |
- |
Account takeover, Information disclosure, Password reset flaw |
- |
08/07/2018 |
| How I gained commit access to Homebrew in 30 minutes |
Eric Holmes (@vesirin) |
Homebrew |
Information disclosure |
- |
08/07/2018 |
| Sending out phishing e-mails from @microsoft.com |
@si9int |
Microsoft |
HTML injection |
$0 |
08/07/2018 |
| Unauth meetings access |
Uranium238 (@uraniumhacker) |
Google |
Authorization flaw, Logic flaw |
- |
08/06/2018 |
| Self XSS leads to blind XSS and reflected XSS. |
Friendly (@SkeletorKeys) |
- |
Blind XSS, Reflected XSS |
$700 |
08/06/2018 |
| Reflected XSS Primagames.com |
Friendly (@SkeletorKeys) |
Prima Games |
Reflected XSS |
- |
08/06/2018 |
| My First Swag Pack : A Logical Bug on Edmodo |
Abartan Dhakal |
Edmodo |
Logic flaw |
$0, Swag |
08/05/2018 |
| Stored XSS in GameSkinny |
Friendly (@SkeletorKeys) |
GameSkinny |
Stored XSS |
- |
08/03/2018 |
| Blind-XSS in Chrome Experiments - Google (Write Up) |
Evan Ricafort |
Google |
Blind XSS |
$100 |
08/03/2018 |
| #BugBounty — @Paytm Customer Information is at risk — India’s largest digital wallet company |
Avinash Jain (@logicbomb_1) |
Paytm |
IDOR |
- |
08/03/2018 |
| Discovering and Exploiting a Vulnerability in Android’s Personal Dictionary (CVE-2018-9375) |
Daniel Kachakil |
Google |
Privilege escalation, Android flaw |
- |
08/01/2018 |
| Exploiting a Microsoft Edge Vulnerability to Steal Files |
Ziyahan Albeniz |
Microsoft |
SOP bypass |
- |
08/01/2018 |
| Shipt Subdomain TakeOver via HeroKu ( test.shipt.com ) |
Mohamed Haron (@m7mdharon) |
Shipt |
Subdomain takeover |
- |
08/01/2018 |
| Disclose Facebook Internal Server Information With A Strange Poll |
Jane Manchun Wong |
Facebook |
Logic flaw |
- |
08/01/2018 |
| CRLF Injection Into PHP’s cURL Options |
TomNomNom |
- |
CRLF injection |
- |
08/01/2018 |
| How I could access your internal servers, steal and modify your image repository |
PoC || GO |
- |
RCE |
- |
07/31/2018 |
| Hacking Imgur for Fun and Profit |
Nathan (@NathOnSecurity) |
Imgur |
Outdated component with a known vulnerability, Information disclosure |
$5,500 |
07/29/2018 |
| 18th Acknowledgement From Microsoft |
Muhammad Muhaddis |
Microsoft |
IDOR |
$0, HOF |
07/29/2018 |
| Yahoo — Two XSSi vulnerabilities chained to steal user information. ($750 Bounty) |
Brian Hyde |
Yahoo |
XSSI |
$750 |
07/29/2018 |
| Microsoft Office 365 Stored XSS |
@Pethuraj |
Microsoft |
Stored XSS |
$0, HOF |
07/29/2018 |
| Making a Blind SQL Injection a Little Less Blind |
TomNomNom |
- |
SQL injection |
- |
07/28/2018 |
| Binary.com ClickJacking Vulnerability — Exploiting HTML5 Security Features |
Ameer Assadi |
Binary.com |
Clickjacking |
- |
07/28/2018 |
| How I found XSS on Amazon? |
Coding_Karma |
Amazon |
XSS |
$0 |
07/26/2018 |
| Exfiltration via CSS Injection |
d0nut |
- |
CSS injection |
- |
07/25/2017 |
| SQL Injection and A silly WAF |
Mahmoud Gamal |
- |
SQL injection |
- |
07/25/2017 |
| Exploitation of Server Side Template Injection with Craft CMS plugin SEOmatic <=3.1.3 [CVE-2018-14716] |
Sebastian (ha.cker.info) |
Private program, SEOmatic CMS plugin |
SSTI |
- |
07/24/2018 |
| Vulnerability in Hangouts Chat a.k.a. how Electron makes open redirect great again |
Michał Bentkowski |
Google |
Open redirect |
$7,500 |
07/24/2018 |
| Finding hidden gems vol. 1: forging OAuth tokens using discovered client id and client secret |
Mateusz Olejarka |
- |
Information disclosure |
$3,133.7 |
07/23/2018 |
| Google Assistant Bug Worth $3133.7 ! |
Circle Ninja |
Google |
Reflective XSS |
$3,133.7 |
07/21/2018 |
| RCE due to ShowExceptions |
Harsh Jaiswal (@rootxharsh) |
- |
RCE |
$5,000 |
07/20/2018 |
| Into the Borg – SSRF inside Google production network |
Enguerran Gillier |
Google |
SSRF |
$13,337 |
07/20/2018 |
| The call is coming from inside the house — DNS rebinding in EOSIO keosd wallet |
François Proulx |
EOSIO |
DNS rebinding |
- |
07/19/2018 |
| RCE on Yahoo Luminate |
