| Story of a FaceBook Page Admin Disclosure bug worth $5000 | Facebook | Information disclosure | $5,000 | Shubham Bhamare |
| Expose the email address of Workplace users | Facebook | IDOR, Information disclosure | $5,000 | Samm0uda |
| XSS on forums.oculusvr.com leads to Oculus and Facebook account takeovers | Facebook | XSS, Account takeover | $30,000 | Samm0uda |
| Hijacking Google Docs Screenshots | Google | XSS, PostMessage flaw | - | Sreeram |
| Facebook page admin disclosure by “Create doc” button | Facebook | Information disclosure | $5,000 | Shubham Bhamare |
| Cookie Tossing to RCE on Google Cloud JupyterLab | Google | Self XSS, DoS, CSRF | $3,133 | S1r1u5 |
| View anyone’s private email and birthday on Instagram | Facebook | Logic flaw | $13,125 | Saugat |
| TikTok Careers Portal Account Takeover | TikTok | CSRF, Open redirect | $2,373 | Lauritz_ |
| $10000 Facebook SSRF | Facebook | SSRF | $10,000 | Amine Aboud |
| How I was able to bypass OTP code requirement in Razer | Razer | OTP Bypass | $1,000 | Ananda Dhakal |
| Disclosure the verified phone number in Checkpoint. | Facebook | Information disclosure | $500 | TienDat |
| How I made 1000$ with AT&T Bug Bounty(H1) | AT&T | CSRF, Account takeover | $1,000 | Adesh Kolte |
| Analysis of CVE-2019-14994 – Jira Service Desk Path Traversal leads to Massive Information Disclosure | Atlassian | Path traversal | $11,000 | Sam Curry |
| Spear texting via parameter injection | - | Parameter tampering | $900 | Kyle |
| Information Disclosure at PayPal and Xoom (PayPal Acquisition) via Simple Google Dork | Paypal | Information disclosure | $1,000 | Yoko Kho |
| Facebook Workplace Privilege Escalation Vulnerability To Change The Post Privacy As Public | Facebook | Privilege escalation | $500 | Guhan Raja |
| Client, not client! | - | LFI | $1,000 | Tung Pun |
| I Could Have Hacked All Uber Accounts- But I Chose to Report it Instead | Uber | Information disclosure | $6,500 | Anand Prakash |
| OTP Manipulation | - | OTP Bypass | $300 | Choudhary |
| How two dead accounts allowed remote crash of any instagram android user | Facebook | DoS | - | Valerio brussani |
| Exploiting File Uploads Pt. 2 – A Tale of a $3k worth RCE. | - | RCE, Unrestricted file upload | $3,000 | HackerOn2Wheels |
| How I could have hacked your Uber account | Uber | Account takeover, IDOR | $6,500 | Anand Prakash |
| How two dead users allowed remote crash of any instagram android user | Facebook | DoS | - | Valerio Brussani |
| How does my recon win $250 in 15 minutes | - | Open redirect | $250 | Hein Thant |
| Exploiting File Uploads Pt. 2 – A Tale of a $3k worth RCE | - | RCE, Unrestricted file upload | $3,000 | HackerOn2Wheels |
| Oculus identity verification bypass through brute-force | Facebook | OTP bypass, Lack of rate limiting | $750 | Dhiraj |
| Chaining Two 0-Days to Compromise An Uber Wordpress | Uber | Stored XSS, SQL injection | - | Julian Ahrens |
| Accessing 2 million Verizon Pay Monthly contracts | Verizon | Authentication bypass, IDOR | - | Daley Bee |
| Telegram addresses another privacy issue | Telegram | Logic flaw, Privacy issue | €2,500 | Dhiraj |
| DOM Based XSS in Private Program | - | DOM XSS | $500 | Moh. Haron |
| XSS in Zoho Mail | Zoho Mail | XSS | $200 | Anas Mahmood |
| Finding Gem in Someone’s Report: Instant $500USD | - | Information disclosure | $500 | Hisoka Morou |
| HTML to PDF converter bug leads to RCE in Facebook server | Facebook | RCE | $1,000 | samm0uda |
| Readme.com Account Takeover | Readme.com | Password reset flaw | $0 | Ankush Goel |
