In Jan ’14 I reported three Cross-site Scripting vulnerabilities to the Yahoo Bug Bounty Program. And I know, it is really really hard, but … again … no feedback or bounty :)
XSS on ‘celebrity.yahoo.com’
XSS on ‘movies.yahoo.com’
XSS on ‘music.yahoo.com’
Continue reading "Yahoo Bug Bounty Program Vulnerability #4 #5 #6 Cross-site Scripting vulnerabilities"
Here is my last advisory, which I reported in 2013 to the Yahoo Bug Bounty Program. And again … the same story for this report as for my others :-/
If you’re interested, you can read it here:
Here is my advisory for the XSS on de-mg42.mail.yahoo.com:
Continue reading "Yahoo Bug Bounty Program Vulnerability #3 XSS on de-mg42.mail.yahoo.com"
In Nov ’13 I reported a Cross-site Scripting vulnerability to the Yahoo Bug Bounty Program. As with my other reports, I got no response or feedback, so I wrote a message to them via email this time and so on … blah blah :)
To cut a long story short, for all my reports the communication with Yahoo was really bad and of course: No bounty!
It seems this XSS is fixed, so here is my advisory:
Continue reading "Yahoo Bug Bounty Program Vulnerability #1 XSS on ads.yahoo.com"
Since November 2013 I have reported seven Cross-site Scripting vulnerabilities to the Giftcard Bug Bounty Program. Sadly, only one of them wasn’t a duplicate :-/. Strange? Perhaps, but not impossible given the simplicity of the vulnerabilities.
But what I really don’t understand: why do they still work today?
Continue reading "My experiences with the GiftCards.com Bug Bounty Program"
Today I received my bounty for a vulnerability which I reported to the MARKTPLAATS.nl Bug Bounty Program.
And here it is … my ‘ebay classifieds whitehat’ :-)
Really nice, isn’t it :-) ?
In my opinion the MARKTPLAATS.nl bug bounty program is one of the good ones: fast feedback and a nice contact, too.
By the way, the vulnerability is not fixed yet, so I will publish the advisory at a later time.
In Dec ’13 I reported an Open Redirect (and two other vulnerabilities, first in Nov ’13) to the Yahoo Bug Bounty Program. Sadly, I got no response or feedback for any of these issues, so I wrote a new message to them (this time via email).
Last week they told me that open redirects are no longer in scope of the bug bounty program :-/
So here is my advisory for this issue:
Continue reading "Yahoo Bug Bounty Program Vulnerability #2 Open Redirect"