Judge.me Program Statistics
18 total issues disclosed
$4,800 total paid publicly
Most disclosed (7 disclosures) — Cross-site Scripting (XSS) - Stored
Disclosed Reports
| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on |
|---|---|---|---|---|
| Self-XSS due to image URL can be exploited via XSSJacking techniques in review email | None supplied | penguinshelp | Medium | 2023-02-01 |
| HTML INJECTION (STORED) | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | criptex | No rating | 2023-02-01 |
| Improper Access Control in Ali Express Importer | Improper Access Control - Generic | penguinshelp | Medium | 2023-02-01 |
| Stored XSS in Public Profile Reviews | Cross-site Scripting (XSS) - Stored | vj1naruto | None | 2023-02-01 |
| XSS in Widget Review Form Preview in settings | Cross-site Scripting (XSS) - Stored | penguinshelp | Medium | 2022-09-29 |
| Race condition on https://judge.me/people | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | netboom | Low | 2022-08-01 |
| Email templates XSS by filterXSS bypass | Cross-site Scripting (XSS) - Generic | caue | High | 2022-05-25 |
| Blind XSS via Feedback form. | Cross-site Scripting (XSS) - Stored | b3hlull | High | 2022-05-03 |
| Stored XSS in "product type" field executed via product filters | None supplied | chupa__chups | Medium | 2022-04-26 |
| IDOR: leak buyer info & Publish/Hide foreign comments | Insecure Direct Object Reference (IDOR) | chupa__chups | High | 2022-03-31 |
| Stored XSS in Question edit from product name | Cross-site Scripting (XSS) - Stored | chupa__chups | Medium | 2022-03-31 |
| stored XSS on AliExpress Review Importer/Products when delete product | Cross-site Scripting (XSS) - Stored | chupa__chups | Medium | 2022-03-31 |
| Stored XSS in Question edit for product name (bypass #1416672) | Cross-site Scripting (XSS) - Stored | chupa__chups | Medium | 2022-03-31 |
| Log4j RCE on https://judge.me/reviews | Code Injection | bhishma14 | None | 2021-12-21 |
| HTML injection in review content | Command Injection - Generic | 0xteles | None | 2021-12-17 |
| Error Page Content Spoofing or Text Injection | Business Logic Errors | tefa_ | None | 2021-12-13 |
| Stored XSS in Email Templates via link | Cross-site Scripting (XSS) - Stored | rioncool22 | Medium | 2021-11-18 |
| The response shows the nginx version | Information Exposure Through Sent Data | cametome006 | No rating | 2021-11-11 |