Top 25 RCE Bug Bounty Reports

[mrreboot]

Top 25 RCE Bug Bounty Reports

The reports were disclosed through the HackerOne platform and were selected according to their upvotes, bounty, severity level, complexity, and uniqueness.

#1

Title: Potential pre-auth RCE on Twitter VPN

Company: Twitter

Bounty: $20,160

Link: https://hackerone.com/reports/591295

#2

Title: RCE on Steam Client via buffer overflow in Server Info

Company: Valve

Bounty: $18,000

Link: https://hackerone.com/reports/470520

#3

Title: Struct type confusion RCE

Company: Shopify

Bounty: $18,000

Link: https://hackerone.com/reports/181879

#4

Title: Malformed .BSP Access Violation in CS:GO can lead to Remote Code Execution

Company: Valve

Bounty: $12,500

Link: https://hackerone.com/reports/351014

#5

Title: Git flag injection — local file overwrite to remote code execution

Company: GitLab

Bounty: $12,000

Link: https://hackerone.com/reports/658013

#6

Title: Remote Code Execution on www.semrush.com/my_reports on Logo upload

Company: SEMrush

Bounty: $10,000

Link: https://hackerone.com/reports/403417

#7

Title: Panorama UI XSS leads to Remote Code Execution via Kick/Disconnect Message

Company: Valve

Bounty: $9,000

Link: https://hackerone.com/reports/631956

#8

Title: RCE using bash command injection on /system/images (toimitilat.lahitapiola.fi)

Company: LocalTapiola

Bounty: $6,800

Link: https://hackerone.com/reports/303061

#9

Title: Remote Code Execution at http://tw.corp.ubnt.com

Company: Ubiquiti Inc.

Bounty: $5,000

Link: https://hackerone.com/reports/269066

#10

Title: Adobe Flash Player Regular Expression UAF Remote Code Execution Vulnerability

Company: Flash (IBB)

Bounty: $5,000

Link: https://hackerone.com/reports/139879

#11

Title: RCE by command line argument injection to `gm convert` in `/edit/process?a=crop`

Company: Imgur

Bounty: $5,000

Link: https://hackerone.com/reports/212696

#12

Title: RCE and Complete Server Takeover of http://www.█████.starbucks.com.sg/

Company: Starbucks

Bounty: $4,000

Link: https://hackerone.com/reports/502758

#13

Title: [ RCE ] Through stopping the redirect in /admin/* the attacker able to bypass Authentication And Upload Malicious File

Company: Mail.ru

Bounty: $4,000

Link: https://hackerone.com/reports/683957

#14

Title: Blind SQLi leading to RCE, from Unauthenticated access to a test API Webservice

Company: Starbucks

Bounty: $4,000

Link: https://hackerone.com/reports/592400

#15

Title: Attention! Remote Code Execution at http://wpt.ec2.shopify.com/

Company: Shopify

Bounty: $3,000

Link: https://hackerone.com/reports/73567

#16

Title: Unchecked weapon id in WeaponList message parser on client leads to RCE

Company: Valve

Bounty: $3,000

Link: https://hackerone.com/reports/513154

#17

Title: Drupal 7 pre auth sql injection and remote code execution

Company: The Internet Bug Bounty Program

Bounty: $3,000

Link: https://hackerone.com/reports/31756

#18

Title: RCE via ssh:// URIs in multiple VCS

Company: The Internet Bug Bounty Program

Bounty: $3,000

Link: https://hackerone.com/reports/260005

#19

Title: Remote Code Execution on Git.imgur-dev.com

Company: Imgur

Bounty: $2,500

Link: https://hackerone.com/reports/206227

#20

Title: GMP Deserialization Type Confusion Vulnerability [MyBB <= 1.8.3 RCE Vulnerability]

Company: PHP (IBB)

Bounty: $1,500

Link: https://hackerone.com/reports/198734

#21

Title: Old WebKit HTML agent in Template Preview function has multiple known vulnerabilities leading to RCE

Company: Lob

Bounty: $1,500

Link: https://hackerone.com/reports/520717

#22

Title: Remote code execution using render :inline

Company: Ruby on Rails

Bounty: $1,500

Link: https://hackerone.com/reports/113928

#23

Title: RCE which may occur due to `ActiveSupport::MessageVerifier` or `ActiveSupport::MessageEncryptor` (especially Active storage)

Company: Ruby on Rails

Bounty: $1,500

Link: https://hackerone.com/reports/473888

#24

Title: Remote code execution on rubygems.org

Company: RubyGems

Bounty: $1,500

Link: https://hackerone.com/reports/274990

#25

Title: WordPress SOME bug in plupload.flash.swf leading to RCE

Company: Automattic

Bounty: $1,337

Link: https://hackerone.com/reports/134738

Bonus: 10 Zero Dollars RCE Reports

#1 Bonus

Title: Read files on application server, leads to RCE

Company: GitLab

Bounty: $0

Link: https://hackerone.com/reports/178152

#2 Bonus

Title: XXE in DoD website that may lead to RCE

Company: U.S. D.o.D.

Bounty: $0

Link: https://hackerone.com/reports/227880

#3 Bonus

Title: Remote Code Execution (RCE) in a DoD website

Company: U.S. D.o.D.

Bounty: $0

Link: https://hackerone.com/reports/248116

#4 Bonus

Title: Remote Unrestricted file Creation/Deletion and Possible RCE.

Company: Twitter

Bounty: $0

Link: https://hackerone.com/reports/191884

#5 Bonus

Title: RCE on via CVE-2017–10271

Company: U.S. D.o.D.

Bounty: $0

Link: https://hackerone.com/reports/576887

#6 Bonus

Title: Ability to access all user authentication tokens, leads to RCE

Company: GitLab

Bounty: $0

Link: https://hackerone.com/reports/158330

#7 Bonus

Title: Remote Code Execution via Extract App Plugin

Company: Nextcloud

Bounty: $0

Link: https://hackerone.com/reports/546753

#8 Bonus

Title: Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://███

Company: U.S. D.o.D.

Bounty: $0

Link: https://hackerone.com/reports/678496

#9 Bonus

Title: Remote Code Execution in Rocket.Chat Desktop

Company: Rocket.chat

Bounty: $0

Link: https://hackerone.com/reports/276031

#10 Bonus

Title: [npm-git-publish] RCE via insecure command formatting

Company: Node.js third-party modules

Bounty: $0

Link: https://hackerone.com/reports/730121

Source