| # | Title | Bugs | Programs | Authors | Type | Publication date | Added date |
|---|---|---|---|---|---|---|---|
| 750 | Novel Pipeline Vulnerability Discovered; Rust Found Vulnerable | Supply chain attack | GitHub, Rust | Noam Dotan | Bug Bounty | 2022-12-01 | 2023-06-13 |
| 743 | [WRITE-UP] Irremovable comments on the FB Lite app \| A story of a simple FB Lite bug that I found just by observation (Bounty: 500 USD) | Logic flaw | Meta / Facebook | Shubham Bhamare (@theshubh77) | Bug Bounty | 2022-12-02 | 2023-06-13 |
| 679 | How I was able to steal users credentials via Swagger UI DOM-XSS | DOM XSS, Old components with known vulnerabilities | NA | Mohamed Reda (@M0x0101) | Bug Bounty | 2022-12-18 | 2023-06-13 |
| 655 | CRLF Injection — xxx$ — How was it possible for me to earn a bounty with the Cloudflare WAF? | CRLF injection | NA | Proviesec (@proviesec) | Bug Bounty | 2022-12-24 | 2023-06-13 |
| 574 | How I identified and reported vulnerabilities in Oracle and the rewards of responsible disclosure: From Backup Leak to Hall of Fame | Information disclosure | Oracle | ParagBagul | Bug Bounty | 2023-01-18 | 2023-06-13 |
| 555 | How i was able to get critical bug on google by get full access on [Google Cloud BI Hackathon] | Information disclosure | Google | Orwa Atyat (@GodfatherOrwa) | Bug Bounty | 2023-01-22 | 2023-06-13 |
| 527 | How I was able to find 4 Cross-site scripting (XSS) on vulnerability disclosure program ? | XSS | NA | DrakenKun | Bug Bounty | 2023-01-29 | 2023-06-13 |
| 521 | Unserializable, But Unreachable: Remote Code Execution On vBulletin | RCE, Insecure deserialization, Security code review | vBulletin | Charles Fol (@cfreal_) | Bug Bounty | 2023-01-31 | 2023-06-13 |
| 509 | Exploits Explained: Java JMX’s Exploitation Problems and Resolutions | RCE | NA | Nicolas Krassas (@Dinosn) | Bug Bounty | 2023-02-02 | 2023-06-13 |
| 496 | I was able to see likes count even though it was hidden by the victim \| YouTube App 16.15.35 | Logic flaw | Google (Youtube) | R ando (@Rando02355205) | Bug Bounty | 2023-02-05 | 2023-06-13 |
| 494 | How we made $120k bug bounty in a year with good automation | XSS, Security misconfiguration, Log4shell, Debug mode enabled | NA | Dawid Moczadło (@kannthu1) | Bug Bounty | 2023-02-06 | 2023-06-13 |
| 477 | Exploits Explained: Default Credentials Still a Problem Today | Default credentials | NA | Popeax | Bug Bounty | 2023-02-09 | 2023-06-13 |
| 421 | Multiple vulnerabilities in Dell Unisphere for PowerMax vApp, VASA Provider vApp and Solutions Enabler vApp CVE-2022-45103 / CVE-2022-45104 | Parameter injection, Arbitrary file read, RCE | Dell | Antoine Carrincazeaux | Bug Bounty | 2023-02-21 | 2023-06-13 |
| 386 | Grand Theft Auto - A peek of BLE relay attack | Bluetooth, BLE, Car hacking | NA | @Kevin2600 | Bug Bounty | 2023-02-27 | 2023-06-13 |
| 358 | Web Cache Poisoning - Capability to disable/deface the app.██████████.com (A tale of poisoning through the layers of caching) | Web cache poisoning | NA | Ankit Singh (@AnkitCuriosity) | Bug Bounty | 2023-03-03 | 2023-06-13 |
| 351 | Microsoft Word RTF Font Table Heap Corruption | Memory corruption | Microsoft (Office) | Joshua J. Drake (@jduck) | Bug Bounty | 2023-03-05 | 2023-06-13 |
| 347 | Exposing Users Table From a Leaky GraphQL Query | GraphQL, Authorization flaw, Broken Access Control | NA | Inderjeet Singh - encodedguy (@3nc0d3dGuY) | Bug Bounty | 2023-03-06 | 2023-06-13 |
| 314 | The story of how I was able to chain SSRF with Command Injection Vulnerability | SSRF, OS command injection, RCE | NA | Raj Qureshi (@RajQureshi9) | Bug Bounty | 2023-03-12 | 2023-06-13 |
| 215 | How I was able to change password of any corporate user | Account takeover, Password reset, Authentication bypass | NA | CH3TAN | Bug Bounty | 2023-04-09 | 2023-06-13 |
| 200 | TOPdesk vulnerable to XML Signature Wrapping Attacks | XML Signature Wrapping, SAML, SSO | TOPdesk | Paulo A. Silva (@pauloasilva_com) | Bug Bounty | 2023-04-12 | 2023-06-13 |
| 196 | From Django Debug Mode to PII Data Leak of more than 500+ Employees due Broken Access Control and IDOR | Debug mode enabled, IDOR, Information disclosure, JWT, Broken Access Control, Exposed registration page | NA | Aayush Vishnoi (@AayushVishnoi10) | Bug Bounty | 2023-04-14 | 2023-06-13 |
| 194 | From payload to 300$ bounty: A story of CRLF injection and responsible disclosure on HackerOne | CRLF injection | NA | Karthikeyan.V (@karthithehacker) | Bug Bounty | 2023-04-16 | 2023-06-13 |
| 188 | [Responsible Disclosure] How we could have deleted any Linkedin post | IDOR | LinkedIn | Anand Prakash (@anandpraka_sh) | Bug Bounty | 2023-04-18 | 2023-06-13 |
| 171 | GhostToken – Exploiting GCP application infrastructure to create invisible, unremovable trojan app on Google accounts | Cloud, OAuth, Authorization bypass | Google (GCP) | Astrix Security (@AstrixSecurity) | Bug Bounty | 2023-04-20 | 2023-06-13 |
| 139 | Azure Devops CICD Pipelines - Command Injection With Parameters, Variables And A Discussion On Runner Hijacking | CI/CD, OS command injection, RCE | Microsoft (Azure DevOps Pipelines) | Sana Oshika (@bigshika) | Bug Bounty | 2023-05-01 | 2023-06-13 |