TOPGRATIPAY.md


Top reports from Gratipay program at HackerOne:

  1. Saying goodbye to HackerOne and Gratipay. to Gratipay - 91 upvotes, $0
  2. Reflected XSS - gratipay.com to Gratipay - 35 upvotes, $0
  3. Sub Domain Takeover to Gratipay - 16 upvotes, $0
  4. SQL TEST to Gratipay - 14 upvotes, $0
  5. Application-level DoS on image's "size" parameter. to Gratipay - 14 upvotes, $0
  6. configure a redirect URI for Facebook OAuth to Gratipay - 13 upvotes, $10
  7. fix bug in username restriction to Gratipay - 13 upvotes, $10
  8. User Supplied links on profile page is not validated and redirected via gratipay. to Gratipay - 12 upvotes, $0
  9. don't leak Server version for assets.gratipay.com to Gratipay - 11 upvotes, $0
  10. change bank account numbers to Gratipay - 11 upvotes, $0
  11. i am The bug to Gratipay - 11 upvotes, $0
  12. Limit email address length to Gratipay - 10 upvotes, $1
  13. HTTP trace method is enabled on aspen.io to Gratipay - 10 upvotes, $0
  14. Content length restriction bypass can lead to DOS by reading large files on gip.rocks to Gratipay - 10 upvotes, $0
  15. Gratipay rails secret token (secret_key_base) publicly exposed in GitHub to Gratipay - 9 upvotes, $0
  16. upgrade Aspen on inside.gratipay.com to pick up CR injection fix to Gratipay - 8 upvotes, $40
  17. CSV injection in gratipay.com via payment history export feature. to Gratipay - 8 upvotes, $0
  18. Stored XSS On Statement to Gratipay - 7 upvotes, $40
  19. Sub Domain Take over to Gratipay - 7 upvotes, $15
  20. protect against tabnabbing in statement to Gratipay - 7 upvotes, $10
  21. Avoid "resend verification email" confusion to Gratipay - 6 upvotes, $1
  22. Inadequate/dangerous jQuery behavior to Gratipay - 6 upvotes, $1
  23. Host Header Injection/Redirection Attack to Gratipay - 6 upvotes, $0
  24. Transferring incorrect data to the http://gip.rocks/v1 endpoint with correct Content-Type leads to local paths disclosure through the error message to Gratipay - 6 upvotes, $0
  25. Reflected SQL Execution to Gratipay - 6 upvotes, $0
  26. Email Forgery through Mandrillapp SPF to Gratipay - 5 upvotes, $10
  27. Prevent content spoofing on /~username/emails/verify.html to Gratipay - 5 upvotes, $10
  28. suppress version in Server header on gratipay.com or grtp.co to Gratipay - 5 upvotes, $1
  29. Cross Site Scripting In Profile Statement to Gratipay - 5 upvotes, $0
  30. Gratipay uses the random module's cryptographically insecure PRNG. to Gratipay - 5 upvotes, $0
  31. Username can be used to trick the victim on the name of www.gratipay.com to Gratipay - 5 upvotes, $0
  32. Content-Length restriction bypass to heap overflow in gip.rocks. to Gratipay - 5 upvotes, $0
  33. HTTP trace method is enabled on gip.rocks to Gratipay - 5 upvotes, $0
  34. Harden resend throttling to Gratipay - 5 upvotes, $0
  35. clickjacking on https://gratipay.com/on/npm/[text] to Gratipay - 5 upvotes, $0
  36. limit HTTP methods on other domains to Gratipay - 4 upvotes, $1
  37. Content Spoofing/Text Injection to Gratipay - 4 upvotes, $1
  38. Incomplete or No Cache-control and Pragma HTTP Header Set to Gratipay - 4 upvotes, $1
  39. prevent null bytes in email field to Gratipay - 4 upvotes, $0
  40. don't allow directory browsing on grtp.co to Gratipay - 4 upvotes, $0
  41. Secure Pages Include Mixed Content to Gratipay - 4 upvotes, $0
  42. Session Fixation At Logout /Session Misconfiguration to Gratipay - 4 upvotes, $0
  43. CSP Policy Bypass and javascript execution to Gratipay - 4 upvotes, $0
  44. [gratipay.com] CRLF Injection to Gratipay - 3 upvotes, $40
