Reports in omise program (S.No, title, bounty):

 1. Host Header Injection leads to Open Redirect and Content Spoofing or Text Injection. ($300)
 2. XSS via X-Forwarded-Host header ($200)
 3. Cross-site scripting on dashboard2.omise.co ($200)
 4. Open Redirect ($100)
 5. ████. ($100)
 6. Open S3 Bucket Accessible by any User ($100)
 7. Anonymous access control - Payments Status ($100)
 8. IDOR Payments Status ($100)
 9. Subdomain takeover http://accessday.opn.ooo/ ($50)
10. Public and secret API key leaked via omise GitHub repo (owned by omise) ($0)
11. SSRF in webhooks leads to AWS private keys disclosure ($0)
12. Email enumeration at SignUp page ($0)
13. Found Origin IPs Lead To Access To Grafana Instance, PgHero Instance [Can SQL Injection] ($0)
14. Failure to Invalidate Session after Password Change ($0)
15. Signup with any email and enable 2FA without verifying email ($0)
16. Authenticity token doesn't expire after single use, leading to CSRF ($0)
17. Broken Authentication and Session Management Flaw After Change Password and Logout ($0)
18. assets/vendor.js file exposing sentry.io token and DNS and application id ($0)
19. Brute force attack of current password on login page by bypassing account limit using IP rotator (https://dashboard.omise.co/signin) ($0)
20. Race condition on action: Invite members to a team ($0)
21. The endpoint '/test/webhooks' is vulnerable to DNS Rebinding ($0)
22. Unauthorized Access - admin roles downgraded to none can still edit projects through Burp Suite ($0)
23. Brute force of a current password on disable 2FA leads to guessing the password and disabling 2FA ($0)
24. Secret API Key is logged in cleartext ($0)
25. The endpoint '/test/webhooks' is vulnerable to DNS Rebinding ($0)