TOPGRATIPAY.md

File metadata and controls

138 lines (137 loc) · 15.6 KB

Top reports from the Gratipay program at HackerOne (ranked by upvotes; bounty shown after the upvote count):

  1. Saying goodbye to HackerOne and Gratipay. to Gratipay - 92 upvotes, $0
  2. Reflected XSS - gratipay.com to Gratipay - 35 upvotes, $0
  3. Sub Domain Takeover to Gratipay - 16 upvotes, $0
  4. i am The bug to Gratipay - 16 upvotes, $0
  5. configure a redirect URI for Facebook OAuth to Gratipay - 14 upvotes, $10
  6. SQL TEST to Gratipay - 14 upvotes, $0
  7. Application-level DoS on image's "size" parameter. to Gratipay - 14 upvotes, $0
  8. fix bug in username restriction to Gratipay - 13 upvotes, $0
  9. don't leak Server version for assets.gratipay.com to Gratipay - 12 upvotes, $0
  10. User Supplied links on profile page is not validated and redirected via gratipay. to Gratipay - 12 upvotes, $0
  11. Content length restriction bypass can lead to DOS by reading large files on gip.rocks to Gratipay - 11 upvotes, $0
  12. change bank account numbers to Gratipay - 11 upvotes, $0
  13. Limit email address length to Gratipay - 10 upvotes, $0
  14. HTTP trace method is enabled on aspen.io to Gratipay - 10 upvotes, $0
  15. Reflected SQL Execution to Gratipay - 10 upvotes, $0
  16. Gratipay rails secret token (secret_key_base) publicly exposed in GitHub to Gratipay - 9 upvotes, $0
  17. upgrade Aspen on inside.gratipay.com to pick up CR injection fix to Gratipay - 8 upvotes, $40
  18. Sub Domain Take over to Gratipay - 8 upvotes, $15
  19. CSV injection in gratipay.com via payment history export feature. to Gratipay - 8 upvotes, $0
  20. protect against tabnabbing in statement to Gratipay - 7 upvotes, $10
  21. Stored XSS On Statement to Gratipay - 7 upvotes, $0
  22. Host Header Injection/Redirection Attack to Gratipay - 7 upvotes, $0
  23. Email Forgery through Mandrillapp SPF to Gratipay - 6 upvotes, $10
  24. Avoid "resend verification email" confusion to Gratipay - 6 upvotes, $1
  25. Inadequate/dangerous jQuery behavior to Gratipay - 6 upvotes, $1
  26. Transferring incorrect data to the http://gip.rocks/v1 endpoint with correct Content-Type leads to local paths disclosure through the error message to Gratipay - 6 upvotes, $0
  27. Prevent content spoofing on /~username/emails/verify.html to Gratipay - 5 upvotes, $10
  28. suppress version in Server header on gratipay.com or grtp.co to Gratipay - 5 upvotes, $1
  29. Incomplete or No Cache-control and Pragma HTTP Header Set to Gratipay - 5 upvotes, $1
  30. Cross Site Scripting In Profile Statement to Gratipay - 5 upvotes, $0
  31. Gratipay uses the random module's cryptographically insecure PRNG. to Gratipay - 5 upvotes, $0
  32. Session Fixation At Logout /Session Misconfiguration to Gratipay - 5 upvotes, $0
  33. Username can be used to trick the victim on the name of www.gratipay.com to Gratipay - 5 upvotes, $0
  34. Content-Length restriction bypass to heap overflow in gip.rocks. to Gratipay - 5 upvotes, $0
  35. HTTP trace method is enabled on gip.rocks to Gratipay - 5 upvotes, $0
  36. Harden resend throttling to Gratipay - 5 upvotes, $0
  37. clickjacking on https://gratipay.com/on/npm/[text] to Gratipay - 5 upvotes, $0
  38. [gratipay.com] CRLF Injection to Gratipay - 4 upvotes, $40
  39. No Valid SPF Records. to Gratipay - 4 upvotes, $10
  40. HTTP trace method is enabled to Gratipay - 4 upvotes, $5
  41. Content Spoofing/Text Injection to Gratipay - 4 upvotes, $1
  42. prevent null bytes in email field to Gratipay - 4 upvotes, $0
  43. don't allow directory browsing on grtp.co to Gratipay - 4 upvotes, $0
