Bug Bounty

HackerOne Bug Bounty Disclosure: leaked-credentials-emails-and-passwords-etc–x-matrix

April 16, 2025

Company Name: WakaTime Company HackerOne URL: https://hackerone.com/wakatime Submitted By:0x_matrixLink to Submitters Profile:https://hackerone.com/0x_matrix Report Title:Leaked credentials ( emails and passwords ,...

HackerOne Bug Bounty Disclosure: -csv-injection-in-shared-passwords-leads-to-complete-private-vault-exfiltration-stomper

April 12, 2025

Company Name: 1Password - Enterprise Password Manager Company HackerOne URL: https://hackerone.com/1password Submitted By:stomper4Link to Submitters Profile:https://hackerone.com/stomper4 Report Title:#**CSV Injection in...

HackerOne Bug Bounty Disclosure: direct-ip-access-to-website-ryomenshuvro

April 11, 2025

Company Name: Lichess Company HackerOne URL: https://hackerone.com/lichess Submitted By:ryomenshuvroLink to Submitters Profile:https://hackerone.com/ryomenshuvro Report Title:Direct IP Access to WebsiteReport Link:https://hackerone.com/reports/3068485Date Submitted:11...

HackerOne Bug Bounty Disclosure: -click-cross-site-scripting-via-custom-configuration-in-safelistsanitizer-leonsirio

April 9, 2025

Company Name: Ruby on Rails Company HackerOne URL: https://hackerone.com/rails Submitted By:leonsirioLink to Submitters Profile:https://hackerone.com/leonsirio Report Title:1-Click Cross-Site Scripting via Custom...

HackerOne Bug Bounty Disclosure: -part-non-production-api-endpoints-for-the-datazone-service-fail-to-log-to-cloudtrail-resulting-in-silent-permission-enumeration-nick-frichette-dd

April 8, 2025

Company Name: AWS VDP Company HackerOne URL: https://hackerone.com/aws_vdp Submitted By:nick_frichette_ddLink to Submitters Profile:https://hackerone.com/nick_frichette_dd Report Title:(Part 2) Non-Production API Endpoints for...

HackerOne Bug Bounty Disclosure: disclosure-of-git-metadata-and-springboot-actuator-information-jf-x-r

April 7, 2025

Company Name: Adobe Company HackerOne URL: https://hackerone.com/adobe Submitted By:jf0x0rLink to Submitters Profile:https://hackerone.com/jf0x0r Report Title:Disclosure of git metadata and springboot actuator...

HackerOne Bug Bounty Disclosure: information-disclouser-from-url-parameter-access-lead-to-account-takeover-eneri

April 7, 2025

Company Name: KHealth Company HackerOne URL: https://hackerone.com/khealth Submitted By:eneriLink to Submitters Profile:https://hackerone.com/eneri Report Title:Information disclouser from URL parameter "access" lead...

HackerOne Bug Bounty Disclosure: no-rate-limiting-on-form-register-growler

March 28, 2025

Company Name: Informatica Company HackerOne URL: https://hackerone.com/informatica Submitted By:growler09Link to Submitters Profile:https://hackerone.com/growler09 Report Title:No rate limiting on formReport Link:https://hackerone.com/reports/2583500Date Submitted:28...

HackerOne Bug Bounty Disclosure: http-response-header-injection-in-shopify-pitchfork-rack-ooooooo-q

March 27, 2025

Company Name: Shopify Company HackerOne URL: https://hackerone.com/shopify Submitted By:ooooooo_qLink to Submitters Profile:https://hackerone.com/ooooooo_q Report Title:HTTP Response Header Injection in shopify/pitchfork +...

HackerOne Bug Bounty Disclosure: cloudflare-waf-bypass-origin-ip-exposure-aaravhex

March 27, 2025

Company Name: Hemi VDP Company HackerOne URL: https://hackerone.com/hemi_labs_vdp Submitted By:aaravhexLink to Submitters Profile:https://hackerone.com/aaravhex Report Title:Cloudflare WAF Bypass - Origin IP...

HackerOne Bug Bounty Disclosure: null-pointer-dereference-by-crafted-response-from-ai-model-canalun

March 26, 2025

Company Name: Brave Software Company HackerOne URL: https://hackerone.com/brave Submitted By:canalunLink to Submitters Profile:https://hackerone.com/canalun Report Title:Null Pointer Dereference by Crafted Response...

