BugHunters — Bug Bounty Platform

    All Bounties

    Browse 106 vulnerability reports across all programs.

    ID | Company | Title | Severity | Category | Status | Reward | Submissions
    GOOG-001 | Google | Stored XSS via malformed Gmail attachment filename | High | XSS | Open | $5,000–$10,000 | 2
    GOOG-002 | Google | CSRF on Google Cloud IAM role assignment endpoint | Critical | CSRF | In Review | $10,000–$31,337 | 1
    GOOG-003 | Google | OAuth token leakage via redirect_uri mismatch in GCP console | High | Authentication Bypass | Open | $5,000–$10,000 | 0
    MSFT-001 | Microsoft | Privilege escalation in Azure Active Directory via Graph API | Critical | Authorization Flaw | Open | $15,000–$250,000 | 0
    MSFT-002 | Microsoft | Remote code execution in Office 365 macro sandbox escape | Critical | RCE | In Review | $15,000–$250,000 | 3
    MSFT-003 | Microsoft | SSRF in Azure DevOps pipeline webhook handler | High | SSRF | Resolved | $5,000–$15,000 | 4
    AAPL-001 | Apple | iCloud authentication bypass via manipulated recovery flow | Critical | Authentication Bypass | Open | $50,000–$200,000 | 0
    AAPL-002 | Apple | Kernel memory disclosure in macOS Bluetooth stack | High | Data Leakage | In Review | $25,000–$100,000 | 2
    META-001 | Meta | Account takeover via Facebook OAuth race condition | Critical | Authentication Bypass | Resolved | $30,000–$100,000 | 5
    META-002 | Meta | Instagram API IDOR leaking private profile data | High | IDOR | Open | $10,000–$25,000 | 1
    META-003 | Meta | Stored XSS in WhatsApp Web link preview renderer | High | XSS | Open | $10,000–$30,000 | 0
    AMZN-001 | Amazon | SSRF via image processing in product review uploads | High | SSRF | Open | $5,000–$15,000 | 1
    AMZN-002 | Amazon | Price manipulation via race condition in checkout API | Critical | Business Logic | In Review | $10,000–$25,000 | 2
    TSLA-001 | Tesla | Vehicle API command injection via crafted trip name | High | SQL Injection | Open | $5,000–$15,000 | 0
    TSLA-002 | Tesla | Authentication bypass in Supercharger session management | Critical | Authentication Bypass | In Review | $10,000–$15,000 | 1
    SHOP-001 | Shopify | Checkout price manipulation via discount code race condition | Critical | Business Logic | Open | $15,000–$50,000 | 0
    SHOP-002 | Shopify | Stored XSS in merchant admin theme editor | High | XSS | Resolved | $5,000–$10,000 | 3
    STRP-001 | Stripe | Payment intent amount mismatch via concurrent API calls | Critical | Business Logic | Open | $15,000–$50,000 | 0
    STRP-002 | Stripe | Webhook signature bypass via timing attack | High | Cryptographic Issue | In Review | $5,000–$15,000 | 2
    CB-001 | Coinbase | Double-spend via race condition in withdrawal API | Critical | Business Logic | Open | $50,000–$250,000 | 0
    CB-002 | Coinbase | IDOR in user portfolio API leaking balances | High | IDOR | In Review | $10,000–$30,000 | 1
    CB-003 | Coinbase | XSS via crafted token name on Base explorer | Medium | XSS | Open | $2,000–$5,000 | 2
    BNB-001 | Binance | API key privilege escalation via permission bitmask overflow | Critical | Authorization Flaw | Open | $25,000–$100,000 | 0
    BNB-002 | Binance | Order book manipulation via WebSocket message injection | High | API Abuse | In Review | $10,000–$25,000 | 1
    KRK-001 | Kraken | Withdrawal address whitelist bypass via API parameter pollution | Critical | Authentication Bypass | Open | $25,000–$100,000 | 0
    KRK-002 | Kraken | Information disclosure in verbose trading error messages | Low | Information Disclosure | Resolved | $200–$500 | 3
