| Privilege Escalation leads to trash other users comment without having admin rights. |
Privilege Escalation |
fuzzsqlb0f |
Low |
2021-12-01 |
| Privilege Escalation leads to trash other users comment without having admin rights. |
Privilege Escalation |
fuzzsqlb0f |
Low |
2021-12-01 |
| Subdomain Takeover due to ████████ NS records at us-east4.37signals.com |
Information Disclosure |
nagli |
Medium |
2021-09-17 |
| HTTP Request Smuggling via HTTP/2 |
HTTP Request Smuggling |
neex |
Critical |
2021-08-27 |
| Domain Takeover [3737signals.com] |
Phishing |
mrmax4o4 |
Low |
2021-08-13 |
| Insecure Bundler configuration fetching internal Gems (okra) from Rubygems.org |
Command Injection - Generic |
zofrex |
High |
2021-08-10 |
| Password reset link not expiring after changing password in settings |
Improper Authentication - Generic |
blackbibin |
Low |
2021-08-10 |
| Login session not expire |
Insufficient Session Expiration |
blackbibin |
Low |
2021-08-10 |
| Information Disclosure .htaccess accesible for public |
None supplied |
alone_breecher |
Low |
2021-07-18 |
| Error Page Content Spoofing or Text Injection |
Violation of Secure Design Principles |
princej_76 |
Low |
2021-07-14 |
| User can upload files even after closing his account |
Improper Authentication - Generic |
h4x0r_dz |
No rating |
2021-03-29 |
| DNS Setup allows sending mail on behalf of other customers |
Violation of Secure Design Principles |
aisforarray |
Medium |
2021-02-21 |
| Remote code execution on Basecamp.com |
Command Injection - Generic |
gammarex |
Critical |
2020-11-26 |
| Attachments may be hijacked via AppCache+CookieBombing trick (bc3_production_blobs bucket) |
Business Logic Errors |
hudmi |
High |
2020-11-26 |
| Remote Code Execution in Basecamp Windows Electron App |
Code Injection |
co0sin |
High |
2020-11-19 |
| a very long name in hey.com can prevent anyone from accessing their contacts and probably can cause denial of service |
Denial of Service |
tw4v3sx |
Medium |
2020-11-10 |
| Information Disclosure of Garbage Collection Cycle |
Information Disclosure |
ahmd_halabi |
Low |
2020-11-04 |
| stored XSS in hey.com message content |
Cross-site Scripting (XSS) - Stored |
carbon61 |
Medium |
2020-10-31 |
| CSRF on launchpad.37signals.com OAuth2 authorization endpoint |
Cross-Site Request Forgery (CSRF) |
carbon61 |
High |
2020-10-30 |
| Unauthenticated request smuggling on launchpad.37signals.com |
HTTP Request Smuggling |
hazimaslam |
Critical |
2020-10-28 |
| HTTP request smuggling on Basecamp 2 allows web cache poisoning |
HTTP Request Smuggling |
hazimaslam |
Critical |
2020-10-28 |
| HEY.com email stored XSS |
Cross-site Scripting (XSS) - Stored |
jouko |
Critical |
2020-10-27 |
| Possible DOM XSS on app.hey.com |
Cross-site Scripting (XSS) - DOM |
enigmaticjohn |
High |
2020-10-27 |
Getting started
Learn about vulnerability types 
Getting started in bug bounties 
Test your knowledge
Free Web Application Challenges
Guides for your hunts 
ZSeano's Methodology
Effective Note Taking for bug bounties
Useful Resources 
Disclosed HackerOne Reports 
Our community
Endorsed Members
Hackevents 
Member Articles