X (Formerly Twitter) Bug Bounty Program Statistics

X (Formerly Twitter) Program Statistics

215 total issues disclosed

$319,839 total paid publicly

Most disclosed (34 disclosures) — Cross-site Scripting (XSS) - Generic

Disclosed Reports

Report Title	Vulnerability Type	Disclosed By	Severity	Disclosed on
[Bypass fixed #664038 and #519059] Application settings change settings that have been set by the user	Business Logic Errors	jaka_tingkir	Medium	2021-07-13
Blind XSS on Twitter's internal Big Data panel at █████████████	Cross-site Scripting (XSS) - Stored	iambouali	Critical	2021-07-09
Ability to add arbitrary images/descriptions/titles to ohter people's issues via IDOR on getrevue.co	Insecure Direct Object Reference (IDOR)	mirhat	Critical	2021-05-26
Bypass t.co link shortener in Twitter direct messages	Business Logic Errors	iambouali	Low	2021-05-18
Open Redirect on https://www.twitterflightschool.com/widgets/experience?destination_url=https://evil.com	Open Redirect	nagli	Low	2021-05-04
Github Account hijack through broken link in developer.twitter.com	Phishing	voatz	High	2021-02-04
Read-only application can publish/delete fleets	Privilege Escalation	ryotak	Medium	2021-01-04
Delete direct message history without access the proper conversation_id	Business Logic Errors	soareswallace	Low	2020-11-20
http request smuggling in twitter.com	HTTP Request Smuggling	protostar0	High	2020-11-18
Twitter Media Studio Source Information Disclosure With Analyst Role	Information Disclosure	gokay	Medium	2020-10-26
XSS via referrer parameter	Cross-site Scripting (XSS) - Reflected	keer0k	Medium	2020-10-26
Android WebViews in Twitter app are vulnerable to UXSS due to configuration and CVE-2020-6506	Cross-site Scripting (XSS) - Generic	alesandroortiz	High	2020-09-24
http request smuggling in pscp.tv and periscope.tv	HTTP Request Smuggling	protostar0	High	2020-09-11
Safe Redirect Bypass	Security Through Obscurity	cyanpiny	Low	2020-09-10
Denial of Service \| twitter.com & mobile.twitter.com	Denial of Service	cyanpiny	Medium	2020-09-02
Insufficient validation on Digits bridge	Improper Authentication - Generic	filedescriptor	No rating	2020-08-20
Private list members disclosure via GraphQL	Improper Access Control - Generic	ryotak	Low	2020-08-04
Private list members disclosure via GraphQL	Improper Access Control - Generic	ryotak	Low	2020-08-04
Private list members disclosure via GraphQL	Improper Access Control - Generic	ryotak	Low	2020-08-04
Private list members disclosure via GraphQL	Improper Access Control - Generic	ryotak	Low	2020-08-04
Private list members disclosure via GraphQL	Improper Access Control - Generic	ryotak	Low	2020-08-04
Private list members disclosure via GraphQL	Improper Access Control - Generic	ryotak	Low	2020-08-04
Denial of Service [Chrome]	Denial of Service	cyanpiny	Medium	2020-07-24
Ability to bruteforce mopub account’s password due to lack of rate limitation protection using {ip rotation techniques}	Brute Force	updatelap	Low	2020-07-10
暴力破解用户密码没有速率控制	Unverified Password Change	1735096419	Medium	2020-07-01
Bypassing Digits origin validation which leads to account takeover	Improper Authentication - Generic	filedescriptor	No rating	2020-06-24
character limitation bypass can lead to DoS on Twitter App and 500 Internal Server Error	Denial of Service	exit_n0de	Medium	2020-05-06
Periscope iOS app CSRF in follow action due to deeplink	Cross-Site Request Forgery (CSRF)	mgf15	Low	2020-04-01
