Grammarly Bug Bounty Program Statistics | BugBountyHunter.com

Grammarly Program Statistics

16 total issues disclosed

$44,550 total paid publicly

Most disclosed (4 disclosures) — Information Disclosure

Disclosed Reports

Report Title	Vulnerability Type	Disclosed By	Severity	Disclosed on
Bypassing the Grammarly plagiarism checker by simply replacing characters in the source text	Business Logic Errors	evilksandr	None	2021-10-28
Ability to DOS any organization's SSO and open up the door to account takeovers	Improper Authentication - Generic	cache-money	High	2021-04-15
Config override using non-validated query parameter allows at least reflected XSS by injecting configuration into state	Business Logic Errors	fransrosen	Medium	2021-03-01
Unauthenticated users can access all food.grammarly.io user's data	Improper Access Control - Generic	cript0nauta	Low	2020-08-10
Grammarly Keyboard for Android "Authorization Code with PKCE" flow implementation vulnerability that allows account takeover	Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)	tomtenisse	Medium	2020-07-24
Account takeover through the combination of cookie manipulation and XSS	Cross-site Scripting (XSS) - Stored	k4r4koyun	High	2019-12-03
Permissive CORS policy trusting arbitrary extensions origin	Improper Access Control - Generic	foobar7	Medium	2019-11-06
Lack of CSRF header validation at https://g-mail.grammarly.com/profile	Information Disclosure	orlserg	Medium	2019-10-31
Previously created sessions continue being valid after MFA activation	Improper Access Control - Generic	brdoors3	Medium	2019-08-19
“email” MFA mode allows bypassing MFA from victim’s device when the device trust is not expired	Improper Authentication - Generic	l1nkworld	Medium	2019-08-12
Handling of `tracking` command allows making arbitrary blind requests with user's cookies from Grammarly Extension's origin	None supplied	metnew	Critical	2019-08-01
`socket` command allows sending data over WebSockets to arbitrary origins from Grammarly Extension	None supplied	metnew	High	2019-07-15
Grammarly Keyboard for Android <4.1 leaks user input through logs (except for sensitive input fields)	Information Exposure Through Debug Information	lukasstefanko	Low	2019-06-03
Employee's GitHub Token Found In Travis CI Build Logs	Information Disclosure	karimpwnz	High	2019-05-22
Employee's GitHub Token Found In Travis CI Build Logs	Information Disclosure	karimpwnz	High	2019-05-22
Employee's GitHub Token Found In Travis CI Build Logs	Information Disclosure	karimpwnz	High	2019-05-22