Story of a FaceBook Page Admin Disclosure bug worth $5000 | Facebook | Information disclosure | $5,000 | Shubham Bhamare |
Expose the email address of Workplace users | Facebook | IDOR, Information disclosure | $5,000 | Samm0uda |
XSS on forums.oculusvr.com leads to Oculus and Facebook account takeovers | Facebook | XSS, Account takeover | $30,000 | Samm0uda |
Hijacking Google Docs Screenshots | Google | XSS, PostMessage flaw | - | Sreeram |
Facebook page admin disclosure by “Create doc” button | Facebook | Information disclosure | $5,000 | Shubham Bhamare |
Cookie Tossing to RCE on Google Cloud JupyterLab | Google | Self XSS, DoS, CSRF | $3,133 | S1r1u5 |
View anyone’s private email and birthday on Instagram | Facebook | Logic flaw | $13,125 | Saugat |
TikTok Careers Portal Account Takeover | TikTok | CSRF, Open redirect | $2,373 | Lauritz_ |
$10000 Facebook SSRF | Facebook | SSRF | $10,000 | Amine Aboud |
How I was able to bypass OTP code requirement in Razer | Razer | OTP Bypass | $1,000 | Ananda Dhakal |
Disclosure the verified phone number in Checkpoint. | Facebook | Information disclosure | $500 | TienDat |
How I made 1000$ with AT&T Bug Bounty(H1) | AT&T | CSRF, Account takeover | $1,000 | Adesh Kolte |
Analysis of CVE-2019-14994 – Jira Service Desk Path Traversal leads to Massive Information Disclosure | Atlassian | Path traversal | $11,000 | Sam Curry |
Spear texting via parameter injection | - | Parameter tampering | $900 | Kyle |
Information Disclosure at PayPal and Xoom (PayPal Acquisition) via Simple Google Dork | Paypal | Information disclosure | $1,000 | Yoko Kho |
Facebook Workplace Privilege Escalation Vulnerability To Change The Post Privacy As Public | Facebook | Privilege escalation | $500 | Guhan Raja |
Client, not client! | - | LFI | $1,000 | Tung Pun |
I Could Have Hacked All Uber Accounts- But I Chose to Report it Instead | Uber | Information disclosure | $6,500 | Anand Prakash |
OTP Manipulation | - | OTP Bypass | $300 | Choudhary |
How two dead accounts allowed remote crash of any instagram android user | Facebook | DoS | - | Valerio Brussani |
Exploiting File Uploads Pt. 2 – A Tale of a $3k worth RCE. | - | RCE, Unrestricted file upload | $3,000 | HackerOn2Wheels |
How I could have hacked your Uber account | Uber | Account takeover, IDOR | $6,500 | Anand Prakash |
How does my recon win $250 in 15 minutes | - | Open redirect | $250 | Hein Thant |
Oculus identity verification bypass through brute-force | Facebook | OTP bypass, Lack of rate limiting | $750 | Dhiraj |
Chaining Two 0-Days to Compromise An Uber Wordpress | Uber | Stored XSS, SQL injection | - | Julien Ahrens |
Accessing 2 million Verizon Pay Monthly contracts | Verizon | Authentication bypass, IDOR | - | Daley Bee |
Telegram addresses another privacy issue | Telegram | Logic flaw, Privacy issue | €2,500 | Dhiraj |
DOM Based XSS in Private Program | - | DOM XSS | $500 | Moh. Haron |
XSS in Zoho Mail | Zoho Mail | XSS | $200 | Anas Mahmood |
Finding Gem in Someone’s Report: Instant $500USD | - | Information disclosure | $500 | Hisoka Morou |
HTML to PDF converter bug leads to RCE in Facebook server | Facebook | RCE | $1,000 | Samm0uda |
Readme.com Account Takeover | Readme.com | Password reset flaw | $0 | Ankush Goel |
My First LFI | - | Password reset flaw, Account takeover | $1,000 | Tirtha Mandal |
