Public vulnerability reports are security gold – everyone benefits from the shared knowledge. There are over 1600 publicly disclosed vulnerability reports on HackerOne, with more added each day. For every company or hacker that shares a report – thank you! The internet and all of us are safer because of your generous actions.
And so today we reveal — drumroll, please — the 5 Most Viewed HackerOne Vulnerability Reports of 2016 (so far).
#5: Tweet Deck XSS -Persistent- Group DM name
This XSS bug earned Wesecureapp $2,520 from Twitter. Why such an odd number? It’s a multiple of 140, which is the number of characters allowed in a Tweet.
#4: RCE by Flask Jinja2 Template Injection
This RCE from orange earned $10,000. Look at the timestamps to see how quickly Uber jumped on this and fixed it. Hackers, look how quickly they pay!
#3: Arbitrary file Upload on AirMax
This was the biggest earner on this list — $18,000. There was a great collaboration between 93c08539 and the company that allowed ample time for affected devices to be updated safely.
#2: DOM based XSS via Wistia embedding
This amazing find was matched with a blazing fast fix — 7 hours. It earned reactors08 a $1,152 bug bounty.
And at #1, by a lot: SSRF in
This was reported by Aesteral, part of HackerOne’s 90-90 Club (90+ percentile in Signal and Impact). It lit up the web stats the weekend it went public, and all of HackerOne marveled at how widely it was read. Aesteral was awarded $2,000 for this clearly written and effective report.
― Rajesh F. Krishnan
