Top 100 paid reports from HackerOne:
- Github access token exposure to Shopify - $50000, 1210 upvotes
- [Pre-Submission][H1-4420-2019] API access to Phabricator on code.uberinternal.com from leaked certificate in git repo to Uber - $39999, 346 upvotes
- Незащищённый экземпляр Zeppelin to Mail.ru - $35000, 169 upvotes
- Remote Command Execution via Github import to GitLab - $33510, 304 upvotes
- RCE via the DecompressedArchiveSizeValidator and Project BulkImports (behind feature flag) to GitLab - $33510, 299 upvotes
- RCE via npm misconfig -- installing internal libraries from the public registry to PayPal - $30000, 859 upvotes
- Arbitrary file read via the bulk imports UploadsPipeline to GitLab - $29000, 299 upvotes
- Exposed Kubernetes API - RCE/Exposed Creds to Snapchat - $25000, 1139 upvotes
- Server Side Request Forgery (SSRF) via Analytics Reports to HackerOne - $25000, 443 upvotes
- SQL Injection in report_xml.php through countryFilter[] parameter to Valve - $25000, 370 upvotes
- RepositoryPipeline allows importing of local git repos to GitLab - $22300, 64 upvotes
- access list owner can escalate his role to the highest roles to Teleport - $21000, 255 upvotes
- Potential pre-auth RCE on Twitter VPN to X (Formerly Twitter) - $20160, 1196 upvotes
- Bypass for #488147 enables stored XSS on https://paypal.com/signin again to PayPal - $20000, 2599 upvotes
- Account takeover via leaked session cookie to HackerOne - $20000, 1552 upvotes
- Arbitrary file read via the UploadsRewriter when moving and issue to GitLab - $20000, 1455 upvotes
- Getting all the CD keys of any game to Valve - $20000, 616 upvotes
- [phpobject in cookie] Remote shell/command execution to Pornhub - $20000, 607 upvotes
- RCE when removing metadata with ExifTool to GitLab - $20000, 486 upvotes
- RCE via unsafe inline Kramdown options when rendering certain Wiki pages to GitLab - $20000, 415 upvotes
- bd-j exploit chain to PlayStation - $20000, 264 upvotes
- Steal private objects of other projects via project import to GitLab - $20000, 225 upvotes
- Github Apps can use Scoped-User-To-Server Tokens to Obtain Full Access to User's Projects in Project V2 GraphQL api to GitHub - $20000, 188 upvotes
- Private objects exposed through project import to GitLab - $20000, 112 upvotes
- Stored XSS on https://paypal.com/signin via cache poisoning to PayPal - $18900, 662 upvotes
- Oracle Webcenter Sites administrative and hi-privilege access available directly from the internet (/cs/Satellite) to LocalTapiola - $18000, 264 upvotes
- Struct type confusion RCE to shopify-scripts - $18000, 8 upvotes
- Full Response SSRF via Google Drive to Dropbox - $17576, 302 upvotes
- Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation to Any Shop Owner by Taking Advantage of the Shopify SSO to Shopify - $16000, 1851 upvotes
- Stored XSS in markdown via the DesignReferenceFilter to GitLab - $16000, 282 upvotes
- Arbitrary file read during project import to GitLab - $16000, 182 upvotes
- Token leak in security challenge flow allows retrieving victim's PayPal email and plain text password to PayPal - $15300, 1356 upvotes
- Ability to bypass partner email confirmation to take over any store given an employee email to Shopify - $15250, 236 upvotes
- [Part II] Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation to Shopify - $15000, 878 upvotes
- Websites Can Run Arbitrary Code on Machines Running the 'PlayStation Now' Application to PlayStation - $15000, 758 upvotes
- Delete anyone's content spotlight remotely. to Snapchat - $15000, 713 upvotes
- Time-Based SQL injection at city-mobil.ru to Mail.ru - $15000, 631 upvotes
- Open prod Jenkins instance to Snapchat - $15000, 425 upvotes
- file read on MCS servers via supplying a QCOW2 image with external backing file to Mail.ru - $15000, 222 upvotes
- Incorrect authorization to the intelbot service leading to ticket information to TikTok - $15000, 203 upvotes
- [mcs.mail.ru] Пользователь с ролью наблюдателя может создавать ключи доступа для очереди сообщений (sqs.mcs.mail.ru) to Mail.ru - $15000, 147 upvotes
- Leaked JFrog Artifactory username and password exposed on GitHub - https://snapchat.jfrog.io to Snapchat - $15000, 124 upvotes
- Stored XSS via Kroki diagram to GitLab - $13950, 272 upvotes
- Stored XSS in Notes (with CSP bypass for gitlab.com) to GitLab - $13950, 148 upvotes
- New /add_contacts /remove_contacts quick commands susseptible to XSS from Customer Contact firstname/lastname fields to GitLab - $13950, 83 upvotes
- XSS in ZenTao integration affecting self hosted instances without strict CSP to GitLab - $13950, 75 upvotes
- Mass Accounts Takeover Without any user Interaction at https://app.taxjar.com/ to Stripe - $13000, 177 upvotes
- An attacker can archive and unarchive any structured scope object on HackerOne to HackerOne - $12500, 310 upvotes
- Spring Actuator endpoints publicly available and broken authentication to LY Corporation - $12500, 225 upvotes
- View Titles of Private Reports with pending email invitation to HackerOne - $12500, 224 upvotes
- Remote vulnerabilities in spp to PlayStation - $12500, 161 upvotes
- Git flag injection - local file overwrite to remote code execution to GitLab - $12000, 762 upvotes
- Local files could be overwritten in GitLab, leading to remote command execution to GitLab - $12000, 536 upvotes