HackerOne Bug Bounty Disclosure: twitter-broken-link-hijacking-in-thewild-com-yunxohang

March 24, 2025

Company Name: Autodesk Company HackerOne URL: https://hackerone.com/autodesk Submitted By:yunxohangLink to Submitters Profile:https://hackerone.com/yunxohang Report Title:Twitter broken link hijacking in thewildcomReport Link:https://hackerone.com/reports/3035275Date...

HackerOne Bug Bounty Disclosure: cache-poisoning-allows-zero-interaction-store-xss-samark

March 22, 2025

Company Name: Trendyol Company HackerOne URL: https://hackerone.com/trendyol Submitted By:samark19Link to Submitters Profile:https://hackerone.com/samark19 Report Title:Cache Poisoning Allows Zero Interaction Store XSSReport...

HackerOne Bug Bounty Disclosure: ssrf-in-autodesk-rendering-leading-to-account-takeover-metereorpreter

March 18, 2025

Company Name: Autodesk Company HackerOne URL: https://hackerone.com/autodesk Submitted By:metereorpreterLink to Submitters Profile:https://hackerone.com/metereorpreter Report Title:SSRF in Autodesk Rendering leading to account...

HackerOne Bug Bounty Disclosure: django-debug-mode-enabled-information-disclosure-on-api-wwm-dev-autodesk-com-khoof

March 18, 2025

Company Name: Autodesk Company HackerOne URL: https://hackerone.com/autodesk Submitted By:khoofLink to Submitters Profile:https://hackerone.com/khoof Report Title:Django Debug Mode Enabled - Information Disclosure...

HackerOne Bug Bounty Disclosure: -fa-bypass-leads-to-impersonation-of-legimate-users-dedoxd

March 14, 2025

Company Name: Drugs.com Company HackerOne URL: https://hackerone.com/drugs_com Submitted By:dedoxd2Link to Submitters Profile:https://hackerone.com/dedoxd2 Report Title:2FA Bypass leads to impersonation of legimate...

HackerOne Bug Bounty Disclosure: stored-cross-site-scripting-found-in-custom-integration-app-on-hxxps-admin-b-autodesk-com-the-white-evil

March 14, 2025

Company Name: Autodesk Company HackerOne URL: https://hackerone.com/autodesk Submitted By:the-white-evilLink to Submitters Profile:https://hackerone.com/the-white-evil Report Title:Stored Cross-Site Scripting found in custom integration...

HackerOne Bug Bounty Disclosure: cgi-scripts-wordlist-entry-for-windmail-exe-has-payload-that-sends-arbitrary-file-read-result-to-third-party-floyd

March 13, 2025

Company Name: PortSwigger Web Security Company HackerOne URL: https://hackerone.com/portswigger Submitted By:floydLink to Submitters Profile:https://hackerone.com/floyd Report Title:cgi scripts wordlist entry for...

HackerOne Bug Bounty Disclosure: domain-highlighting-on-external-link-warning-is-not-working-on-chrome-microsoft-edge-browsers-on-mobile-sarthakbhingare

March 13, 2025

Company Name: HackerOne Company HackerOne URL: https://hackerone.com/security Submitted By:sarthakbhingare015Link to Submitters Profile:https://hackerone.com/sarthakbhingare015 Report Title:Domain highlighting on External link warning is...

HackerOne Bug Bounty Disclosure: stored-cross-site-scripting-in-mercadopago-com-ar-elmago

March 13, 2025

Company Name: MercadoLibre Company HackerOne URL: https://hackerone.com/mercadolibre Submitted By:elmagoLink to Submitters Profile:https://hackerone.com/elmago Report Title:Stored Cross-Site Scripting in mercadopagocomarReport Link:https://hackerone.com/reports/1955485Date Submitted:13...

HackerOne Bug Bounty Disclosure: sqli-in-url-paths-almuntadhar

March 6, 2025

Company Name: MTN Group Company HackerOne URL: https://hackerone.com/mtn_group Submitted By:almuntadharLink to Submitters Profile:https://hackerone.com/almuntadhar Report Title:SQLi | in URL pathsReport Link:https://hackerone.com/reports/2958619Date...

HackerOne Bug Bounty Disclosure: use-after-free-read-in-curl-multi-perform-with-doh-and-proxy-options-and-resolve-timeouts-catenacyber

March 6, 2025

Company Name: curl Company HackerOne URL: https://hackerone.com/curl Submitted By:catenacyberLink to Submitters Profile:https://hackerone.com/catenacyber Report Title:Use after free (read) in curl_multi_perform with...

