Elastic Program Statistics

15 total issues disclosed

$29,044 total paid publicly

Most disclosed (2 disclosures) — Improper Access Control - Generic



Disclosed Reports


| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on |
|---|---|---|---|---|
| blind Server-Side Request Forgery (SSRF) allows scanning internal ports | Server-Side Request Forgery (SSRF) | lu3ky-13 | Medium | 2023-05-05 |
| Synthetics Recorder: Code injection when recording website with malicious content | Code Injection | dee-see | High | 2023-04-08 |
| Default password on 34.120.209.175 | Weak Cryptography for Passwords | newspaper | Medium | 2022-11-18 |
| CSRF in AppSearch allows creation of "curations" | Cross-Site Request Forgery (CSRF) | dee-see | Medium | 2022-11-17 |
| Fix for CVE-2021-22151 (Kibana path traversal issue) can be bypassed on Windows | Path Traversal | dee-see | Low | 2021-11-15 |
| CVE-2021-40870 on [52.204.160.31] | Code Injection | fdeleite | Critical | 2021-10-06 |
| Critical \|\| Unrestricted access to private Github repos and properties of Elastic through leaked token of Elastic employee | Cleartext Storage of Sensitive Information | prateek_0490 | Critical | 2021-09-01 |
| Prototype Pollution leads to XSS on https://blog.swiftype.com/#__proto__[asd]=alert(document.domain) | Cross-site Scripting (XSS) - DOM | s1r1u5 | High | 2021-08-16 |
| Improper authorization on `/api/as/v1/credentials/` for Dev Role User with Limited Engine Access | Improper Access Control - Generic | superman85 | High | 2021-08-03 |
| [Swiftype] - Stored XSS via document field `url` triggers on `https://app.swiftype.com/engines/<engine>/document_types/<type>/documents/<id>` | Cross-site Scripting (XSS) - Stored | superman85 | High | 2021-08-03 |
| Improper authorization on `/api/as/v1/credentials/` allows any App Search user to access all API keys and escalate privileges | Improper Access Control - Generic | dee-see | High | 2021-06-02 |
| RCE hazard in reporting (via Chromium) | Privilege Escalation | alexbrasetvik | Critical | 2021-05-26 |
| XXE in Enterprise Search's App Search web crawler | XML External Entities (XXE) | dee-see | Critical | 2021-04-29 |
| Remote Code Execution in coming Kibana 7.7.0 | Privilege Escalation | alexbrasetvik | Critical | 2021-04-19 |
| Over-Privileged API Credentials for Elastic Agent | Violation of Secure Design Principles | captaingeech | Medium | 2021-03-29 |