User input validation can lead to DOS	Denial of Service	meepmerp	Medium	2020-03-27
Reset password without knowing current password	Weak Password Recovery Mechanism for Forgotten Password	naategh	Low	2020-03-25
Accepting error message on twitter sends you to attacker site	Open Redirect	safehacker_27	Medium	2020-03-13
lack of input validation that can lead Denial of Service (DOS)	Denial of Service	meepmerp	Medium	2020-03-12
NO username used in authenthication to www.mopub.com leading to direct password submission which has unlimited submission rate.	None supplied	adarsh_p	Medium	2020-02-28
Reflected XSS in twitterflightschool.com	Cross-site Scripting (XSS) - Reflected	jubabaghdad	None	2020-02-21
Twitter Source Label allow 'mongolian vowel separator' U+180E (app name)	Phishing	lorenznickel	Low	2020-02-21
Periscope android app deeplink leads to CSRF in follow action	Cross-Site Request Forgery (CSRF)	kunal94	Low	2020-02-21
Bypass Password Authentication for updating email and phone number - Security Vulnerability	Improper Authentication - Generic	jayesh25	High	2020-02-08
Creating malformed URLs via new line character in-between two URLs leads to misrepresented hyperlinks in Tweets/DMs	CRLF Injection	zlz	Low	2020-01-24
protected Tweet settings overwritten by other settings	None supplied	jaka_tingkir	Medium	2020-01-01
CRLF injection	None supplied	s3c	Medium	2019-12-25
CRLF injection	None supplied	s3c	Medium	2019-12-25
XSS on https://app.mopub.com/reports/custom/add/ [new-d1]	None supplied	c00lbugs	No rating	2019-12-07
Viral Direct Message Clickjacking via link truncation leading to capture of both Google credentials & installation of malicious 3rd party Twitter App	UI Redressing (Clickjacking)	slickrockweb	High	2019-10-31
Ability to perform actions (Tweet, Retweet, DM) and other actions, unauthenticated, on any account with SMS enabled.	Business Logic Errors	antisocial_eng	Critical	2019-09-27
XSS and Open Redirect on MoPub Login	Open Redirect	jackb898	No rating	2019-09-25
Github Token Leaked publicly for https://github.com/mopub	Cleartext Storage of Sensitive Information	moro139	Medium	2019-08-16
Potential pre-auth RCE on Twitter VPN	OS Command Injection	orange	Critical	2019-08-10
Potential pre-auth RCE on Twitter VPN	OS Command Injection	orange	Critical	2019-08-10
Potential pre-auth RCE on Twitter VPN	OS Command Injection	orange	Critical	2019-08-10
Twitter Periscope Clickjacking Vulnerability	UI Redressing (Clickjacking)	eo420	Medium	2019-07-10
Verify any unused email address	Improper Access Control - Generic	seifelsallamy	No rating	2019-06-24
IDOR and statistics leakage in Orders	Insecure Direct Object Reference (IDOR)	updatelap	Medium	2019-06-14
Twitter ID exposure via error-based side-channel attack	Privacy Violation	terjanq	Medium	2019-05-17
XSS via Direct Message deeplinks	Cross-site Scripting (XSS) - DOM	0xsobky	No rating	2019-05-09
XSS and cache poisoning via upload.twitter.com on ton.twitter.com	Cross-site Scripting (XSS) - Generic	filedescriptor	No rating	2019-05-02
[Urgent] Invalidating OAuth2 Bearer token makes TweetDeck unavailable	Denial of Service	filedescriptor	No rating	2019-04-25
Insufficient OAuth callback validation which leads to Periscope account takeover	Improper Authentication - Generic	filedescriptor	No rating	2019-04-10
Stored XSS on reports.	Cross-site Scripting (XSS) - Stored	giddsec	High	2019-04-01
url that twitter mobile site can not load	Denial of Service	seifelsallamy	Low	2019-03-19
