Top reports from Gratipay program at HackerOne:
- Saying goodbye to HackerOne and Gratipay. to Gratipay - 92 upvotes, $0
- Reflected XSS - gratipay.com to Gratipay - 35 upvotes, $0
- i am The bug to Gratipay - 17 upvotes, $0
- Sub Domain Takeover to Gratipay - 16 upvotes, $0
- configure a redirect URI for Facebook OAuth to Gratipay - 14 upvotes, $10
- fix bug in username restriction to Gratipay - 14 upvotes, $0
- SQL TEST to Gratipay - 14 upvotes, $0
- Application-level DoS on image's "size" parameter. to Gratipay - 14 upvotes, $0
- change bank account numbers to Gratipay - 13 upvotes, $0
- don't leak Server version for assets.gratipay.com to Gratipay - 12 upvotes, $0
- User Supplied links on profile page is not validated and redirected via gratipay. to Gratipay - 12 upvotes, $0
- Content length restriction bypass can lead to DOS by reading large files on gip.rocks to Gratipay - 11 upvotes, $0
- Reflected SQL Execution to Gratipay - 11 upvotes, $0
- Limit email address length to Gratipay - 10 upvotes, $0
- HTTP trace method is enabled on aspen.io to Gratipay - 10 upvotes, $0
- Gratipay rails secret token (secret_key_base) publicly exposed in GitHub to Gratipay - 9 upvotes, $0
- upgrade Aspen on inside.gratipay.com to pick up CR injection fix to Gratipay - 8 upvotes, $40
- Stored XSS On Statement to Gratipay - 8 upvotes, $0
- Sub Domain Take over to Gratipay - 8 upvotes, $0
- CSV injection in gratipay.com via payment history export feature. to Gratipay - 8 upvotes, $0
- Host Header Injection/Redirection Attack to Gratipay - 7 upvotes, $0
- Session Fixation At Logout /Session Misconfiguration to Gratipay - 7 upvotes, $0
- Inadequate/dangerous jQuery behavior to Gratipay - 7 upvotes, $0
- protect against tabnabbing in statement to Gratipay - 7 upvotes, $0
- Email Forgery through Mandrillapp SPF to Gratipay - 6 upvotes, $10
- Avoid "resend verification email" confusion to Gratipay - 6 upvotes, $1
- Incomplete or No Cache-control and Pragma HTTP Header Set to Gratipay - 6 upvotes, $0
- Transferring incorrect data to the http://gip.rocks/v1 endpoint with correct Content-Type leads to local paths disclosure through the error message to Gratipay - 6 upvotes, $0
- [gratipay.com] CRLF Injection to Gratipay - 5 upvotes, $40
- Prevent content spoofing on /~username/emails/verify.html to Gratipay - 5 upvotes, $10
- suppress version in Server header on gratipay.com or grtp.co to Gratipay - 5 upvotes, $1
- Cross Site Scripting In Profile Statement to Gratipay - 5 upvotes, $0
- Gratipay uses the random module's cryptographically insecure PRNG. to Gratipay - 5 upvotes, $0
- Username can be used to trick the victim on the name of www.gratipay.com to Gratipay - 5 upvotes, $0
- Content-Length restriction bypass to heap overflow in gip.rocks. to Gratipay - 5 upvotes, $0
- HTTP trace method is enabled on gip.rocks to Gratipay - 5 upvotes, $0
- Harden resend throttling to Gratipay - 5 upvotes, $0
- clickjacking on https://gratipay.com/on/npm/[text] to Gratipay - 5 upvotes, $0
- No Valid SPF Records. to Gratipay - 4 upvotes, $10
- HTTP trace method is enabled to Gratipay - 4 upvotes, $5
- Content Spoofing/Text Injection to Gratipay - 4 upvotes, $1
- weak ssl cipher suites to Gratipay - 4 upvotes, $0
- prevent null bytes in email field to Gratipay - 4 upvotes, $0
- don't allow directory browsing on grtp.co to Gratipay - 4 upvotes, $0