  44. limit HTTP methods on other domains to Gratipay - 4 upvotes, $0
  45. Secure Pages Include Mixed Content to Gratipay - 4 upvotes, $0
  46. nginx version disclosure on downloads.gratipay.com to Gratipay - 4 upvotes, $0
  47. CSP Policy Bypass and javascript execution to Gratipay - 4 upvotes, $0
  48. Send email asynchronously to Gratipay - 3 upvotes, $10
  49. Hijacking user session by forcing the use of invalid HTTPs Certificate on images.gratipay.com to Gratipay - 3 upvotes, $1
  50. don't serve hidden files from Nginx to Gratipay - 3 upvotes, $1
  51. stop serving grtp.co over HTTP to Gratipay - 3 upvotes, $1
  52. auto-logout after 20 minutes to Gratipay - 3 upvotes, $1
  53. The POODLE attack (SSLv3 supported) for https://grtp.co/ to Gratipay - 3 upvotes, $0
  54. SPF/DKIM/DMARC for aspen.io to Gratipay - 3 upvotes, $0
  55. strengthen Diffie-Hellman (DH) key exchange parameters in grtp.co to Gratipay - 3 upvotes, $0
  56. The contribution save option seem to be vulnerable to CSRF to Gratipay - 3 upvotes, $0
  57. Reset Link Issue to Gratipay - 3 upvotes, $0
  58. CSRF csrftoken in cookies to Gratipay - 3 upvotes, $0
  59. Cookie HttpOnly Flag Not Set to Gratipay - 3 upvotes, $0
  60. Certificate signed using SHA-1 to Gratipay - 3 upvotes, $0
  61. Username Restriction is not applied for reserved folders to Gratipay - 3 upvotes, $0
  62. This is a test report to Gratipay - 3 upvotes, $0
  63. Show hide privacy giving receiving on my website to Gratipay - 3 upvotes, $0
  64. limit number of images in statement to Gratipay - 2 upvotes, $1
  65. weak ssl cipher suites to Gratipay - 2 upvotes, $0
  66. Vulnerable to clickjacking to Gratipay - 2 upvotes, $0
  67. don't store CSRF tokens in cookies to Gratipay - 2 upvotes, $0
  68. implement a cross-domain policy for Adobe products to Gratipay - 2 upvotes, $0
  69. XSS Via Method injection to Gratipay - 2 upvotes, $0
  70. Content type incorrectly stated to Gratipay - 2 upvotes, $0
  71. URL Given leading to end users ending up in malicious sites to Gratipay - 2 upvotes, $0
  72. X-Content-Type Header Missing For aspen.io to Gratipay - 2 upvotes, $0
  73. CSP "script-src" includes "unsafe-inline" in https://gratipay.com to Gratipay - 2 upvotes, $0
  74. don't leak Server version for assets.gratipay.com to Gratipay - 2 upvotes, $0
  75. [gratipay.com] Cross Site Tracing to Gratipay - 2 upvotes, $0
  76. Host Header poisoning on gratipay.com to Gratipay - 2 upvotes, $0
  77. xss to Gratipay - 2 upvotes, $0
  78. Information Disclosure on inside.gratipay.com to Gratipay - 2 upvotes, $0
  79. Missing Certificate Authority Authorization rule to Gratipay - 2 upvotes, $0
  80. Bypassing X-frame options to Gratipay - 2 upvotes, $0
  81. Mail spaming to Gratipay - 1 upvotes, $20
  82. DMARC is misconfigured for grtp.co to Gratipay - 1 upvotes, $10
  83. Cookie Does Not Contain The "secure" Attribute to Gratipay - 1 upvotes, $1
  84. Possible SQL injection on "Jump to twitter" to Gratipay - 1 upvotes, $1
  85. don't leak server version of grtp.co in error pages to Gratipay - 1 upvotes, $1
  86. bring grtp.co up to A grade on SSLLabs to Gratipay - 1 upvotes, $1
  87. grtp.co is vulnerable to http-vuln-cve2011-3192 to Gratipay - 1 upvotes, $0
  88. SPF/DKIM/DMARC for grtp.co to Gratipay - 1 upvotes, $0
  89. SPF DNS Record to Gratipay - 1 upvotes, $0
  90. An adversary can harvest email address for spamming. to Gratipay - 1 upvotes, $0
  91. Getting Error Message and in use python version 2.7 is exposed. to Gratipay - 1 upvotes, $0
  92. prevent content spoofing on /search to Gratipay - 1 upvotes, $0
  93. text injection in website title to Gratipay - 1 upvotes, $0
