Reports in Logitech program:

| S.No | Title | Bounty |
|------|-------|--------|
| 1 | One Click Account takeover using Ouath CSRF bypass by adding Null byte %00 in state parameter on www.streamlabs.com | $200.0 |
| 2 | Moderator user has access to owner's support portal and tickets | $200.0 |
| 3 | Sensitive information disclosure to shared access user via streamlabs platform api | $200.0 |
| 4 | SSRF allows reading AWS EC2 metadata using "readapi" variable in Streamlabs Cloudbot | $200.0 |
| 5 | session takeover via open protocol redirection on streamlabs.com | $200.0 |
| 6 | GET based Open redirect on [streamlabs.com/content-hub/streamlabs-obs/search?query=] | $100.0 |
| 7 | IDOR when creating App on [platform.streamlabs.com/api/v1/store/whitelist] with user_id field | $0.0 |
| 8 | Stored XSS in [https://streamlabs.com/dashboard#/*goal] pages | $0.0 |
| 9 | CSRF in changing users donation_settings [https://streamlabs.com/api/v6/viewer-portal/viewer-settings/donation_settings] | $0.0 |
| 10 | Stored XSS on oslo.io in notifications via project name change | $0.0 |
| 11 | Host Header injection in oslo.io (using X-Forwarded-For header) leading to email spoofing | $0.0 |
| 12 | Manipulating response leads to free access to Streamlabs Prime | $0.0 |
| 13 | Privilege Escalation Leads to Control The Owner Access Token Which leads to control the stream [streamlabs.com] | $0.0 |
| 14 | Steal any users access_token via open redirect in https://streamlabs.com/global/identity?popup=1&r= | $0.0 |
| 15 | clickjacking on deleting user's clips [https://crossclip.com/clips] | $0.0 |