Rojan Rijal |
Yahoo |
RCE |
- |
07/19/2018 |
| How I was able to delete 13k+ Microsoft Translator projects |
Haider Mahmood |
Microsoft |
CSRF, IDOR |
$0 |
07/19/2018 |
| Hey Developer, Give me your API keys.!! |
Devansh batham |
Crowdin |
Information disclosure |
Swag, HoF |
07/18/2018 |
| Bypass Admin approval, Mute Member and Posting Permissions for Only admins in Facebook groups |
Sarmad Hassan (@JubaBaghdad) |
Facebook |
Authorization flaw, Logic flaw |
- |
07/18/2018 |
| Hacking thousands of companies through their helpdesk |
Khaled Hassan |
- |
Account takeover, DoS, Logic flaw |
- |
07/17/2018 |
| CVE-2018-13784: PrestaShop 1.6.x Privilege Escalation |
Charles Fol (Ambionics Security) |
PrestaShop |
Privilege escalation, Session flaw |
- |
07/16/2018 |
| WRITE UP – TELEGRAM BUG BOUNTY – WHATSAPP N/A [“Blind” XSS Stored iOS in messengers twins, who really care about your security?] |
@omespino |
Facebook |
Blind Stored XSS |
- |
07/16/2018 |
| Attacking PostgreSQL Database |
Vishnuraj KV |
- |
Bruteforce, Weak credentials |
- |
07/16/2018 |
| Bug Bounty at Bangladeshi Site. |
Shaifullah Shaon |
- |
SQL injection |
BDT 10,000 (~ $120) |
07/15/2018 |
| Should this be public though? |
Rojan Rijal |
Shopify, Uber |
Information disclosure |
$500 |
07/13/2018 |
| XSS in Microsoft subdomain |
Sudhanshu Raj |
Microsoft |
XSS |
- |
07/13/2018 |
| Freelancer.com Bad Design (Full disclosure) |
@si9int |
Freelancer |
Logic flaw |
$0 |
07/13/2018 |
| Freelancer.com XSS (Full disclosure) |
@si9int |
Freelancer |
XSS |
$0 |
07/13/2018 |
| Freelancer.com Text Injection (Full disclosure) |
@si9int |
Freelancer |
Text injection |
$0 |
07/13/2018 |
| The tradeRifle Vulnerability Identified in LBank Mobile Service (CVE-2018-13363) |
PeckShield |
LBank |
MiTM |
- |
07/12/2018 |
| Gsuite Hangouts Chat 5k IDOR |
Cam (@SecretlyHidden1) |
Google |
IDOR |
$5,000 |
07/10/2018 |
| Persistent XSS at AH.nl |
Jonathan Bouman (@JonathanBouman) |
AH.nl |
Stored XSS |
$200 |
07/09/2018 |
| #BugBounty - Compromising User Account- “How I was able to compromise user account via HTTP Parameter Pollution(HPP)” |
Avinash Jain (@logicbomb_1) |
- |
HTTP Parameter Pollution, Password reset flaw, Account takeover |
- |
07/07/2018 |
| Server Side Request Forgery on Vanilla Forums |
Vikash Chaudhary |
Vanilla Forums |
SSRF |
- |
07/07/2018 |
| Latex to RCE, Private Bug Bounty Program |
Yasho |
- |
RCE |
- |
07/06/2018 |
| Buffer Overflow-WhatsApp[Bypass] |
Pratheesh P Narayanan |
Facebook |
Buffer Overflow, DoS |
$500 |
07/06/2018 |
| The $12,000 Intersection between Clickjacking, XSS, and Denial of Service |
Sam Curry |
Bustabit |
Clickjacking, XSS, DoS |
$12,000 |
07/04/2018 |
| Chaining Multiple Vulnerabilities to Gain Admin Access |
Ben Sadeghipour |
- |
IDOR, Account takeover |
- |
07/02/2018 |
| Hacking OKEx/OKCoin for Fun and No Profit! |
E-ARMY [ justice ] |
OKEx, OKCoin |
Information disclosure |
$0 |
07/01/2018 |
| Bug Bounty: Tumblr reCAPTCHA vulnerability write up |
Leigh-Anne Galloway |
Tumblr |
reCAPTCHA bypass, email enumeration, username enumeration |
- |
06/29/2018 |
| Authentication bypass in Cisco Meraki |
takemyhand |
Cisco Meraki |
Authentication bypass |
- |
06/29/2018 |
| 3133.70$ for RCE on *.withgoogle.com subdomain |
E-ARMY [ justice ] |
Google |
RCE |
$3,133.70 |
06/28/2018 |
| 12k$ for simple path traversal on http://web.whatsapp.com |
E-ARMY [ justice ] |
Facebook |
Path traversal |
$12,000 |
06/28/2018 |
| This popular Facebook app publicly exposed your data for years |
Inti De Ceukelaire |
Facebook, Nametests.com |
Information disclosure, Authorization flaw |
$4,000 |
06/28/2018 |
| Take Advantage of Out-of-Scope Domains in Bug Bounty Programs |
Abdullah Hussam (@Abdulahhusam) |
- |
XSS |
$1,250 |
06/27/2018 |
| How re-signing up for an account lead to account takeover |
@zseano |
- |
Logic flaw, Account takeover |
- |
06/26/2018 |
| Subdomain Takeover: Starbucks points to Azure |
