Top 100 reports with highest bounty:

| S.No | Title | Bounty |
|---|---|---|
| 1 | Github access token exposure | $50000.0 |
| 2 | [Pre-Submission][H1-4420-2019] API access to Phabricator on code.uberinternal.com from leaked certificate in git repo | $39999.99 |
| 3 | RCE via the DecompressedArchiveSizeValidator and Project BulkImports (behind feature flag) | $33510.0 |
| 4 | Remote Command Execution via Github import | $33510.0 |
| 5 | RCE via npm misconfig -- installing internal libraries from the public registry | $30000.0 |
| 6 | Arbitrary file read via the bulk imports UploadsPipeline | $29000.0 |
| 7 | SQL Injection in report_xml.php through countryFilter[] parameter | $25000.0 |
| 8 | Exposed Kubernetes API - RCE/Exposed Creds | $25000.0 |
| 9 | Server Side Request Forgery (SSRF) via Analytics Reports | $25000.0 |
| 10 | SAML Signature verification bypass allows logging into any user (with specific conditions) | $25000.0 |
| 11 | RepositoryPipeline allows importing of local git repos | $22300.0 |
| 12 | Potential pre-auth RCE on Twitter VPN | $20160.0 |
| 13 | Getting all the CD keys of any game | $20000.0 |
| 14 | Bypass for #488147 enables stored XSS on https://paypal.com/signin again | $20000.0 |
| 15 | Account takeover via leaked session cookie | $20000.0 |
| 16 | Arbitrary file read via the UploadsRewriter when moving an issue | $20000.0 |
| 17 | RCE via unsafe inline Kramdown options when rendering certain Wiki pages | $20000.0 |
| 18 | RCE when removing metadata with ExifTool | $20000.0 |
| 19 | Private objects exposed through project import | $20000.0 |
| 20 | Steal private objects of other projects via project import | $20000.0 |
| 21 | bd-j exploit chain | $20000.0 |
| 22 | Github Apps can use Scoped-User-To-Server Tokens to Obtain Full Access to User's Projects in Project V2 GraphQL api | $20000.0 |
| 23 | Stored XSS on https://paypal.com/signin via cache poisoning | $18900.0 |
| 24 | Oracle Webcenter Sites administrative and hi-privilege access available directly from the internet (/cs/Satellite) | $18000.0 |
| 25 | Struct type confusion RCE | $18000.0 |
| 26 | Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation to Any Shop Owner by Taking Advantage of the Shopify SSO | $16000.0 |
| 27 | Arbitrary file read during project import | $16000.0 |
| 28 | Stored XSS in markdown via the DesignReferenceFilter | $16000.0 |
| 29 | Token leak in security challenge flow allows retrieving victim's PayPal email and plain text password | $15300.0 |
| 30 | Ability to bypass partner email confirmation to take over any store given an employee email | $15250.0 |
| 31 | Open prod Jenkins instance | $15000.0 |
| 32 | [Part II] Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation | $15000.0 |
| 33 | Websites Can Run Arbitrary Code on Machines Running the 'PlayStation Now' Application | $15000.0 |
| 34 | Leaked JFrog Artifactory username and password exposed on GitHub - https://snapchat.jfrog.io | $15000.0 |
| 35 | Incorrect authorization to the intelbot service leading to ticket information | $15000.0 |
| 36 | Delete anyone's content spotlight remotely. | $15000.0 |
| 37 | Stored XSS in Notes (with CSP bypass for gitlab.com) | $13950.0 |
| 38 | XSS in ZenTao integration affecting self hosted instances without strict CSP | $13950.0 |
| 39 | New /add_contacts /remove_contacts quick commands susceptible to XSS from Customer Contact firstname/lastname fields | $13950.0 |
| 40 | Stored XSS via Kroki diagram | $13950.0 |
| 41 | Mass Accounts Takeover Without any user Interaction at https://app.taxjar.com/ | $13000.0 |
| 42 | Spring Actuator endpoints publicly available and broken authentication | $12500.0 |
| 43 | An attacker can archive and unarchive any structured scope object on HackerOne | $12500.0 |
| 44 | Remote vulnerabilities in spp | $12500.0 |
| 45 | View Titles of Private Reports with pending email invitation | $12500.0 |
| 46 | Bypass of GitLab CI runner slash fix in YAML validation | $12000.0 |
| 47 | JSON serialization of any Project model results in all Runner tokens being exposed through Quick Actions | $12000.0 |
| 48 | Local files could be overwritten in GitLab, leading to remote command execution | $12000.0 |
| 49 | Project Template functionality can be used to copy private project data, such as repository, confidential issues, snippets, and merge requests | $12000.0 |
| 50 | Git flag injection - local file overwrite to remote code execution | $12000.0 |
| 51 | Path traversal in Nuget Package Registry | $12000.0 |
| 52 | Path traversal, to RCE | $12000.0 |
| 53 | Account Takeover via Authentication Bypass in TikTok Account Recovery | $12000.0 |
