Fetching Hackerone Public Reports via Python

Hey guys, it has been a long time since I wrote anything on my blog, and this lazy Sunday looked like the perfect time to do so.

I was going through the public reports on HackerOne and wondered whether there was some place where all of these reports are listed together.

So I wrote a small Python script that does exactly that; you can find it on my GitHub account (https://github.com/upgoingstar/hackerone_public_reports).

There are obviously a few tweaks that could still be made, but it works well and generates a handy CSV file with the following columns:

1. Report ID
2. Report URL
3. Bug Title
4. Bounty Reward
5. Reporter
6. Organization
7. Created At
8. Disclosed At
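As an added illustration (this is not the script from the GitHub repo above, only a sketch of its CSV-generation step), here is a small Python version that maps report records to the eight columns and writes them out. It runs over a constructed sample rather than live HackerOne data: the record field names, the report URL pattern and the sample rows are assumptions made for the example. It also handles two things a practitioner wants before a list like this is opened in Excel: a report ID that appears twice is written once, and any cell that starts with a formula character is neutralised, because several reports in the list below are themselves CSV-injection findings and a bug title such as `=HYPERLINK(...)` would otherwise be evaluated by the spreadsheet that opens the file.

```python
import csv
import io
import json

# Constructed sample input: four records in the shape this example assumes
# (id, title, bounty, reporter, team, created_at, disclosed_at). This is NOT
# HackerOne's real API schema; a real scraper would map its own fields here.
# The third record repeats an ID and the fourth carries a formula-style title.
SAMPLE_JSON = json.dumps([
    {"id": 1001, "title": "Reflected XSS in search", "bounty": "$500",
     "reporter": "alice", "team": "ExampleCorp",
     "created_at": "2015-11-01T10:00:00Z", "disclosed_at": "2015-12-01T10:00:00Z"},
    {"id": 1002, "title": "IDOR on removing share", "bounty": None,
     "reporter": "bob", "team": "ExampleCorp",
     "created_at": "2015-11-05T10:00:00Z", "disclosed_at": "2015-12-02T10:00:00Z"},
    {"id": 1002, "title": "IDOR on removing share", "bounty": None,
     "reporter": "bob", "team": "ExampleCorp",
     "created_at": "2015-11-05T10:00:00Z", "disclosed_at": "2015-12-02T10:00:00Z"},
    {"id": 1003, "title": '=HYPERLINK("http://attacker.example/","open me")',
     "bounty": "$100", "reporter": "mallory", "team": "ExampleCorp",
     "created_at": "2015-11-07T10:00:00Z", "disclosed_at": "2015-12-03T10:00:00Z"},
])

HEADER = ["Report ID", "Report URL", "Bug Title", "Bounty Reward",
          "Reporter", "Organization", "Created At", "Disclosed At"]

# Leading characters that Excel and LibreOffice treat as the start of a formula.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralize(cell):
    """Return the cell as text, prefixed with an apostrophe when a spreadsheet
    would otherwise evaluate it as a formula (CSV / DDE injection)."""
    text = "" if cell is None else str(cell)
    if text.startswith(FORMULA_PREFIXES):
        return "'" + text
    return text


def load_records(text):
    """Parse the JSON document (here the constructed sample) into dicts."""
    return json.loads(text)


def build_rows(records):
    """Map each record to the eight columns, dropping repeated report IDs."""
    seen = set()
    rows = []
    for rec in records:
        report_id = int(rec["id"])
        if report_id in seen:
            continue
        seen.add(report_id)
        rows.append([
            report_id,
            "https://hackerone.com/reports/%d" % report_id,  # assumed URL pattern
            rec.get("title", ""),
            rec.get("bounty") or "",
            rec.get("reporter", ""),
            rec.get("team", ""),
            rec.get("created_at", ""),
            rec.get("disclosed_at", ""),
        ])
    return rows


def to_csv(rows):
    """Serialise rows with every cell quoted and formula prefixes neutralised."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(HEADER)
    for row in rows:
        writer.writerow([neutralize(cell) for cell in row])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(build_rows(load_records(SAMPLE_JSON))), end="")
```

The apostrophe prefix is the usual mitigation recommended for CSV injection: Excel shows the title verbatim but no longer evaluates it. Quoting every cell (`QUOTE_ALL`) keeps commas and quotes inside titles from breaking the row layout, which matters for a list where titles frequently contain both.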

As of today (December 13th, 2015), it gave me 654 public reports; they are listed below.

The complete Excel file can be downloaded from this Dropbox link.

List of reports (report ID and bug title):

Report ID  --Bug Title
98281  --XSS Reflected in test.qiwi.ru
78412  --Cross site scripting
100186  --Transactions visible on Unconfirmed devices
93106  --Subdomain Takeover in http://staging.wepay.com/ pointing to Fastly
91604  --Crossdomain.xml settings on api.imgur.com too open
96467  --Persistent XSS in https://p.imgur.com/albumview.gif and http://p.imgur.com/imageview.gif / post statistics
89624  --Cross-site Scripting https://www.zendesk.com/product/pricing/
96470  --Missing of csrf protection
100829  --Stored-XSS in https://www.coinbase.com/
98083  --No password length restriction denial of service
101450  --XSS in creating tweets
99321  --[CSRF] Activate PayPal Express Checkout
98469  --Email Verification Link can be Used as Password Reset Link!
97510  --Following a User After Favoriting Actually Follows Another User (related to #95243)
95243  --Following a User Actually Follows Another User
97292  --HTTP header injection in info.hackerone.com allows setting cookies for hackerone.com
99708  --Limited CSRF bypass.
100509  --Pre-generation of 2FA secret/backup codes seems like an unnecessary risk
87561  --OAuth permission set as true leads to authorizing a malicious application
95804  --[api.allodsteam.com] Authentication Data
87577  --Stored XSS on vimeo.com and player.vimeo.com
95932  --user-agent Content spoofing
77076  --GA code not verified on the server side allows sending Verification Documents on behalf of another user
85720  --IDOR on removing Share
75702  --No rate limit which leads to "Users information Disclosure" including verification documents etc.
74147  --Potential for financial loss, negative Values for "Buy fee" and "Sell Fee"
57692  --Server responds with the server error logs on account creation
57914  --HTML injection in email sent by romit.io
49974  --The csrf token remains same after user logs in
81201  --Reflective XSS in projects.invisionapp.com
87040  --XSS on OAuth authorize/authenticate endpoint
92353  --CSV Injection in polldaddy.com
98499  --Apps can access 'channels' beta api
96908  --An administrator without the 'Settings' permission is able to see payment gateways
99374  --deleted staff member can add his amazon marketplace web services account to the store.
88881  --XSS: https://light.mail.ru/compose, https://m.mail.ru/compose/[id]/reply when replying to a specially crafted email
95981  --Http Response Splitting - Validate link
98247  --login to any user's cashier account and full account information disclosure
46485  --Problem with OAuth
97948  --Cross-domain AJAX request
97191  --Send AJAX request to external domain
104009  --zend_throw_or_error() format string vulnerability
104033  --tokenizer crash when processing undecodable source code
82725  --Stored XSS in comments
95599  --Cross Site Scripting
97657  --File upload XSS (Java applet) on http://slackatwork.com/
95589  --Privilege escalation and circumvention of permission to limited access user
98259  --'Limited' RCE in certain places where Liquid is accepted
96890  --A 'Full access' administrator is able to see the shop owners user details
97535  --List of devices is accessible regardless of the account limitations
92481  --Accessing Payments page and adding payment methods with limited access accounts
93680  --Missing authorization check on dashboard overviews
89505  --Self-XSS in posts by formatting text as code
96337  --Stored XSS in Slack (weird, trial and error)
97683  --Reflected Self-XSS in Slack
93294  --First & Last Name Disclosure of any Shopify Store Admin
104032  --PyFloat_FromString & PyNumber_Long Buffer Over-reads
95441  --Unauthorized access to any Store Admin's First & Last name
90274  --CSV Excel Macro Injection Vulnerability in export chat logs
104014  --libcurl duphandle read out of bounds
93616  --get users information without full access
93901  --Bypassing password requirement during deletion of account
96855  --Staff members with no permission to access domains can access them.
90753  --Content Spoofing
90131  --CSV Excel Macro Injection Vulnerability in export customer tickets
79393  --Open access to corporate data.
34686  --Filtering error
55670  --Fabric.io:  Ex-admin of an organization can delete team members
66121  --XSS at http://vk.com on IE using flash files
80298  --Injection of an arbitrary JavaScript script into the image-viewing functionality of the mobile version of the site
65330  --Insufficient validation of Skype login
1483  --HTML Injection on flickr screename using IOS App
94502  --Some S3 Buckets are world readable (and one is world writeable)
93394  --Unauthenticated access to details of hidden products in any shop via title enumeration
67393  --Enumeration and Guessable Email (OWASP-AT-002) Through Login Form
94899  --Paid account can review\download any invoice of any other shop
54631  --Vulnerable to JavaScript injection. (WXS)  (Javascript injection)!
37301  --CSRF Token in cookies!
87168  --www.shopify.com XSS on blog pages via sharing buttons
94230  --Cross-site Scripting in all Zopim
94087  --Arbitrary read on s3://shopify-delivery-app-storage/files
93921  --Unauthorized access to all collections, products, pages from other stores
81736  --XSS in WordPress
93691  --Arbitrary write on s3://shopify-delivery-app-storage/files
57505  --amazon aws s3 bucket content is public :-  http://shopify.com.s3.amazonaws.com/
104011  --AddressSanitizer reports a global buffer overflow in mkgmtime() function
104012  --Integer overflow in unserialize() (32-bits only)
90671  --Privilege escalation vulnerability
90690  --change Login Services settings without owner access
93004  --unauthorized access to all collections name
92050  --Normal User can add new users to group
50941  --A user can enhance their videos with paid tracks without buying the track
92740  --SPF records not found
92350  --CSV Injection
90912  --Inadequate input validation on API endpoint leading to self denial of service and increased system load.
52646  --Insecure direct object reference - have access to deleted DM's
44588  --Email Length Verification
62174  --Internet Explorer Enhanced Protected Mode sandbox escape via a broker vulnerability
66958  --Microsoft Internet Explorer ActiveX Broker Allows EPM Bypass
92453  --unauthorized access to all customers first and last name
92344  --customers password hash leak!!!!
55546  --Open Redirect after login at http://ecommerce.shopify.com
53858  --Insecure Direct Object Reference - access to other user/group DM's
86504  --[CRITICAL] Login To Any Account Linked With Google+ With Email Only
86468  --[https://www.anghami.com/updatemailinfo/] Sql Injection
56626  --Shop admin can change external login services
86022  --Multiple so called 'type juggling' attacks. Most notably PhabricatorUser::validateCSRFToken() is 'bypassable' in certain cases.
103990  --Null pointer dereference in phar_get_fp_offset()
104008  --Uninitialized pointer in phar_make_dirstream
52708  --Share your channel to any user on vimeo without following him
75357  --Session Cookie without HttpOnly and secure flag set
103992  --Integer overflow in _Unpickler_Read
56936  --Notification request disclose private information about other myshopify accounts
72785  --CSV Injection with the CVS export feature
67660  --Verification code issues for Two-Step Authentication
41240  --POODLE Bug: mx4.twitter.com
67557  --Bypass access restrictions from API
56726  --Invitation issue
88395  --Information leakage through Graphviz blocks
60573  --http://fitter1.i.mail.ru/browser/ Graphite exposed to the world
67161  --Possible xWork classLoader RCE: shared.mail.ru
62544  --http://tp-dev1.tp.smailru.net/
62531  --tt-mac.i.mail.ru: Quagga (Router) : Default password and default enable password
60420  --store-agent.mail.ru: stacked blind injection
44052  --Hadoop Node available to public
49035  --HDFS NameNode Public disclosure:
49139  --scfbp.tng.mail.ru: Heartbleed
49408  --RCE via JDWP
44294  --Heartbleed: my.com ( port 1433
20720  --cloud.mail.ru: File upload XSS using Content-Type header
20391  --m.agent.mail.ru: Forging the j2me app-descriptor
23852  --money.mail.ru: Strange SMS behaviour
16935  --e.mail.ru: SMS spam with custom content
20616  --e.mail.ru: File upload "Chapito" circus
14033  --connect.mail.ru: SSRF
13195  --auth.mail.ru: XSS in login form
13482  --money.mail.ru sources disclosure
103994  --Python 3.3 - 3.5 product_setstate() Out-of-bounds Read
84709  --[API ISSUE] agents can Create agents even after they are disabled !
66235  --Vulnerability in tagging locations on photos + feature + hacking
104000  --Python xmlparse_setattro() Type Confusion
104001  --time_strftime() Buffer Over-read
56779  --XSS on ecommerce.shopify.com
77319  --Full path disclosure at https://keybase.io/_/api/1.0/invitation_request.json
104002  --Python scan_eol() Buffer Over-read
104003  --Python deque.index() uninitialized memory
75727  --Stored Cross site scripting In developer.zendesk.com
81757  --Self XSS in chat.
104010  --SOAP serialize_function_call() type confusion / RCE
103995  --Use After Free Vulnerability in unserialize() with SplDoublyLinkedList
103996  --Use After Free Vulnerability in unserialize() with SplObjectStorage
103997  --Use After Free Vulnerability in unserialize()
103998  --Use After Free Vulnerability in session deserializer
103999  --Use after free vulnerability in unserialize() with GMP
104007  --Buffer over-read in exif_read_data with TIFF IFD tag
85291  --XSS https://www.shopify.com/signup
47536  --[ishop.qiwi.com] XSS + Misconfiguration
80936  --Private Program and bounty details disclosed as part of JSON search response
79185  --Content spoofing through Referer header
77060  --SMTP protection not used
81441  --XSS https://delivery.shopifyapps.com/  (Digital Downloads App  in myshopify.com)
76738  --Open redirect filter bypass
67389  --SSRF via 'Insert Image' feature of Products/Collections/Frontpage
104006  --Null pointer deref (segfault) in spl_autoload via ob_start
1203  --XSS in my yahoo
1171  --Security.allowDomain("*") in SWFs on img.autos.yahoo.com allows data theft from Yahoo Mail (and others)
940  --Store XSS Flicker main page
35237  --Gain reputation by creating a duplicate of an existing report
34112  --SMTP Protection not used, I can hijack your email server.
31415  --PoodleBleed
30975  --Improper Verification of email address while saving Account Settings
26866  --Critical : Account removing using CSRF attack
76713  --XSS - Gallery Search Listing
73566  --Reflected XSS in chat
77802  --TCP Source Port Pass Firewall
34084  --Bad extended ascii handling in HTTP 301 redirects of t.co
77221  --Open/Unvalidated Redirect Issue
77081  --Content Sniffing not disabled
80597  --Number of invited researchers disclosed as part of JSON search response
104016  --Dangling pointer in the unserialization of ArrayObject items
104018  --Multiple Use After Free Vulnerabilities in unserialize()
104019  --Files extracted from archive may be placed outside of destination directory
77067  --No rate limiting for sensitive actions (like "forgot password") enables user enumeration
104015  --curl_setopt_array() type confusion
104017  --Arbitrary code execution in str_ireplace function
104004  --Mem out-of-bounds write (segfault) in ZEND_ASSIGN_DIV_SPEC_CV_UNUSED_HANDLER
104005  --null pointer deref (segfault) in zend_eval_const_expr
104024  --array.fromstring Use After Free
38682  --Delayed, fraudulent transactions possible with encrypted Square Reader devices due to lack of server-side verification of device transaction counter
62861  --Bulk Discount App in myshopify.com exposes http://bulkdiscounts.shopifyapps.com vulnerable to XSS
77231  --Weak Cryptographic Hash
77065  --Stealing CSRF Tokens
56494  --Get email ID of any user on hackpad.com
71614  --XSS in Myshopify Admin Site in DISCOUNTS
64963  --API: Bug in method auth.validatePhone
75556  --Accessing title of the report of which you are marked as duplicate
73567  --Attention! Remote Code Execution at http://wpt.ec2.shopify.com/
67220  --Expire User Sessions in Admin Site does not expire user session in Shopify Application in IOS
67377  --SSRF via 'Add Image from URL' feature
58679  --SSL cookie without secure flag set
63888  --Cross site scripting
66151  --Invitation is not properly cancelled while inviting to bug reports.
3370  --Directory traversal attack in view resolver
47223  --Javascript Injection
56002  --Shopify android client all API request's response leakage, including access_token, cookie, response header, response body content
55525  --Open redirection in OAuth
104025  --use after free in load_newobj_ex
55842  --[persistent cross-site scripting] customers can target admins
104023  --bytearray.find Buffer Over-read
39486  --No bruteforce protection leads to enumeration of emails in http://e.mail.ru/
54719  --e.mail.ru stored XSS in agent via sticker (smile)
104021  --audioop.adpcm2lin Buffer Over-read
73259  --Integer overflow in _pickle.c
73260  --Integer overflow in _json_encode_unicode leads to crash
104022  --hotshot pack_string Heap Buffer Overflow
104020  --audioop.lin2adpcm Buffer Over-read
55911  --CSRF token fixation in facebook store app that can lead to adding attacker to victim acc
72331  --XSS at Bulk editing ProductVariants
18845  --Unauthorized Access via Join Email Link
44727  --Insecure Data Storage in Vine Android App
63537  --XSS in https://app.mavenlink.com/workspaces/
52035  --Open redirect in "Language change".
29420  --Horizontal Privilege Escalation
104028  --Improved fix for bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow)
67132  --XSS at Bulk editing products
67125  --XSS at importing Product List
44513  --RCE due to Web Console IP Whitelist bypass in Rails 4.0 and 4.1
49935  --rails-ujs will send CSRF tokens to other origins
47888  --Reporting user's profile by using another people's ID
73241  --Malformed ECParameters causes infinite loop
66386  --[www.*.myshopify.com] CRLF Injection
66262  --mailto: link injection on https://hackerone.com/directory
63865  --Potential denial of service in hackerone.com/<program>/reward_settings
55716  --Force 500 Internal Server Error on any shop (for one user)
62427  --XSS in myshopify.com Admin site in TAX Overrides
59356  --XSS in dropbox main domain
59659  --Reopen Disable Accounts/ Hidden Access After Disable
56742  --SPF whitelist of mandrill leads to email forgery
63729  --Logic error with notifications: user that has left team continues to receive notifications and can not 'clean' this area on account
55530  --Authentication Failed Mobile version
53628  --XSS in https://hackpad.com/
57603  --API: missing invalidation of OAuth2 Authorization Code during access revocation causes authorization bypass
59015  --Stored XSS in the Shopify Discussion Forums
73258  --Python: imageop Unsafe Arithmetic
46750  --Team admin can change unauthorized team setting (allow_message_deletion)
546  --Logical issues with account settings
575  --Email spoofing
842  --Autocomplete enabled in Paypal preferences
298  --RTL override symbol not stripped from file names
7931  --Issue with remember_user_token
454  --PNG compression DoS
38343  --Issue with password change
37593  --Open Redirect in unmask.sucuri.net
47627  --Email Enumeration (POC)
30238  --New Device confirmation tokens are not properly validated.
36594  --New Device Confirmation, token is valid until not used.
104026  --invalid pointer free() in phar_tar_process_metadata()
57459  --XSS in experts.shopify.com
73249  --Multiple use after free bugs in element module
73253  --Multiple type confusions in unicode error handlers
73256  --PHP yaml_parse/yaml_parse_file/yaml_parse_url Double Free
73257  --PHP yaml_parse/yaml_parse_file/yaml_parse_url Unsafe Deserialization
103993  --Request Hijacking Vulnerability In RubyGems 2.4.6 And Earlier
73240  --Integer overflow in ftp_genlist() resulting in heap overflow
73255  --str_repeat() sign mismatch based memory corruption
104027  --Memory Corruption in phar_parse_tarfile when entry filename starts with null
59179  --Race condition when redeeming coupon codes
60402  --Content Spoofing - External Link Warning Page
43998  --CRITICAL full source code/config disclosure for Cameo
59469  --Fake URL + Additional vectors for homograph attack
59369  --Making any Report Failed to load
59375  --Homograph attack
31082  --Unauthorized Tweeting on behalf of Account Owners
51265  --Flash Cross Domain Policy Bypass by Using File Upload and Redirection - only in Chrome
58630  --Content Spoofing
54610  --Logout any user of same team
46818  --Twitter Card - Parent Window Redirection
53843  --HTTP Response Splitting (CRLF injection) due to headers overflow
52181  --Insecure Direct Object References that allows to read any comment (even if it should be private)
52176  --Insecure Direct Object References in https://vimeo.com/forums
54641  --Captcha Bypass in Snapchat's Geofilter Submission Process
73250  --Multiple use after free bugs in heapq module
73251  --Multiple use after free bugs in json encoding
73252  --Use after free in get_filter
58612  --Homograph attack
52982  --[URGENT ISSUE] Add or Delete the videos in watch later list of any user .
51817  --Post in private groups after getting removed
46747  --Team admin can change unauthorized team setting (require_at_for_mention)
52644  --confirmation bypass of 2FA  devices  while they are deleting
52645  --secretKey  for OTP , is getting leaked in response of a delete request !
5946  --Marking notifications as read CSRF bug
17785  --Denial of Service
9479  --Anti-MIME-Sniffing header X-Content-Type-Options header has not been set.
36211  --Logic Issue with Reputation: Boost Reputation Points
28500  --iOS App can establish Facetime calls without user's permission
49806  --Twitter Ads Campaign information disclosure through admin without any authentication.
56828  --SSRF vulnerability in app webhooks
50786  --A user can add videos to other user's private groups
57163  --Open-redirect on hackerone.com
52042  --HTTP Response Splitting (CRLF injection) in report_story
73248  --Tokenizer crash when processing undecodable source code
52822  --XSS with Time-of-Day Format
49561  --Vimeo + & Vimeo PRO Unauthorised Tax bypass
56511  --IDOR expire other user sessions
54779  --Missing spf flags for myshopify.com
73245  --Type Confusion Vulnerability in SoapClient
73237  --Buffer Over flow when parsing tar/zip/phar in phar_set_inode
73238  --Buffer Over-read in unserialize when parsing Phar
73246  --Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER
73247  --php_stream_url_wrap_http_ex() type-confusion vulnerability
50884  --Bypass pin(4 digit passcode on your android app)
43988  --twitter android app Fragment Injection
50885  --CVE-2014-0224 openssl ccs vulnerability
42582  --Vimeo.com - Reflected XSS Vulnerability
46916  --Markdown parsing issue enables insertion of malicious tags and event handlers
26962  --open redirect in rfc6749
31756  --Drupal 7 pre auth sql injection and remote code execution
47779  --Heap overflow in H. Spencer's regex library on 32 bit systems
54733  --Sandboxed iframes don't show confirmation screen
47932  --Privilege Escalation at invite feature @hackpad.com
53098  --XSS in twitter.com/safety/unsafe_link_warning
49759  --Open Redirect leak of authenticity_token lead to full account take over.
41469  --Error stack trace
43850  --abusing Thumbnails(https://vimeo.com/upload/select_thumb) to see a private video
47940  --Team admin can add billing contacts
50170  --FREAK: Factoring RSA_EXPORT Keys to Impersonate TLS Servers
21034  --Invoice Details activate JS that filled in
46429  --Team member invitations to sandboxed teams are not invalidated consistently
47140  --Leakage of sensitive wallet tokens to third party sites
29471  --Privilege Escalation
47495  --Same Origin Policy bypass
36986  --[Stored XSS] vine.co - profile page
53088  --SSRF vulnerability (access to metadata server on EC2 and OpenStack)
47227  --Race condition in workers may cause an exploitable double free by abusing bytearray.compress()
47012  --Adobe Flash Player Out-of-Bound Access Vulnerability
47232  --Use after free during the StageVideoAvailabilityEvent can result in arbitrary code execution
47234  --Use After Free in Flash MessageChannel.send can cause arbitrary code execution
46618  --Frictionless Transferring of Wallet Ownership
31554  --Signup Page HTML Injection Vulnerability
55018  --Segmentation fault for invalid PSS parameters
49652  --Improperly validated fields allows injection of arbitrary HTML via spoofed React objects
73239  --ZIP Integer Overflow leads to writing past heap boundary
73235  --Use After Free Vulnerability in unserialize()
73244  --Use after free vulnerability in unserialize() with DateInterval
2497  --Reflective XSS can be triggered in IE
73236  --X509_to_X509_REQ NULL pointer deref
50752  --open redirect sends authenticity_token to any website or (ip address)
35287  --getting emails of users/removing them from victims account [using typical attack]
46954  --Red October 1511493148.cloud.vimeo.com
29234  --Credit Card Validation Issue
48065  --open authentication bug
50829  --A user can post comments on other user's private videos
50776  --A user can edit comments even after video comments are disabled
31408  --Adobe Flash Player Out-of-Bound Read/Write Vulnerability
30567  --Adobe Flash Player MP4 Use-After-Free Vulnerability
36279  --Adobe Flash Player MP4 Use-After-Free Vulnerability
6002  --Stored XSS in Slack.com
50134  --XSS in original referrer after follow
43672  --player.vimeo.com - Reflected XSS Vulnerability
42584  --Vimeo.com - reflected xss vulnerability
43065  --Fabric.io - an app admin can delete team members from other user apps
55030  --SoapClient's __call() type confusion through unserialize()
43770  --Ability to Download Music Tracks Without Paying (Missing permission check on`/musicstore/download`)
48100  --Bad Write in TTF font parsing (win32k.sys)
48422  --Team member invitations to sandboxed teams are not invalidated consistently (v2)
44864  --Insecure data in "device" response - OTP
44555  --Notification Emails: IP + Content-Spoofing
55029  --Use after free vulnerability in unserialize() with DateTimeZone
48682  --Taking over a Business Account Admin
47472  --CSP Bypass: Click handler for links with data-method="post" can cause authenticity_token to be sent off domain
48690  --Remotely removing credit cards from business accounts!
38007  --Subdomain Takeover using blog.greenhouse.io pointing to Hubspot
42587  --Vimeo.com Insecure Direct Object References Reset Password
48516  --Redirect URL in /intent/ functionality is not properly escaped
44512  --XSS on any site that includes the moogaloop flash player | deprecated embed code
46397  --Insecure Direct Object Reference vulnerability
29263  --Redirect while opening link in new tabs
44492  --Flaw in login with twitter to steal Oauth tokens
41856  --HTML/XSS rendered in Android App of Crashlytics through fabric.io
44909  --weird bug ! ( missing validation on new email verification )
43602  --Buying ondemand videos that  0.1  and sometimes for free
42240  --chrome allows POST requests with custom headers using flash + 307 redirect
30004  --CSRF on adding clients
30015  --CSRF on adding a calendar event
44888  --Improper way of validating a program
55017  --Multiple Python integer overflows
103991  --mod_lua: Crash in websockets PING handling
46072  --Vulnerability with the way \ escaped characters in <http://danlec.com> style links are rendered
45368  --ftp upload of video allows naming that is not sanitized as the manual naming
45484  --XSS on Vimeo
104013  --heap buffer overflow in enchant_broker_request_dict()
55028  --Free called on uninitialized pointer in exif.c
55033  --Use after free vulnerability in unserialize()
39428  --Phabricator Phame Blog Skins Local File Inclusion
38189  --xss in /browse/contacts/
6017  --Facebook Takeover using Slack using 302 from files.slack.com with access_token
11919  --Stored XSS on http://top.mail.ru
38965  --Phabricator Diffusion application allows unauthorized users to delete mirrors
42702  --APIs for channels allow HTML entities that may cause XSS issue
73242  --libcurl: URL request injection
42236  --URGENT - Subdomain Takeover on users.tweetdeck.com , the same issue  of report #32825
73234  --out of bounds read crashes php-cgi
20049  --Cross-site Scripting in mailing (username)
35363  --[static.qiwi.com] XSS proxy.html
30852  --Relateiq SSLv3 deprecated protocol vulnerability.
32519  --XSS in fabric.io
14127  --SSRF on https://whitehataudit.slack.com/account/photo
27468  --Reflected XSS in widget script thru cookie
36319  --[qiwi.com] /oauth/confirm.action XSS
30011  --square google calendar integration CSRF,https://squareup.com/appointments/business/settings(state parameter not checking properly)
39631  --Open redirection in fabric.io
36450  --[send.qiwi.ru] Soap-based XXE vulnerability /soapserver/
35413  --[send.qiwi.ru] XSS at auth?login=
43443  --PyUnicode_FromFormatV crasher
32570  --OpenSSL HeartBleed (CVE-2014-0160)
12583  --XXE and SSRF on webmaster.mail.ru
11927  --Stored XSS on http://cards.mail.ru
11410  --XSS in https://e.mail.ru/cgi-bin/lstatic (Limited use)
8846  --localStorage is not cleared after logout
26935  --XSS via .eml file
9921  --Time based sql injection
28832  --touch.mail.ru XSS via message id
38232  --Breaking Bugs as team member
33083  --Backup of wordpress configuration file found. Leaking database users/passwords
33091  --DOM Cross-Site Scripting ( XSS )
37622  --XSS in www.eobot.com(IE9 only)
5314  --Coinbase Android Application - Bitcoin Wallet Leaks OAuth Response Code
43440  --Arbitrary file existence disclosure in Action Pack
20873  --rsync hash collisions may allow an attacker to corrupt or modify files
33935  --File Name Enumeration
29360  --XSS platform.twitter.com | video-js metadata
29331  --No email verification on username change
29328  --XSS platform.twitter.com
29288  --Usage of HTTP for exporting graph data as images
27704  --malicious file upload
27511  --ads.twitter.com xss
27357  --Editing Client Details of other People
26825  --Full path disclosure at ads.twitter.com
26700  --CRITICAL Account takeover via AngularJS template injection in connect.squareup.com
26527  --XSS in Client Past Activity
25332  --XSS [BookFresh]
9919  --SQL injection [hole in the forum engine]
36264  --mod_proxy_fcgi buffer overflow
27166  --Missing Rate Limiting on https://twitter.com/account/complete
501  --TLS Virtual Host Confusion
32825  --URGENT - Subdomain Takeover on media.vine.co due to unclaimed domain pointing to AWS
31168  --Cryptographic Side Channel in OAuth Library
27987  --Window Opener Property Bug
18501  --Session Fixation
28865  --Redirect FILTER bypass in report/comment
28150  --Cross site scripting on ads.twitter.com
15412  --Leaking CSRF token over HTTP resulting in CSRF protection bypass
31383  --Ability to see common response titles of other teams (limited)
27389  --Reflected XSS in connect.square.com
14552  --Session fixation in wepay.com
29491  --homograph attack. IDNs displayed in unicode in bug reports and on external link warning page
12497  --Adobe Flash Player FileReference Use-after-Free Vulnerability
27651  --Flash Local Sandbox Bypass
25334  --Open Redirect [FreshBook]
38170  --Misc Python bugs (Memory Corruption & Use After Free)
23098  --Blind SQL injection in www.bookfresh.com
29480  --Unvalidated Channel names causes IRC Command Injection
7121  --Persistent Cross Site Scripting within the IRCCloud Pastebin
29839  --GNU Bourne-Again Shell (Bash) 'Shellshock' Vulnerability
27404  --Delete Credit Cards from any Twitter Account in ads.twitter.com [New Vulnerability]
27846  --Stored xss
8082  --Password Reset Bug
25281  --Change Any username and profile link in hackerone
10554  --Bypassing 2FA for BTC transfers
14631  --Clickjacking at https://www.mavenlink.com/ main website
25160  --Open redirection on secure.phabricator.com
16330  --Multiple issues in looking-glass software (aka from web to BGP injections)
18698  --Resubmitted with POC #18685 Password reset CSRF
15762  --SQL Injection on 11x11.mail.ru
23386  --Redirect while opening links in new tabs
10468  --SQL inj
23363  --Forgot Password Issue
17160  --Password Policy issue (Weak Protect)
22093  --Content Spoofing all Integrations in https://team.slack.com/services/new/
2622  --URL redirection flaw
2559  --Broken Authentication (including Slack OAuth bugs)
18295  --source code disclosure
16718  --Open Redirect login account
21248  --Content spoofing at Stripe Integrations
16568  --Failed Certificate Validation On Custom Server (Register)
21110  --Clickjacking
7813  --readable .htaccess + Source Code Disclosure (+ .SVN repository)
6704  --Open Proxy, http://www.smushit.com/ysmush.it/, 4/09/14, #SpringClean
2168  --XSS on Every sports.yahoo.com page
6702  --CSRF Token is missing on DELETE message option on  http://baseball.fantasysports.yahoo.com/b1/127146/messages
6665  --Comment Spoofing  at  http://suggestions.yahoo.com/detail/?prop=directory&fid=97721
6700  --CSRF Token missing on  http://baseball.fantasysports.yahoo.com/b1/127146/messages
16414  --Yahoo Sports Fantasy Golf (Join Public Group)
12708  --Testing for user enumeration (OWASP-AT-002) - https://gh.bouncer.login.yahoo.com
7266  --XSS in https://hk.user.auctions.yahoo.com
11414  --Infrastructure and Application Admin Interfaces (OWASP-CM-007)
18507  --CSRF on email address operations. Also performing unintended operations.
10081  --SQL
18691  --XSS in editor by any user
13959  --privilege escalation
17506  --Default /docs folder of PHPBB3 installation on gamesnet.yahoo.com
2625  --Stored XSS in username.slack.com
2439  --Cross Site Scripting (XSS) - app.relateiq.com
12685  --Authorization issue on creative.yahoo.com
18279  --Yahoo! Reflected XSS
5442  --XSS in Yahoo! Web Analytics
6195  --reflected XSS, http://extprodweb11.cc.gq1.yahoo.com/, 4/8/14, #SpringClean
6674  --REMOTE CODE EXECUTION/LOCAL FILE INCLUSION/XSPA/SSRF, view-source:http://sb*.geo.sp1.yahoo.com/, 4/6/14, #SpringClean
8284  --information disclosure (LOAD BALANCER + URI XSS)
8281  --https://caldav.calendar.yahoo.com/ - XSS (STORED)
7608  --invite1.us2.msg.vip.bf1.yahoo.com/ - CSRF/email disclosure
2598  --http://conf.member.yahoo.com configuration file disclosure
6194  --Significant Information Disclosure/Load balancer access, http://extprodweb11.cc.gq1.yahoo.com/, 4/8/14, #SpringClean
21210  --privilege escalation
17474  --Broken Authentication and Session Management
18721  --Multiple Full Path Disclosure (FPD) Vulnerability on Dccompendium.com domain
18389  --Backend source code disclosure on 404 pages
17896  --Clickjacking: X-Frame-Options header missing
21069  --Login CSRF
6268  --Cross-origin issue on rmaiauth.ads.vip.bf1.yahoo.com
6322  --Header injection on rmaitrack.ads.vip.bf1.yahoo.com
17903  --Error page Cross-site scripting
2628  --CSRF vulnerability on https://sehacure.slack.com/account/settings
16571  --SSRF (Portscan) via Register Function (Custom Server)
17383  --Category- Broken Authentication and Session Management (leads to account compromise if some conditions are met)
10563  --CSRF on "Set as primary" option on the accounts page
4409  --TRACE disclosure attack may be possible
17688  --LZ4 Core
21150  --Flash XSS on swfupload.swf showing at app.mavenlink.com
14570  --Login password guessing attack
15852  --Non Validation of session after password reset
10373  --Bypassing Same Origin Policy With JSONP APIs and Flash
6182  --captcha missing
20861  --moderate: mod_deflate denial of service
15166  --Password reset token not expiring
12588  --XSS in a file or folder name
13286  --Host Header Injection - irccloud.com
10801  --report a reflected XSS
14699  --Open Redirect
28445  --SPL ArrayObject/SPLObjectStorage Unserialization Type Confusion Vulnerabilities
17909  --XSS on Home page
28449  --Active Record SQL Injection Vulnerability Affecting PostgreSQL
28450  --Active Record SQL Injection Vulnerability Affecting PostgreSQL
17540  --Reflected XSS in Pastebin-view
35102  --Locale::parseLocale Double Free
20671  --integer overflow in 'buffer' type allows reading memory
13748  --Potential denial of service in hackerone.com/teams/new
13388  --Linux PI futex self-requeue bug
15362  --Flash Sandbox Bypass
16392  --Abusing daemon logs for Privilege escalation under certain scenarios
16315  --Abusing VCS control on phabricator
15785  --Session not invalidated after password reset
7264  --Bypass of the Clickjacking protection on Flickr using data URL in iframes
9318  --Home page reflected XSS
8724  --Clickjacking
10829  --CSRF in function "Set as primary" on accounts page
7369  --2 factor authentication design flaw
4461  --Server Side Request Forgery
9774  --Stored XSS Found
6353  --Wildcard DNS in website
10037  --SQL inj
11861  --SQL injection update.mail.ru
2575  --Slack OAuth2 "redirect_uri" Bypass
10297  --Stored XSS in slack.com (integrations)
5933  --Multiple Issues related to registering applications
6883  --Bruteforcing irccloud login
2617  --Stored XSS in www.slack-files.com
7041  --iOS application does not destroy session upon logout.
4638  --Duplicate of #4550
2652  --Stored XSS in Channel Chat
7531  --Login CSRF can be bypassed (Similar approach to previous one).
2777  --Reflected Xss
7779  --Local File Include on marketing-dam.yahoo.com
6877  --Unsecure cookies, cookie flag secure not set
7036  --Bug in iOS application which could lead to unauthorised access.
6935  --Missing X-Content-Type-Options
2421  --Value of JSESSIONID and XSRF token parameter in cookie remains same before and after login
6872  --Sign up CSRF
5786  --Coinbase Android Security Vulnerabilities
4256  --XSS Vulnerability (my.yahoo.com)
4561  --Stored XSS in Slackbot Direct Messages
9391  --Xss in CampTix Event Ticketing
7357  --Host Header is not validated resulting in Open Redirect
9375  --Stored XSS in all fields in Basic Google Maps Placemarks Settings
6907  --Session Token is not Verified while changing Account Setting's which Result In account Takeover
6871  --Login CSRF
3441  --Captcha Bypass With Extension
2427  --XSRF token problem
5928  --Uncontrolled Resource Consumption with XMPP-Layer Compression
3986  --Securing sensitive pages from SearchBots
2584  --Weird Bug - Ability to see partial of other user's notification
742  --A password reset page does not properly validate the authenticity token at the server side.
477  --Flawed account creation process allows registration of usernames corresponding to existing file names
288  --Session Management
353  --Session not expired on logout
6350  --creating titleless and non-closable bugs
2140  --Flash local-with-fileaccess Sandbox Bypass
4114  --Persistent XSS: Editor link
3930  --OAuth Stealing Attack (New)
3921  --Control character allowed in username
3596  --OAuth access_token stealing in Phabricator
3455  --flash content type sniff vulnerability in api.slack.com
7803  --Security bypass could lead to information disclosure
6626  --TLS heartbeat read overrun
4836  --From Unrestricted File Upload to Remote Command Execution
2735  --HTML injection in "Invite Collaborators"
3356  --UnAuthorized Editorial Publishing to Blogs
1533  --Flickr: Invitations disclosure (resend feature)
1538  --SQLi on http://sports.yahoo.com/nfl/draft
6389  --Integer overflow in strop.expandtabs
1675  --Local file inclusion
2228  --Login CSRF using Twitter OAuth
2233  --Bypass auth.email-domains (2)
2224  --Bypass auth.email-domains
4690  --SPDY heap buffer overflow
4689  --SPDY memory corruption
914  --XSS Yahoo Messenger Via Calendar.Yahoo.Com
3039  --SQL Injection ON HK.Promotion
2127  --HK.Yahoo.Net Remote Command Execution
3227  --Control Characters Not Stripped From Username on Signup
6380  --Same Origin Security Bypass Vulnerability
916  --Cross-site scripting on the main page of flickr by tagging a user.
2221  --CSS leaks SCSS debug info
2170  --Flash double free vulnerability leads to code execution
809  --Improperly implemented password recovery link functionality
18849  --OSX ATS arbitrary free issue may lead to App Sandbox bypass
18850  --OSX ATS memory corruption may lead to App Sandbox bypass
774  --Log in a user to another account
727  --Switching the user to the attacker's account
737  --Improper session management
738  --Information disclosure (reset password token) and changing the user's password
1509  --DNS Misconfiguration
713  --Upload profile photo from URL
18851  --.NET Type Traversal Vulnerability
1356  --PHP Heap Overflow Vulnerability in imagecrop()
960  --Linux 3.4+: arbitrary write with CONFIG_X86_X32
2107  --Handling of jar: URIs bypasses AllowScriptAccess=never
2245  --Win32k Window Handle Vulnerability (EoP)
547  --CSRF login
120  --Missing SPF for hackerone.com
284  --Broken Authentication and session management OWASP A2
487  --DNS Cache Poisoning
523  --PHP openssl_x509_parse() Memory Corruption Vulnerability
2106  --Flash type confusion vulnerability leads to code execution
390  --Pixel flood attack
400  --GIF flooding
280  --Real impersonation
321  --CSP not consistently applied
499  --Ruby: Heap Overflow in Floating Point Parsing
500  --OpenSSH: Memory corruption in AES-GCM support
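The list above is pasted in the "<id>  --<title>" form, which is handy to read but not to work with. Below is an added example, written for this post and not the script the post links to, that turns rows in that form back into a CSV and tallies the bug class per title so you can see the distribution (XSS, CSRF, SQLi, memory safety, and so on) at a glance. Assumptions: the sample rows are copied from the list above, the report URL is built from the ID as https://hackerone.com/reports/<id>, and the keyword-based classes are a rough heuristic of my own, not a HackerOne field.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample: ten rows copied from the list above, in the page's
# "<id>  --<title>" layout. Replace with the full list to process everything.
SAMPLE_ROWS = """\
2168  --XSS on Every sports.yahoo.com page
6700  --CSRF Token missing on  http://baseball.fantasysports.yahoo.com/b1/127146/messages
11861  --SQL injection update.mail.ru
16571  --SSRF (Portscan) via Register Function (Custom Server)
7779  --Local File Include on marketing-dam.yahoo.com
2127  --HK.Yahoo.Net Remote Command Execution
21069  --Login CSRF
14699  --Open Redirect
17896  --Clickjacking: X-Frame-Options header missing
6626  --TLS heartbeat read overrun
"""

# Assumed URL pattern for a public HackerOne report.
REPORT_URL = "https://hackerone.com/reports/{id}"

# One row: optional leading space, digits, whitespace, "--", then the title.
ROW_RE = re.compile(r"^\s*(\d+)\s+--\s*(.*?)\s*$")

# Heuristic bug classes, matched in order; the first hit wins. These are my
# own keyword rules for illustration, not a taxonomy from the source data.
CLASSES = [
    ("XSS", re.compile(r"\b(xss|cross[- ]site scripting)\b", re.I)),
    ("CSRF", re.compile(r"\b(csrf|xsrf|cross[- ]site request forgery)\b", re.I)),
    ("SQLi", re.compile(r"\bsql\b|\bsqli\b|sql inj", re.I)),
    ("SSRF", re.compile(r"\bssrf\b|server side request forgery", re.I)),
    ("RCE", re.compile(r"remote (code|command) execution|\brce\b", re.I)),
    ("LFI", re.compile(r"local file incl|\blfi\b", re.I)),
    ("Open redirect", re.compile(r"open redirect", re.I)),
    ("Clickjacking", re.compile(r"clickjacking|x-frame-options", re.I)),
    ("Memory safety", re.compile(
        r"overflow|overrun|use[- ]after[- ]free|double free|memory corruption|type confusion", re.I)),
]


def classify(title):
    """Return the first matching bug class for a report title, else 'Other'."""
    for name, pattern in CLASSES:
        if pattern.search(title):
            return name
    return "Other"


def parse_rows(text):
    """Parse '<id>  --<title>' lines into dicts; malformed or blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        report_id = int(m.group(1))
        title = " ".join(m.group(2).split())  # collapse stray double spaces
        rows.append({
            "id": report_id,
            "url": REPORT_URL.format(id=report_id),
            "title": title,
            "class": classify(title),
        })
    return rows


def to_csv(rows):
    """Render parsed rows as CSV text (quoting handles commas or quotes in titles)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["id", "url", "title", "class"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def tally(rows):
    """Count reports per bug class."""
    return Counter(r["class"] for r in rows)


if __name__ == "__main__":
    parsed = parse_rows(SAMPLE_ROWS)
    print(to_csv(parsed))
    for bug_class, count in tally(parsed).most_common():
        print(f"{bug_class}: {count}")
```

Titles that match none of the rules land in "Other" (for example "privilege escalation"), so widen the rule list before trusting the counts for the full 654 rows; the point of the first-match ordering is that a title such as "Login CSRF" is never miscounted as something broader.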