Patrik Hudak |
Starbucks |
Subdomain takeover |
$2,000 |
06/25/2018 |
| Account Take over via reset password |
Yasser Gersy (@yassergersy) |
- |
Password reset flaw, Account takeover |
$1,500 |
06/25/2018 |
| How I got access to local AWS info via Jira |
Coen Goedegebure |
- |
SSRF |
- |
06/24/2018 |
| Fastest Fix on Open Bug Bounty Platform |
Wen Bin KONG |
Kevag Telekom GmbH |
Reflected XSS, CSRF |
- |
06/24/2018 |
| How I hacked Apple.com (Unrestricted File Upload) |
Jonathan Bouman (@JonathanBouman) |
Apple |
Unrestricted file upload |
- |
06/22/2018 |
| XSS in Google Colaboratory + CSP bypass |
Michał Bentkowski |
Google |
XSS, CSP bypass |
- |
06/21/2018 |
| Using a GitHub app to escalate to an organization owner for a $10,000 bounty |
Tanner |
Github |
Authorization flaw, IDOR |
$10,000 |
06/20/2018 |
| Setting arbitrary request headers in Chromium via CRLF injection |
Michał Bentkowski |
Google |
CRLF injection |
- |
06/20/2018 |
| I discovered a browser bug |
Jake Archibald |
Mozilla, Microsoft |
Browser bug, Range requests flaw |
- |
06/20/2018 |
| [Responsible disclosure] How I could have booked movie tickets through other user accounts |
Bharathvaj Ganesan |
AGS Cinemas |
Password reset flaw, Account takeover, Bruteforce, OTP bypass |
- |
06/18/2018 |
| How i found blind XSS in Apple |
Taha Smily |
Apple |
Blind XSS |
- |
06/18/2018 |
| Reflected Client XSS at Amazon.com |
Jonathan Bouman (@JonathanBouman) |
Amazon |
Reflected XSS |
$0 |
06/15/2018 |
| Yay! 3133.70$ for RCE on *.withgoogle.com subdomain. |
lalka |
Google |
RCE |
$3,133.70 |
06/15/2018 |
| Password reset to full account takeover |
Hamza Bettache |
- |
Password reset flaw, Account takeover |
- |
06/15/2018 |
| Reflected XSS in 360totalsecurity |
Taha Smily |
360totalsecurity |
Reflected XSS |
- |
06/14/2018 |
| The 2.5 BTC Stored XSS |
Khaled Hassan |
- |
Stored XSS |
2.5 BTC |
06/13/2018 |
| How I got paid premium plan for free on many popular websites |
Khaled Hassan |
- |
Logic flaw |
- |
06/13/2018 |
| Vulnerability Netflix (cross-site-scripting) XSS |
Bada Diaz (@bada77) |
Netflix |
Reflected XSS |
- |
06/13/2018 |
| Unvalidated Open Redirect Bol.com |
Jonathan Bouman (@JonathanBouman) |
bol.com |
Open redirect |
$100 in gift cards |
06/12/2018 |
| Full account Takeover via reset password function |
Khaled Hassan |
- |
IDOR, Account takeover, Password reset flaw |
$1,250 |
06/12/2018 |
| Server-Side Spreadsheet Injection – Formula Injection to Remote Code Execution |
Jake Miller |
Google |
CSV injection, Server side spreadsheet injection, Formula injection, RCE |
- |
06/11/2018 |
| How I Found CVE-2018-8819: Out-of-Band (OOB) XXE in WebCTRL |
Darrell Damstedt |
- |
XXE |
$0 |
06/11/2018 |
| [PayPal BBP] I could’ve deleted All SMC messages. Using Brute-Force technique. |
Ayoub Ait Elmokhtar |
Paypal |
CSRF |
- |
06/10/2018 |
| Steam, Fire, and Paste – A Story of UXSS via DOM-XSS & Clickjacking in Steam Inventory Helper |
Matthew Bryan |
Steam Inventory Helper Chrome extension |
DOM XSS, Clickjacking |
- |
06/08/2018 |
| How I was able to list some internal information from PayPal #BugBounty |
Adrien Jeanneau |
Paypal |
Expression Language Injection (JSTL), Information disclosure |
$0 |
06/07/2018 |
| How I found XSS via SSRF vulnerability -Adesh Kolte |
Adesh Kolte (@AdeshKolte) |
CERT-EU, Motorola, Stanford |
SSRF, XSS |
$750 |
06/07/2018 |
| #BugBounty —” Database hacked of India’s Popular Sports company”-Bypassing Host Header to SQL injection to dumping Database — An unusual case of SQL injection. |
Avinash Jain (@logicbomb_1) |
- |
SQL injection |
- |
06/06/2018 |
| Zero to Account Takeover: How I ‘Impersonated’ Someone Else Using Auth0 |
Daniel Svartman |
OAuth |
Logic flaw |
- |
06/05/2018 |
| Searching for XSS found LDAP injection |
Davide Tampellini |
- |
LDAP injection |
- |
06/05/2018 |
| Are you sure this is a trusted email? |
Khaled hassan |
- |
Open mail relay |
