Reports in ping identity program: S.No Title Bounty 1 Server-Side Request Forgery on SAML Application - Import via URL $450.0 2 Internal Hostname disclosure from multiple Apache servers via blank host header method $150.0 3 Google Maps API key leaked during device pairing $150.0 4 Forbidden access to https://apps-staging.pingone.com but "/packages.json" visible and full path disclosure $100.0 5 CSRF in Inviting users $0.0 6 SaaS admin can modify/delete/get user information. $0.0 7 Session misconfiguration on change password feature at https://apps-staging.pingone.com/myaccount/?environmentId=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx# $0.0 8 Session misconfiguration on forget password feature at https://ort-admin.pingone.com $0.0 9 Stored XSS in Application menu via Home Page Url $0.0 10 No valid SPF record not found $0.0 11 Broken Link on Ping Identity's Vulnerability Submission Form on Hackerone $0.0