- limit HTTP methods on other domains to Gratipay - 4 upvotes, $0
- Cookie HttpOnly Flag Not Set to Gratipay - 4 upvotes, $0
- Secure Pages Include Mixed Content to Gratipay - 4 upvotes, $0
- nginx version disclosure on downloads.gratipay.com to Gratipay - 4 upvotes, $0
- CSP Policy Bypass and javascript execution to Gratipay - 4 upvotes, $0
- Missing Certificate Authority Authorization rule to Gratipay - 4 upvotes, $0
- Mail spaming to Gratipay - 3 upvotes, $20
- Send email asynchronously to Gratipay - 3 upvotes, $10
- don't serve hidden files from Nginx to Gratipay - 3 upvotes, $1
- stop serving grtp.co over HTTP to Gratipay - 3 upvotes, $1
- The POODLE attack (SSLv3 supported) for https://grtp.co/ to Gratipay - 3 upvotes, $0
- SPF/DKIM/DMARC for aspen.io to Gratipay - 3 upvotes, $0
- Hijacking user session by forcing the use of invalid HTTPs Certificate on images.gratipay.com to Gratipay - 3 upvotes, $0
- implement a cross-domain policy for Adobe products to Gratipay - 3 upvotes, $0
- strengthen Diffie-Hellman (DH) key exchange parameters in grtp.co to Gratipay - 3 upvotes, $0
- The contribution save option seem to be vulnerable to CSRF to Gratipay - 3 upvotes, $0
- auto-logout after 20 minutes to Gratipay - 3 upvotes, $0
- Reset Link Issue to Gratipay - 3 upvotes, $0
- XSS Via Method injection to Gratipay - 3 upvotes, $0
- CSRF csrftoken in cookies to Gratipay - 3 upvotes, $0
- Certificate signed using SHA-1 to Gratipay - 3 upvotes, $0
- Username Restriction is not applied for reserved folders to Gratipay - 3 upvotes, $0
- This is a test report to Gratipay - 3 upvotes, $0
- Show hide privacy giving receiving on my website to Gratipay - 3 upvotes, $0
- limit number of images in statement to Gratipay - 2 upvotes, $1
- Possible SQL injection on "Jump to twitter" to Gratipay - 2 upvotes, $0
- Vulnerable to clickjacking to Gratipay - 2 upvotes, $0
- don't store CSRF tokens in cookies to Gratipay - 2 upvotes, $0
- csrf_token cookie don't have the flag "HttpOnly" to Gratipay - 2 upvotes, $0
- Content type incorrectly stated to Gratipay - 2 upvotes, $0
- URL Given leading to end users ending up in malicious sites to Gratipay - 2 upvotes, $0
- X-Content-Type Header Missing For aspen.io to Gratipay - 2 upvotes, $0
- CSP "script-src" includes "unsafe-inline" in https://gratipay.com to Gratipay - 2 upvotes, $0
- SPF Protection not used, I can hijack your email server to Gratipay - 2 upvotes, $0
- don't leak Server version for assets.gratipay.com to Gratipay - 2 upvotes, $0
- [gratipay.com] Cross Site Tracing to Gratipay - 2 upvotes, $0
- Host Header poisoning on gratipay.com to Gratipay - 2 upvotes, $0
- xss to Gratipay - 2 upvotes, $0
- Adding Used Primary Email Address to attacker account and Account takeover to Gratipay - 2 upvotes, $0
- Bypassing X-frame options to Gratipay - 2 upvotes, $0
- DMARC is misconfigured for grtp.co to Gratipay - 1 upvotes, $10
- bring grtp.co up to A grade on SSLLabs to Gratipay - 1 upvotes, $1
- Authentication errors in server side validaton of E-MAIL to Gratipay - 1 upvotes, $0
- grtp.co is vulnerable to http-vuln-cve2011-3192 to Gratipay - 1 upvotes, $0
- SPF/DKIM/DMARC for grtp.co to Gratipay - 1 upvotes, $0
- Self XSS Protection not used , I can trick users to insert JavaScript to Gratipay - 1 upvotes, $0
- DKIM records not present, Email Hijacking is possible to Gratipay - 1 upvotes, $0
- SPF DNS Record to Gratipay - 1 upvotes, $0