$900 |
06/05/2018 |
| Reading Your Emails With A Read&Write Chrome Extension Same Origin Policy Bypass (~8 Million Users Affected) |
Matthew Bryan |
Read&Write Chrome extension |
SOP bypass |
- |
06/05/2018 |
| How I Hacked Fotor & Got “Nothing” |
Somdev Sangwan (D3v) |
Fotor |
SSRF, RFI |
$0 |
06/03/2018 |
| Getting PHP Code Execution and leverage access to panels,databases,server |
Shawar Khan |
- |
Code execution |
- |
06/01/2018 |
| How i converted SSRF to XSS in Jira. |
Ashish Kunwar (@D0rkerDevil) |
- |
SSRF, XSS |
$50 |
06/01/2018 |
| How I Earned $750 Bounty Reward From AT&T bug Bounty -Adesh Kolte |
Adesh Kolte (@AdeshKolte) |
AT&T |
RCE, Clickjacking, XSS, Same Origin Method Execution |
$750 |
06/01/2018 |
| #Bug Bounty — How I booked a rental house for just 1.00 INR — Price Manipulation in Citrus Pay |
Raghavendra Reddy |
- |
Parameter tampering |
- |
05/31/2018 |
| Reflected XSS in Yahoo Subdomain ( hk.movies.yahoo.com ) |
Mohamed Haron (@m7mdharon) |
Yahoo! |
Reflected XSS |
- |
05/30/2018 |
| 5k$ for path traversal on *.paypal-corp.com subdomain |
lalka |
Paypal |
Path traversal |
$5,000 |
05/30/2018 |
| Account Takeover and Blind XSS! Go Pro, get Bugs! |
Tabahi |
- |
IDOR, Stored XSS, Account takeover, Blind XSS |
$3,500 |
05/30/2018 |
| How I found 5 store XSS on a private program. Each worth “1,016.66$” |
Shahzad Sadiq |
- |
Stored XSS |
$5,083.3 |
05/30/2018 |
| How I got hall of fame in two fortune 500 companies — An RCE story… |
Alfie |
- |
RCE |
- |
05/29/2018 |
| How i was able to get admin panel on a private program |
Shahzad Sadiq |
- |
Weak credentials |
$1,500 |
05/29/2018 |
| reCAPTCHA bypass via HTTP Parameter Pollution |
Andres Riancho |
Google |
HTTP parameter pollution, reCAPTCHA bypass |
$500 |
05/28/2018 |
| Persistent XSS to Steal Passwords – Paypal |
Akhil Reni |
Paypal |
Stored XSS |
- |
05/26/2018 |
| Simple IDOR to reject a to-be users invitation via their notification |
Abss TBH |
WePay |
IDOR |
- |
05/24/2018 |
| How I was able to see any private album passwrod in Picturepush — IDOR |
Murtada Kamil |
PicturePush |
IDOR |
- |
05/23/2018 |
| #BugBounty — ”How I was able to hack any user account via password reset?” |
Bikash Gupta |
- |
IDOR, Account takeover, Password reset flaw |
- |
05/23/2018 |
| RCE by uploading a web.config |
003random |
- |
RCE |
- |
05/22/2018 |
| AWS Security Flaw which can grant admin access! |
Sharath AV |
Amazon |
Authorization flaw |
- |
05/22/2018 |
| Getting read access on Edmodo Production Server by exploiting SSRF |
Shawar Khan |
Edmodo |
SSRF |
- |
05/21/2018 |
| Self-XSS + CSRF to Stored XSS |
Renwa |
- |
Self XSS, CSRF, STored XSS |
- |
05/20/2018 |
| $36k Google App Engine RCE |
Ezequiel Pereira |
Google |
RCE |
$36,337 |
05/20/2018 |
| Fastest Fix on Open Bug Bounty Platform |
Wen Bin KONG |
Kevag Telekom GmbH |
XSS, CSRF |
- |
05/19/2018 |
| How i got 100$ from one private website |
Aayush Pokhrel |
- |
Information disclosure |
$100 |
05/19/2018 |
| How i HACKED admin account via password reset IDOR function of one private currency exchanger site |
Aayush Pokhrel |
- |
IDOR, Password reset flaw, Account takeover |
- |
05/19/2018 |
| Stored XSS in Yahoo and all subdomains! |
Hakim Bencella |
Microsoft |
Stored XSS |
$1,500 |
05/19/2018 |
| Xss in Microsoft |
hacker_eth |
Microsoft |
XSS |
- |
05/18/2018 |
| How I was able to get subscription of $120/year For Free |
Muhammad Khizer Javed / babayaga47 (@khizer_javed47) |
wetransfer.com |
Payment bypass |
$500 |
05/18/2018 |
| Whatsapp- DOS vulnerability on Android/iOS/Web |
Pratheesh P Narayanan |
Facebook |
DoS |
$500 |
05/15/2018 |
| HSTS Bypass Vulnerability in IE Preview |
Xiaoyin Liu |
Microsoft |
HSTS bypass |
$0 |
05/15/2018 |
| How I used a simple Google query to mine passwords from dozens of public Trello boards |
Kushagra Pathak |
Trello |
Authorization flaw, Information disclosure |
$0 |
05/09/2018 |