  94. don't expose path of Python to Gratipay - 1 upvotes, $0
  95. Username .. (double dot) should be restricted or handled carefully to Gratipay - 1 upvotes, $0
  96. Cookie:HttpOnly Flag not set to Gratipay - 1 upvotes, $0
  97. csrf_token cookie don't have the flag "HttpOnly" to Gratipay - 1 upvotes, $0
  98. User Enumeration to Gratipay - 1 upvotes, $0
  99. POODLE SSLv3.0 to Gratipay - 1 upvotes, $0
  100. Unauthorized access to the slack channel via inside.gratipay.com/appendices/chat to Gratipay - 1 upvotes, $0
  101. Gratipay Website CSP "script-scr" includes "unsafe-inline" to Gratipay - 1 upvotes, $0
  102. Email Spoofing to Gratipay - 1 upvotes, $0
  103. CSP Policy Bypass and javascript execution Still Not Fixed to Gratipay - 1 upvotes, $0
  104. Possible user session hijack by invalid HTTPS certificate on inside.gratipay.com domain to Gratipay - 1 upvotes, $0
  105. Possible User Session Hijack using Invalid HTTPS certificate on inside.gratipay.com domain to Gratipay - 1 upvotes, $0
  106. Insecure Transportation Security Protocol Supported (TLS 1.0) to Gratipay - 1 upvotes, $0
  107. prevent content spoofing on /~username/emails/verify.html to Gratipay - 1 upvotes, $0
  108. Lack of CSRF token validation at server side to Gratipay - 1 upvotes, $0
  109. SPF Protection not used, I can hijack your email server to Gratipay - 1 upvotes, $0
  110. Login csrf. to Gratipay - 1 upvotes, $0
  111. PHP 5.4.45 is Outdated and Full of Preformance Interupting Arbitrary Code Execution Bugs to Gratipay - 1 upvotes, $0
  112. set Expires header to Gratipay - 1 upvotes, $0
  113. After removing app from facebook app session not expiring. to Gratipay - 1 upvotes, $0
  114. 400 Bad Request [Use a third-party provider to sign in or create an account on Gratipay] to Gratipay - 1 upvotes, $0
  115. Missing Certificate Authority Authorization rule to Gratipay - 1 upvotes, $0
  116. set Pragma header to Gratipay - 1 upvotes, $0
  117. XSS found In Your Web to Gratipay - 1 upvotes, $0
  118. Adding Used Primary Email Address to attacker account and Account takeover to Gratipay - 1 upvotes, $0
  119. DKIM records not present, Email Hijacking is possible to Gratipay - 0 upvotes, $10
  120. Self XSS Protection not used , I can trick users to insert JavaScript to Gratipay - 0 upvotes, $5
  121. Authentication errors in server side validaton of E-MAIL to Gratipay - 0 upvotes, $0
  122. nginx SPDY heap buffer overflow for https://grtp.co/ to Gratipay - 0 upvotes, $0
  123. UDP port 5060 (SIP) Open to Gratipay - 0 upvotes, $0
  124. proxy port 7000 and shell port 514 not filtered to Gratipay - 0 upvotes, $0
  125. server calendar and server status available to public to Gratipay - 0 upvotes, $0
  126. self cross site scripting to Gratipay - 0 upvotes, $0
  127. SSl Weak Ciphers to Gratipay - 0 upvotes, $0
  128. x-xss protection header is not set in response header to Gratipay - 0 upvotes, $0
  129. Usernames ending in .json are not restricted to Gratipay - 0 upvotes, $0
  130. Sub domain take over in gratipay.com to Gratipay - 0 upvotes, $0
  131. Directory Listing on grtp.co to Gratipay - 0 upvotes, $0
  132. Submit a non valid syntax email to Gratipay - 0 upvotes, $0
  133. Markdown parsing issue enables insertion of malicious tags to Gratipay - 0 upvotes, $0
  134. Possible Blind SQL injection | Language choice in presentation to Gratipay - 0 upvotes, $0
  135. prevent %2f spoofed URLs in profile statement to Gratipay - 0 upvotes, $0
  136. Broken link for stale DNS entry may be leveraged for Phishing, Misinformation, Serving Malware to Gratipay - 0 upvotes, $0