| 54 | Arbitrary Code Execution via npm misconfiguration – installing internal libraries from the public registry | $11500.0 |
| 55 | Exfiltrate and mutate repository and project data through injected templated service | $11000.0 |
| 56 | IDOR to add secondary users in www.paypal.com/businessmanage/users/api/v1/users | $10500.0 |
| 57 | Ability to DOS any organization's SSO and open up the door to account takeovers | $10500.0 |
| 58 | Partial disclosure of report activity through new "Export as .zip" feature | $10000.0 |
| 59 | Crash: Initialize Decimal with itself triggers an assertion | $10000.0 |
| 60 | Segfault and/or potential unwanted (byte)code execution with "break" and "\|\|=" inside a loop | $10000.0 |
| 61 | Segfault in mruby, mruby_engine and the parent MRI Ruby due to null pointer dereference | $10000.0 |
| 62 | Range constructor type confusion DoS | $10000.0 |
| 63 | Range#initialize_copy null pointer dereference | $10000.0 |
| 64 | Null pointer dereference due to bug in codegen with negation without using value | $10000.0 |
| 65 | Buffer overflow in mrb_time_asctime | $10000.0 |
| 66 | Broken handling of maximum number of method call arguments leads to segfault | $10000.0 |
| 67 | Information Disclosure in /skills call | $10000.0 |
| 68 | Invalid handling of zero-length heredoc identifiers leads to infinite loop in the sandbox | $10000.0 |
| 69 | Crash: Overwriting NoMethodError with a builtin class crashes/corrupts memory | $10000.0 |
| 70 | Certain inputs cause tight C-level recursion leading to process stack overflow | $10000.0 |
| 71 | Double Payout via PayPal | $10000.0 |
| 72 | Malformed NAV file leads to buffer overflow and code execution in Left4Dead2.exe | $10000.0 |
| 73 | SSRF on project import via the remote_attachment_url on a Note | $10000.0 |
| 74 | gitlab-workhorse bypass in Gitlab::Middleware::Multipart allowing files in allowed_paths to be read | $10000.0 |
| 75 | Use-After-Free In IPV6_2292PKTOPTIONS leading To Arbitrary Kernel R/W Primitives | $10000.0 |
| 76 | Remote Code Execution on Cloud via latest Kibana 7.6.2 | $10000.0 |
| 77 | Access to multiple production Grafana dashboards | $10000.0 |
| 78 | SOCK_RAW sockets reachable from Webkit process allows triggering double free in IP6_EXTHDR_CHECK | $10000.0 |
| 79 | RCE hazard in reporting (via Chromium) | $10000.0 |
| 80 | CSRF protection bypass in GitHub Enterprise management console | $10000.0 |
| 81 | Use-after-free in setsockopt IPV6_2292PKTOPTIONS (CVE-2020-7457) | $10000.0 |
| 82 | size_t-to-int vulnerability in exFAT leads to memory corruption via malformed USB flash drives | $10000.0 |
| 83 | Authentication bypass on gist.github.com through SSH Certificates | $10000.0 |
| 84 | Management Console Editor Privilege Escalation to Root SSH Access in GitHub Enterprise Server via RCE in syslog-ng | $10000.0 |
| 85 | Management Console Editor Privilege Escalation to Root SSH Access in GitHub Enterprise Server via nomad template injection | $10000.0 |
| 86 | Privilege Escalation to Root SSH Access via Pre-Receive Hook Environment in GitHub Enterprise Server | $10000.0 |
| 87 | Management Console Editor Privilege Escalation to Root SSH Access in GitHub Enterprise Server via nomad template injection and audit-forward | $10000.0 |
| 88 | Management Console Editor Privilege Escalation to Root SSH Access in GitHub Enterprise Server via RCE in actions-console | $10000.0 |
| 89 | Management Console Editor Privilege Escalation to Root SSH Access in GitHub Enterprise Server via RCE in collectd | $10000.0 |
| 90 | Management Console Editor Privilege Escalation to Root SSH Access in GitHub Enterprise Server via RCE in ghe-update-check | $10000.0 |
| 91 | DoS on PayPal via web cache poisoning | $9700.0 |
| 92 | XSS at jamfpro.shopifycloud.com | $9400.0 |
| 93 | RCE via npm misconfig -- installing internal libraries from the public registry | $9000.0 |
| 94 | RCE on CS:GO client using unsanitized entity ID in EntityMsg message | $9000.0 |
| 95 | AWS keys and user cookie leakage via uninitialized memory leak in outdated librsvg version in Basecamp | $8868.0 |
| 96 | Arbitrary POST request as victim user from HTML injection in Jupyter notebooks | $8690.0 |
| 97 | Content injection in Jira issue title enabling sending arbitrary POST request as victim | $8690.0 |
| 98 | SAML Authentication Bypass on uchat.uberinternal.com | $8500.0 |
| 99 | [CRITICAL] -- Complete Account Takeover | $8000.0 |
| 100 | Crash: calling Proc::initialize_copy with a Proc instance where initialize never ran leads to a crash | $8000.0 |