| Internet Safety for Kids & Families — Trend Micro Bypass DOM XSS |
Honc (@honcbb) |
Trend Micro |
DOM XSS |
$0, HoF |
05/08/2018 |
| Asus Control Center – An Information Disclosure and a database connection Clear-Text password leakage Vulnerability |
Mohamed A. Baset |
Asus |
Authorization flaw, Information disclosure |
- |
05/08/2018 |
| Ubisoft | Blind XSS to customer support panel takeover |
Hx01 |
Ubisoft |
Blind XSS |
- |
05/06/2018 |
| A Five Minute SQL-I |
Ashish Jha |
- |
SQL injection |
- |
05/06/2018 |
| How I Got Paid $0 From the India’s largest online gifting portal — Bug Bounty Program |
Hariom Vashisth |
- |
Price manipulation, Parameter tampering |
$0 |
05/05/2018 |
| $4500 bounty - How I got lucky |
Eray Mitrani |
- |
Subdomain takeover |
$4,500 |
05/03/2018 |
| Disclose Private Video Thumbnail from Facebook WorkPlace |
Sarmad Hassan (@JubaBaghdad) |
Facebook |
IDOR |
$3,000 |
05/03/2018 |
| Multiple security vulnerabilities in domains belonging to Google |
Sysdreams |
Google |
Broken access control, Directory traversal, Stored XSS |
- |
04/30/2018 |
| How I found 2.9 RCE at Yahoo! Bug Bounty program |
Kedrisec |
Yahoo |
RCE |
- |
04/30/2018 |
| #BugBounty — How I was able to bypass firewall to get RCE and then went from server shell to get root user account! |
Avinash Jain (@logicbomb_1) |
- |
RCE |
- |
04/29/2018 |
| Stored XSS in Yahoo! |
Shahzada AL Shahriar Khan |
Yahoo |
Stored XSS |
$2000 |
04/27/2018 |
| How I earned 60K+ from private program |
Siva Krishna Samireddi |
- |
Open redirect, subdomain takeover, XSS, HTTP parameter pollution |
60,000 INR (approx. $880) |
04/25/2018 |
| The Unknown Hero-App Logic Bugs |
Circle Ninja |
Canva |
Logic flaw |
- |
04/25/2018 |
| XSS “403 forbidden” bypass write up |
Nur A Alam Dipu |
- |
XSS |
- |
04/25/2018 |
| DOM XSS in Google VRView library |
Federico Fazzi |
Google |
DOM XSS |
$3,133.7 |
04/23/2018 |
| Three Cases, Three Open Redirect Bypasses |
Mohammed Eldeeb (@malcolmx0x) |
- |
Open redirect |
- |
04/22/2017 |
| Turning Self-XSS into non-Self Stored-XSS via Authorization Issue at “PayPal Tech-Support and Brand Central Portal |
YoKo Kho |
Paypal |
Stored XSS |
- |
04/21/2018 |
| Mangobaaz hacked | XSS to credentials exposure to pwn |
Hx01 |
MangoBaaz |
Reflected XSS |
$0 |
04/19/2018 |
| #BugBounty — ”Journey from LFI to RCE!!!”-How I was able to get the same in one of the India’s popular property buy/sell company. |
Avinash Jain (@logicbomb_1) |
- |
LFI, RCE |
- |
04/19/2018 |
| Bypassing the Current Password Protection at PayPal TechSupport Portal |
YoKo Kho |
Paypal |
Authorization flaw, Account takeover |
- |
04/19/2018 |
| Ribose — IDOR with Simple CSRF Bypass — Unrestricted Changes and Deletion to other Photo Profile |
YoKo Kho |
Ribose |
IDOR |
- |
04/18/2018 |
| How I Get the Name of the Hotel (and other Data) that you ever Stay - Personal Data Leaks: Private Bug Bounty Program |
YoKo Kho |
- |
IDOR |
- |
04/18/2018 |
| From an error message to DB disclosure |
Yumi |
- |
Hardcoded credentials |
- |
04/17/2018 |
| Spoof an user to create a description of a group in Flickr |
Samuel (@saamux) |
Yahoo (Flickr) |
IDOR |
- |
04/16/2018 |
| Bypassing Captcha Like a Boss |
Ak1T4 |
- |
Captcha bypass |
$xxx |
04/16/2018 |
| #SecurityBreach — ”How I was able to book hotel room for 1.50₹!” |
Hariom Vashisth |
- |
CORS flaw |
- |
04/15/2018 |
| Bypass CSP by Abusing XSS Filter in Edge |
Xiaoyin Liu |
Microsoft |
CSP bypass |
$1,500 |
04/15/2018 |
| How I hacked companies related to the crypto currency and earned $60,000 |
Max (@iSecMax) |
okex.com, livecoin.net, [private program] |
Authorization flaw, CSRF, IDOR, Stored XSS, HTML injection |
$59,400 |
04/14/2018 |
| How I bypassed Ebay process on redirect |
Mohamed Sayed (@FlEx0Geek) |
Ebay |
Open redirect |
$0 |
04/13/2018 |
| Hijacking User’s Private Information access_token from Microsoft Office360 facebook App |
Mohamed A. Baset |
Microsoft |
Logic flaw |
$0 |
04/13/2018 |
