TTS Bug Bounty Program Statistics


37 total issues disclosed

$12,450 total paid publicly

Most disclosed (5 disclosures) — Violation of Secure Design Principles

Disclosed Reports

Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed On
--- | --- | --- | --- | ---
WordPress users disclosure (/wp-json/wp/v2/users/) on | Information Disclosure | nagli | Medium | 2020-07-28
Blind SSRF on endpoint | Use of Inherently Dangerous Function | mariuszpoplawski | Medium | 2020-07-10
Limited LFI | Remote File Inclusion | mariuszpoplawski | Medium | 2020-07-09
HTTP request smuggling on | HTTP Request Smuggling | puppykok | High | 2020-05-13
Open redirect in | Open Redirect | timwhite | Low | 2020-05-12
SSRF/XSPA in | Server-Side Request Forgery (SSRF) | haxta4ok00 | Medium | 2020-05-05
Cache poisoning DoS to various TTS assets | Violation of Secure Design Principles | nathand | High | 2020-03-12
Stealing users' OAuth tokens through the redirect_uri parameter | Open Redirect | manshum12 | High | 2019-10-01
Nginx misconfiguration leading to direct PHP source code download | Information Disclosure | tolo7010 | High | 2019-07-29
SQL injection in via User-Agent header | SQL Injection | harisec | Critical | 2019-03-22
Multiple bugs in endpoint allow sending custom messages to anyone | None supplied | nuke11 | Medium | 2018-11-13
Redirect on authorization allows account compromise | Improper Authentication - Generic | cablej_dds | Critical | 2018-11-06
Defacement of via web cache poisoning leading to stored DOM XSS | Cross-site Scripting (XSS) - Stored | albinowax | High | 2018-11-01
[] Open redirect | Open Redirect | bobrov | Low | 2018-11-01
SSH server supports several vulnerable cryptographic algorithms | Use of a Broken or Risky Cryptographic Algorithm | northivanastan | Medium | 2018-03-02
CI for [] can be logged into and is accessible | Improper Access Control - Generic | kunal94 | Critical | 2018-02-07
Subdomain takeover | Privilege Escalation | picklepwns | High | 2017-11-28
2FA bypass: confirmation tokens don't expire | Improper Access Control - Generic | muskecan | Medium | 2017-11-17
Error page content spoofing or text injection | None supplied | dennis95 | No rating | 2017-11-17
CSRF in generating a new Personal Key | Cross-Site Request Forgery (CSRF) | streaak2 | Medium | 2017-11-17
CSRF to change account security keys on | Cross-Site Request Forgery (CSRF) | zk34911 | Medium | 2017-11-01
Cross-site request forgery on the Federalist API (all endpoints), using a Flash file on the attacker's host | Cross-Site Request Forgery (CSRF) | sp1d3rs | Medium | 2017-09-28
Homograph attack | Violation of Secure Design Principles | ninjan | None | 2017-09-20
[] leaks valid API without verification | Improper Authentication - Generic | lawrenceamer | None | 2017-09-20
Information disclosure (system username) in the x-amz-meta-s3cmd-attrs response header on | Information Disclosure | sp1d3rs | Low | 2017-09-16
Reflected XSS on the (WAF bypass + Chrome XSS Auditor bypass, works in all browsers) | Cross-site Scripting (XSS) - Reflected | sp1d3rs | Medium | 2017-09-15
HTML injection (with XSS possible) on the using the media_url attribute | Cross-site Scripting (XSS) - Reflected | sp1d3rs | Medium | 2017-09-15
Server-side misconfiguration (email spoofing) | Improper Authentication - Generic | swag01 | None | 2017-09-14
Email spoofing: SPF record set to Neutral | Violation of Secure Design Principles | ramakanthk35 | None | 2017-09-06
Subdomain takeover of {REDACTED} | Privilege Escalation | jackds | High | 2017-09-06
{REDACTED} subdomain takeover | Violation of Secure Design Principles | edoverflow | High | 2017-09-06
vulnerable to Sweet32 attack | Man-in-the-Middle | r0p3 | Medium | 2017-09-06
Double stored cross-site scripting in the admin panel | Cross-site Scripting (XSS) - Stored | sp1d3rs | Medium | 2017-09-05
[IDOR] An authenticated user can restart website builds or view build logs of any other Federalist account | Insecure Direct Object Reference (IDOR) | sp1d3rs | Medium | 2017-09-05
Race condition on the Federalist API endpoints can lead to a denial-of-service attack | Violation of Secure Design Principles | sp1d3rs | Low | 2017-09-05
A user removed from the GitHub organization can still access all Federalist functions if they have not logged out | Improper Authentication - Generic | sp1d3rs | Medium | 2017-09-05
The Federalist session cookie (federalist.sid) is not properly invalidated; backdoor access to the account is possible | Insufficient Session Expiration | sp1d3rs | Low | 2017-09-05