How I Hacked Instagram Again | Facebook | Password reset flaw, Account takeover | $10,000 | Laxman Muthiyah |
From Github Recon To Account Takeover | - | Information disclosure, Account takeover | - | Dipak Kumar |
One Bug To Rule Them All: Modern Android Password Managers and FLAG_SECURE Misuse | 1Password, Keeper, Dashlane | Information disclosure, Content leak | - | Lorenzo Stella |
Instagram account is reactivated without entering 2FA | Facebook | 2FA bypass, Authentication flaw | $500 | Aman Shahid |
How I upgraded my privileges to the administrator | ok.ru | Privilege escalation | $500 | Sergey Kashatov |
Removing profile pictures for any Facebook user | Facebook | IDOR | $2,500 | Philippe H |
How I was able to earn 1000$ with just 10 minutes | - | Password reset flaw | $1,000 | Ninad Mathpati |
Clickjacking DOM XSS on Google.org | Google | Clickjacking, DOM XSS | - | ThomasOrlita |
Application Level Denial of Service [DoS] using SVG file | - | DoS | $300 | Evan Ricafort |
Writing my Medium blog to complete account takeover | Medium | Stored XSS, Account takeover | $1,000 | Rotem Reiss |
Vulnerability in Hangouts Chat: from open redirect to code execution | Google | Open redirect, RCE | $7,500 | VulnerabilityLabs |
All Secondary users account takeover leads to unauthorized money transfer from paypal business accounts | Paypal | IDOR | $10,500 | Mohd. Haji |
From Sub domain Takeover to Open-Redirect | - | Subdomain takeover | $150 | Anil Tom |
Complete information disclosure using Broken Access Control | - | IDOR, Authorization flaw | $100 | Bhavesh Thakur |
Access portal of Facebook mobile retailers | Facebook | IDOR, Authorization flaw | $500 | Samm0uda |
View orders and financial reports lists for any page shop | Facebook | Authorization flaw | $500 | Samm0uda |
Old GitHub Profile Takeover | Github | Account Takeover | $1,000 | Moh. Haron |
Facebook Oauth Account Takeover | iLotte | RCE, XSS | $150 | Zerb0a |
Solr Injection by abusing Local Parameters | Zomato | Solr Injection | $700 | Ronak Patel |
XSS to RCE in … | Github | RCE, XSS | - | Hungry Bytes |
Reflected XSS in Ebay.com | Ebay | Reflected XSS | $0, HoF | Sukhmeet Singh |
XSS On Twitter [Worth 1120$] | Twitter | XSS | $1,120 | Bywalks |
Intersection between Clickjacking, XSS, and Denial of Service | - | Clickjacking, XSS, DoS | $12,000 | Ashish Mathur |
Microsoft Office 365 - Outlook XSS | Microsoft | XSS | - | Al Qabandi |
Cookie-based XSS exploitation | - | XSS | $2,300 | Max |
How Recon helped me to find a Facebook domain takeover | Facebook | Subdomain Takeover | $500 | Sudanshu Raj |
CSRF Email Confirmation Vulnerability for Gmail & G-Suite in Facebook | Facebook | CSRF | $3,000 | Lokesh Kumar |
The Bugs Are Out There, Hiding in Plain Sight | - | IDOR, SSRF, Information disclosure | $9,000 | A Bug'z Life |
Man In The Middle on Slack | Slack | MiTM | $500 | Wiard Van Rij |
Site-wide CSRF through GraphQL request TOKOPEDIA | Tokopedia | CSRF | - | Rafie Muhammad |
How I Could Have Hacked Any Instagram Account | Facebook | Race condition, Rate limiting bypass | $30,000 | Laxman Muthiyah |
Cracking my windshield and earning $10,000 on the Tesla | Tesla | Blind XSS | $10,000 | Sam Curry |
Page Admin Disclosure (Facebook Android App) | Facebook | Information Disclosure | $500 | Yusuf Furkan |
Command Execution on Jenkins | Jenkins | RCE | $8,000 | Jay Jani |
SQL Injection Bug Bounty POC! | - | SQL Injection | €5,000 | Arif-ITSEC111 |