- Project Template functionality can be used to copy private project data, such as repository, confidential issues, snippets, and merge requests to GitLab - $12000, 439 upvotes
- Bypass of GitLab CI runner slash fix in YAML validation to GitLab - $12000, 355 upvotes
- JSON serialization of any Project model results in all Runner tokens being exposed through Quick Actions to GitLab - $12000, 354 upvotes
- Path traversal, to RCE to GitLab - $12000, 136 upvotes
- Account Takeover via Authentication Bypass in TikTok Account Recovery to TikTok - $12000, 108 upvotes
- Path traversal in Nuget Package Registry to GitLab - $12000, 83 upvotes
- Arbitrary Code Execution via npm misconfiguration – installing internal libraries from the public registry to LY Corporation - $11500, 278 upvotes
- Exfiltrate and mutate repository and project data through injected templated service to GitLab - $11000, 734 upvotes
- IDOR to add secondary users in www.paypal.com/businessmanage/users/api/v1/users to PayPal - $10500, 727 upvotes
- Ability to DOS any organization's SSO and open up the door to account takeovers to Grammarly - $10500, 227 upvotes
- Use-After-Free In IPV6_2292PKTOPTIONS leading To Arbitrary Kernel R/W Primitives to PlayStation - $10000, 721 upvotes
- Access to multiple production Grafana dashboards to Snapchat - $10000, 449 upvotes
- touch.mail.ru / e.mail.ru memory content disclosure to Mail.ru - $10000, 409 upvotes
- gitlab-workhorse bypass in Gitlab::Middleware::Multipart allowing files in
allowed_paths
to be read to GitLab - $10000, 400 upvotes - SQL injection at fleet.city-mobil.ru to Mail.ru - $10000, 372 upvotes
- RCE on shared.mail.ru due to "widget" plugin to Mail.ru - $10000, 359 upvotes
- SSRF on project import via the remote_attachment_url on a Note to GitLab - $10000, 343 upvotes
- Partial disclosure of report activity through new "Export as .zip" feature to HackerOne - $10000, 340 upvotes
- Double Payout via PayPal to Coinbase - $10000, 296 upvotes
- SOCK_RAW sockets reachable from Webkit process allows triggering double free in IP6_EXTHDR_CHECK to PlayStation - $10000, 283 upvotes
- Deserialization of untrusted data at https://www.redtube.com/media/hls?s=data to Pornhub - $10000, 271 upvotes
- size_t-to-int vulnerability in exFAT leads to memory corruption via malformed USB flash drives to PlayStation - $10000, 265 upvotes
- Malformed NAV file leads to buffer overflow and code execution in Left4Dead2.exe to Valve - $10000, 264 upvotes
- Information Disclosure in /skills call to HackerOne - $10000, 259 upvotes
- Publicly exposed SVN repository, ht.pornhub.com to Pornhub - $10000, 211 upvotes
- read new emails from any inbox IOS APP in notification center to Mail.ru - $10000, 186 upvotes
- Authentication bypass on gist.github.com through SSH Certificates to GitHub - $10000, 165 upvotes
- CSRF protection bypass in GitHub Enterprise management console to GitHub - $10000, 140 upvotes
- Use-after-free in setsockopt IPV6_2292PKTOPTIONS (CVE-2020-7457) to PlayStation - $10000, 129 upvotes
- uber.com may RCE by Flask Jinja2 Template Injection to Uber - $10000, 111 upvotes
- Using gossip to drain miner wallets to Zilliqa - $10000, 111 upvotes
- Management Console Editor Privilege Escalation to Root SSH Access in GitHub Enterprise Server via RCE in ghe-update-check to GitHub - $10000, 72 upvotes
- Management Console Editor Privilege Escalation to Root SSH Access in GitHub Enterprise Server via nomad template injection and audit-forward to GitHub - $10000, 68 upvotes
- Privilege Escalation to Root SSH Access via Pre-Receive Hook Environment in GitHub Enterprise Server to GitHub - $10000, 63 upvotes
- Management Console Editor Privilege Escalation to Root SSH Access in GitHub Enterprise Server via nomad template injection to GitHub - $10000, 53 upvotes
- Management Console Editor Privilege Escalation to Root SSH Access in GitHub Enterprise Server via RCE in syslog-ng to GitHub - $10000, 52 upvotes
- OneLogin authentication bypass on WordPress sites to Uber - $10000, 51 upvotes
- Management Console Editor Privilege Escalation to Root SSH Access in GitHub Enterprise Server via RCE in collectd to GitHub - $10000, 37 upvotes
- Management Console Editor Privilege Escalation to Root SSH Access in GitHub Enterprise Server via RCE in actions-console to GitHub - $10000, 34 upvotes
- Invalid handling of zero-length heredoc identifiers leads to infinite loop in the sandbox to shopify-scripts - $10000, 23 upvotes
- Crash: Overwriting NoMethodError with a builtin class crashes/corrupts memory to shopify-scripts - $10000, 20 upvotes
- RCE hazard in reporting (via Chromium) to Elastic - $10000, 20 upvotes
- Segfault and/or potential unwanted (byte)code execution with "break" and "||=" inside a loop to shopify-scripts - $10000, 13 upvotes
- Buffer overflow in mrb_time_asctime to shopify-scripts - $10000, 13 upvotes
- Certain inputs cause tight C-level recursion leading to process stack overflow to shopify-scripts - $10000, 11 upvotes
- Broken handling of maximum number of method call arguments leads to segfault to shopify-scripts - $10000, 10 upvotes
- Crash: Initialize Decimal with itself triggers an assertion to shopify-scripts - $10000, 9 upvotes