    UNI-001 | Uniswap | Smart contract reentrancy in V3 flash loan callback | Critical | Smart Contract | Open | $100,000–$500,000 | 0
    UNI-002 | Uniswap | Frontend price display manipulation via crafted token metadata | Medium | Price Manipulation | In Review | $2,000–$5,000 | 2
    OS-001 | OpenSea | NFT listing price manipulation via Seaport order signature replay | Critical | Smart Contract | Open | $15,000–$50,000 | 0
    OS-002 | OpenSea | IDOR in collection stats API exposing hidden listings | Medium | IDOR | Resolved | $2,000–$5,000 | 4
    DSC-001 | Discord | Remote code execution via crafted embed in desktop client | Critical | RCE | Open | $10,000–$20,000 | 0
    DSC-002 | Discord | OAuth2 token theft via open redirect in authorization flow | High | Open Redirect | In Review | $3,000–$8,000 | 1
    SLK-001 | Slack | Message content leakage via shared channel API misconfiguration | High | Data Leakage | Open | $3,000–$10,000 | 0
    ZM-001 | Zoom | Meeting takeover via predictable meeting ID generation | Critical | Authentication Bypass | Resolved | $15,000–$50,000 | 6
    ZM-002 | Zoom | Screen share data exfiltration via malicious virtual background | High | Data Leakage | Open | $5,000–$15,000 | 0
    DBX-001 | Dropbox | File access bypass via shared link token prediction | High | Authorization Flaw | Open | $5,000–$15,000 | 1
    GH-001 | GitHub | Actions workflow injection via crafted PR title in public repos | High | RCE | Open | $10,000–$30,000 | 0
    GH-002 | GitHub | Private repository name disclosure via API error messages | Medium | Information Disclosure | In Review | $1,000–$3,000 | 2
    GH-003 | GitHub | CSRF on repository settings allowing branch protection bypass | High | CSRF | Open | $5,000–$15,000 | 0
    GL-001 | GitLab | CI pipeline secret exfiltration via malicious .gitlab-ci.yml | Critical | Data Leakage | Open | $10,000–$20,000 | 0
    CF-001 | Cloudflare | WAF bypass via chunked transfer encoding edge case | Critical | API Abuse | Open | $15,000–$50,000 | 0
    CF-002 | Cloudflare | Workers KV data leakage via timing side-channel | High | Data Leakage | In Review | $5,000–$15,000 | 1
    FIG-001 | Figma | Stored XSS via SVG import in design file | High | XSS | Open | $3,000–$10,000 | 0
    NOT-001 | Notion | IDOR in workspace API allowing unauthorized page access | High | IDOR | Open | $2,000–$5,000 | 1
    CNV-001 | Canva | SSRF via external image URL in template editor | High | SSRF | Open | $3,000–$10,000 | 0
    RED-001 | Reddit | Account takeover via password reset token prediction | Critical | Authentication Bypass | In Review | $10,000–$20,000 | 2
    RED-002 | Reddit | Stored XSS in subreddit custom CSS parser | High | XSS | Open | $3,000–$8,000 | 0
    X-001 | X (Twitter) | DM content leakage via API pagination vulnerability | High | Data Leakage | Open | $5,000–$15,000 | 0
    X-002 | X (Twitter) | Account suspension bypass via API parameter manipulation | Medium | Authorization Flaw | In Review | $1,000–$5,000 | 1
    LI-001 | LinkedIn | Private profile data exposure via recruiter search API | High | Data Leakage | Open | $5,000–$15,000 | 0
    NFLX-001 | Netflix | DRM bypass via modified playback API request headers | Critical | Cryptographic Issue | In Review | $10,000–$20,000 | 1
    NFLX-002 | Netflix | Account sharing detection bypass via cookie manipulation | Medium | Authentication Bypass | Open | $2,000–$5,000 | 0
    SPOT-001 | Spotify | Premium feature bypass via modified API client headers | High | Authorization Flaw | Open | $3,000–$10,000 | 0
    UBER-001 | Uber | Fare manipulation via GPS spoofing in rider API | Critical | Business Logic | Open | $10,000–$50,000 | 0
