Bugpoint – Telegram

Bugpoint

999 subscribers

3.73K photos

3.73K links

Latest updates about disclosure bug bounty reports: tech details, impacts, bounties 📣

Rate👇
https://cutt.ly/bugpoint_rate
Feedback👇
https://cutt.ly/bugpoint_feedback

#️⃣ bug bounty disclosed reports
#️⃣ bug bounty write-ups
#️⃣ bug bounty teleg

Download Telegram

About

Blog

Apps

Platform

999 subscribers

SSRF into Shared Runner, by replacing dockerd with malicious server in Executor

👉 https://hackerone.com/reports/809248

🔹 Severity: Medium | 💰 2,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #lucash-dev
🔹 State: 🟢 Resolved
🔹 Disclosed: September 8, 2020, 1:28pm (UTC)

38 views13:30

Members from parent group keep their access level on a subgroup transfer and are invisible

👉 https://hackerone.com/reports/790786

🔹 Severity: High | 💰 4,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #kryword
🔹 State: 🟢 Resolved
🔹 Disclosed: September 8, 2020, 1:44pm (UTC)

39 views13:46

Injection of `http.<url>.*` git config settings leading to SSRF

👉 https://hackerone.com/reports/855276

🔹 Severity: High | 💰 3,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #vakzz
🔹 State: 🟢 Resolved
🔹 Disclosed: September 8, 2020, 1:46pm (UTC)

40 views13:48

EXIF metadata not stripped from JPG group logos

👉 https://hackerone.com/reports/446238

🔹 Severity: Low | 💰 500 USD
🔹 Reported To: GitLab
🔹 Reported By: #jackb898
🔹 State: 🟢 Resolved
🔹 Disclosed: September 8, 2020, 2:02pm (UTC)

42 views14:04

Blind SQL Injection

👉 https://hackerone.com/reports/758654

🔹 Severity: Critical | 💰 2,000 USD
🔹 Reported To: InnoGames
🔹 Reported By: #rzx007x
🔹 State: 🟢 Resolved
🔹 Disclosed: September 8, 2020, 3:04pm (UTC)

40 views15:06

Race Condition when following a user

👉 https://hackerone.com/reports/927384

🔹 Severity: Low
🔹 Reported To: Staging.every.org
🔹 Reported By: #bugra
🔹 State: 🟢 Resolved
🔹 Disclosed: September 9, 2020, 5:51am (UTC)

42 views05:54

damage to the timeline so that comment fields cannot be displayed or not available to all members in the store

👉 https://hackerone.com/reports/971599

🔹 Severity: No Rating
🔹 Reported To: Shopify
🔹 Reported By: #jaka_tingkir
🔹 State: 🟢 Resolved
🔹 Disclosed: September 9, 2020, 4:45pm (UTC)

37 views16:48

Add apps to packages 0, 61, 62 with /store/ajaxpackagemerge

👉 https://hackerone.com/reports/972243

🔹 Severity: High | 💰 2,500 USD
🔹 Reported To: Valve
🔹 Reported By: #njbooher
🔹 State: 🟢 Resolved
🔹 Disclosed: September 9, 2020, 8:07pm (UTC)

38 views20:10

Unauthorized updates to extended_info properties in /store/ajaxpackagesave

👉 https://hackerone.com/reports/815547

🔹 Severity: High | 💰 2,500 USD
🔹 Reported To: Valve
🔹 Reported By: #njbooher
🔹 State: 🟢 Resolved
🔹 Disclosed: September 9, 2020, 8:27pm (UTC)

37 views20:30

Stored XSS on PyPi simple API endpoint

👉 https://hackerone.com/reports/856836

🔹 Severity: Medium | 💰 3,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #vakzz
🔹 State: 🟢 Resolved
🔹 Disclosed: September 9, 2020, 9:57pm (UTC)

38 views22:00

Stored XSS in markdown when redacting references

👉 https://hackerone.com/reports/836649

🔹 Severity: High | 💰 5,000 USD
🔹 Reported To: GitLab
🔹 Reported By: #vakzz
🔹 State: 🟢 Resolved
🔹 Disclosed: September 9, 2020, 9:58pm (UTC)

40 views22:00

Smartsheet employees email disclosure through enpoint after login.