| Please email me your password |
Jasmin Laundry |
- |
Blind XSS, Blind SQL injection, SMTP header injection, Account takeover |
- |
04/11/2018 |
| How I broke into Google Issue Tracker |
Abhishek Bundela (@abhibundela) |
Google |
Logic flaw, Authorization flaw |
$0 |
04/10/2018 |
| Source Code Analysis in YSurvey — Luminate bug |
Rojan Rijal |
Yahoo |
Authentication bypass, Authorization flaw, SQL injection |
- |
04/10/2018 |
| Piercing the veil: Server Side Request Forgery to NIPRNet access |
Alyssa Herrera (@Alyssa_Herrera_) |
DoD |
SSRF |
- |
04/09/2018 |
| Stealing HttpOnly Cookie via XSS |
Yasser Gersy (@yassergersy) |
- |
XSS |
- |
04/08/2018 |
| Reflected XSS on www.zomato.com By Mustafa Hasan |
Mohamed Haron (@m7mdharon) |
Zomato |
Reflected XSS |
$100 |
04/07/2018 |
| “Exploiting a Single Parameter” |
Hisham Mir (@Hishammir1) |
- |
SSRF, XSS |
$2,500 |
04/06/2018 |
| Link injection on 2 Twitter Subdomain |
Mohamed Haron (@m7mdharon) |
Twitter |
Link injection |
$280 |
04/01/2018 |
|
Avinash Jain (@logicbomb_1) |
- |
IDOR |
- |
04/05/2018 |
| How I caught Multiple vulnerabilities in Udemy.com, But not rewarded for serious XSS vulnerability :( |
Satyendra Shrivastava |
Udemy |
XSS, HTML injection |
- |
04/05/2018 |
| Directory Listing To Sensitive Files Exposure |
Hx01 |
- |
Directory listing |
- |
04/04/2018 |
| My Best Small Report Bounty Report in Private Program ( Django REST framework Admin Login ByPass ) |
Mohamed Haron (@m7mdharon) |
- |
SQL injection, Auth bypass, Account takeover |
$2,000 |
04/01/2018 |
| XSS in Yahoo Subdomain |
Mohamed Haron (@m7mdharon) |
Yahoo! |
Flash XSS |
$600 |
03/31/2018 |
| XSS In sports.tw.campaign.yahoo.net |
Mohamed Haron (@m7mdharon) |
Yahoo! |
Reflected XSS |
- |
03/31/2018 |
| How I hacked one cryptocurrency service |
Valeriy Shevchenko |
PayKassa |
Blind XSS, Reflected XSS, CSRF |
$300 |
03/31/2018 |
| How I Could Have Promoted Any Facebook Page For Free. |
Anees Khan |
Facebook |
Logic flaw |
$0 |
03/30/2018 |
| View Insights for Any Facebook Marketplace Product |
Jane Manchun Wong |
Facebook |
Authorization flaw |
- |
03/29/2018 |
| Creating Test Conversion using any App |
Joshua Regio |
Facebook |
Web parameter tampering |
$3,000 |
03/27/2018 |
| Google bug bounty for security exploit that influences search results |
Tom Anthony |
Google |
Logic flaw |
$5,000 |
03/27/2018 |
| Reflected XSS Moogaloop SWF ( Version < 6.2.x ) |
Mohamed Haron (@m7mdharon) |
Vimeo |
Flash XSS, Reflected XSS |
- |
03/26/2018 |
| Misconfiguration of Demographics Privacy in a Page |
Mark Christian Deduyo |
Facebook |
Logic flaw |
$750 |
03/26/2018 |
| #BugBounty — Rewarded by securing vulnerabilities in Bookmyshow (India’s largest online movie & event booking portal) |
Avinash Jain (@logicbomb_1) |
BookMyShow |
Host header attack, IDOR |
- |
03/25/2018 |
| Hacking Oracle in 5 Minutes |
Rahul R |
Oracle |
Directory listing |
- |
03/25/2018 |
| Google adwords 3133.7$ Stored XSS |
Emad Shanab |
Google |
Stored XSS |
$3,133.7 |
03/21/2018 |
| Leaking WordPress CSRF Tokens for Fun, $1337 bounty, and CVE-2017-5489 |
Abdullah Hussam (@Abdulahhusam) |
Wordpress |
CSRF |
$1337 |
03/15/2018 |
| #BugBounty — “Let me reset your password and login into your account “-How I was able to Compromise any User Account via Reset Password Functionality |
Avinash Jain (@logicbomb_1) |
- |
Logic flaw, Password reset flaw, Account takeover |
- |
03/14/2018 |
| Dox Facebook Employees Behind “Did You Know” Questions |
Jane Manchun Wong |
Facebook |
Information disclosure |
- |
03/13/2018 |
| Union Based Sql injection Write up ->A private Company Site |
Nur A Alam Dipu |
- |
SQL injection |
- |
03/12/2018 |
| How I hacked 74k users of a website. |
Utkarsh Agrawal |
- |
Authorization flaw |
- |
03/11/2018 |
| Getting any Facebook user’s friend list and partial payment card details |
Josip Franjkovic |
Facebook |
Information disclosure, IDOR |
- |
03/09/2018 |