    UBER-002 | Uber | Driver identity verification bypass in onboarding flow | High | Authentication Bypass | In Review | $5,000–$15,000 | 2
    ABNB-001 | Airbnb | Payment diversion via host payout API manipulation | Critical | Business Logic | Open | $10,000–$25,000 | 0
    PP-001 | PayPal | Transaction amount modification via concurrent API race condition | Critical | Business Logic | Open | $15,000–$30,000 | 0
    PP-002 | PayPal | Venmo private transaction exposure via API enumeration | High | IDOR | Resolved | $5,000–$10,000 | 5
    SQ-001 | Block (Square) | Cash App payment interception via deep link hijacking | Critical | Authentication Bypass | Open | $10,000–$15,000 | 0
    RH-001 | Robinhood | Options trading restriction bypass via API parameter injection | High | Authorization Flaw | Open | $5,000–$15,000 | 0
    RH-002 | Robinhood | Portfolio value manipulation via stale price cache | Medium | Price Manipulation | In Review | $2,000–$5,000 | 1
    REV-001 | Revolut | Currency exchange rate arbitrage via API timing exploit | Critical | Business Logic | Open | $5,000–$10,000 | 0
    AXM-001 | Axiom Trade | Private key extraction via malicious token metadata in wallet connector | Critical | Authentication Bypass | Open | $20,000–$75,000 | 0
    AXM-002 | Axiom Trade | Order spoofing via unsigned transaction injection in limit order flow | Critical | Business Logic | Open | $20,000–$75,000 | 0
    AXM-003 | Axiom Trade | Front-running attack via MEV exposure in trade execution API | Critical | Smart Contract | In Review | $20,000–$75,000 | 1
    AXM-004 | Axiom Trade | IDOR on copy trading: subscribe to private strategy without approval | High | Authorization Flaw | Open | $5,000–$20,000 | 0
    AXM-005 | Axiom Trade | CORS misconfiguration exposes authenticated trade history to third-party origins | High | Data Leakage | Open | $5,000–$20,000 | 0
    AXM-006 | Axiom Trade | Slippage bypass via manipulated price oracle in swap router | Critical | Price Manipulation | Open | $20,000–$75,000 | 0
    AXM-007 | Axiom Trade | API rate limit bypass enabling high-frequency scraping of order book | Medium | API Abuse | Open | $1,000–$5,000 | 2
    AXM-008 | Axiom Trade | XSS via unsanitized token symbol in portfolio P&L display | High | XSS | Open | $5,000–$20,000 | 0
    ARKM-001 | Arkham Intelligence | IDOR on Intel Exchange: access rival analyst's private intel reports | Critical | Authorization Flaw | Open | $20,000–$100,000 | 0
    ARKM-002 | Arkham Intelligence | API key leakage via GraphQL introspection on entity resolution endpoint | High | Data Leakage | Open | $5,000–$20,000 | 1
    ARKM-003 | Arkham Intelligence | SSRF via webhook URL parameter in alert subscription flow | Critical | SSRF | In Review | $20,000–$100,000 | 2
    ARKM-004 | Arkham Intelligence | Address labeling spoofing via crafted ENS metadata injection | High | Business Logic | Open | $5,000–$20,000 | 0
    ARKM-005 | Arkham Intelligence | Stored XSS in custom dashboard widget via unsanitized token name | High | XSS | Open | $5,000–$20,000 | 0
    ARKM-006 | Arkham Intelligence | ARKM token transfer bypass via signature replay on Intel Exchange | Critical | Smart Contract | Open | $20,000–$100,000 | 0
    ARKM-007 | Arkham Intelligence | Rate limit bypass on bulk address lookup API | Medium | API Abuse | Open | $1,000–$5,000 | 0
    ARKM-008 | Arkham Intelligence | Authentication bypass via JWT algorithm confusion on /api/v2/user | Critical | Authentication Bypass | Open | $20,000–$100,000 | 0
    ARKM-009 | Arkham Intelligence | Private entity attribution data exposed via misconfigured S3 bucket | Critical | Data Leakage | In Review | $20,000–$100,000 | 3
