138 lines (137 loc) · 15.6 KB

TOPGRATIPAY.md


Top reports from the Gratipay program at HackerOne, ordered by upvotes (title, program, upvotes, bounty paid):

  1. Saying goodbye to HackerOne and Gratipay. to Gratipay - 92 upvotes, $0
  2. Reflected XSS - gratipay.com to Gratipay - 35 upvotes, $0
  3. Sub Domain Takeover to Gratipay - 16 upvotes, $0
  4. configure a redirect URI for Facebook OAuth to Gratipay - 14 upvotes, $10
  5. SQL TEST to Gratipay - 14 upvotes, $0
  6. i am The bug to Gratipay - 14 upvotes, $0
  7. Application-level DoS on image's "size" parameter. to Gratipay - 14 upvotes, $0
  8. fix bug in username restriction to Gratipay - 13 upvotes, $10
  9. User Supplied links on profile page is not validated and redirected via gratipay. to Gratipay - 12 upvotes, $0
  10. don't leak Server version for assets.gratipay.com to Gratipay - 11 upvotes, $0
  11. Content length restriction bypass can lead to DOS by reading large files on gip.rocks to Gratipay - 11 upvotes, $0
  12. change bank account numbers to Gratipay - 11 upvotes, $0
  13. Limit email address length to Gratipay - 10 upvotes, $1
  14. HTTP trace method is enabled on aspen.io to Gratipay - 10 upvotes, $0
  15. Gratipay rails secret token (secret_key_base) publicly exposed in GitHub to Gratipay - 9 upvotes, $0
  16. upgrade Aspen on inside.gratipay.com to pick up CR injection fix to Gratipay - 8 upvotes, $40
  17. Sub Domain Take over to Gratipay - 8 upvotes, $15
  18. Reflected SQL Execution to Gratipay - 8 upvotes, $0
  19. CSV injection in gratipay.com via payment history export feature. to Gratipay - 8 upvotes, $0
  20. Stored XSS On Statement to Gratipay - 7 upvotes, $40
  21. protect against tabnabbing in statement to Gratipay - 7 upvotes, $10
  22. Host Header Injection/Redirection Attack to Gratipay - 7 upvotes, $0
  23. Avoid "resend verification email" confusion to Gratipay - 6 upvotes, $1
  24. Inadequate/dangerous jQuery behavior to Gratipay - 6 upvotes, $1
  25. Transferring incorrect data to the http://gip.rocks/v1 endpoint with correct Content-Type leads to local paths disclosure through the error message to Gratipay - 6 upvotes, $0
  26. Email Forgery through Mandrillapp SPF to Gratipay - 5 upvotes, $10
  27. Prevent content spoofing on /~username/emails/verify.html to Gratipay - 5 upvotes, $10
  28. suppress version in Server header on gratipay.com or grtp.co to Gratipay - 5 upvotes, $1
  29. Cross Site Scripting In Profile Statement to Gratipay - 5 upvotes, $0
  30. Gratipay uses the random module's cryptographically insecure PRNG. to Gratipay - 5 upvotes, $0
  31. Username can be used to trick the victim on the name of www.gratipay.com to Gratipay - 5 upvotes, $0
  32. Content-Length restriction bypass to heap overflow in gip.rocks. to Gratipay - 5 upvotes, $0
  33. HTTP trace method is enabled on gip.rocks to Gratipay - 5 upvotes, $0
  34. Harden resend throttling to Gratipay - 5 upvotes, $0
  35. clickjacking on https://gratipay.com/on/npm/[text] to Gratipay - 5 upvotes, $0
  36. [gratipay.com] CRLF Injection to Gratipay - 4 upvotes, $40
  37. limit HTTP methods on other domains to Gratipay - 4 upvotes, $1
  38. Content Spoofing/Text Injection to Gratipay - 4 upvotes, $1
  39. Incomplete or No Cache-control and Pragma HTTP Header Set to Gratipay - 4 upvotes, $1
  40. prevent null bytes in email field to Gratipay - 4 upvotes, $0
  41. don't allow directory browsing on grtp.co to Gratipay - 4 upvotes, $0
  42. Secure Pages Include Mixed Content to Gratipay - 4 upvotes, $0
  43. Session Fixation At Logout /Session Misconfiguration to Gratipay - 4 upvotes, $0
