Bug Bounty

hackerone

HackerOne Bug Bounty Disclosure: fs-fchown-fchmod-bypasses-permission-model–xpl-r-r

July 9, 2024

Company Name: Node.js Company HackerOne URL: https://hackerone.com/nodejs Submitted By:4xpl0r3rLink to Submitters Profile:https://hackerone.com/4xpl0r3r Report Title:fsfchown/fchmod bypasses permission modelReport Link:https://hackerone.com/reports/2472071Date Submitted:09 July...

Read MoreRead more about HackerOne Bug Bounty Disclosure: fs-fchown-fchmod-bypasses-permission-model–xpl-r-r
hackerone

HackerOne Bug Bounty Disclosure: navgraph-confusion-allows-any-p-app-to-send-and-read-requests-from-the-server-at-app-hey-com-fr-via

July 9, 2024

Company Name: Basecamp Company HackerOne URL: https://hackerone.com/basecamp Submitted By:fr4viaLink to Submitters Profile:https://hackerone.com/fr4via Report Title:Navgraph confusion allows any 3p app to...

Read MoreRead more about HackerOne Bug Bounty Disclosure: navgraph-confusion-allows-any-p-app-to-send-and-read-requests-from-the-server-at-app-hey-com-fr-via
hackerone

HackerOne Bug Bounty Disclosure: path-traversal-in-deeplink-query-parameter-can-expose-any-user-s-private-info-to-a-public-directory-one-click-fr-via

July 9, 2024

Company Name: Basecamp Company HackerOne URL: https://hackerone.com/basecamp Submitted By:fr4viaLink to Submitters Profile:https://hackerone.com/fr4via Report Title:Path traversal in deeplink query parameter can...

Read MoreRead more about HackerOne Bug Bounty Disclosure: path-traversal-in-deeplink-query-parameter-can-expose-any-user-s-private-info-to-a-public-directory-one-click-fr-via
hackerone

HackerOne Bug Bounty Disclosure: incorrect-deep-link-validation-leading-to-unresponsive-application-and-device-fr-via

July 6, 2024

Company Name: Flickr Company HackerOne URL: https://hackerone.com/flickr Submitted By:fr4viaLink to Submitters Profile:https://hackerone.com/fr4via Report Title:Incorrect Deep-link validation leading to unresponsive application...

Read MoreRead more about HackerOne Bug Bounty Disclosure: incorrect-deep-link-validation-leading-to-unresponsive-application-and-device-fr-via
hackerone

HackerOne Bug Bounty Disclosure: authentication-registration-bypass-in-newspack-extended-access-xurizaemon

July 5, 2024

Company Name: Automattic Company HackerOne URL: https://hackerone.com/automattic Submitted By:xurizaemon0Link to Submitters Profile:https://hackerone.com/xurizaemon0 Report Title:Authentication & Registration Bypass in Newspack Extended...

Read MoreRead more about HackerOne Bug Bounty Disclosure: authentication-registration-bypass-in-newspack-extended-access-xurizaemon
hackerone

HackerOne Bug Bounty Disclosure: default-admin-account-lead-to-full-access-control-at-hxxps-desk-demo-fareharbor-engineering-tuantv

July 3, 2024

Company Name: Booking.com Company HackerOne URL: https://hackerone.com/bookingcom Submitted By:tuantv89Link to Submitters Profile:https://hackerone.com/tuantv89 Report Title:Default Admin Account lead to full access...

Read MoreRead more about HackerOne Bug Bounty Disclosure: default-admin-account-lead-to-full-access-control-at-hxxps-desk-demo-fareharbor-engineering-tuantv
hackerone

HackerOne Bug Bounty Disclosure: unlimited-fake-rate-to-the-passenger-in-city-to-city-affected-endpoint-api-v-reviews-ride-id-driver-bugsv

July 2, 2024

Company Name: inDrive Company HackerOne URL: https://hackerone.com/indrive Submitted By:bugsv2Link to Submitters Profile:https://hackerone.com/bugsv2 Report Title:Unlimited fake rate to the passenger in...

Read MoreRead more about HackerOne Bug Bounty Disclosure: unlimited-fake-rate-to-the-passenger-in-city-to-city-affected-endpoint-api-v-reviews-ride-id-driver-bugsv
hackerone

HackerOne Bug Bounty Disclosure: account-takeover-arbitrary-file-read-and-deletion-partial-code-execution-intent-redirection-through-com-mercadopago-wallet-splash-splashactivity-fr-via

June 28, 2024

Company Name: MercadoLibre Company HackerOne URL: https://hackerone.com/mercadolibre Submitted By:fr4viaLink to Submitters Profile:https://hackerone.com/fr4via Report Title:Account Takeover / Arbitrary File read and...

Read MoreRead more about HackerOne Bug Bounty Disclosure: account-takeover-arbitrary-file-read-and-deletion-partial-code-execution-intent-redirection-through-com-mercadopago-wallet-splash-splashactivity-fr-via
hackerone

HackerOne Bug Bounty Disclosure: local-file-disclosure-on-the-hxxps-edu-leads-to-the-full-source-code-disclosure-and-credentials-leak-sp-d-rs

June 27, 2024

Company Name: U.S. Dept Of Defense Company HackerOne URL: https://hackerone.com/deptofdefense Submitted By:sp1d3rsLink to Submitters Profile:https://hackerone.com/sp1d3rs Report Title:Local File Disclosure on...

Read MoreRead more about HackerOne Bug Bounty Disclosure: local-file-disclosure-on-the-hxxps-edu-leads-to-the-full-source-code-disclosure-and-credentials-leak-sp-d-rs
hackerone

HackerOne Bug Bounty Disclosure: idor-leading-unauthenticated-attacker-to-download-documents-discloses-pii-of-users-and-soldiers-via-hxxps-www-download-aspx-id-htus-berserker

June 27, 2024

Company Name: U.S. Dept Of Defense Company HackerOne URL: https://hackerone.com/deptofdefense Submitted By:berserker1999Link to Submitters Profile:https://hackerone.com/berserker1999 Report Title:IDOR leading unauthenticated attacker...

Read MoreRead more about HackerOne Bug Bounty Disclosure: idor-leading-unauthenticated-attacker-to-download-documents-discloses-pii-of-users-and-soldiers-via-hxxps-www-download-aspx-id-htus-berserker
hackerone

HackerOne Bug Bounty Disclosure: subdomain-takeover-of-ci-support-booking-com-pointing-to-zendesk-jub-bs

June 25, 2024

Company Name: Booking.com Company HackerOne URL: https://hackerone.com/bookingcom Submitted By:jub0bsLink to Submitters Profile:https://hackerone.com/jub0bs Report Title:Subdomain takeover of ci-supportbookingcom (pointing to Zendesk)Report...

Read MoreRead more about HackerOne Bug Bounty Disclosure: subdomain-takeover-of-ci-support-booking-com-pointing-to-zendesk-jub-bs

You may have missed

image

[MEDUSA] – Ransomware Victim: Simon Property Group

November 8, 2025
image

CVE Alert: CVE-2025-12399 – alexreservations – Alex Reservations: Smart Restaurant Booking

November 8, 2025
image

CVE Alert: CVE-2025-12099 – academylms – Academy LMS – WordPress LMS Plugin for Complete eLearning Solution

November 8, 2025
image

CVE Alert: CVE-2025-9334 – codesolz – Better Find and Replace – AI-Powered Suggestions

November 8, 2025
image

CVE Alert: CVE-2025-11967 – getwpfunnels – Mail Mint – Newsletters, Email Marketing, Automation, WooCommerce Emails, Post Notification, and more

November 8, 2025