Bug Lists

Lists Of Bug Bounty Writeups

TITLEPROGRAMVULNERABILITYREWARDAUTHOR
All Secondary users account takeover leads to unauthorized money transfer from paypal business accountsPaypalIDOR$10,500Mohd. Haji
From Sub domain Takeover to Open-Redirect-Subdomain takeover$150Anil Tom
Complete information disclosure using Broken Access Control-IDOR, Authorization flaw$100Bhavesh Thakur
Access portal of Facebook mobile retailersFacebookIDOR, Authorization flaw$500Samm0uda
View orders and financial reports lists for any page shopFacebookAuthorization flaw$500Samm0uda
Old GitHub Profile TakeoverGithubAccount Takeover$1,000Moh. Haron
Facebook Oauth Account TakeoveriLotteRCE, XSS$150Zerb0a
Solr Injection by abusing Local ParametersZomatoSolr Injection$700Ronak Patel
XSS to RCE in …GithubRCE, XSS-Hungry Bytes
Reflected XSS in Ebay.comEbayReflected XSS$0, HoFSukhmeet Singh
XSS On Twitter [Worth 1120$]TwitterXSS$1,120Bywalks
Intersection between Clickjacking, XSS, and Denial of Service-Clickjacking, XSS, DoS$12,000Ashish Mathur
Microsoft Office 365 - Outlook XSSMicrosoftXSS-Al Qabandi
Сookie-based XSS exploitation-XSS$2,300Max
How Recon helped me to to find a Facebook domain takeoverFacebookSubdomain Takeover$500Sudanshu Raj
CSRF Email Confirmation Vulnerability for Gmail & G-Suite in FacebookFacebookCSRF$3,000Lokesh Kumar
The Bugs Are Out There, Hiding in Plain Sight-IDOR, SSRF, Information disclosure$9,000A Bug'z Life
Man In The Middle on SlackSlackMiTM$500Wiard Van Rij
Site-wide CSRF through GraphQL request TOKOPEDIATokopediaCSRF-Rafie Muhammad
How I Could Have Hacked Any Instagram AccountFacebookRace condition, Rate limiting bypass$30,000Laxman Muthiyah
Cracking my windshield and earning $10,000 on the TeslaTeslaBlind XSS$10,000Sam Curry
Page Admin Disclone (Facebook Android App)FacebookInformation Disclosure$500Yusuf Furkan
Command Execution on JenkinsJenkinsRCE$8,000Jay Jani
SQL Injection Bug Bounty POC!-SQL Injection€5,000Arif-ITSEC111
Tale of account takeover — Sensitive info Disclosure-IDOR, Account Takeover$2,650Sakyb
Page Admin DisclosureFacebookAuthorization flaw$1,000Ajay Gautam
Password Reset Vulnerability-Account Takeover$1,200Muh Asim Syahzad
Stored XSSIndeedStored XSS$1,500Tirtha Mandal
Download Protection BypassGoogleBrowser Flaw$1,000Night Wacth Cyber
Gain Adfly SMTP AccessAdflySSRF-Serboa
Account Takeover CSRF-CSRF$1,000Shub Rathore
$1800 worth Clickjacking-Clickjacking$1,800Osama Avvan
Page Admin Disclosure || Facebook Bug Bounty 2019FacebookAuthorization flaw$1,000Ajay Gautam
Full Account takeover (Insecure Direct Object Reference)-IDOR, Account takeover$1,200Muh Asim Shahzad
About a Sucuri RCE…and How Not to Handle Bug Bounty ReportsSucuriRCE$750Julien Ahrens
Facebook Vulnerability: Unremovable Co-Host in facebook group eventsFacebookLogic Flaw$500Ritish Kumar Singh
Reflected XSS in Tokopedia Train TicketTokopediaReflected XSS$212Jon Bottarini
Amazon S3 bucket misconfiguration?DropboxAWS Flaw$1,500Muh Asim Shahzad
Stealing Cookies to Login in any Account-Cookie Theft$900Osama Avvan
Fullscreen API Attack’s Revisited and the FaceBook NA StoryFacebookFullscreen API Attack-Circle Ninja
XSSing Google Employees - Blind XSS on googleplex.comGoogleBlind XSS-Thomas Orlita
Microsoft Edge Extensions Host Permission Bypass (CVE-2019-0678)MicrosoftBrowser BUG$15,000Nikhil Mittal
Bypassing CSP with policy injectionPaypalCSP Bypass$900Gareth Heyes
CSRF to Account Takeover worth $750-CSRF, Account Takeover$750Nishant Saurav
Disclose files content from Facebook internal CDNsFacebookWeak Encryption$12,500Samm0uda
Determine a Facebook user from an email addressFacebookInformation Disclosure$1,000Philippe Harewood
Local File Inclusion in peering.google.comGoogleLFI$3,133.7Jafar Abo Nada
LFI on Production Servers in “springboard.google.com”GoogleLFI$13,337Omespino
Stealing Downloads from Slack UsersSlackCSRF-David Wells
Bypassing Instagram’s stories restrictionFacebookLogic Flaw$500Baibhav Anand
Advanced CORS Exploitation Techniques-CORS Misconfiguration$1,500Ayoub
Stored XSS on Techprofile MicrosoftMicrosoftStored XSS-Moh Ali Syarief
BLIND SSRF in *.stripe.com due to Sentry MisconfigurationStripeBlind SSRF-Oktavandi
Tale of a Wormable Twitter XSSTwitterXSS$2,9400xSobky
Facebook’s URL spoofing vulnerabilityFacebookURL Spoofing$3,000Rahul Kankrale
Bug Hunting in JavaScript EnginesGoogleBuffer Overflow$7,500Dimitri Fourny
Getting access to Zendesk’s Google CloudZendeskInformation Disclosure$3,000Ruby Nealon
improper access control in Gitlab private projectGitLabAuthorization Flaw$2,000Ricardo Padovani
Gain access to revenue and traffic data of Shopify storesShopifyIDOR-Ayoub Fathi
3 XSS in ProtonMail for iOSAppleXSS$1,000Vladimir Metnew
Server tokens of all Uber developer applicationsUberInformation Disclosure$5,000Anand Prakash