  44. CSP Policy Bypass and javascript execution to Gratipay - 4 upvotes, $0
  45. No Valid SPF Records. to Gratipay - 3 upvotes, $10
  46. Send email asynchronously to Gratipay - 3 upvotes, $10
  47. HTTP trace method is enabled to Gratipay - 3 upvotes, $5
  48. SPF/DKIM/DMARC for aspen.io to Gratipay - 3 upvotes, $2
  49. The POODLE attack (SSLv3 supported) for https://grtp.co/ to Gratipay - 3 upvotes, $1
  50. Hijacking user session by forcing the use of invalid HTTPs Certificate on images.gratipay.com to Gratipay - 3 upvotes, $1
  51. don't serve hidden files from Nginx to Gratipay - 3 upvotes, $1
  52. strengthen Diffie-Hellman (DH) key exchange parameters in grtp.co to Gratipay - 3 upvotes, $1
  53. stop serving grtp.co over HTTP to Gratipay - 3 upvotes, $1
  54. auto-logout after 20 minutes to Gratipay - 3 upvotes, $1
  55. The contribution save option seem to be vulnerable to CSRF to Gratipay - 3 upvotes, $0
  56. Reset Link Issue to Gratipay - 3 upvotes, $0
  57. CSRF csrftoken in cookies to Gratipay - 3 upvotes, $0
  58. Cookie HttpOnly Flag Not Set to Gratipay - 3 upvotes, $0
  59. Certificate signed using SHA-1 to Gratipay - 3 upvotes, $0
  60. Username Restriction is not applied for reserved folders to Gratipay - 3 upvotes, $0
  61. nginx version disclosure on downloads.gratipay.com to Gratipay - 3 upvotes, $0
  62. This is a test report to Gratipay - 3 upvotes, $0
  63. Show hide privacy giving receiving on my website to Gratipay - 3 upvotes, $0
  64. limit number of images in statement to Gratipay - 2 upvotes, $1
  65. weak ssl cipher suites to Gratipay - 2 upvotes, $0
  66. Vulnerable to clickjacking to Gratipay - 2 upvotes, $0
  67. don't store CSRF tokens in cookies to Gratipay - 2 upvotes, $0
  68. implement a cross-domain policy for Adobe products to Gratipay - 2 upvotes, $0
  69. XSS Via Method injection to Gratipay - 2 upvotes, $0
  70. Content type incorrectly stated to Gratipay - 2 upvotes, $0
  71. URL Given leading to end users ending up in malicious sites to Gratipay - 2 upvotes, $0
  72. CSP "script-src" includes "unsafe-inline" in https://gratipay.com to Gratipay - 2 upvotes, $0
  73. don't leak Server version for assets.gratipay.com to Gratipay - 2 upvotes, $0
  74. [gratipay.com] Cross Site Tracing to Gratipay - 2 upvotes, $0
  75. Host Header poisoning on gratipay.com to Gratipay - 2 upvotes, $0
  76. xss to Gratipay - 2 upvotes, $0
  77. Information Disclosure on inside.gratipay.com to Gratipay - 2 upvotes, $0
  78. Bypassing X-frame options to Gratipay - 2 upvotes, $0
  79. Mail spaming to Gratipay - 1 upvotes, $20
  80. DMARC is misconfigured for grtp.co to Gratipay - 1 upvotes, $10
  81. prevent content spoofing on /search to Gratipay - 1 upvotes, $10
  82. prevent content spoofing on /~username/emails/verify.html to Gratipay - 1 upvotes, $10
  83. SPF DNS Record to Gratipay - 1 upvotes, $5
  84. SPF/DKIM/DMARC for grtp.co to Gratipay - 1 upvotes, $2
  85. Cookie Does Not Contain The "secure" Attribute to Gratipay - 1 upvotes, $1
  86. Possible SQL injection on "Jump to twitter" to Gratipay - 1 upvotes, $1
  87. don't leak server version of grtp.co in error pages to Gratipay - 1 upvotes, $1
  88. bring grtp.co up to A grade on SSLLabs to Gratipay - 1 upvotes, $1
  89. grtp.co is vulnerable to http-vuln-cve2011-3192 to Gratipay - 1 upvotes, $0
  90. An adversary can harvest email address for spamming. to Gratipay - 1 upvotes, $0
  91. Getting Error Message and in use python version 2.7 is exposed. to Gratipay - 1 upvotes, $0
  92. text injection in website title to Gratipay - 1 upvotes, $0
  93. don't expose path of Python to Gratipay - 1 upvotes, $0