Takeover of Twitter-owned domain at mobileapplinking.com	Business Logic Errors	healdb	None	2019-02-28
Changing email address on Twitter for Android unsets "Protect your Tweets"	Privacy Violation	nyuszika7h	Low	2019-01-18
[staging-engineering.gnip.com] Publicly accessible GIT directory	Information Disclosure	bobrov	Medium	2018-11-01
Account Takeover in Periscope TV	Cross-site Scripting (XSS) - Generic	ngalog	High	2018-09-06
Account Takeover in Periscope TV	Cross-site Scripting (XSS) - Generic	ngalog	High	2018-09-06
Incorrect param parsing in Digits web authentication	Improper Authentication - Generic	filedescriptor	No rating	2018-08-18
Improper session handling on web browsers	Insufficient Session Expiration	arjuniet	Medium	2018-06-27
No Rate Limit in email leads to huge Mass mailings	Business Logic Errors	trabajoduro_2	Low	2018-06-02
Highly wormable clickjacking in player card	UI Redressing (Clickjacking)	filedescriptor	No rating	2018-05-18
Highly wormable clickjacking in player card	UI Redressing (Clickjacking)	filedescriptor	No rating	2018-05-18
ms5 debug page exposing internal info (internal IPs, headers)	Information Exposure Through Debug Information	lukeberner	Medium	2018-05-11
[sms-be-vip.twitter.com] vulnerable to Jetleak	Information Disclosure	molejarka	No rating	2018-04-02
Urgent : Unauthorised Access to Media content of all Direct messages and protected tweets(Indirect object reference)	Improper Authentication - Generic	vijay_kumar1110	High	2018-03-22
CVE-2017-15277 on Profile page	Information Disclosure	emitrani	Low	2018-03-08
Persistent DOM-based XSS in https://help.twitter.com via localStorage	Cross-site Scripting (XSS) - Stored	harisec	Medium	2018-02-24
POODLE SSLv3 bug on multiple twitter smtp servers (mx3.twitter.com,199.59.148.204,199.16.156.108 and 199.59.148.204)	Cryptographic Issues - Generic	omespino	No rating	2018-02-22
Blind XSS in Mobpub Marketplace Admin Production \| Sentry via demand.mopub.com (User-Agent)	Cross-site Scripting (XSS) - Stored	harisec	High	2018-02-17
Improper Host Detection During Team Up on tweetdeck.twitter.com	None supplied	avinash_	No rating	2018-01-04
Open Redirect Protection Bypass	Open Redirect	avinash_	No rating	2017-12-23
Listing of Amazon S3 Bucket accessible to any amazon authenticated user (metrics.pscp.tv)	Information Disclosure	segumarc	No rating	2017-11-19
Opportunity to obtain private tweets through search widget preview caches	Business Logic Errors	csanuragjain	No rating	2017-11-11
CSRF in twitterflightschool.com ( CAN POST ON TIMELINE WITHOUT USER PERMISSION)	Cross-Site Request Forgery (CSRF)	cymtrick	No rating	2017-11-06
[CRITICAL] Full account takeover using CSRF	Cross-Site Request Forgery (CSRF)	yipman	High	2017-11-03
Unauthorized Access to Protected Tweets via niche.co API	Privacy Violation	eidelweiss	High	2017-11-03
OS Command Execution on User's PC via CSV Injection	OS Command Injection	cornerpirate	Medium	2017-11-03
[dev.twitter.com] XSS and Open Redirect	None supplied	bobrov	Medium	2017-09-30
Sensitive Information Disclosure https://cards-dev.twitter.com	Information Disclosure	hassham	Medium	2017-09-30
Open Redirect	Open Redirect	malcolmx	No rating	2017-08-19
XXE on sms-be-vip.twitter.com in SXMP Processor	XML External Entities (XXE)	joshbrodienz	Medium	2017-07-27
CSRF on Periscope Web OAuth authorization endpoint	Cross-Site Request Forgery (CSRF)	filedescriptor	No rating	2017-07-27
Vine all registered user Private/sensitive information disclosure .[ Ip address/phone no/email and many other informations ]	Information Disclosure	prial261	Critical	2017-07-11
CRLF and XSS stored on ton.twitter.com	Cross-site Scripting (XSS) - Generic	seifelsallamy	No rating	2017-07-06
csp bypass + xss	Cross-site Scripting (XSS) - Generic	kenan	No rating	2017-07-06
[Studio.twitter.com] See someone else pics	Improper Authentication - Generic	appsecure_in	No rating	2017-06-22
Vine - overwrite account associated with email via android application	Improper Authentication - Generic	mishre	Medium	2017-06-15
[██████████.gnip.com] .htpasswd disclosure	None supplied	rbcafe	Critical	2017-05-27
[URGENT] Opportunity to publish tweets on any twitters account	None supplied	kedrisch	High	2017-05-23
[IDOR][translate.twitter.com] Opportunity to change any comment at the forum	Privilege Escalation	kedrisch	Low	2017-05-12
[Gnip Blogs] Reflected XSS via "plupload.flash.swf" component vulnerable to SOME	Cross-site Scripting (XSS) - Reflected	ysx	Medium	2017-05-08
HTTP 401 response injection on "amp.twimg.com/amplify-web-player/prod/source.html" through "image_src" parameter	Information Disclosure	zlz	Low	2017-05-08
Bypassing Digits bridge origin validation	Improper Authentication - Generic	filedescriptor	No rating	2017-04-30
Multiple DOMXSS on Amplify Web Player	Cross-site Scripting (XSS) - Generic	filedescriptor	No rating	2017-04-15
CSRF on cards API	Cross-Site Request Forgery (CSRF)	filedescriptor	No rating	2017-04-11
DOM based cookie bomb	Denial of Service	filedescriptor	No rating	2017-04-11
SSRF in https://cards-dev.twitter.com/validator	Server-Side Request Forgery (SSRF)	mindaugas	Medium	2017-04-06
DOMXSS in Tweetdeck	Cross-site Scripting (XSS) - Generic	filedescriptor	No rating	2017-04-02
niche s3 buckets are readable/writeable/deleteable by authorized AWS users	Improper Authentication - Generic	yaworsk	No rating	2017-04-02
Attacker can get vine repost user all informations even Ip address and location .	Improper Authentication - Generic	prial261	No rating	2017-03-25
Remote Unrestricted file Creation/Deletion and Possible RCE.	Code Injection	zigoo0	Low	2017-02-26
Sub Domain Takeover at mk.prd.vine.co	None supplied	punkrock	No rating	2017-02-13
GNIP subdomain take over	None supplied	hussein98d	High	2017-02-06
Clickjacking Periscope.tv on Chrome	UI Redressing (Clickjacking)	mishre	Medium	2017-02-06
Stealing User emails by clickjacking cards.twitter.com/xxx/xxx	UI Redressing (Clickjacking)	akhil-reni	Medium	2017-02-03
leaking Digits OAuth authorization to third party websites	Information Disclosure	akhil-reni	No rating	2017-01-24
Twitter for android is exposing user's location to any installed android app	Information Disclosure	mishre	Low	2017-01-13
Twitter iOS fails to validate server certificate and sends oauth token	Cryptographic Issues - Generic	floyd	High	2016-12-23
Information Disclosure through .DS_Store in ██████████	Information Disclosure	lewerkun	No rating	2016-12-12
Cross-site scripting (reflected)	Cross-site Scripting (XSS) - Generic	linkks	Medium	2016-12-09
XSS using javascript:alert(8007)	Cross-site Scripting (XSS) - Generic	bains	Low	2016-11-28
View liked twits of private account via publish.twitter.com	Information Disclosure	kedrisch	Medium	2016-11-14
Full Path Disclosure at 27.prd.vine.co	None supplied	punkrock	Low	2016-10-22
List of a ton of internal twitter servers available on GitHub	Information Disclosure	a0005	No rating	2016-10-17
reverb.twitter.com redirects to vulnerable reverb.guru	None supplied	theraz0r	No rating	2016-10-01
Html Injection and Possible XSS in sms-be-vip.twitter.com	Cross-site Scripting (XSS) - Generic	secgeek	No rating	2016-08-29
File Upload XSS in image uploading of App in mopub	Cross-site Scripting (XSS) - Generic	vijay_kumar1110	No rating	2016-08-26
Add tweet to collection CSRF	Cross-Site Request Forgery (CSRF)	vijay_kumar1110	No rating	2016-08-22
Urgent : Disclosure of all the apps with hash ID in mopub through API request (Authentication bypass)	Improper Authentication - Generic	vijay_kumar1110	No rating	2016-08-22
Bypassing callback_url validation on Digits	Open Redirect	filedescriptor	No rating	2016-08-12
Bypassing Digits web authentication's host validation with HPP	Improper Authentication - Generic	filedescriptor	No rating	2016-08-12
XSS in the "Poll" Feature on Twitter.com	Cross-site Scripting (XSS) - Generic	mazen160	No rating	2016-08-12
XSS via Fabrico Account Name	Cross-site Scripting (XSS) - Generic	adeelimtiaz90	No rating	2016-07-11
[Critical] - Steal OAuth Tokens	Improper Authentication - Generic	paulos_	No rating	2016-07-11
xss in link items (mopub.com)	Cross-site Scripting (XSS) - Generic	cymtrick	No rating	2016-07-05
Tweetdeck (twitter owned app) not revoked	Improper Authentication - Generic	maxy	No rating	2016-04-29
xss in DM group name in twitter	Cross-site Scripting (XSS) - Generic	ashish_r_padelkar	No rating	2016-04-22
Profile Pic padding (Length-hiding) fails due to use of GZIP	Information Disclosure	ericlaw	No rating	2016-03-18
Sub-Domain Takeover	None supplied	bugdisclose	No rating	2016-03-18
Tweet Deck XSS- Persistent- Group DM name	Cross-site Scripting (XSS) - Generic	akhil-reni	No rating	2016-03-04
Can see private tweets via keyword searches on tweetdeck	Privilege Escalation	maxy	No rating	2016-02-16
IDOR- Activate Mopub on different organizations- steal api token- Fabric.io	Improper Authentication - Generic	akhil-reni	No rating	2016-01-25
Subdomain Expired	Improper Authentication - Generic	hak	No rating	2016-01-15
URGENT : NICHE.co Account Take Over Vulnerability	Cross-Site Request Forgery (CSRF)	hussein98d	No rating	2015-12-21
Following a User Actually Follows Another User	Open Redirect	ericr	No rating	2015-12-02
Following a User After Favoriting Actually Follows Another User (related to #95243)	UI Redressing (Clickjacking)	ericr	No rating	2015-12-02
XSS on OAuth authorize/authenticate endpoint	Cross-site Scripting (XSS) - Generic	filedescriptor	No rating	2015-11-20
Problem with OAuth	Improper Authentication - Generic	anonymous100928	No rating	2015-11-14
Fabric.io: Ex-admin of an organization can delete team members	Privilege Escalation	satishb3	No rating	2015-11-01
Insecure direct object reference - have access to deleted DM's	Improper Authentication - Generic	akhil-reni	No rating	2015-10-12
Insecure Direct Object Reference - access to other user/group DM's	Privilege Escalation	akhil-reni	No rating	2015-10-03
POODLE Bug: 199.16.156.44, 199.16.156.108, mx4.twitter.com	Cryptographic Issues - Generic	isox	No rating	2015-09-20
Improper Verification of email address while saving Account Settings	Violation of Secure Design Principles	anshuman_bh	No rating	2015-08-13
Bad extended ascii handling in HTTP 301 redirects of t.co	Open Redirect	cqoicebordel	No rating	2015-08-09
Insecure Data Storage in Vine Android App	Cryptographic Issues - Generic	avicoder_	No rating	2015-06-24
Reporting user's profile by using another people's ID	Open Redirect	hussein98d	No rating	2015-06-11
Cross site Port Scanning bug in twitter developers console	Cryptographic Issues - Generic	d1pakda5	No rating	2015-05-23
Privecy Issue : view "Protected users" followers and following	Improper Authentication - Generic	kaito	No rating	2015-05-15
Privacy Issue on protected tweets	Improper Authentication - Generic	dia2diab	No rating	2015-05-14
Unauthorized Tweeting on behalf of Account Owners	Violation of Secure Design Principles	anshuman_bh	No rating	2015-05-07
HTTP Response Splitting (CRLF injection) due to headers overflow	None supplied	filedescriptor	No rating	2015-05-05
Twitter Card - Parent Window Redirection	Cross-site Scripting (XSS) - Generic	batuhan	No rating	2015-05-05
[mobile.twitter.com / twitter.com] CSRF protection bypass	Cross-Site Request Forgery (CSRF)	bobrov	No rating	2015-05-04
iOS App can establish Facetime calls without user's permission	Cross-Site Request Forgery (CSRF)	gepeto42	No rating	2015-04-27
Twitter Ads Campaign information disclosure through admin without any authentication.	Improper Authentication - Generic	avicoder_	No rating	2015-04-25
HTTP Response Splitting (CRLF injection) in report_story	None supplied	filedescriptor	No rating	2015-04-21
twitter android app Fragment Injection	Command Injection - Generic	miantaiduo	No rating	2015-04-12
XSS in twitter.com/safety/unsafe_link_warning	Cross-site Scripting (XSS) - Generic	masatokinugawa	No rating	2015-04-04
Open Redirect leak of authenticity_token lead to full account take over.	Open Redirect	seifelsallamy	No rating	2015-04-03
[Stored XSS] vine.co - profile page	Cross-site Scripting (XSS) - Generic	xorb	No rating	2015-03-26
Singup Page HTML Injection Vulnerability	Command Injection - Generic	ashwarya_me	No rating	2015-03-22
open redirect sends authenticity_token to any website or (ip address)	Open Redirect	seifelsallamy	No rating	2015-03-14
getting emails of users/removing them from victims account [using typical attack]	Improper Authentication - Generic	akhil-reni	No rating	2015-03-13
XSS in original referrer after follow	Cross-site Scripting (XSS) - Generic	akhil-reni	No rating	2015-03-09
Fabric.io - an app admin can delete team members from other user apps	Privilege Escalation	satishb3	No rating	2015-03-09
fabric.io - app member can make himself an admin	Privilege Escalation	satishb3	No rating	2015-03-09
User's DM won't deleted after logout from Twitter for iOS (com.atebits.xxx.application-state)	None supplied	config	No rating	2015-02-26
Redirect URL in /intent/ functionality is not properly escaped	Cross-site Scripting (XSS) - Generic	homakov	No rating	2015-02-24
URGENT - SUBDOMAIN TAKEOVER ON TWITTER ACQ.	Code Injection	simon90	No rating	2015-02-21
Path disclosure in platform0.twitter.com	Information Disclosure	avicoder_	No rating	2015-02-20
Flaw in login with twitter to steal Oauth tokens	Improper Authentication - Generic	akhil-reni	No rating	2015-02-18
HTML/XSS rendered in Android App of Crashlytics through fabric.io	Cross-site Scripting (XSS) - Generic	akhil-reni	No rating	2015-02-18
Account Deleted without any confirmation	Improper Authentication - Generic	sappi	No rating	2015-02-05
No rate limiting on creating lists	Violation of Secure Design Principles	sappi	No rating	2015-01-06
Notifications can mark as read by CSRF	Cross-Site Request Forgery (CSRF)	batuhan	No rating	2015-01-03
Homograph attack.	Violation of Secure Design Principles	shivathegame	No rating	2015-01-01