| Stored XSS, and SSRF in Google using the Dataset Publishing Language |
Craig Arendt (@signalchaos) |
Google |
Stored XSS, SSRF |
$18,337 |
03/07/2018 |
| Clickjackings in Google worth 12644.7$ |
Raushan Raj (@raushan_rajj) |
Google |
Clickjacking |
$12,644.7 |
03/06/2018 |
| Facebook Bug Bounty Reports |
Raushan Raj (@raushan_rajj) |
Facebook |
Authorization flaw, Logic flaw, Information disclosure |
$6,000 |
03/06/2018 |
| #BugBounty — How I could book cab using your wallet money in India’s largest auto transportation company! |
Avinash Jain (@logicbomb_1) |
- |
OTP bypass |
- |
03/05/2018 |
| How I found A Surprising XSS Vulnerability on Oracle NetSuite ? |
Circle Ninja |
Oracle |
XSS |
- |
03/02/2018 |
| The 2.5mins or 2.5k$ hawk-eye bug – A Facebook Pages Admins Disclosure Vulnerability! |
Mohamed A. Baset |
Facebook |
Information disclosure |
$2,500 |
02/25/2018 |
| Re-dressing Instagram – Leaking Application Tokens via Instagram ClickJacking Vulnerability! |
Mohamed A. Baset |
Facebook |
Clickjacking |
- |
02/25/2018 |
| How i Hacked into a bugcrowd. public program |
Vishnuraj KV |
- |
RCE |
- |
02/25/2018 |
| #BugBounty — API keys leakage, Source code disclosure in India’s largest e-commerce health care company. |
Avinash Jain (@logicbomb_1) |
- |
Path traversal |
- |
02/25/2018 |
| How I was able to delete any image in Facebook community question forum |
Sarmad Hassan (@JubaBaghdad) |
Facebook |
IDOR |
$1500 |
02/24/2018 |
| Bypassing Google’s authentication to access their Internal Admin panels |
Vishnu Prasad P G |
Google |
Authentication bypass |
$13,337 |
02/24/2018 |
| The Fuzz…The Bug..The Action – A Race Condition bug in Facebook Chat Groups leads to spy on conversations! |
Seif Elsallamy |
Facebook |
Race condition |
- |
02/23/2018 |
| Modifying any Ad Space and Placement |
Joshua Regio |
Facebook |
IDOR |
- |
02/22/2018 |
| POODLE SSLv3 bug on multiple twitter smtp servers |
@omespino |
Twitter |
Cryptographic issues |
$280 |
02/21/2018 |
| Google bugs stories and the shiny pixelbook. |
Missoum Said (@missoum1307) |
Google |
DOM XSS, Stored XSS, Logic flaw, Reflected XSS, CSRF |
$6,250 |
02/20/2018 |
| How I hacked Tinder accounts using Facebook’s Account Kit and earned $6,250 in bounties |
Anand Prakash (@sehacure) |
Tinder, Facebook |
Account takeover, Authorization flaw |
$6,250 |
02/20/2018 |
| Exploiting CORS Miss configuration using XSS |
Noman Shaikh |
- |
CORS misconfiguration |
- |
02/18/2018 |
| #BugBounty — Exploiting CRLF Injection can lands into a nice bounty |
Avinash Jain (@logicbomb_1) |
- |
CRLF injection |
$250 |
02/17/2018 |
| How I was able to remotely crash any android user’s instagram app and was paid a mere 500$ for it. |
Waleed Ahmed |
Facebook |
Android, DoS |
$500 |
02/15/2018 |
| #BugBounty — “How I was able to shop for free!”- Payment Price Manipulation |
Avinash Jain (@logicbomb_1) |
- |
Web parameter tampering / Price manipulation |
- |
02/11/2018 |
| Oracle Cross Site Scripting Vulnerability -Adesh Kolte |
Adesh Kolte (@AdeshKolte) |
Oracle |
Reflected XSS |
- |
02/10/2018 |
| Stored XSS on Snapchat |
Mrityunjoy |
Snapchat |
Stored XSS |
- |
02/09/2018 |
| I figured out a way to hack any of Facebook’s 2 billion accounts, and they paid me a $15,000 bounty for it |
Anand Prakash (@sehacure) |
Facebook |
Bruteforce, Account takeover |
$15,000 |
02/09/2018 |
| Taking over Facebook accounts using Free Basics partner portal |
Josip Franjkovic |
Facebook |
Information disclosure, IDOR |
- |
02/07/2018 |
| How I gained access to Sony’s database |
Rahul R |
Sony |
- |
$0 |
02/06/2018 |
| SQL injection with load file and into outfile |
NoGe |
- |
SQL injection |
$750 |
02/05/2018 |
| How I found IDOR on Twitter’s Acquisition – Mopub.com |
janijay007 |
Twitter |
IDOR |
- |
02/05/2018 |
| Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART-1) |
Mohammed Abdul Raheem |
- |
IDOR |
$3000 |
02/04/2018 |
