Skip to content

Latest commit

 

History

History
138 lines (137 loc) · 15.6 KB

TOPGRATIPAY.md

File metadata and controls

138 lines (137 loc) · 15.6 KB

Top reports from Gratipay program at HackerOne:

  1. Saying goodbye to HackerOne and Gratipay. to Gratipay - 92 upvotes, $0
  2. Reflected XSS - gratipay.com to Gratipay - 35 upvotes, $0
  3. i am The bug to Gratipay - 17 upvotes, $0
  4. Sub Domain Takeover to Gratipay - 16 upvotes, $0
  5. configure a redirect URI for Facebook OAuth to Gratipay - 14 upvotes, $10
  6. fix bug in username restriction to Gratipay - 14 upvotes, $0
  7. SQL TEST to Gratipay - 14 upvotes, $0
  8. Application-level DoS on image's "size" parameter. to Gratipay - 14 upvotes, $0
  9. change bank account numbers to Gratipay - 13 upvotes, $0
  10. don't leak Server version for assets.gratipay.com to Gratipay - 12 upvotes, $0
  11. User Supplied links on profile page is not validated and redirected via gratipay. to Gratipay - 12 upvotes, $0
  12. Content length restriction bypass can lead to DOS by reading large files on gip.rocks to Gratipay - 11 upvotes, $0
  13. Reflected SQL Execution to Gratipay - 11 upvotes, $0
  14. Limit email address length to Gratipay - 10 upvotes, $0
  15. HTTP trace method is enabled on aspen.io to Gratipay - 10 upvotes, $0
  16. Gratipay rails secret token (secret_key_base) publicly exposed in GitHub to Gratipay - 9 upvotes, $0
  17. upgrade Aspen on inside.gratipay.com to pick up CR injection fix to Gratipay - 8 upvotes, $40
  18. Stored XSS On Statement to Gratipay - 8 upvotes, $0
  19. Sub Domain Take over to Gratipay - 8 upvotes, $0
  20. CSV injection in gratipay.com via payment history export feature. to Gratipay - 8 upvotes, $0
  21. Host Header Injection/Redirection Attack to Gratipay - 7 upvotes, $0
  22. Session Fixation At Logout /Session Misconfiguration to Gratipay - 7 upvotes, $0
  23. Inadequate/dangerous jQuery behavior to Gratipay - 7 upvotes, $0
  24. protect against tabnabbing in statement to Gratipay - 7 upvotes, $0
  25. Email Forgery through Mandrillapp SPF to Gratipay - 6 upvotes, $10
  26. Avoid "resend verification email" confusion to Gratipay - 6 upvotes, $1
  27. Incomplete or No Cache-control and Pragma HTTP Header Set to Gratipay - 6 upvotes, $0
  28. Transferring incorrect data to the http://gip.rocks/v1 endpoint with correct Content-Type leads to local paths disclosure through the error message to Gratipay - 6 upvotes, $0
  29. [gratipay.com] CRLF Injection to Gratipay - 5 upvotes, $40
  30. Prevent content spoofing on /~username/emails/verify.html to Gratipay - 5 upvotes, $10
  31. suppress version in Server header on gratipay.com or grtp.co to Gratipay - 5 upvotes, $1
  32. Cross Site Scripting In Profile Statement to Gratipay - 5 upvotes, $0
  33. Gratipay uses the random module's cryptographically insecure PRNG. to Gratipay - 5 upvotes, $0
  34. Username can be used to trick the victim on the name of www.gratipay.com to Gratipay - 5 upvotes, $0
  35. Content-Length restriction bypass to heap overflow in gip.rocks. to Gratipay - 5 upvotes, $0
  36. HTTP trace method is enabled on gip.rocks to Gratipay - 5 upvotes, $0
  37. Harden resend throttling to Gratipay - 5 upvotes, $0
  38. clickjacking on https://gratipay.com/on/npm/[text] to Gratipay - 5 upvotes, $0
  39. No Valid SPF Records. to Gratipay - 4 upvotes, $10
  40. HTTP trace method is enabled to Gratipay - 4 upvotes, $5
  41. Content Spoofing/Text Injection to Gratipay - 4 upvotes, $1
  42. weak ssl cipher suites to Gratipay - 4 upvotes, $0
  43. prevent null bytes in email field to Gratipay - 4 upvotes, $0
