mrreboot Posted January 25, 2020

Top 25 RCE Bug Bounty Reports

The reports were disclosed through the HackerOne platform and were selected according to their upvotes, bounty, severity level, complexity, and uniqueness.

#1
Title: Potential pre-auth RCE on Twitter VPN
Company: Twitter
Bounty: $20,160
Link: https://hackerone.com/reports/591295

#2
Title: RCE on Steam Client via buffer overflow in Server Info
Company: Valve
Bounty: $18,000
Link: https://hackerone.com/reports/470520

#3
Title: Struct type confusion RCE
Company: Shopify
Bounty: $18,000
Link: https://hackerone.com/reports/181879

#4
Title: Malformed .BSP Access Violation in CS:GO can lead to Remote Code Execution
Company: Valve
Bounty: $12,500
Link: https://hackerone.com/reports/351014

#5
Title: Git flag injection — local file overwrite to remote code execution
Company: GitLab
Bounty: $12,000
Link: https://hackerone.com/reports/658013

#6
Title: Remote Code Execution on www.semrush.com/my_reports on Logo upload
Company: SEMrush
Bounty: $10,000
Link: https://hackerone.com/reports/403417

#7
Title: Panorama UI XSS leads to Remote Code Execution via Kick/Disconnect Message
Company: Valve
Bounty: $9,000
Link: https://hackerone.com/reports/631956

#8
Title: RCE using bash command injection on /system/images (toimitilat.lahitapiola.fi)
Company: LocalTapiola
Bounty: $6,800
Link: https://hackerone.com/reports/303061

#9
Title: Remote Code Execution at http://tw.corp.ubnt.com
Company: Ubiquiti Inc.
Bounty: $5,000
Link: https://hackerone.com/reports/269066

#10
Title: Adobe Flash Player Regular Expression UAF Remote Code Execution Vulnerability
Company: Flash (IBB)
Bounty: $5,000
Link: https://hackerone.com/reports/139879

#11
Title: RCE by command line argument injection to `gm convert` in `/edit/process?a=crop`
Company: Imgur
Bounty: $5,000
Link: https://hackerone.com/reports/212696

#12
Title: RCE and Complete Server Takeover of http://www.█████.starbucks.com.sg/
Company: Starbucks
Bounty: $4,000
Link: https://hackerone.com/reports/502758

#13
Title: [ RCE ] Through stopping the redirect in /admin/* the attacker able to bypass Authentication And Upload Malicious File
Company: Mail.ru
Bounty: $4,000
Link: https://hackerone.com/reports/683957

#14
Title: Blind SQLi leading to RCE, from Unauthenticated access to a test API Webservice
Company: Starbucks
Bounty: $4,000
Link: https://hackerone.com/reports/592400

#15
Title: Attention! Remote Code Execution at http://wpt.ec2.shopify.com/
Company: Shopify
Bounty: $3,000
Link: https://hackerone.com/reports/73567

#16
Title: Unchecked weapon id in WeaponList message parser on client leads to RCE
Company: Valve
Bounty: $3,000
Link: https://hackerone.com/reports/513154

#17
Title: Drupal 7 pre auth sql injection and remote code execution
Company: The Internet Bug Bounty Program
Bounty: $3,000
Link: https://hackerone.com/reports/31756

#18
Title: RCE via ssh:// URIs in multiple VCS
Company: The Internet Bug Bounty Program
Bounty: $3,000
Link: https://hackerone.com/reports/260005

#19
Title: Remote Code Execution on Git.imgur-dev.com
Company: Imgur
Bounty: $2,500
Link: https://hackerone.com/reports/206227

#20
Title: GMP Deserialization Type Confusion Vulnerability [MyBB <= 1.8.3 RCE Vulnerability]
Company: PHP (IBB)
Bounty: $1,500
Link: https://hackerone.com/reports/198734

#21
Title: Old WebKit HTML agent in Template Preview function has multiple known vulnerabilities leading to RCE
Company: Lob
Bounty: $1,500
Link: https://hackerone.com/reports/520717

#22
Title: Remote code execution using render :inline
Company: Ruby on Rails
Bounty: $1,500
Link: https://hackerone.com/reports/113928

#23
Title: RCE which may occur due to `ActiveSupport::MessageVerifier` or `ActiveSupport::MessageEncryptor` (especially Active storage)
Company: Ruby on Rails
Bounty: $1,500
Link: https://hackerone.com/reports/473888

#24
Title: Remote code execution on rubygems.org
Company: RubyGems
Bounty: $1,500
Link: https://hackerone.com/reports/274990

#25
Title: WordPress SOME bug in plupload.flash.swf leading to RCE
Company: Automattic
Bounty: $1,337
Link: https://hackerone.com/reports/134738

Bonus: 10 Zero Dollars RCE Reports

#1 Bonus
Title: Read files on application server, leads to RCE
Company: GitLab
Bounty: $0
Link: https://hackerone.com/reports/178152

#2 Bonus
Title: XXE in DoD website that may lead to RCE
Company: U.S. D.o.D.
Bounty: $0
Link: https://hackerone.com/reports/227880

#3 Bonus
Title: Remote Code Execution (RCE) in a DoD website
Company: U.S. D.o.D.
Bounty: $0
Link: https://hackerone.com/reports/248116

#4 Bonus
Title: Remote Unrestricted file Creation/Deletion and Possible RCE.
Company: Twitter
Bounty: $0
Link: https://hackerone.com/reports/191884

#5 Bonus
Title: RCE on via CVE-2017-10271
Company: U.S. D.o.D.
Bounty: $0
Link: https://hackerone.com/reports/576887

#6 Bonus
Title: Ability to access all user authentication tokens, leads to RCE
Company: GitLab
Bounty: $0
Link: https://hackerone.com/reports/158330

#7 Bonus
Title: Remote Code Execution via Extract App Plugin
Company: Nextcloud
Bounty: $0
Link: https://hackerone.com/reports/546753

#8 Bonus
Title: Arbitrary File Reading leads to RCE in the Pulse Secure SSL VPN on the https://███
Company: U.S. D.o.D.
Bounty: $0
Link: https://hackerone.com/reports/678496

#9 Bonus
Title: Remote Code Execution in Rocket.Chat Desktop
Company: Rocket.chat
Bounty: $0
Link: https://hackerone.com/reports/276031

#10 Bonus
Title: [npm-git-publish] RCE via insecure command formatting
Company: Node.js third-party modules
Bounty: $0
Link: https://hackerone.com/reports/730121

Source