Reports in liberapay program:

S.No  Title                                                                                                                   Bounty
1     Email Address Exposure via Gratipay Migration Tool                                                                      $100.0
2     Origin IP found, Cloudflare bypassed                                                                                    $0.0
3     CSRF to make any user accept the invitation to the team                                                                 $0.0
4     Authenticated reflected XSS on liberapay.com via the back_to parameter when leaving a team.                             $0.0
5     twitter api access token leaked on github                                                                               $0.0
6     Unsecure changing password                                                                                              $0.0
7     Able to View other users income history                                                                                 $0.0
8     Liberapay Non Verified Account Takeover with signup feature                                                             $0.0
9     Anyone can register organization legal type as "Soletrader"                                                             $0.0
10    Same CSRF token is being used for deleting other platform login’s within an account and across other liberapay Account’s $0.0
11    The csrf token remains same after user logs in                                                                          $0.0
12    Insecure Account Deletion                                                                                               $0.0
13    CSRF ON EDITING NAME (OPTIONAL)                                                                                         $0.0
14    Phishing by Navigating Browser Tabs                                                                                     $0.0
15    Current CSP Policy chained with HTML Injection can lead to Data Exfiltration                                            $0.0
16    csrf token did not changed after login/logout many times                                                                $0.0
17    CSRF token manipulation in every possible form submits. NO server side Validation                                       $0.0
18    Unsafe deserialization in Libera Pay allows to escalate a SQL injection to Remote Command Execution                     $0.0
19    REGISTRATION USING FAKE EMAIL ACCOUNT                                                                                   $0.0
20    Csrf token does not meet security design                                                                                $0.0
21    Missing back-end user input validation can lead to DOS flaw                                                             $0.0
22    Exploiting JSONP callback on /username/charts.json endpoint leads to information disclosure despite user's privacy settings $0.0
23    Returning back from the browser after logging off will disclose some information                                        $0.0
24    Punny code Detection Parsing should be implemented on Markdown                                                          $0.0
25    A single user can subscribe a community multiple times                                                                  $0.0
26    Buffer overflow                                                                                                         $0.0
27    Cross site scripting (content-sniffing)                                                                                 $0.0
28    No Data Validation, No Captcha, No Filters...                                                                           $0.0
29    Improper Data Validation / Unvalidated Input                                                                            $0.0
30    Broken Authentication and session management OWASP A2                                                                   $0.0
31    Import of repositories from GitHub is tied to username instead of immutable ID                                          $0.0
32    Publicly editable GitHub wikis                                                                                          $0.0
33    User Enumeration                                                                                                        $0.0
34    Session Cookie without HttpOnly and secure flag set                                                                     $0.0
35    Full Path disclosure on 500 error                                                                                       $0.0
36    Invalidate session after password reset                                                                                 $0.0
37    Private target account appears in search results                                                                        $0.0
38    Leaking Of Sensitive Information on Github                                                                              $0.0
39    Reauthentication for changing password bypass                                                                           $0.0
40    Failure to Invalid Session after Password Change                                                                        $0.0
41    Login CSRF : Login Authentication Flaw on https://liberapay.com/                                                        $0.0
42    Disavowing an account doesn't disable it                                                                                $0.0
43    Disavowed an email without any authentication                                                                           $0.0
44    Twitter account hijack @Costalfy                                                                                        $0.0
45    Password Reset Token Leak Via Referrer                                                                                  $0.0
46    Avatar URL is exposed in patron export for secret donations                                                             $0.0
47    Unsafe yaml load can lead to remote code execution                                                                      $0.0