- Cookie Does Not Contain The "secure" Attribute to Gratipay - 1 upvotes, $0
- An adversary can harvest email address for spamming. to Gratipay - 1 upvotes, $0
- Getting Error Message and in use python version 2.7 is exposed. to Gratipay - 1 upvotes, $0
- prevent content spoofing on /search to Gratipay - 1 upvotes, $0
- text injection in website title to Gratipay - 1 upvotes, $0
- don't expose path of Python to Gratipay - 1 upvotes, $0
- don't leak server version of grtp.co in error pages to Gratipay - 1 upvotes, $0
- Username .. (double dot) should be restricted or handled carefully to Gratipay - 1 upvotes, $0
- Cookie:HttpOnly Flag not set to Gratipay - 1 upvotes, $0
- User Enumeration to Gratipay - 1 upvotes, $0
- POODLE SSLv3.0 to Gratipay - 1 upvotes, $0
- Unauthorized access to the slack channel via inside.gratipay.com/appendices/chat to Gratipay - 1 upvotes, $0
- Gratipay Website CSP "script-scr" includes "unsafe-inline" to Gratipay - 1 upvotes, $0
- Email Spoofing to Gratipay - 1 upvotes, $0
- CSP Policy Bypass and javascript execution Still Not Fixed to Gratipay - 1 upvotes, $0
- Possible user session hijack by invalid HTTPS certificate on inside.gratipay.com domain to Gratipay - 1 upvotes, $0
- Possible User Session Hijack using Invalid HTTPS certificate on inside.gratipay.com domain to Gratipay - 1 upvotes, $0
- Insecure Transportation Security Protocol Supported (TLS 1.0) to Gratipay - 1 upvotes, $0
- prevent content spoofing on /~username/emails/verify.html to Gratipay - 1 upvotes, $0
- Lack of CSRF token validation at server side to Gratipay - 1 upvotes, $0
- Login csrf. to Gratipay - 1 upvotes, $0
- PHP 5.4.45 is Outdated and Full of Preformance Interupting Arbitrary Code Execution Bugs to Gratipay - 1 upvotes, $0
- set Expires header to Gratipay - 1 upvotes, $0
- After removing app from facebook app session not expiring. to Gratipay - 1 upvotes, $0
- 400 Bad Request [Use a third-party provider to sign in or create an account on Gratipay] to Gratipay - 1 upvotes, $0
- Information Disclosure on inside.gratipay.com to Gratipay - 1 upvotes, $0
- Missing Certificate Authority Authorization rule to Gratipay - 1 upvotes, $0
- set Pragma header to Gratipay - 1 upvotes, $0
- XSS found In Your Web to Gratipay - 1 upvotes, $0
- nginx SPDY heap buffer overflow for https://grtp.co/ to Gratipay - 0 upvotes, $0
- UDP port 5060 (SIP) Open to Gratipay - 0 upvotes, $0
- proxy port 7000 and shell port 514 not filtered to Gratipay - 0 upvotes, $0
- server calendar and server status available to public to Gratipay - 0 upvotes, $0
- self cross site scripting to Gratipay - 0 upvotes, $0
- SSl Weak Ciphers to Gratipay - 0 upvotes, $0
- x-xss protection header is not set in response header to Gratipay - 0 upvotes, $0
- Usernames ending in .json are not restricted to Gratipay - 0 upvotes, $0
- Sub domain take over in gratipay.com to Gratipay - 0 upvotes, $0
- Directory Listing on grtp.co to Gratipay - 0 upvotes, $0
- Submit a non valid syntax email to Gratipay - 0 upvotes, $0
- Markdown parsing issue enables insertion of malicious tags to Gratipay - 0 upvotes, $0
- Possible Blind SQL injection | Language choice in presentation to Gratipay - 0 upvotes, $0
- prevent %2f spoofed URLs in profile statement to Gratipay - 0 upvotes, $0
- Broken link for stale DNS entry may be leveraged for Phishing, Misinformation, Serving Malware to Gratipay - 0 upvotes, $0