Bug bounty

Bugcrowd: https://bugcrowd.com/vavkamil
Hackerone: https://hackerone.com/vavkamil

Mostly web hacking stuff; I helped the following companies (and many more) with IT security:

Company: ServMask
Website: All-in-One WP Migration
Vulnerability: Arbitrary Backup Download
Reward: Thank you e-mail.

Company: Subreg
Website: https://subreg.cz
Vulnerability: XSS
Reward: Thank you e-mail.

Company: Airbank a.s.
Website: https://airbank.cz
Vulnerability: Unrestricted file upload via API
Reward: Thank you e-mail, $$.

Company: Active 24
Website: https://active24.cz
Vulnerability: XSS
Reward: Thank you e-mail.

Company: ProSpanek
Website: https://prospanek.cz
Vulnerability: XSS
Reward: Thank you e-mail.

Company: Node.js
Website: https://github.com/nodejs/node
Vulnerability: CRLF Injection in legacy url API
Reward: Responsible Disclosure

Company: Damejidlo
Website: damejidlo.cz
Vulnerability: ???
Reward: ???

Company: Gopay
Website: gopay.cz
Vulnerability: ???
Reward: ???

Company: Trezor
Website: trezor.io
Vulnerability: ???
Reward: ???

Company: Rohlik
Website: rohlik.cz
Vulnerability: ???
Reward: ???

Company: Telefonica Czech Republic
Website: o2.cz
Vulnerability: Multiple IDORs
Reward: ???

Company: MAFRA, a. s.
Website: idos.cz
Vulnerability: Multiple XSS, Arbitrary File Download
Reward: ???

Company: Accenture
Website: *.accenture.com
Vulnerability: Multiple XSS (JIRA)
Reward: Hall of Fame

Company: Pirati
Website: socialnisystem.cz
Vulnerability: Reflected XSS
Reward: nothing, open-source fix 🙂

Company: Automattic
Website: wordpress.com
Vulnerability: Insufficient DKIM record with RSA 512-bit key used on WordPress.com
Reward: $$

Company: Gransy s.r.o.
Website: subreg.cz
Vulnerability: DOM based XSS
Reward: $$

Company: UPC Česká republika, s.r.o.
Website: eshop.upc.cz
Vulnerability: Reflected XSS via Unvalidated Redirect
Reward: Thank you e-mail

Company: Ceske drahy, a.s.
Website: www.cd.cz
Vulnerability: Personal information leak (misconfigured API endpoint)
Reward: $$

Company: POMO Media Group s.r.o.
Website: www.csfd.cz/vyvojari
Vulnerability: (API: XSS, stealing oauth token)
Reward: $$

Company: T-Mobile Czech Republic a.s.
Website: www.t-mobile.cz/bug-bounty/zed-slavy
Vulnerability: Cross-site request forgery (CSRF), Unexpected log report, Multiple XSS vulnerabilities
Reward: $$

Company: CZECH NEWS CENTER a. s.
Website: www.zive.cz
Vulnerability: Multiple XSS vulnerabilities
Reward: Thank you e-mail

Company: Internet Mall, a.s.
Website: www.mall.cz
Vulnerability: XSS vulnerability
Reward: $$

Company: Fler s.r.o.
Website: www.fler.cz
Vulnerability: Misconfigured CORS headers
Reward: Thank you e-mail

Company: Alza.cz a.s.
Website: www.alza.cz
Vulnerability: Multiple XSS vulnerabilities, Clickjacking
Reward: Nothing

Company: Heureka Shopping s.r.o.
Website: www.heureka.cz
Vulnerability: Multiple XSS vulnerabilities
Reward: Thank you e-mail

Website: www.drmax.cz
Vulnerability: Misconfigured CORS headers
Reward: Nothing – no reply

Company: Seznam.cz, a.s.
Website: www.email.cz
Vulnerability: XSS -> CSP bypass -> CSRF -> e-mail account takeover
Reward: Thank you e-mail, visit to the data center, coffee

Company: TELE3 s.r.o.
Website: www.tele3.cz
Vulnerability: SQL Injection
Reward: Thank you e-mail, notepad, pen, USB flash drive

Company: Citadelo Czech Republic, s.r.o.
Website: citadelo.cz
Vulnerability: SSL misconfigurations with little impact
Reward: $$

Company: Adastra Partnering s.r.o.
Website: marketlocator.sk
Vulnerability: CSRF with significant impact
Reward: $$

Company: DayByMe
Website: daybyme.com
Vulnerability: Stored XSS with significant impact, Direct object reference
Reward: $$

  • Smartsheet
  • Quora
  • Fitbit
  • Gogo
  • Bugcrowd
  • Sprout Social
  • Spotify
  • HubSpot Responsible Disclosure
  • LastPass
  • SendSafely
  • Tesla