  45. No Valid SPF Records. to Gratipay - 3 upvotes, $10
  46. Send email asynchronously to Gratipay - 3 upvotes, $10
  47. HTTP trace method is enabled to Gratipay - 3 upvotes, $5
  48. SPF/DKIM/DMARC for aspen.io to Gratipay - 3 upvotes, $2
  49. The POODLE attack (SSLv3 supported) for https://grtp.co/ to Gratipay - 3 upvotes, $1
  50. Hijacking user session by forcing the use of invalid HTTPs Certificate on images.gratipay.com to Gratipay - 3 upvotes, $1
  51. strengthen Diffie-Hellman (DH) key exchange parameters in grtp.co to Gratipay - 3 upvotes, $1
  52. stop serving grtp.co over HTTP to Gratipay - 3 upvotes, $1
  53. auto-logout after 20 minutes to Gratipay - 3 upvotes, $1
  54. The contribution save option seem to be vulnerable to CSRF to Gratipay - 3 upvotes, $0
  55. Reset Link Issue to Gratipay - 3 upvotes, $0
  56. Cookie HttpOnly Flag Not Set to Gratipay - 3 upvotes, $0
  57. Certificate signed using SHA-1 to Gratipay - 3 upvotes, $0
  58. Username Restriction is not applied for reserved folders to Gratipay - 3 upvotes, $0
  59. nginx version disclosure on downloads.gratipay.com to Gratipay - 3 upvotes, $0
  60. This is a test report to Gratipay - 3 upvotes, $0
  61. Show hide privacy giving receiving on my website to Gratipay - 3 upvotes, $0
  62. don't serve hidden files from Nginx to Gratipay - 2 upvotes, $1
  63. limit number of images in statement to Gratipay - 2 upvotes, $1
  64. Vulnerable to clickjacking to Gratipay - 2 upvotes, $0
  65. don't store CSRF tokens in cookies to Gratipay - 2 upvotes, $0
  66. XSS Via Method injection to Gratipay - 2 upvotes, $0
  67. CSRF csrftoken in cookies to Gratipay - 2 upvotes, $0
  68. Content type incorrectly stated to Gratipay - 2 upvotes, $0
  69. URL Given leading to end users ending up in malicious sites to Gratipay - 2 upvotes, $0
  70. CSP "script-src" includes "unsafe-inline" in https://gratipay.com to Gratipay - 2 upvotes, $0
  71. don't leak Server version for assets.gratipay.com to Gratipay - 2 upvotes, $0
  72. [gratipay.com] Cross Site Tracing to Gratipay - 2 upvotes, $0
  73. xss to Gratipay - 2 upvotes, $0
  74. Information Disclosure on inside.gratipay.com to Gratipay - 2 upvotes, $0
  75. Bypassing X-frame options to Gratipay - 2 upvotes, $0
  76. Mail spaming to Gratipay - 1 upvotes, $20
  77. DMARC is misconfigured for grtp.co to Gratipay - 1 upvotes, $10
  78. prevent content spoofing on /search to Gratipay - 1 upvotes, $10
  79. prevent content spoofing on /~username/emails/verify.html to Gratipay - 1 upvotes, $10
  80. SPF DNS Record to Gratipay - 1 upvotes, $5
  81. SPF/DKIM/DMARC for grtp.co to Gratipay - 1 upvotes, $2
  82. Cookie Does Not Contain The "secure" Attribute to Gratipay - 1 upvotes, $1
  83. Possible SQL injection on "Jump to twitter" to Gratipay - 1 upvotes, $1
  84. don't leak server version of grtp.co in error pages to Gratipay - 1 upvotes, $1
  85. bring grtp.co up to A grade on SSLLabs to Gratipay - 1 upvotes, $1
  86. weak ssl cipher suites to Gratipay - 1 upvotes, $0
  87. grtp.co is vulnerable to http-vuln-cve2011-3192 to Gratipay - 1 upvotes, $0
  88. An adversary can harvest email address for spamming. to Gratipay - 1 upvotes, $0
  89. Getting Error Message and in use python version 2.7 is exposed. to Gratipay - 1 upvotes, $0
  90. text injection in website title to Gratipay - 1 upvotes, $0
  91. don't expose path of Python to Gratipay - 1 upvotes, $0
  92. implement a cross-domain policy for Adobe products to Gratipay - 1 upvotes, $0
  93. Username .. (double dot) should be restricted or handled carefully to Gratipay - 1 upvotes, $0
