| Title | Weakness | Reporter | Severity | Date |
|---|---|---|---|---|
| DOM XSS in `fizzy.do` import filename preview enables one-click victim account takeover | Cross-site Scripting (XSS) - DOM | xavlimsg | High | 2026-04-14 |
| Improper Access Control in `fizzy.do` import flow allows cross-tenant ActionText reference resolution and data disclosure | Improper Access Control - Generic | xavlimsg | Low | 2026-04-14 |
| Unauthenticated access to private files on app.fizzy.do via Active Storage URLs leads to information disclosure | Insecure Direct Object Reference (IDOR) | perxibes | Low | 2026-03-16 |
| Spam & Clearance checks disabled with existing referenced Message-ID | Improper Access Control - Generic | northeastprince | Low | 2026-01-21 |
| Link unfurling calls out to arbitrary URLs and the private-network guard misses link-local addresses | Server-Side Request Forgery (SSRF) | brumbelow | Medium | 2025-12-22 |
| Improper bot-authentication allows to impersonate any user when sending messages in a room | Improper Authentication - Generic | stackered | High | 2025-11-21 |
| Two click Account Takeover | Deserialization of Untrusted Data | fr4via | High | 2025-11-11 |
| Mutation Based Stored XSS on Trix Editor version latest (2.1.8) | None supplied | sudi | Critical | 2025-06-27 |
| Critical Data Breach - Big Data for all domains | None supplied | shezxi | Medium | 2025-01-14 |
| Stored XSS on trix editor version 2.1.1 | Cross-site Scripting (XSS) - Stored | thwin_htet | High | 2024-11-04 |
| Path traversal in deeplink query parameter can expose any user's private info to a public directory (one click) | Path Traversal | fr4via | Medium | 2024-07-09 |
| Navgraph confusion allows any 3p app to send and read requests from the server at app.hey.com | Deserialization of Untrusted Data | fr4via | Medium | 2024-07-09 |
| Account takeover via insecure intent handling | Deserialization of Untrusted Data | fr4via | Medium | 2024-05-30 |
| AWS keys and user cookie leakage via uninitialized memory leak in outdated librsvg version in Basecamp | Information Disclosure | neex | High | 2023-09-21 |
| Arbitrary write in the application's data folder and arbitrary read of server's replies from 3rd party apps. | Path Traversal | fr4via | High | 2023-06-07 |
| com.basecamp.bc3 Webview Javascript Injection and JS bridge takeover | Cross-site Scripting (XSS) - DOM | fr4via | High | 2022-09-23 |
| RCE via exposed JMX server on jabber.37signals.com/jabber.basecamp.com | Deserialization of Untrusted Data | ian | Low | 2022-04-26 |
| Able to steal bearer token from deep link | Improper Authentication - Generic | danielllewellyn | High | 2022-03-27 |
| Improper Authentication via previous backup code login | Improper Authentication - Generic | fuzzsqlb0f | Medium | 2022-03-24 |
| Privilege Escalation leads to trash other users comment without having admin rights. | Privilege Escalation | fuzzsqlb0f | Low | 2021-12-01 |
| Subdomain Takeover due to ████████ NS records at us-east4.37signals.com | Information Disclosure | nagli | Medium | 2021-09-17 |
| HTTP Request Smuggling via HTTP/2 | HTTP Request Smuggling | neex | Critical | 2021-08-27 |
| Domain Takeover [3737signals.com] | Phishing | mrmax4o4 | Low | 2021-08-13 |
| Insecure Bundler configuration fetching internal Gems (okra) from Rubygems.org | Command Injection - Generic | zofrex | High | 2021-08-10 |
| Password reset link not expiring after changing password in settings | Improper Authentication - Generic | blackbibin | Low | 2021-08-10 |
| Login session not expire | Insufficient Session Expiration | blackbibin | Low | 2021-08-10 |
| Information Disclosure .htaccess accesible for public | None supplied | alone_breecher | Low | 2021-07-18 |
| Error Page Content Spoofing or Text Injection | Violation of Secure Design Principles | princej_76 | Low | 2021-07-14 |
| Lack of quarantine macOS attribute(com.apple.quarantine) leads multiple issues including RCE | None supplied | hensis | Medium | 2021-04-22 |
| User can upload files even after closing his account | Improper Authentication - Generic | h4x0r_dz | No rating | 2021-03-29 |
| DNS Setup allows sending mail on behalf of other customers | Violation of Secure Design Principles | aisforarray | Medium | 2021-02-21 |
| Remote code execution on Basecamp.com | Command Injection - Generic | gammarex | Critical | 2020-11-26 |
| Attachments may be hijacked via AppCache+CookieBombing trick (bc3_production_blobs bucket) | Business Logic Errors | hudmi | High | 2020-11-26 |
| Remote Code Execution in Basecamp Windows Electron App | Code Injection | co0sin | High | 2020-11-19 |
| a very long name in hey.com can prevent anyone from accessing their contacts and probably can cause denial of service | Denial of Service | tw4v3sx | Medium | 2020-11-10 |
| Information Disclosure of Garbage Collection Cycle | Information Disclosure | ahmd_halabi | Low | 2020-11-04 |
| stored XSS in hey.com message content | Cross-site Scripting (XSS) - Stored | carbon61 | Medium | 2020-10-31 |
| CSRF on launchpad.37signals.com OAuth2 authorization endpoint | Cross-Site Request Forgery (CSRF) | carbon61 | High | 2020-10-30 |
| Unauthenticated request smuggling on launchpad.37signals.com | HTTP Request Smuggling | hazimaslam | Critical | 2020-10-28 |
| HTTP request smuggling on Basecamp 2 allows web cache poisoning | HTTP Request Smuggling | hazimaslam | Critical | 2020-10-28 |
| HEY.com email stored XSS | Cross-site Scripting (XSS) - Stored | jouko | Critical | 2020-10-27 |
| Possible DOM XSS on app.hey.com | Cross-site Scripting (XSS) - DOM | enigmaticjohn | High | 2020-10-27 |