  44. don't allow directory browsing on grtp.co to Gratipay - 4 upvotes, $0
  45. limit HTTP methods on other domains to Gratipay - 4 upvotes, $0
  46. Cookie HttpOnly Flag Not Set to Gratipay - 4 upvotes, $0
  47. Secure Pages Include Mixed Content to Gratipay - 4 upvotes, $0
  48. nginx version disclosure on downloads.gratipay.com to Gratipay - 4 upvotes, $0
  49. CSP Policy Bypass and javascript execution to Gratipay - 4 upvotes, $0
  50. Missing Certificate Authority Authorization rule to Gratipay - 4 upvotes, $0
  51. Mail spaming to Gratipay - 3 upvotes, $20
  52. Send email asynchronously to Gratipay - 3 upvotes, $10
  53. don't serve hidden files from Nginx to Gratipay - 3 upvotes, $1
  54. stop serving grtp.co over HTTP to Gratipay - 3 upvotes, $1
  55. The POODLE attack (SSLv3 supported) for https://grtp.co/ to Gratipay - 3 upvotes, $0
  56. SPF/DKIM/DMARC for aspen.io to Gratipay - 3 upvotes, $0
  57. Hijacking user session by forcing the use of invalid HTTPs Certificate on images.gratipay.com to Gratipay - 3 upvotes, $0
  58. implement a cross-domain policy for Adobe products to Gratipay - 3 upvotes, $0
  59. strengthen Diffie-Hellman (DH) key exchange parameters in grtp.co to Gratipay - 3 upvotes, $0
  60. The contribution save option seem to be vulnerable to CSRF to Gratipay - 3 upvotes, $0
  61. auto-logout after 20 minutes to Gratipay - 3 upvotes, $0
  62. Reset Link Issue to Gratipay - 3 upvotes, $0
  63. XSS Via Method injection to Gratipay - 3 upvotes, $0
  64. CSRF csrftoken in cookies to Gratipay - 3 upvotes, $0
  65. Certificate signed using SHA-1 to Gratipay - 3 upvotes, $0
  66. Username Restriction is not applied for reserved folders to Gratipay - 3 upvotes, $0
  67. This is a test report to Gratipay - 3 upvotes, $0
  68. Show hide privacy giving receiving on my website to Gratipay - 3 upvotes, $0
  69. limit number of images in statement to Gratipay - 2 upvotes, $1
  70. Possible SQL injection on "Jump to twitter" to Gratipay - 2 upvotes, $0
  71. Vulnerable to clickjacking to Gratipay - 2 upvotes, $0
  72. don't store CSRF tokens in cookies to Gratipay - 2 upvotes, $0
  73. csrf_token cookie don't have the flag "HttpOnly" to Gratipay - 2 upvotes, $0
  74. Content type incorrectly stated to Gratipay - 2 upvotes, $0
  75. URL Given leading to end users ending up in malicious sites to Gratipay - 2 upvotes, $0
  76. X-Content-Type Header Missing For aspen.io to Gratipay - 2 upvotes, $0
  77. CSP "script-src" includes "unsafe-inline" in https://gratipay.com to Gratipay - 2 upvotes, $0
  78. SPF Protection not used, I can hijack your email server to Gratipay - 2 upvotes, $0
  79. don't leak Server version for assets.gratipay.com to Gratipay - 2 upvotes, $0
  80. [gratipay.com] Cross Site Tracing to Gratipay - 2 upvotes, $0
  81. Host Header poisoning on gratipay.com to Gratipay - 2 upvotes, $0
  82. xss to Gratipay - 2 upvotes, $0
  83. Adding Used Primary Email Address to attacker account and Account takeover to Gratipay - 2 upvotes, $0
  84. Bypassing X-frame options to Gratipay - 2 upvotes, $0
  85. DMARC is misconfigured for grtp.co to Gratipay - 1 upvotes, $10
  86. bring grtp.co up to A grade on SSLLabs to Gratipay - 1 upvotes, $1
  87. Authentication errors in server side validaton of E-MAIL to Gratipay - 1 upvotes, $0
  88. grtp.co is vulnerable to http-vuln-cve2011-3192 to Gratipay - 1 upvotes, $0
  89. SPF/DKIM/DMARC for grtp.co to Gratipay - 1 upvotes, $0
  90. Self XSS Protection not used , I can trick users to insert JavaScript to Gratipay - 1 upvotes, $0
  91. DKIM records not present, Email Hijacking is possible to Gratipay - 1 upvotes, $0
  92. SPF DNS Record to Gratipay - 1 upvotes, $0
  93. Cookie Does Not Contain The "secure" Attribute to Gratipay - 1 upvotes, $0
  94. An adversary can harvest email address for spamming. to Gratipay - 1 upvotes, $0
  95. Getting Error Message and in use python version 2.7 is exposed. to Gratipay - 1 upvotes, $0
  96. prevent content spoofing on /search to Gratipay - 1 upvotes, $0
  97. text injection in website title to Gratipay - 1 upvotes, $0
  98. don't expose path of Python to Gratipay - 1 upvotes, $0
  99. don't leak server version of grtp.co in error pages to Gratipay - 1 upvotes, $0
  100. Username .. (double dot) should be restricted or handled carefully to Gratipay - 1 upvotes, $0
  101. Cookie:HttpOnly Flag not set to Gratipay - 1 upvotes, $0
  102. User Enumeration to Gratipay - 1 upvotes, $0
  103. POODLE SSLv3.0 to Gratipay - 1 upvotes, $0
  104. Unauthorized access to the slack channel via inside.gratipay.com/appendices/chat to Gratipay - 1 upvotes, $0
  105. Gratipay Website CSP "script-scr" includes "unsafe-inline" to Gratipay - 1 upvotes, $0
  106. Email Spoofing to Gratipay - 1 upvotes, $0
  107. CSP Policy Bypass and javascript execution Still Not Fixed to Gratipay - 1 upvotes, $0
  108. Possible user session hijack by invalid HTTPS certificate on inside.gratipay.com domain to Gratipay - 1 upvotes, $0
  109. Possible User Session Hijack using Invalid HTTPS certificate on inside.gratipay.com domain to Gratipay - 1 upvotes, $0
  110. Insecure Transportation Security Protocol Supported (TLS 1.0) to Gratipay - 1 upvotes, $0
  111. prevent content spoofing on /~username/emails/verify.html to Gratipay - 1 upvotes, $0
  112. Lack of CSRF token validation at server side to Gratipay - 1 upvotes, $0
  113. Login csrf. to Gratipay - 1 upvotes, $0
  114. PHP 5.4.45 is Outdated and Full of Preformance Interupting Arbitrary Code Execution Bugs to Gratipay - 1 upvotes, $0
  115. set Expires header to Gratipay - 1 upvotes, $0
  116. After removing app from facebook app session not expiring. to Gratipay - 1 upvotes, $0
  117. 400 Bad Request [Use a third-party provider to sign in or create an account on Gratipay] to Gratipay - 1 upvotes, $0
  118. Information Disclosure on inside.gratipay.com to Gratipay - 1 upvotes, $0
  119. Missing Certificate Authority Authorization rule to Gratipay - 1 upvotes, $0
  120. set Pragma header to Gratipay - 1 upvotes, $0
  121. XSS found In Your Web to Gratipay - 1 upvotes, $0
  122. nginx SPDY heap buffer overflow for https://grtp.co/ to Gratipay - 0 upvotes, $0
  123. UDP port 5060 (SIP) Open to Gratipay - 0 upvotes, $0
  124. proxy port 7000 and shell port 514 not filtered to Gratipay - 0 upvotes, $0
  125. server calendar and server status available to public to Gratipay - 0 upvotes, $0
  126. self cross site scripting to Gratipay - 0 upvotes, $0
  127. SSl Weak Ciphers to Gratipay - 0 upvotes, $0
  128. x-xss protection header is not set in response header to Gratipay - 0 upvotes, $0
  129. Usernames ending in .json are not restricted to Gratipay - 0 upvotes, $0
  130. Sub domain take over in gratipay.com to Gratipay - 0 upvotes, $0
  131. Directory Listing on grtp.co to Gratipay - 0 upvotes, $0
  132. Submit a non valid syntax email to Gratipay - 0 upvotes, $0
  133. Markdown parsing issue enables insertion of malicious tags to Gratipay - 0 upvotes, $0
  134. Possible Blind SQL injection | Language choice in presentation to Gratipay - 0 upvotes, $0
  135. prevent %2f spoofed URLs in profile statement to Gratipay - 0 upvotes, $0
  136. Broken link for stale DNS entry may be leveraged for Phishing, Misinformation, Serving Malware to Gratipay - 0 upvotes, $0