Bug bounty

Bugcrowd: https://bugcrowd.com/vavkamil
Hackerone: https://hackerone.com/vavkamil

Mostly web hacking stuff; I have helped the following companies (and many more) with their IT security:

MOST RECENT

Company: Telefonica Czech Republic
Website: o2.cz
Vulnerability: Multiple IDORs
Reward: ???


Company: MAFRA, a. s.
Website: idos.cz
Vulnerability: Multiple XSS, Arbitrary File Download
Reward: ???


Company: Accenture
Website: *.accenture.com
Vulnerability: Multiple XSS (JIRA)
Reward: Hall of Fame


Company: Pirati
Website: socialnisystem.cz
Vulnerability: Reflected XSS
Reward: nothing, open-source fix 🙂


Company: Automattic
Website: wordpress.com
Vulnerability: Weak DKIM record: 512-bit RSA key used on WordPress.com
Reward: $$
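A check for the DKIM finding above, added here as an example; it is not code from the original page, from the reporter, or from WordPress.com. It parses a DKIM TXT record, base64-decodes the p= tag and reads the RSA modulus size straight out of the DER SubjectPublicKeyInfo, so it runs offline with no DNS or crypto library. The two sample records are constructed with dummy moduli (the top bit set, not real RSA keys) of 512 and 2048 bits, which is all a key-length check needs to see; the 1024-bit floor is the minimum RFC 8301 allows verifiers to accept.

```python
import base64

# OID 1.2.840.113549.1.1.1 (rsaEncryption), DER-encoded contents
RSA_OID = bytes.fromhex("2a864886f70d010101")
# RFC 8301: verifiers MUST NOT validate RSA keys shorter than 1024 bits
MIN_RSA_BITS = 1024


# --- minimal DER helpers (enough for the SubjectPublicKeyInfo of an RSA key) ---
def der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(x):
    b = x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:  # keep the INTEGER positive
        b = b"\x00" + b
    return der_tlv(0x02, b)


def der_read(buf, pos=0):
    """Read one TLV at buf[pos]; return (tag, contents, next_pos)."""
    tag, pos = buf[pos], pos + 1
    ln, pos = buf[pos], pos + 1
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def build_spki(modulus, exponent=65537):
    """SubjectPublicKeyInfo for an RSA key (the structure DKIM's p= tag carries)."""
    rsa_pub = der_tlv(0x30, der_int(modulus) + der_int(exponent))
    alg = der_tlv(0x30, der_tlv(0x06, RSA_OID) + der_tlv(0x05, b""))
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + rsa_pub))


def rsa_modulus_bits(spki):
    """Return the modulus size in bits of an rsaEncryption SubjectPublicKeyInfo."""
    tag, body, _ = der_read(spki)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, alg, pos = der_read(body)
    _, oid, _ = der_read(alg)
    if oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = der_read(body, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_pub, _ = der_read(bitstr[1:])  # skip the unused-bits octet
    _, n_bytes, _ = der_read(rsa_pub)      # first INTEGER of RSAPublicKey is the modulus
    return int.from_bytes(n_bytes, "big").bit_length()


# --- DKIM record handling ---
def parse_dkim_record(txt):
    """Split 'tag=value; tag=value' into a dict; folding whitespace inside values is dropped."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            k, _, v = part.partition("=")
            tags[k.strip()] = "".join(v.split())
    return tags


def assess_dkim_record(txt, minimum_bits=MIN_RSA_BITS):
    """Classify a DKIM TXT record as ('ok'|'weak'|'revoked'|'unsupported', bits)."""
    tags = parse_dkim_record(txt)
    if tags.get("k", "rsa") != "rsa":
        return ("unsupported", None)
    p = tags.get("p", "")
    if p == "":  # RFC 6376: an empty p= means the key has been revoked
        return ("revoked", 0)
    bits = rsa_modulus_bits(base64.b64decode(p))
    return ("ok" if bits >= minimum_bits else "weak", bits)


def make_record(spki):
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()


# Constructed sample records: dummy moduli with the top bit set, NOT real RSA keys.
WEAK_RECORD = make_record(build_spki((1 << 511) | 1))     # 512-bit, the class of the finding above
STRONG_RECORD = make_record(build_spki((1 << 2047) | 1))  # 2048-bit

if __name__ == "__main__":
    for name, rec in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(name, assess_dkim_record(rec))
```

To run this against a live domain, fetch the TXT record at `<selector>._domainkey.<domain>` with your DNS client of choice, join the quoted strings, and pass the result to `assess_dkim_record`; anything reported as `weak` is a key a verifier following RFC 8301 should already be refusing.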

TOP CZECH & SLOVAK WEBSITES

Company: Gransy s.r.o.
Website: subreg.cz
Vulnerability: DOM based XSS
Reward: $$


Company: UPC Česká republika, s.r.o.
Website: eshop.upc.cz
Vulnerability: Reflected XSS via Unvalidated Redirect
Reward: Thank you e-mail


Company: Ceske drahy, a.s.
Website: www.cd.cz
Vulnerability: Personal information leak (misconfigured API endpoint)
Reward: $$


Company: POMO Media Group s.r.o.
Website: www.csfd.cz/vyvojari
Vulnerability: XSS (API), OAuth token theft
Reward: $$


Company: T-Mobile Czech Republic a.s.
Website: www.t-mobile.cz/bug-bounty/zed-slavy
Vulnerability: Cross-site request forgery (CSRF), Unexpected log report, Multiple XSS vulnerabilities
Reward: $$


Company: CZECH NEWS CENTER a. s.
Website: www.zive.cz
Vulnerability: Multiple XSS vulnerabilities
Reward: Thank you e-mail


Company: Internet Mall, a.s.
Website: www.mall.cz
Vulnerability: XSS vulnerability
Reward: $$


Company: Fler s.r.o.
Website: www.fler.cz
Vulnerability: Misconfigured CORS headers
Reward: Thank you e-mail


Company: Alza.cz a.s.
Website: www.alza.cz
Vulnerability: Multiple XSS vulnerabilities, Clickjacking
Reward: Nothing


Company: Heureka Shopping s.r.o.
Website: www.heureka.cz
Vulnerability: Multiple XSS vulnerabilities
Reward: Thank you e-mail


Company: CESKA LEKARNA HOLDING, a.s.
Website: www.drmax.cz
Vulnerability: Misconfigured CORS headers
Reward: Nothing – no reply


Company: Seznam.cz, a.s.
Website: www.email.cz
Vulnerability: XSS -> CSP bypass -> CSRF -> e-mail account takeover
Reward: Thank you e-mail, visit to the data center, coffee


Company: TELE3 s.r.o.
Website: www.tele3.cz
Vulnerability: SQL Injection
Reward: Thank you e-mail, notepad, pen, USB flash drive


Company: Citadelo Czech Republic, s.r.o.
Website: citadelo.cz
Vulnerability: SSL misconfigurations with little impact
Reward: $$


Company: Adastra Partnering s.r.o.
Website: marketlocator.sk
Vulnerability: CSRF with significant impact
Reward: $$


Company: DayByMe
Website: daybyme.com
Vulnerability: Stored XSS with significant impact, Direct object reference
Reward: $$

TOP GLOBAL WEBSITES

  • Smartsheet
  • Quora
  • Fitbit
  • Gogo
  • Bugcrowd
  • Sprout Social
  • Spotify
  • HubSpot Responsible Disclosure
  • LastPass
  • SendSafely
  • Tesla