Reports in upserve program:

| S.No | Title | Bounty |
|------|-------|--------|
| 1 | DOM Based XSS via postMessage at https://inventory.upserve.com/login/ | $2500.0 |
| 2 | Ability to create own account UUID leads to stored XSS | $1500.0 |
| 3 | Open redirect at https://inventory.upserve.com/http://google.com/ | $1200.0 |
| 4 | Reflected XSS on https://inventory.upserve.com/ (affects IE users only) | $1200.0 |
| 5 | Blind stored xss in demo form | $500.0 |
| 6 | Insufficient validation of sides/modifiers quantity | $500.0 |
| 7 | [theacademy.upserve.com] Reflected XSS Query-String | $250.0 |
| 8 | reports.breadcrumb.com is vulnerable for Arbitrary file existence disclosur CVE-2014-7829 | $200.0 |
| 9 | Information disclosure through search engines (password reset token) | $0.0 |
| 10 | Reflected xss on theacademy.upserve.com | $0.0 |
| 11 | Ability to reset password for account | $0.0 |
| 12 | Open redirect on https://hq-api.upserve.com/ | $0.0 |
| 13 | OLO Total price manipulation using negative quantities | $0.0 |
| 14 | Payment method token being sent to 3rd party analytics service | $0.0 |