| My First LFI | - | Password reset flaw, Account takeover | $1,000 | Tirtha Mandal |
| How I Hacked Instagram Again | Facebook | Password reset flaw, Account takeover | $10,000 | Laxman Muthiyah |
| From Github Recon To Account Takeover | - | Information disclosure, Account takeover | - | Dipak Kumar |
| One Bug To Rule Them All: Modern Android Password Managers and FLAG_SECURE Misuse | 1Password, Keeper, Dashlane | Information disclosure, Content leak | - | Lorenzo Stella |
| Instagram account is reactivated without entering 2FA | Facebook | 2FA bypass, Authentication flaw | $500 | Aman Shahid |
| How I upgraded my privileges to the administrator | ok.ru | Privilege escalation | $500 | Sergey Kashatov |
| Removing profile pictures for any Facebook user | Facebook | IDOR | $2,500 | Philippe H |
| How I was able to earn 1000$ with just 10 minutes | - | Password reset flaw | $1,000 | Ninad Mathpati |
| Clickjacking DOM XSS on Google.org | Google | Clickjacking, DOM XSS | - | ThomasOrlita |
| Application Level Denial of Service [DoS] using SVG file | - | DoS | $300 | Evan Ricafort |
| Writing my Medium blog to complete account takeover | Medium | Stored XSS, Account takeover | $1,000 | Rotem Reiss |
| Vulnerability in Hangouts Chat: from open redirect to code execution | Google | Open redirect, RCE | $7,500 | VulnerabilityLabs |
| All Secondary users account takeover leads to unauthorized money transfer from paypal business accounts | Paypal | IDOR | $10,500 | Mohd. Haji |
| From Sub domain Takeover to Open-Redirect | - | Subdomain takeover | $150 | Anil Tom |
| Complete information disclosure using Broken Access Control | - | IDOR, Authorization flaw | $100 | Bhavesh Thakur |
| Access portal of Facebook mobile retailers | Facebook | IDOR, Authorization flaw | $500 | Samm0uda |
| View orders and financial reports lists for any page shop | Facebook | Authorization flaw | $500 | Samm0uda |
| Old GitHub Profile Takeover | Github | Account Takeover | $1,000 | Moh. Haron |
| Facebook Oauth Account Takeover | iLotte | RCE, XSS | $150 | Zerb0a |
| Solr Injection by abusing Local Parameters | Zomato | Solr Injection | $700 | Ronak Patel |
| XSS to RCE in … | Github | RCE, XSS | - | Hungry Bytes |
| Reflected XSS in Ebay.com | Ebay | Reflected XSS | $0, HoF | Sukhmeet Singh |
| XSS On Twitter [Worth 1120$] | Twitter | XSS | $1,120 | Bywalks |
| Intersection between Clickjacking, XSS, and Denial of Service | - | Clickjacking, XSS, DoS | $12,000 | Ashish Mathur |
| Microsoft Office 365 - Outlook XSS | Microsoft | XSS | - | Al Qabandi |
| Сookie-based XSS exploitation | - | XSS | $2,300 | Max |
| How Recon helped me to to find a Facebook domain takeover | Facebook | Subdomain Takeover | $500 | Sudanshu Raj |
| CSRF Email Confirmation Vulnerability for Gmail & G-Suite in Facebook | Facebook | CSRF | $3,000 | Lokesh Kumar |
| The Bugs Are Out There, Hiding in Plain Sight | - | IDOR, SSRF, Information disclosure | $9,000 | A Bug'z Life |
| Man In The Middle on Slack | Slack | MiTM | $500 | Wiard Van Rij |
| Site-wide CSRF through GraphQL request TOKOPEDIA | Tokopedia | CSRF | - | Rafie Muhammad |
| How I Could Have Hacked Any Instagram Account | Facebook | Race condition, Rate limiting bypass | $30,000 | Laxman Muthiyah |
| Cracking my windshield and earning $10,000 on the Tesla | Tesla | Blind XSS | $10,000 | Sam Curry |
| Page Admin Disclone (Facebook Android App) | Facebook | Information Disclosure | $500 | Yusuf Furkan |
| Command Execution on Jenkins | Jenkins | RCE | $8,000 | Jay Jani |
