IDOR in report download functionality on ads.tiktok.com

👉 https://hackerone.com/reports/1559739

🔹 Severity: Low | 💰 500 USD
🔹 Reported To: TikTok
🔹 Reported By: #f_m
🔹 State: 🟢 Resolved
🔹 Disclosed: July 22, 2022, 11:48pm (UTC)

Rack CVE-2022-30122: Denial of Service Vulnerability in Rack Multipart Parsing

👉 https://hackerone.com/reports/1627159

🔹 Severity: Medium | 💰 2,400 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #ooooooo_q
🔹 State: 🟢 Resolved
🔹 Disclosed: July 23, 2022, 3:20am (UTC)

reflected XSS on panther.com

👉 https://hackerone.com/reports/1601140

🔹 Severity: Medium | 💰 250 USD
🔹 Reported To: Panther Labs
🔹 Reported By: #ibrahimatix0x01
🔹 State: 🟢 Resolved
🔹 Disclosed: July 23, 2022, 5:19am (UTC)

[doc.rt.informaticacloud.com] Arbitrary File Reading via Double URL Encode

👉 https://hackerone.com/reports/232371

🔹 Severity: High
🔹 Reported To: Informatica
🔹 Reported By: #bigbear_
🔹 State: 🟢 Resolved
🔹 Disclosed: July 23, 2022, 11:03am (UTC)

[doc.rt.informaticacloud.com] Reflected XSS via Stack Strace

👉 https://hackerone.com/reports/232320

🔹 Severity: High
🔹 Reported To: Informatica
🔹 Reported By: #bigbear_
🔹 State: 🟢 Resolved
🔹 Disclosed: July 23, 2022, 11:03am (UTC)

CVE-2022-27781: CERTINFO never-ending busy-loop

👉 https://hackerone.com/reports/1606039

🔹 Severity: Low | 💰 480 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #sybr
🔹 State: 🟢 Resolved
🔹 Disclosed: July 24, 2022, 7:31pm (UTC)

Node.js - DLL Hijacking on Windows

👉 https://hackerone.com/reports/1636566

🔹 Severity: High | 💰 3,000 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #yakirka
🔹 State: 🟢 Resolved
🔹 Disclosed: July 25, 2022, 6:30pm (UTC)

Race condition in faucet when using starport

👉 https://hackerone.com/reports/1438052

🔹 Severity: Critical | 💰 5,000 USD
🔹 Reported To: Cosmos
🔹 Reported By: #cyberboy
🔹 State: 🟢 Resolved
🔹 Disclosed: July 26, 2022, 5:47pm (UTC)

HTML Injection via Email Share

👉 https://hackerone.com/reports/1490311

🔹 Severity: Low | 💰 500 USD
🔹 Reported To: TikTok
🔹 Reported By: #lu3ky-13
🔹 State: 🟢 Resolved
🔹 Disclosed: July 27, 2022, 1:46am (UTC)

Off-by-slash vulnerability in nodejs.org and iojs.org

👉 https://hackerone.com/reports/1650273

🔹 Severity: Medium | 💰 1,200 USD
🔹 Reported To: Internet Bug Bounty
🔹 Reported By: #nagaro
🔹 State: 🟢 Resolved
🔹 Disclosed: July 28, 2022, 8:25am (UTC)

Acronis True Image Local Privilege Escalation Due To Race Condition In Application Verification

👉 https://hackerone.com/reports/1251464

🔹 Severity: High | 💰 250 USD
🔹 Reported To: Acronis
🔹 Reported By: #vkas-afk
🔹 State: 🟢 Resolved
🔹 Disclosed: July 28, 2022, 10:32am (UTC)

Hijack all emails sent to any domain that uses Cloudflare Email Forwarding

👉 https://hackerone.com/reports/1419341

🔹 Severity: Critical | 💰 6,000 USD
🔹 Reported To: Cloudflare Public Bug Bounty
🔹 Reported By: #albertspedersen
🔹 State: 🟢 Resolved
🔹 Disclosed: July 28, 2022, 4:35pm (UTC)

Twitter Account hijack through broken link in https://runpanther.io

👉 https://hackerone.com/reports/1607429

🔹 Severity: Low | 💰 100 USD
🔹 Reported To: Panther Labs
🔹 Reported By: #prakash142
🔹 State: 🟢 Resolved
🔹 Disclosed: July 28, 2022, 4:57pm (UTC)

Channel statistics up-to-date

🥇Total awarded amount - 💰2,994,628
🥈Total bug reports - 3,350
🥉Total reporters - 1,654

Reports counts by severity rating:

🔵 medium - 1333
🟠 high - 689
🟢 low - 659
🔴 critical - 359
🟤 none - 310

Top 10 participants by vulnerabilities found:

#skavans < 34 < 💰68,911
#nyymi < 33 < 💰21,320
#rtod < 33 < 💰11,200
#jon_bottarini < 32 < 💰36,773
#nagli < 31 < 💰4,961
#luchua < 26 < 💰47,700
#executor < 23 < 💰9,100
#ihsinme < 22 < 💰25,650
#lu3ky-13 < 21 < 💰4,048
#d3lla < 20 < 💰9,900

Top 10 teams by resolved reports:

Mail.ru > 305 > 💰314,033
U.S. Dept Of Defense > 290 > 💰8,000
GitHub Security Lab > 158 > 💰203,750
Shopify > 139 > 💰256,050
Nextcloud > 128 > 💰20,575
GitLab > 97 > 💰405,160
curl > 87 > 💰16,700
New Relic > 82 > 💰104,490
Acronis > 80 > 💰12,837
HackerOne > 68 > 💰63,501

HTML Injection via TikTok Ads Email Share

👉 https://hackerone.com/reports/1376990

🔹 Severity: Medium | 💰 1,000 USD
🔹 Reported To: TikTok
🔹 Reported By: #lu3ky-13
🔹 State: 🟢 Resolved
🔹 Disclosed: July 28, 2022, 10:08pm (UTC)

@nextcloud/logger NPM package brings vulnerable ansi-regex version

👉 https://hackerone.com/reports/1607601

🔹 Severity: Low
🔹 Reported To: Nextcloud
🔹 Reported By: #ro0telqayser
🔹 State: 🟢 Resolved
🔹 Disclosed: July 29, 2022, 10:18am (UTC)

Send Fax from Anyone's HelloFax Account Due to Misconfigured Email Validation

👉 https://hackerone.com/reports/1428385

🔹 Severity: High | 💰 4,913 USD
🔹 Reported To: Dropbox
🔹 Reported By: #sayaanalam
🔹 State: 🟢 Resolved
🔹 Disclosed: July 29, 2022, 5:18pm (UTC)

Possible to make restricted files public on Phabricator via Diffusion

👉 https://hackerone.com/reports/1560717

🔹 Severity: No Rating | 💰 2,000 USD
🔹 Reported To: Phabricator
🔹 Reported By: #dyls
🔹 State: 🟢 Resolved
🔹 Disclosed: July 29, 2022, 10:37pm (UTC)

Open redirection at https://smartreports.mtncameroon.net

👉 https://hackerone.com/reports/1530396

🔹 Severity: Low
🔹 Reported To: MTN Group
🔹 Reported By: #vulnera
🔹 State: 🟢 Resolved
🔹 Disclosed: July 30, 2022, 1:38am (UTC)

Corsa Site Scripting Vulnerability (XSS)

👉 https://hackerone.com/reports/1650210

🔹 Severity: High
🔹 Reported To: Hyperledger
🔹 Reported By: #bhaskar_ram
🔹 State: 🔴 N/A
🔹 Disclosed: July 30, 2022, 2:37pm (UTC)

Open S3 Bucket Accessible by any Aws User

👉 https://hackerone.com/reports/1654145

🔹 Severity: No Rating
🔹 Reported To: GoCD
🔹 Reported By: #khalidou
🔹 State: 🟢 Resolved
🔹 Disclosed: July 31, 2022, 3:02am (UTC)