kinako has reached Level 4 with 75+ unique vulnerabilities discovered and they have proven to us that they understand web application vulnerabilities and how to discover them. If you run a bug bounty/vulnerability disclosure program and you are looking for an active, professional researcher, we recommend considering this user
| Report Title | Event ID | Severity | Vulnerability Type |
|---|---|---|---|
| Referer header reflection leads to Reflective XSS | FirstBlood v2 | Medium | Reflective XSS |
| register.php is still vulenerable to Reflective XSS | FirstBlood v2 | Medium | Reflective XSS |
| logout.php is still vulnearble to Open Redirect | FirstBlood v2 | Low | Open Redirect |
| email value in Modify Appointment Form is still changable | FirstBlood v2 | Medium | Application/Business Logic |
| goto parameter is still vulnerable to Reflective XSS | FirstBlood v2 | Medium | Reflective XSS |
| normal doctor can update other users' password | FirstBlood v2 | CRITICAL | Application/Business Logic |
| Cancelled Appintments is still vulnerable to Stored XSS | FirstBlood v2 | High | Stored XSS |
| non-admin doctor account can use qp.php API | FirstBlood v2 | Medium | Application/Business Logic |
| Modify Appointment Form is vulnerable to Stored XSS | FirstBlood v2 | High | Stored XSS |
| [COLLAB]Vaccination Management portal is vulnerable to Stored XSS | FirstBlood v2 | High | Stored XSS |
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles