Bug bounty

CVEs

• CVE-2021-44223
• CVE-2020-26297

HackerOne

• HackerOne profile

Higlights

• Evernote / Automattic / Starbucks / Node.js / Kubernetes / Traffic Factory

Bugcrowd

• Bugcrowd profile

Higlights

• Smartsheet / Quora / Fitbit / Spotify / Bugcrowd / LastPass / SendSafely / Tesla

Write-ups & disclosed reports

• WordPress Plugin Confusion: How an update can get you pwned
• WP GDPR Compliance < 1.5.6 - Unauthenticated Stored Cross-Site Scripting (XSS)
• XSS on kubernetes-csi.github.io (mdBook)
• All-in-One WP Migration < 7.15 - Arbitrary Backup Download
• Node.js ~ CRLF Injection in legacy url API (url.parse().hostname)
• Insufficient DKIM record with RSA 512-bit key used on WordPress.com

Responsible disclosure

Website	Company	Vulnerability	Details	Reward	References
Rohlik.cz	Velká Pecka s.r.o.	Multiple vulnerabilitites	XSS, multiple web cache deception, open redirect	No
Airbank.cz	Siteone s.r.o.	Disclosed Twitter API keys	API keys with full access & ability to tweet	No
Zive.cz	CZECH NEWS CENTER a.s.	Account takeover	Multiple XSS and broken logic in Single sign-on	Yes	security.txt
mdBook	Rust language	XSS	Reflected XSS in search function	No	CVE-2020-26297
kubernetes-csi.github.io	Kubernetes	XSS	Reflected XSS in docs page	No
Trezor.io	SatoshiLabs s.r.o.	Open redirect + XSS	Wiki open redirect & docs XSS	No
drive.protonmail.com	Proton Technologies AG	XSS	Reflected XSS via .svg file	Yes
drive.protonmail.com	Proton Technologies AG	RLO spoofing	Spoofing file extension via share link	Yes
trezord-go	SatoshiLabs s.r.o.	Misconfigured CORS	CORS bypass via null origin	No	github.com
Notino.cz	Notino, s.r.o.	XSS	Reflected XSS in seach	No
SRT 43UB6203	Strong.tv	Denial of Service	Unauthenticated Remote DoS Exploit in smart TV	No	Exploit
Airbank.cz	Siteone s.r.o.	XSS	Reflected Dom XSS via POST request	Yes	security.txt
Subreg.cz	Gransy s.r.o.	XSS	Multiple Reflected & Dom based XSS	Yes
Airbank.cz	Siteone s.r.o.	Unrestricted file upload	Insecure API end-point allowing to upload any file	Yes	security.txt
Active24.cz	ACTIVE 24, s.r.o.	XSS	Dom based XSS in domain search	No	security.txt
Prospanek.cz	SmartBase	XSS	Reflected XSS in search	No
Damejidlo.cz	damejidlo.cz s.r.o.	XSS	Reflected XSS in restaurants archive	Yes
Gopay.com	GOPAY s.r.o.	XSS	Stored XSS in WordPress (CVE-2019-11869)	No	security.txt
Trezor.io	SatoshiLabs s.r.o.	Domain takeover	Disclosure of user IPs via debug MessageEvent	Yes	Leaderboard
Rohlik.cz	Velká Pecka s.r.o.	Improper Access Control	Access to Google calendar revealing sensitive info	No	security.txt
o2.cz	O2 Czech Republic a.s.	Multiple IDORs	Disclosure of invoices and PII via android app API	No	Write-up
Idos.cz	MAFRA, a. s.	Multiple XSS, Arbitrary File Download	Source-code disclosure	No
Socialnisystem.cz	Česká pirátská strana	Reflected XSS	Found via source code review	No	GitHub issue
Eshop.upc.cz	UPC Česká republika, s.r.o.	Reflected XSS	Unvalidated redirect	No
Cd.cz	Ceske drahy, a.s.	Personal information leak	Misconfigured API (PII in JavaScript, CORS)	Yes
CSFD.cz	POMO Media Group s.r.o.	XSS, IDOR, account takeover	Multiple vulnerabilities reported via bug bounty	Yes	Hall of Fame
T-mobile.cz	T-Mobile Czech Republic a.s.	CSRF, Multiple XSS, …	Multiple vulnerabilities reported via bug bounty	Yes	Hall of Fame
Zive.cz	CZECH NEWS CENTER a. s.	XSS	Multiple XSS vulnerabilities	No	security.txt
Mall.cz	Internet Mall, a.s.	XSS	XSS in Angular Template	Yes	Hacktrophy
Fler.cz	Fler s.r.o.	CORS misconfiguration	Disclosure of PII via JavaScript exploit	No
Alza.cz	Alza.cz, a.s.	XSS	XSS filter bypass	No	security.txt
Heureka.cz	Heureka Group a.s.	XSS	Multiple XSS vulnerabilities	No	security.txt
Drmax.cz	Dr. Max BDC, s.r.o.	CORS misconfiguration	Disclosure of PII via JavaScript exploit	No
Email.cz	Seznam.cz, a.s.	Account takeover	XSS -> CSP bypass -> CSRF -> account takeover	No
Tele3.cz	TELE3 s.r.o.	SQLi	Blind based SQL Injection	Yes
Daybyme.com	DayByMe s.r.o.	CSRF, IDOR	Stored XSS with significant impact	Yes	Hacktrophy
Tsbohemia.cz	T.S.BOHEMIA a.s.	XSS	Dom based XSS in search function	No