    BM-001 | Bubblemaps | Wallet graph data poisoning via crafted on-chain metadata | Critical | Data Leakage | Open | $10,000–$50,000 | 0
    BM-002 | Bubblemaps | API key leakage via CORS misconfiguration on data endpoints | High | Data Leakage | Open | $5,000–$15,000 | 1
    BM-003 | Bubblemaps | SSRF via token contract address parameter in enrichment API | Critical | SSRF | In Review | $10,000–$50,000 | 2
    BM-004 | Bubblemaps | Stored XSS in bubble label rendering via token symbol injection | High | XSS | Open | $5,000–$15,000 | 0
    BM-005 | Bubblemaps | Rate limit bypass on /api/v2/bubble-map endpoint | Medium | API Abuse | Open | $1,000–$5,000 | 0
    BM-006 | Bubblemaps | Smart contract supply tracking manipulation via forked chain data | Critical | Business Logic | Open | $10,000–$50,000 | 0
    BM-007 | Bubblemaps | Authentication bypass on private map share link | High | Authentication Bypass | Open | $5,000–$15,000 | 0
    BM-008 | Bubblemaps | SQL injection via chain filter parameter in analytics API | Critical | SQL Injection | Open | $10,000–$50,000 | 0
    DS-001 | DexScreener | XSS via token name rendering on pair page | Critical | XSS | Open | $5,000–$15,000 | 0
    DS-002 | DexScreener | CSRF on watchlist API endpoint | High | CSRF | In Review | $2,000–$5,000 | 3
    DS-003 | DexScreener | API rate-limit bypass on /tokens/v1 endpoint | High | API Abuse | Open | $2,000–$5,000 | 1
    DS-004 | DexScreener | Fake price display via manipulated LP data | Critical | Price Manipulation | Resolved | $5,000–$15,000 | 5
    DS-005 | DexScreener | WebSocket feed injection causing stale chart data | Medium | Data Leakage | Open | $500–$2,000 | 0
    AAVE-001 | Aave | Flash loan oracle manipulation via price feed delay | Critical | Smart Contract | Open | $50,000–$250,000 | 0
    AAVE-002 | Aave | GHO facilitator cap bypass via reentrancy in mint function | Critical | Smart Contract | In Review | $50,000–$250,000 | 1
    LINK-001 | Chainlink | Oracle price manipulation via compromised data source aggregation | Critical | Smart Contract | Open | $25,000–$100,000 | 0
    MATIC-001 | Polygon | Bridge fund extraction via crafted Merkle proof | Critical | Smart Contract | Open | $50,000–$100,000 | 0
    MATIC-002 | Polygon | zkEVM state transition verification bypass | Critical | Smart Contract | In Review | $50,000–$100,000 | 1
    SOL-001 | Solana Foundation | Validator consensus manipulation via crafted vote transactions | Critical | Smart Contract | Open | $100,000–$400,000 | 0
    SOL-002 | Solana Foundation | SPL Token account authority hijack via program upgrade | Critical | Authorization Flaw | In Review | $50,000–$200,000 | 1
    ETH-001 | Ethereum Foundation | Consensus layer attestation forging via BLS signature malleability | Critical | Cryptographic Issue | Open | $100,000–$500,000 | 0
    ARB-001 | Arbitrum | Sequencer censorship via crafted transaction batching | High | Business Logic | Open | $10,000–$50,000 | 0
    DYDX-001 | dYdX | Liquidation price manipulation via oracle delay exploit | Critical | Price Manipulation | Open | $25,000–$150,000 | 0
    INCH-001 | 1inch | Swap routing manipulation extracting excess user tokens | Critical | Smart Contract | Open | $15,000–$50,000 | 0
    JUP-001 | Jupiter | Quote API manipulation returning inflated swap amounts | High | API Abuse | Open | $5,000–$20,000 | 0
    JUP-002 | Jupiter | DCA order front-running via predictable execution timing | Medium | Business Logic | In Review | $2,000–$10,000 | 1
    RAY-001 | Raydium | Concentrated liquidity pool drain via tick manipulation | Critical | Smart Contract | Open | $15,000–$50,000 | 0