URGENT - Subdomain Takeover on users.tweetdeck.com , the same issue of report #32825	Code Injection	missoum1307	No rating	2015-01-01
Abuse of "Remember Me" functionality.	Improper Authentication - Generic	gadhiyasavan	No rating	2014-12-29
Options Method Enabled	None supplied	ruisilva	No rating	2014-12-26
Option Method Enabled on web server	None supplied	ruisilva	No rating	2014-12-25
XSS in fabric.io	Cross-site Scripting (XSS) - Generic	atom	No rating	2014-12-23
Open redirection in fabric.io	Open Redirect	avicoder_	No rating	2014-12-18
BROKEN AUTHENTICATION IN MOBILE VERIFICATION	Violation of Secure Design Principles	geekboy	No rating	2014-12-15
DOM Cross-Site Scripting ( XSS )	Cross-site Scripting (XSS) - Generic	avram	No rating	2014-12-04
Flaw in valid password policy.	Improper Authentication - Generic	siddiki	No rating	2014-12-01
Broken authentication and invalidated email address leads to account takeover	Cryptographic Issues - Generic	born2hack	No rating	2014-11-29
Creating Unauthorized Audience Lists	Violation of Secure Design Principles	anshuman_bh	No rating	2014-11-28
ads.twitter.com xss	Cross-site Scripting (XSS) - Generic	arbitrarycode	No rating	2014-11-17
Full path disclosure at ads.twitter.com	Information Disclosure	internetwache	No rating	2014-11-17
Token remains alive ever after logging out!	Improper Authentication - Generic	shahriyar	No rating	2014-11-17
XSS platform.twitter.com \| video-js metadata	Cross-site Scripting (XSS) - Generic	batram	No rating	2014-11-17
XSS platform.twitter.com	Cross-site Scripting (XSS) - Generic	batram	No rating	2014-11-17
Headers Missing	Violation of Secure Design Principles	hammad	No rating	2014-11-15
Missing Rate Limiting on https://twitter.com/account/complete	Information Disclosure	surgent10cross	No rating	2014-11-10
URGENT - Subdomain Takeover on media.vine.co due to unclaimed domain pointing to AWS	Cross-site Scripting (XSS) - Generic	fransrosen	No rating	2014-11-04
Cross site scripting on ads.twitter.com	Cross-site Scripting (XSS) - Generic	appsecure_in	No rating	2014-10-16
Twitter Flight SSL 2.0 deprecated protocol vulnerability.	Cryptographic Issues - Generic	simon90	No rating	2014-10-07
HTML form without CSRF protection at http://try.crashlytics.com/enterprise/	Cross-Site Request Forgery (CSRF)	karthik-reddy	No rating	2014-10-02
Delete Credit Cards from any Twitter Account in ads.twitter.com [New Vulnerability]	Improper Authentication - Generic	secgeek	No rating	2014-09-30
Stored xss	Cross-site Scripting (XSS) - Generic	detroitsmash	No rating	2014-09-27
Captcha bypass with extension at http://www.mopub.com/about/contact/	Cryptographic Issues - Generic	vineet	No rating	2014-09-22
CSRF in crashlytics.com	Cross-Site Request Forgery (CSRF)	defmax	No rating	2014-09-08
Password reset link not validated.	Denial of Service	born2hack	No rating	2014-08-31
uclfinal.twitter.com and euro2012.twitter.com are vulnerable to CRIME attack	Cryptographic Issues - Generic	mohaab007	No rating	2014-08-17
XSS ON MOPUB.COM	Cross-site Scripting (XSS) - Generic	jpsecurityresearch	No rating	2014-08-15
password sent over HTTP	Cryptographic Issues - Generic	mohaab007	No rating	2014-08-05
Cookie not marked as secure.	None supplied	simon90	No rating	2014-08-04
XSS vulnerability in video player page	Cross-site Scripting (XSS) - Generic	guido	No rating	2014-08-02

BugBountyHunter

X (Formerly Twitter) Program Statistics

Disclosed Reports