Bug Bounty Acknowledgments
Found a bug or security issue in our project? See https://app.certifix.eu/security.txt for more info.
Bug Bounty Policy: See examples of repeated or unacceptable reports here
Hall of Fame
2024-11-26 - Hassan Jaleel - TLS-RPT record missing - €0.00
2024-05-26 - Pruthu Raut - MTA-STS record missing - €10.00
2024-05-17 - Himanshu Sondhi - SRI missing - €0.00
2024-05-17 - Himanshu Sondhi - Outdated jQuery library - €0.00
2023-12-25 - Mridul Rastogi - Password recovery process info leak - €0.00
2021-07-14 - Kiran Ghimire - Registration process logical issue - €0.00
2021-06-25 - Kunal Mhaske - Session expiration when changing password - €25.00
2021-01-18 - Prajwal Khante - HTML injection (XSS) with HTTP Referer header - €20.00
2020-12-09 - Zin Min Phyo - Filetype (mime/extension) confusion when uploading evidencing files - €15.00
Reported also by:
2020-12-22 - Akash Chauhan
2020-10-01 - Kinshuk Kumar - E-mail sent links not expiring - €15.00
2020-09-12 - Aditya Soni - crash in the password reset field using IDN homographic value - €10.00
2020-09-02 - Akshay Parse - user's full name length was insufficiently restricted - €5.00
2020-08-30 - Akshay Parse - registration process logical flaw - €15.00
Reported also by:
2023-12-25 - Milan Jain
2020-08-09 - Rashid P - WP-Cron exposure / DoS risk - €5.00
2020-08-08 - Kinshuk Kumar - missing DMARC policy on associated domain - €0.00
2020-08-07 - Sai ViNay Reddee - regression on session fixation - €10.00
2020-07-10 - Ronit Bhatt - hyperlink injection in user's name - €20.00
2020-07-08 - Keshav Malik - Account Lockout not Being Enforced - €25.00
2020-07-08 - Keshav Malik - password complexity not validated - €15.00
Reported also by:
2020-07-15 - Nishant N. Lungare
2020-07-06 - Keshav Malik - session fixation / invalidate user sessions on logout - €20.00
2020-07-02 - Akshay Parse - no rate limit on form submit actions - €25.00
Reported also by:
2020-07-06 - Keshav Malik
2020-07-06 - Ajaysen R
2020-07-01 - Aamir Usman Khan - stored XSS in document info - €20.00
2020-07-01 - Aamir Usman Khan - password length policy - €5.00
2020-06-28 - Bilal Abdul Muqeet - WP JSON API allowed for unauthenticated users - €10.00
2020-06-25 - Kunal Mhaske - invalidate all user sessions once the new password is set - €30.00
2020-05-14 - Kunal Mhaske - incorrect security on referrer, switched to origin-when-cross-origin - €25.00
2020-03-11 - Kunal Mhaske - email bombing on forgot password function - €10.00
2020-03-01 - Kunal Mhaske - missing DMARC policy on certifix.eu/certifix.cz - €10.00