👉 https://hackerone.com/reports/880089

🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Smartsheet
🔹 Reported By: #soareswallace
🔹 State: 🟢 Resolved
🔹 Disclosed: September 9, 2020, 10:15pm (UTC)

41 views22:18

SSRF at https://cognitive.topcoder.com leads to AWS instance metadata due to vulnerable email subscription feature

👉 https://hackerone.com/reports/876424

🔹 Severity: Critical
🔹 Reported To: Topcoder
🔹 Reported By: #mase289
🔹 State: 🟢 Resolved
🔹 Disclosed: September 10, 2020, 12:42pm (UTC)

40 views12:44

THX Tuneup Survey feedback disclosure via Google cached content for apps.thx.com

👉 https://hackerone.com/reports/751729

🔹 Severity: Low | 💰 200 USD
🔹 Reported To: Razer
🔹 Reported By: #jackb898
🔹 State: 🟢 Resolved
🔹 Disclosed: September 10, 2020, 4:04pm (UTC)

41 views16:06

bypass the [OKTA] login redirect can lead to disclosing limited-information about the sub-domain at [ shiptsec.com ]

👉 https://hackerone.com/reports/968699

🔹 Severity: Low | 💰 200 USD
🔹 Reported To: Shipt
🔹 Reported By: #tester1231233
🔹 State: 🟢 Resolved
🔹 Disclosed: September 10, 2020, 4:23pm (UTC)

44 views16:26

Safe Redirect Bypass

👉 https://hackerone.com/reports/945990

🔹 Severity: Low | 💰 560 USD
🔹 Reported To: Twitter
🔹 Reported By: #cyanpiny
🔹 State: 🟢 Resolved
🔹 Disclosed: September 10, 2020, 4:57pm (UTC)

46 views17:00

Team object in GraphQL disclosed private_comment

👉 https://hackerone.com/reports/978143

🔹 Severity: Medium | 💰 2,500 USD
🔹 Reported To: HackerOne
🔹 Reported By: #haxta4ok00
🔹 State: 🟢 Resolved
🔹 Disclosed: September 10, 2020, 7:05pm (UTC)

50 views19:08

Unsafe deserialization in Nexus Repository helm plugin

👉 https://hackerone.com/reports/917843

🔹 Severity: Critical
🔹 Reported To: Central Security Project
🔹 Reported By: #c0d3p1ut0s
🔹 State: 🟢 Resolved
🔹 Disclosed: September 10, 2020, 10:07pm (UTC)

45 views22:10

http request smuggling in pscp.tv and periscope.tv

👉 https://hackerone.com/reports/713285

🔹 Severity: High | 💰 560 USD
🔹 Reported To: Twitter
🔹 Reported By: #protostar0
🔹 State: 🟢 Resolved
🔹 Disclosed: September 10, 2020, 10:52pm (UTC)

49 views22:54

Blind HTTP GET SSRF via website icon fetch (bypass of pull#812)

👉 https://hackerone.com/reports/925527

🔹 Severity: Low
🔹 Reported To: Bitwarden
🔹 Reported By: #shielder
🔹 State: 🟢 Resolved
🔹 Disclosed: September 11, 2020, 1:24pm (UTC)

40 views13:26

Cache poisoning via X-Forwarded-Host in www.shopify.com/partners/blog

👉 https://hackerone.com/reports/977851

🔹 Severity: Low | 💰 1,000 USD
🔹 Reported To: Shopify
🔹 Reported By: #dakitu
🔹 State: 🟢 Resolved
🔹 Disclosed: September 11, 2020, 5:03pm (UTC)

35 views17:06