HackerOne Bug Bounty Disclosure: exposing-debug-log-file-leads-to-server-full-path-disclosure-kanon

March 6, 2025

Company Name: Autodesk Company HackerOne URL: https://hackerone.com/autodesk Submitted By:kanon4Link to Submitters Profile:https://hackerone.com/kanon4 Report Title:Exposing debuglog file leads to server full...

HackerOne Bug Bounty Disclosure: cve-on-payapps-com-khoof

March 5, 2025

Company Name: Autodesk Company HackerOne URL: https://hackerone.com/autodesk Submitted By:khoofLink to Submitters Profile:https://hackerone.com/khoof Report Title:CVE-2023-5561 on PayappscomReport Link:https://hackerone.com/reports/2997549Date Submitted:05 March 2025...

Bug Bounty

HackerOne Bug Bounty Disclosure: leaked-credentials-emails-and-passwords-etc–x-matrix

HackerOne Bug Bounty Disclosure: -csv-injection-in-shared-passwords-leads-to-complete-private-vault-exfiltration-stomper

HackerOne Bug Bounty Disclosure: direct-ip-access-to-website-ryomenshuvro

HackerOne Bug Bounty Disclosure: -click-cross-site-scripting-via-custom-configuration-in-safelistsanitizer-leonsirio

HackerOne Bug Bounty Disclosure: -part-non-production-api-endpoints-for-the-datazone-service-fail-to-log-to-cloudtrail-resulting-in-silent-permission-enumeration-nick-frichette-dd

HackerOne Bug Bounty Disclosure: disclosure-of-git-metadata-and-springboot-actuator-information-jf-x-r

HackerOne Bug Bounty Disclosure: information-disclouser-from-url-parameter-access-lead-to-account-takeover-eneri

HackerOne Bug Bounty Disclosure: no-rate-limiting-on-form-register-growler

HackerOne Bug Bounty Disclosure: http-response-header-injection-in-shopify-pitchfork-rack-ooooooo-q

HackerOne Bug Bounty Disclosure: cloudflare-waf-bypass-origin-ip-exposure-aaravhex

HackerOne Bug Bounty Disclosure: null-pointer-dereference-by-crafted-response-from-ai-model-canalun

HackerOne Bug Bounty Disclosure: twitter-broken-link-hijacking-in-thewild-com-yunxohang

HackerOne Bug Bounty Disclosure: cache-poisoning-allows-zero-interaction-store-xss-samark

HackerOne Bug Bounty Disclosure: ssrf-in-autodesk-rendering-leading-to-account-takeover-metereorpreter

HackerOne Bug Bounty Disclosure: django-debug-mode-enabled-information-disclosure-on-api-wwm-dev-autodesk-com-khoof

HackerOne Bug Bounty Disclosure: -fa-bypass-leads-to-impersonation-of-legimate-users-dedoxd

HackerOne Bug Bounty Disclosure: stored-cross-site-scripting-found-in-custom-integration-app-on-hxxps-admin-b-autodesk-com-the-white-evil

HackerOne Bug Bounty Disclosure: cgi-scripts-wordlist-entry-for-windmail-exe-has-payload-that-sends-arbitrary-file-read-result-to-third-party-floyd

HackerOne Bug Bounty Disclosure: domain-highlighting-on-external-link-warning-is-not-working-on-chrome-microsoft-edge-browsers-on-mobile-sarthakbhingare

HackerOne Bug Bounty Disclosure: stored-cross-site-scripting-in-mercadopago-com-ar-elmago

HackerOne Bug Bounty Disclosure: sqli-in-url-paths-almuntadhar

HackerOne Bug Bounty Disclosure: use-after-free-read-in-curl-multi-perform-with-doh-and-proxy-options-and-resolve-timeouts-catenacyber

HackerOne Bug Bounty Disclosure: exposing-debug-log-file-leads-to-server-full-path-disclosure-kanon

HackerOne Bug Bounty Disclosure: cve-on-payapps-com-khoof

[NITROGEN] – Ransomware Victim: Progressive Auto Group

[INCRANSOM] – Ransomware Victim: CF Construction Ltd

[INCRANSOM] – Ransomware Victim: www[.]marvimundo[.]com

CVE Alert: CVE-2025-51657

CVE Alert: CVE-2025-7626

You may have missed