| SQL Injection Bug Bounty POC! | - | SQL Injection | €5,000 | Arif-ITSEC111 |
| Tale of account takeover — Sensitive info Disclosure | - | IDOR, Account Takeover | $2,650 | Sakyb |
| Page Admin Disclosure | Facebook | Authorization flaw | $1,000 | Ajay Gautam |
| Password Reset Vulnerability | - | Account Takeover | $1,200 | Muh Asim Syahzad |
| Stored XSS | Indeed | Stored XSS | $1,500 | Tirtha Mandal |
| Download Protection Bypass | Google | Browser Flaw | $1,000 | Night Wacth Cyber |
| Gain Adfly SMTP Access | Adfly | SSRF | - | Serboa |
| Account Takeover CSRF | - | CSRF | $1,000 | Shub Rathore |
| $1800 worth Clickjacking | - | Clickjacking | $1,800 | Osama Avvan |
| Page Admin Disclosure || Facebook Bug Bounty 2019 | Facebook | Authorization flaw | $1,000 | Ajay Gautam |
| Full Account takeover (Insecure Direct Object Reference) | - | IDOR, Account takeover | $1,200 | Muh Asim Shahzad |
| About a Sucuri RCE…and How Not to Handle Bug Bounty Reports | Sucuri | RCE | $750 | Julien Ahrens |
| Facebook Vulnerability: Unremovable Co-Host in facebook group events | Facebook | Logic Flaw | $500 | Ritish Kumar Singh |
| Reflected XSS in Tokopedia Train Ticket | Tokopedia | Reflected XSS | $212 | Jon Bottarini |
| Amazon S3 bucket misconfiguration? | Dropbox | AWS Flaw | $1,500 | Muh Asim Shahzad |
| Stealing Cookies to Login in any Account | - | Cookie Theft | $900 | Osama Avvan |
| Fullscreen API Attack’s Revisited and the FaceBook NA Story | Facebook | Fullscreen API Attack | - | Circle Ninja |
| XSSing Google Employees - Blind XSS on googleplex.com | Google | Blind XSS | - | Thomas Orlita |
| Microsoft Edge Extensions Host Permission Bypass (CVE-2019-0678) | Microsoft | Browser BUG | $15,000 | Nikhil Mittal |
| Bypassing CSP with policy injection | Paypal | CSP Bypass | $900 | Gareth Heyes |
| CSRF to Account Takeover worth $750 | - | CSRF, Account Takeover | $750 | Nishant Saurav |
| Disclose files content from Facebook internal CDNs | Facebook | Weak Encryption | $12,500 | Samm0uda |
| Determine a Facebook user from an email address | Facebook | Information Disclosure | $1,000 | Philippe Harewood |
| Local File Inclusion in peering.google.com | Google | LFI | $3,133.7 | Jafar Abo Nada |
| LFI on Production Servers in “springboard.google.com” | Google | LFI | $13,337 | Omespino |
| Stealing Downloads from Slack Users | Slack | CSRF | - | David Wells |
| Bypassing Instagram’s stories restriction | Facebook | Logic Flaw | $500 | Baibhav Anand |
| Advanced CORS Exploitation Techniques | - | CORS Misconfiguration | $1,500 | Ayoub |
| Stored XSS on Techprofile Microsoft | Microsoft | Stored XSS | - | Moh Ali Syarief |
| BLIND SSRF in *.stripe.com due to Sentry Misconfiguration | Stripe | Blind SSRF | - | Oktavandi |
| Tale of a Wormable Twitter XSS | Twitter | XSS | $2,940 | 0xSobky |
| Facebook’s URL spoofing vulnerability | Facebook | URL Spoofing | $3,000 | Rahul Kankrale |
| Bug Hunting in JavaScript Engines | Google | Buffer Overflow | $7,500 | Dimitri Fourny |
| Getting access to Zendesk’s Google Cloud | Zendesk | Information Disclosure | $3,000 | Ruby Nealon |
| improper access control in Gitlab private project | GitLab | Authorization Flaw | $2,000 | Ricardo Padovani |
| Gain access to revenue and traffic data of Shopify stores | Shopify | IDOR | - | Ayoub Fathi |
| 3 XSS in ProtonMail for iOS | Apple | XSS | $1,000 | Vladimir Metnew |
| Server tokens of all Uber developer applications | Uber | Information Disclosure | $5,000 | Anand Prakash |