| #BugBounty — ”I don’t need your current password to login into your account” - How could I completely takeover any user’s account in an online classified ads company. |
Avinash Jain (@logicbomb_1) |
- |
Authentication bypass |
- |
02/03/2018 |
| Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART 2) |
Mohammed Abdul Raheem |
- |
IDOR |
$3000 |
02/03/2018 |
| Internal IPs disclosure |
@omespino |
Nokia |
Internal IP disclosure |
- |
02/02/2018 |
| How I was able to Bypass XSS Protection on HackerOne’s Private Program |
janijay007 |
- |
XSS |
- |
02/02/2018 |
| Getting access to prompt debug dialog and serialized tool on main website facebook.com |
@omespino |
Facebook |
Debug info disclosure |
- |
01/31/2018 |
| How I was able to Download Any file from Web server! |
hammadhassan924 |
- |
XSS, IDOR |
$450 |
01/27/2018 |
| How I got 22000$ worth ethereum |
Shubham Gupta |
- |
Blind XSS |
~22,000 Ethereum |
01/26/2018 |
| JSON CSRF attack on a Social Networking Site[Hackerone Platform] |
Sahil Tikoo (@viperbluff) |
Badoo |
CSRF |
$280 |
01/26/2018 |
| Here’s how I could’ve ridden for free with Uber |
Anand Prakash (@sehacure) |
Uber |
Logic flaw |
$5,000 |
01/26/2018 |
| Full Account Takeover through CORS with connection Sockets |
Samuel (@saamux) |
- |
CORS misconfiguration, Account takeover |
- |
01/25/2018 |
| [Yahoo Bug Bounty] Unauthorized Access to Unisphere Management Server Debugging Facility on https://bf1-uaddbcx-002.data.bf1.yahoo.com/Debug/ |
Peerzada Fawaz Ahmad Qureshi (@zk34911) |
Yahoo |
Authorization flaw |
$300 |
01/25/2018 |
| No RCE? Then SSH to the box! |
Jasmin Laundry |
- |
LFI, Directory traversal, RCE |
- |
01/25/2018 |
| Reflected XSS + Possible Server Side Template Injection in HubSpot CMS ( All Websites Uses HubSpot was affected ) |
Mohamed Haron (@m7mdharon) |
Hubspot |
Reflected XSS |
- |
01/24/2018 |
| #BugBounty @ Linkedln-How I was able to bypass Open Redirection Protection |
Avinash Jain (@logicbomb_1) |
LinkedIn |
Open redirect |
- |
01/24/2018 |
| Asus Cross Site Scrpting And Directory Listing Vulnerability |
Adesh Kolte (@AdeshKolte) |
Asus |
Directory listing, XSS |
- |
01/23/2018 |
| File Disclosure via .DS_Store file (macOS) |
@omespino |
Facebook |
Directory listing |
- |
01/23/2018 |
| Internshala Bug in Internshala Student Partner |
Circle Ninja |
Internshala |
Bruteforce |
$0 |
01/20/2018 |
| Reflected File Download ( RFD ) in www.Google.com |
Mohamed Haron (@m7mdharon) |
Google |
Reflected File Download |
$0 |
01/18/2018 |
| $1800 in less than an hour. |
@yappare |
Indeed |
CSRF, XSS |
$1,800 |
01/17/2018 |
| Reflected XSS via AngularJS Template Injection |
Taha Ibrahim Draidia |
Hostinger |
Reflected XSS |
- |
01/17/2018 |
| #BugBounty — AWS S3 added to my “Bucket” list! |
Avinash Jain (@logicbomb_1) |
- |
AWS flaws |
- |
01/16/2018 |
| View the bug subscriptions for any Oculus User |
Philippe Harewood |
Facebook |
IDOR |
- |
01/15/2018 |
| Hacking Facebook accounts using CSRF in Oculus-Facebook integration |
Josip Franjkovic |
Facebook |
CSRF |
- |
01/15/2018 |
| #BugBounty — How I was able to delete anyone’s account in an Online Car Rental Company |
Avinash Jain (@logicbomb_1) |
- |
CSRF, Web parameter tampering |
- |
01/14/2018 |
| Google Tez XSS |
@Pethuraj |
Google |
XSS |
$3,133.7 |
01/13/2018 |
| #BugBounty — How I was able to read chat of users in an Online travel portal |
Avinash Jain (@logicbomb_1) |
- |
IDOR |
- |
01/10/2018 |
| RCE Vulnerabilite in Yahoo Subdomain! ( Yahoo! RCE via Spring Engine SSTI ) By tghawkins |
Mohamed Haron (@m7mdharon) |
Yahoo! |
RCE |
$8,000 |
01/05/2018 |
| Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART-1) |
Mohammed Abdul Raheem |
- |
IDOR |
$3,000 |
02/04/2018 |
| F**k you Thomas” - ToyTalk bug bounty writeup |
Jahmel Harris |
ToyTalk |
Authentication bypass, HTML injection |
- |
01/04/2018 |
| Abusing internal API to achieve IDOR in New Relic |
Jon Bottarini |
New Relic |
IDOR |
$1000 |
01/02/2018 |