Tale of account takeover — Sensitive info Disclosure | - | IDOR, Account Takeover | $2,650 | Sakyb |
Page Admin Disclosure | Facebook | Authorization flaw | $1,000 | Ajay Gautam |
Password Reset Vulnerability | - | Account Takeover | $1,200 | Muh Asim Shahzad |
Stored XSS | Indeed | Stored XSS | $1,500 | Tirtha Mandal |
Download Protection Bypass | Google | Browser Flaw | $1,000 | Night Watch Cyber |
Gain Adfly SMTP Access | Adfly | SSRF | - | Serboa |
Account Takeover CSRF | - | CSRF | $1,000 | Shub Rathore |
$1800 worth Clickjacking | - | Clickjacking | $1,800 | Osama Avvan |
Page Admin Disclosure || Facebook Bug Bounty 2019 | Facebook | Authorization flaw | $1,000 | Ajay Gautam |
Full Account takeover (Insecure Direct Object Reference) | - | IDOR, Account takeover | $1,200 | Muh Asim Shahzad |
About a Sucuri RCE…and How Not to Handle Bug Bounty Reports | Sucuri | RCE | $750 | Julien Ahrens |
Facebook Vulnerability: Unremovable Co-Host in facebook group events | Facebook | Logic Flaw | $500 | Ritish Kumar Singh |
Reflected XSS in Tokopedia Train Ticket | Tokopedia | Reflected XSS | $212 | Jon Bottarini |
Amazon S3 bucket misconfiguration? | Dropbox | AWS Flaw | $1,500 | Muh Asim Shahzad |
Stealing Cookies to Login in any Account | - | Cookie Theft | $900 | Osama Avvan |
Fullscreen API Attack’s Revisited and the FaceBook NA Story | Facebook | Fullscreen API Attack | - | Circle Ninja |
XSSing Google Employees - Blind XSS on googleplex.com | Google | Blind XSS | - | Thomas Orlita |
Microsoft Edge Extensions Host Permission Bypass (CVE-2019-0678) | Microsoft | Browser BUG | $15,000 | Nikhil Mittal |
Bypassing CSP with policy injection | Paypal | CSP Bypass | $900 | Gareth Heyes |
CSRF to Account Takeover worth $750 | - | CSRF, Account Takeover | $750 | Nishant Saurav |
Disclose files content from Facebook internal CDNs | Facebook | Weak Encryption | $12,500 | Samm0uda |
Determine a Facebook user from an email address | Facebook | Information Disclosure | $1,000 | Philippe Harewood |
Local File Inclusion in peering.google.com | Google | LFI | $3,133.7 | Jafar Abo Nada |
LFI on Production Servers in “springboard.google.com” | Google | LFI | $13,337 | Omespino |
Stealing Downloads from Slack Users | Slack | CSRF | - | David Wells |
Bypassing Instagram’s stories restriction | Facebook | Logic Flaw | $500 | Baibhav Anand |
Advanced CORS Exploitation Techniques | - | CORS Misconfiguration | $1,500 | Ayoub |
Stored XSS on Techprofile Microsoft | Microsoft | Stored XSS | - | Moh Ali Syarief |
BLIND SSRF in *.stripe.com due to Sentry Misconfiguration | Stripe | Blind SSRF | - | Oktavandi |
Tale of a Wormable Twitter XSS | Twitter | XSS | $2,940 | 0xSobky |
Facebook’s URL spoofing vulnerability | Facebook | URL Spoofing | $3,000 | Rahul Kankrale |
Bug Hunting in JavaScript Engines | Google | Buffer Overflow | $7,500 | Dimitri Fourny |
Getting access to Zendesk’s Google Cloud | Zendesk | Information Disclosure | $3,000 | Ruby Nealon |
improper access control in Gitlab private project | GitLab | Authorization Flaw | $2,000 | Ricardo Padovani |
Gain access to revenue and traffic data of Shopify stores | Shopify | IDOR | - | Ayoub Fathi |
3 XSS in ProtonMail for iOS | Apple | XSS | $1,000 | Vladimir Metnew |
Server tokens of all Uber developer applications | Uber | Information Disclosure | $5,000 | Anand Prakash |