Reports in Zendesk program:

| S.No | Title | Bounty |
|------|-------|--------|
| 1 | Full Sub Domain Takeover at wx.zopim.net | $0.0 |
| 2 | [status.zopim.com] Open Redirect | $0.0 |
| 3 | AWS S3 bucket writable for authenticated aws user | $0.0 |
| 4 | XSS in zendesk.com/product/ | $0.0 |
| 5 | Missing function level access controls allowing attacker to abuse file access controls. Multiple vulnerabilities | $0.0 |
| 6 | Android SDK - CREATE_REQUEST broadcast is unprotected | $0.0 |
| 7 | express config leaking stacktrace | $0.0 |
| 8 | Error stack trace enabled | $0.0 |
| 9 | a stored xss in web widget chat | $0.0 |
| 10 | Twitter SSO allows unverified e-mail registration, leads to Slack and social media hijacks | $0.0 |
| 11 | Race Condition in Article "Helpful" Indicator | $0.0 |
| 12 | Unvalidated / Open Redirect | $0.0 |
| 13 | Stored XSS in Draft Articles. | $0.0 |
| 14 | open redirect in <your_zendesk>.zendesk.com | $0.0 |
| 15 | Remote code execution as root on [REDACTED] | $0.0 |
| 16 | SSRF issue in "URL target" allows [REDACTED] | $0.0 |
| 17 | XSS with needed user intervention | $0.0 |
| 18 | dom based xss in *.zendesk.com/external/zenbox/ | $0.0 |
| 19 | Secret API Key Leakage via Query String | $0.0 |
| 20 | Stored Cross Site Scripting on Zendesk agent dashboard | $0.0 |
| 21 | Admin Macro Description Stored XSS | $0.0 |
| 22 | Leaked artifactory_key, artifactory_api_key, and gcloud refresh_token via GitHub. | $0.0 |
| 23 | Leaked artifactory_api_key via GitHub. | $0.0 |
| 24 | Blind XSS via Suspended Ticket Recovery | $0.0 |
| 25 | Stored XSS in Macro Editing - Introduced by Admins to affect Admins | $0.0 |
| 26 | "Test target" of the "HTTP target" extension can unintentionally send username and password in the Authorization header | $0.0 |
| 27 | SMTP user enumeration via mail.zendesk.com | $0.0 |
| 28 | CSRF on developer.zendesk.com via Cache Deception | $0.0 |
| 29 | Privilege escalation - Support-Contributor to Support and Product Admin via /api/v2/██████ . No ADMIN PRIVILEGE required. | $0.0 |