Kamil Vavra | @vavkamil

Offensive website security | Bug bounty | Ethical hacking


Bug bounty

CVEs

HackerOne

Highlights

Bugcrowd

Highlights

Write-ups & disclosed reports

Responsible disclosure

| Website | Company | Vulnerability | Details | Reward | References |
|---|---|---|---|---|---|
| Rohlik.cz | Velká Pecka s.r.o. | Multiple vulnerabilities | XSS, multiple web cache deception, open redirect | No | |
| Airbank.cz | Siteone s.r.o. | Disclosed Twitter API keys | API keys with full access & ability to tweet | No | |
| Zive.cz | CZECH NEWS CENTER a.s. | Account takeover | Multiple XSS and broken logic in Single sign-on | Yes | security.txt |
| mdBook | Rust language | XSS | Reflected XSS in search function | No | CVE-2020-26297 |
| kubernetes-csi.github.io | Kubernetes | XSS | Reflected XSS in docs page | No | |
| Trezor.io | SatoshiLabs s.r.o. | Open redirect + XSS | Wiki open redirect & docs XSS | No | |
| drive.protonmail.com | Proton Technologies AG | XSS | Reflected XSS via .svg file | Yes | |
| drive.protonmail.com | Proton Technologies AG | RLO spoofing | Spoofing file extension via share link | Yes | |
| trezord-go | SatoshiLabs s.r.o. | Misconfigured CORS | CORS bypass via null origin | No | github.com |
| Notino.cz | Notino, s.r.o. | XSS | Reflected XSS in search | No | |
| SRT 43UB6203 | Strong.tv | Denial of Service | Unauthenticated Remote DoS Exploit in smart TV | No | Exploit |
| Airbank.cz | Siteone s.r.o. | XSS | Reflected DOM XSS via POST request | Yes | security.txt |
| Subreg.cz | Gransy s.r.o. | XSS | Multiple Reflected & DOM based XSS | Yes | |
| Airbank.cz | Siteone s.r.o. | Unrestricted file upload | Insecure API end-point allowing upload of any file | Yes | security.txt |
| Active24.cz | ACTIVE 24, s.r.o. | XSS | DOM based XSS in domain search | No | security.txt |
| Prospanek.cz | SmartBase | XSS | Reflected XSS in search | No | |
| Damejidlo.cz | damejidlo.cz s.r.o. | XSS | Reflected XSS in restaurants archive | Yes | |
| Gopay.com | GOPAY s.r.o. | XSS | Stored XSS in WordPress (CVE-2019-11869) | No | security.txt |
| Trezor.io | SatoshiLabs s.r.o. | Domain takeover | Disclosure of user IPs via debug MessageEvent | Yes | Leaderboard |
| Rohlik.cz | Velká Pecka s.r.o. | Improper Access Control | Access to Google calendar revealing sensitive info | No | security.txt |
| o2.cz | O2 Czech Republic a.s. | Multiple IDORs | Disclosure of invoices and PII via Android app API | No | Write-up |
| Idos.cz | MAFRA, a. s. | Multiple XSS, Arbitrary File Download | Source-code disclosure | No | |
| Socialnisystem.cz | Česká pirátská strana | Reflected XSS | Found via source code review | No | GitHub issue |
| Eshop.upc.cz | UPC Česká republika, s.r.o. | Reflected XSS | Unvalidated redirect | No | |
| Cd.cz | Ceske drahy, a.s. | Personal information leak | Misconfigured API (PII in JavaScript, CORS) | Yes | |
| CSFD.cz | POMO Media Group s.r.o. | XSS, IDOR, account takeover | Multiple vulnerabilities reported via bug bounty | Yes | Hall of Fame |
| T-mobile.cz | T-Mobile Czech Republic a.s. | CSRF, Multiple XSS, … | Multiple vulnerabilities reported via bug bounty | Yes | Hall of Fame |
| Zive.cz | CZECH NEWS CENTER a. s. | XSS | Multiple XSS vulnerabilities | No | security.txt |
| Mall.cz | Internet Mall, a.s. | XSS | XSS in Angular Template | Yes | Hacktrophy |
| Fler.cz | Fler s.r.o. | CORS misconfiguration | Disclosure of PII via JavaScript exploit | No | |
| Alza.cz | Alza.cz, a.s. | XSS | XSS filter bypass | No | security.txt |
| Heureka.cz | Heureka Group a.s. | XSS | Multiple XSS vulnerabilities | No | security.txt |
| Drmax.cz | Dr. Max BDC, s.r.o. | CORS misconfiguration | Disclosure of PII via JavaScript exploit | No | |
| Email.cz | Seznam.cz, a.s. | Account takeover | XSS -> CSP bypass -> CSRF -> account takeover | No | |
| Tele3.cz | TELE3 s.r.o. | SQLi | Blind SQL Injection | Yes | |
| Daybyme.com | DayByMe s.r.o. | CSRF, IDOR | Stored XSS with significant impact | Yes | Hacktrophy |
| Tsbohemia.cz | T.S.BOHEMIA a.s. | XSS | DOM based XSS in search function | No | |

Content on this site is licensed under a Creative Commons Attribution 4.0 International License
🄯 2019‐2022 - @vavkamil - Open-source Github pages - Powered by Jekyll & The Hacker theme - Subscribe via RSS