  94. Cookie:HttpOnly Flag not set to Gratipay - 1 upvotes, $0
  95. csrf_token cookie don't have the flag "HttpOnly" to Gratipay - 1 upvotes, $0
  96. User Enumeration to Gratipay - 1 upvotes, $0
  97. POODLE SSLv3.0 to Gratipay - 1 upvotes, $0
  98. Unauthorized access to the slack channel via inside.gratipay.com/appendices/chat to Gratipay - 1 upvotes, $0
  99. Gratipay Website CSP "script-scr" includes "unsafe-inline" to Gratipay - 1 upvotes, $0
  100. X-Content-Type Header Missing For aspen.io to Gratipay - 1 upvotes, $0
  101. Email Spoofing to Gratipay - 1 upvotes, $0
  102. CSP Policy Bypass and javascript execution Still Not Fixed to Gratipay - 1 upvotes, $0
  103. Possible user session hijack by invalid HTTPS certificate on inside.gratipay.com domain to Gratipay - 1 upvotes, $0
  104. Possible User Session Hijack using Invalid HTTPS certificate on inside.gratipay.com domain to Gratipay - 1 upvotes, $0
  105. Lack of CSRF token validation at server side to Gratipay - 1 upvotes, $0
  106. Login csrf. to Gratipay - 1 upvotes, $0
  107. Host Header poisoning on gratipay.com to Gratipay - 1 upvotes, $0
  108. After removing app from facebook app session not expiring. to Gratipay - 1 upvotes, $0
  109. 400 Bad Request [Use a third-party provider to sign in or create an account on Gratipay] to Gratipay - 1 upvotes, $0
  110. Missing Certificate Authority Authorization rule to Gratipay - 1 upvotes, $0
  111. XSS found In Your Web to Gratipay - 1 upvotes, $0
  112. Adding Used Primary Email Address to attacker account and Account takeover to Gratipay - 1 upvotes, $0
  113. DKIM records not present, Email Hijacking is possible to Gratipay - 0 upvotes, $10
  114. Self XSS Protection not used , I can trick users to insert JavaScript to Gratipay - 0 upvotes, $5
  115. Authentication errors in server side validaton of E-MAIL to Gratipay - 0 upvotes, $0
  116. nginx SPDY heap buffer overflow for https://grtp.co/ to Gratipay - 0 upvotes, $0
  117. UDP port 5060 (SIP) Open to Gratipay - 0 upvotes, $0
  118. proxy port 7000 and shell port 514 not filtered to Gratipay - 0 upvotes, $0
  119. server calendar and server status available to public to Gratipay - 0 upvotes, $0
  120. self cross site scripting to Gratipay - 0 upvotes, $0
  121. Insecure Transportation Security Protocol Supported (TLS 1.0) to Gratipay - 0 upvotes, $0
  122. SSl Weak Ciphers to Gratipay - 0 upvotes, $0
  123. x-xss protection header is not set in response header to Gratipay - 0 upvotes, $0
  124. Usernames ending in .json are not restricted to Gratipay - 0 upvotes, $0
  125. Sub domain take over in gratipay.com to Gratipay - 0 upvotes, $0
  126. SPF Protection not used, I can hijack your email server to Gratipay - 0 upvotes, $0
  127. Directory Listing on grtp.co to Gratipay - 0 upvotes, $0
  128. Submit a non valid syntax email to Gratipay - 0 upvotes, $0
  129. Markdown parsing issue enables insertion of malicious tags to Gratipay - 0 upvotes, $0
  130. Possible Blind SQL injection | Language choice in presentation to Gratipay - 0 upvotes, $0
  131. PHP 5.4.45 is Outdated and Full of Preformance Interupting Arbitrary Code Execution Bugs to Gratipay - 0 upvotes, $0
  132. prevent %2f spoofed URLs in profile statement to Gratipay - 0 upvotes, $0
  133. set Expires header to Gratipay - 0 upvotes, $0
  134. Missing Certificate Authority Authorization rule to Gratipay - 0 upvotes, $0
  135. set Pragma header to Gratipay - 0 upvotes, $0
  136. Broken link for stale DNS entry may be leveraged for Phishing, Misinformation, Serving Malware to Gratipay - 0 upvotes, $0