  94. Username .. (double dot) should be restricted or handled carefully to Gratipay - 1 upvotes, $0
  95. Cookie:HttpOnly Flag not set to Gratipay - 1 upvotes, $0
  96. csrf_token cookie don't have the flag "HttpOnly" to Gratipay - 1 upvotes, $0
  97. User Enumeration to Gratipay - 1 upvotes, $0
  98. POODLE SSLv3.0 to Gratipay - 1 upvotes, $0
  99. Unauthorized access to the slack channel via inside.gratipay.com/appendices/chat to Gratipay - 1 upvotes, $0
  100. Gratipay Website CSP "script-scr" includes "unsafe-inline" to Gratipay - 1 upvotes, $0
  101. X-Content-Type Header Missing For aspen.io to Gratipay - 1 upvotes, $0
  102. Email Spoofing to Gratipay - 1 upvotes, $0
  103. CSP Policy Bypass and javascript execution Still Not Fixed to Gratipay - 1 upvotes, $0
  104. Possible user session hijack by invalid HTTPS certificate on inside.gratipay.com domain to Gratipay - 1 upvotes, $0
  105. Possible User Session Hijack using Invalid HTTPS certificate on inside.gratipay.com domain to Gratipay - 1 upvotes, $0
  106. Lack of CSRF token validation at server side to Gratipay - 1 upvotes, $0
  107. Login csrf. to Gratipay - 1 upvotes, $0
  108. PHP 5.4.45 is Outdated and Full of Preformance Interupting Arbitrary Code Execution Bugs to Gratipay - 1 upvotes, $0
  109. set Expires header to Gratipay - 1 upvotes, $0
  110. After removing app from facebook app session not expiring. to Gratipay - 1 upvotes, $0
  111. 400 Bad Request [Use a third-party provider to sign in or create an account on Gratipay] to Gratipay - 1 upvotes, $0
  112. Missing Certificate Authority Authorization rule to Gratipay - 1 upvotes, $0
  113. set Pragma header to Gratipay - 1 upvotes, $0
  114. XSS found In Your Web to Gratipay - 1 upvotes, $0
  115. Adding Used Primary Email Address to attacker account and Account takeover to Gratipay - 1 upvotes, $0
  116. DKIM records not present, Email Hijacking is possible to Gratipay - 0 upvotes, $10
  117. Self XSS Protection not used , I can trick users to insert JavaScript to Gratipay - 0 upvotes, $5
  118. Authentication errors in server side validaton of E-MAIL to Gratipay - 0 upvotes, $0
  119. nginx SPDY heap buffer overflow for https://grtp.co/ to Gratipay - 0 upvotes, $0
  120. UDP port 5060 (SIP) Open to Gratipay - 0 upvotes, $0
  121. proxy port 7000 and shell port 514 not filtered to Gratipay - 0 upvotes, $0
  122. server calendar and server status available to public to Gratipay - 0 upvotes, $0
  123. self cross site scripting to Gratipay - 0 upvotes, $0
  124. Insecure Transportation Security Protocol Supported (TLS 1.0) to Gratipay - 0 upvotes, $0
  125. SSl Weak Ciphers to Gratipay - 0 upvotes, $0
  126. x-xss protection header is not set in response header to Gratipay - 0 upvotes, $0
  127. Usernames ending in .json are not restricted to Gratipay - 0 upvotes, $0
  128. Sub domain take over in gratipay.com to Gratipay - 0 upvotes, $0
  129. SPF Protection not used, I can hijack your email server to Gratipay - 0 upvotes, $0
  130. Directory Listing on grtp.co to Gratipay - 0 upvotes, $0
  131. Submit a non valid syntax email to Gratipay - 0 upvotes, $0
  132. Markdown parsing issue enables insertion of malicious tags to Gratipay - 0 upvotes, $0
  133. Possible Blind SQL injection | Language choice in presentation to Gratipay - 0 upvotes, $0
  134. prevent %2f spoofed URLs in profile statement to Gratipay - 0 upvotes, $0
  135. Missing Certificate Authority Authorization rule to Gratipay - 0 upvotes, $0
  136. Broken link for stale DNS entry may be leveraged for Phishing, Misinformation, Serving Malware to Gratipay - 0 upvotes, $0