Twitter


Most disclosed vulnerability type (34 disclosures) — Cross-site Scripting (XSS) - Generic

filedescriptor has disclosed the most with 19 reports!

205 total issues disclosed

$279,659 total paid publicly


Accepts reports via HackerOne




Most recently disclosed


Delete direct message history without access the proper conversation_id

Submitted by soareswallace
Bug Type: Business Logic Errors

Disclosed on 2020-11-20

Rating: Low


http request smuggling in twitter.com

Submitted by protostar0
Bug Type: HTTP Request Smuggling

Disclosed on 2020-11-18

Rating: High


Twitter Media Studio Source Information Disclosure With Analyst Role

Submitted by gokay
Bug Type: Information Disclosure

Disclosed on 2020-10-26

Rating: Medium


XSS via referrer parameter

Submitted by keer0k
Bug Type: Cross-site Scripting (XSS) - Reflected

Disclosed on 2020-10-26

Rating: Medium


Android WebViews in Twitter app are vulnerable to UXSS due to configuration and CVE-2020-6506

Submitted by alesandroortiz
Bug Type: Cross-site Scripting (XSS) - Generic

Disclosed on 2020-09-24

Rating: High


http request smuggling in pscp.tv and periscope.tv

Submitted by protostar0
Bug Type: HTTP Request Smuggling

Disclosed on 2020-09-11

Rating: High


Safe Redirect Bypass

Submitted by cyanpiny
Bug Type: Security Through Obscurity

Disclosed on 2020-09-10

Rating: Low


Denial of Service | twitter.com & mobile.twitter.com

Submitted by cyanpiny
Bug Type: Denial of Service

Disclosed on 2020-09-02

Rating: Medium


Insufficient validation on Digits bridge

Submitted by filedescriptor
Bug Type: Improper Authentication - Generic

Disclosed on 2020-08-20

Rating: No rating


Private list members disclosure via GraphQL

Submitted by ryotak
Bug Type: Improper Access Control - Generic

Disclosed on 2020-08-04

Rating: Low


Private list members disclosure via GraphQL

Submitted by ryotak
Bug Type: Improper Access Control - Generic

Disclosed on 2020-08-04

Rating: Low


Private list members disclosure via GraphQL

Submitted by ryotak
Bug Type: Improper Access Control - Generic

Disclosed on 2020-08-04

Rating: Low


Private list members disclosure via GraphQL

Submitted by ryotak
Bug Type: Improper Access Control - Generic

Disclosed on 2020-08-04

Rating: Low


Denial of Service [Chrome]

Submitted by cyanpiny
Bug Type: Denial of Service

Disclosed on 2020-07-24

Rating: Medium

