Reports in cs money program:

| S.No | Title | Bounty |
|------|-------|--------|
| 1 | Blind XSS on image upload | $1000.0 |
| 2 | Cookie poisoning leads to DOS and Privacy Violation | $700.0 |
| 3 | Site-wide CSRF on Safari due to CORS misconfiguration (not localhost) | $300.0 |
| 4 | Attacker can generate cancelled transactions in a user's transaction history using only Steam ID | $300.0 |
| 5 | Able to blocking users with 2fa from login into their accounts by just knowing the SteamID | $300.0 |
| 6 | Html injection on subscription email | $300.0 |
| 7 | ReDoS at wiki.cs.money graphQL endpoint (AND probably a kind of command injection) | $250.0 |
| 8 | Pixel Flood Attack leads to Application level DoS | $200.0 |
| 9 | Internal Path Disclosure | $100.0 |
| 10 | Authentication Bypass to (CVE-2023-2982) | $100.0 |
| 11 | SSRF via 3d.cs.money/pasteLinkToImage | $0.0 |
| 12 | Bypass Filter on link of build | $0.0 |
| 13 | Bypass restrict of member subscription to use custom background in https://3d.cs.money without prime subscription | $0.0 |
| 14 | IDOR in https://3d.cs.money/ | $0.0 |
| 15 | [cs.money] Open Redirect Leads to Account Takeover | $0.0 |
| 16 | Application DOS via specially crafted payload on 3d.cs.money | $0.0 |
| 17 | Improper authentication in the load sell inventory page | $0.0 |
| 18 | Manipulate Uneditable Messages in Support | $0.0 |
| 19 | Content Spoofing/Text Injection in https://support.cs.money and JS file not minified and uglified which makes it clearly readable | $0.0 |
| 20 | Sending emails with arbitrary text/clickable links to any registered user with a specified email address, knowing only the steamid | $0.0 |
| 21 | Able to upload backgrounds before entering 2FA | $0.0 |
| 22 | Origin IP found, Cloudflare bypassed | $0.0 |
| 23 | Blind Based SQL Injection in 3d.sc.money | $0.0 |
| 24 | Previously created sessions continue being valid after MFA activation | $0.0 |