Responsible Disclosure Hall of Fame

This page contains the Hall of Fame, with a (mostly up-to-date) list of all those people that have highlighted security issues to us. It is a direct result of our responsible disclosure policy, which we implemented in December 2012, modeled after the work of Floor Terra.

This has directed a lot of eyes towards our infrastructures, which spotted a lot of tiny details we would have otherwise missed. While we regularly scan our own infrastructure using automated tools, there are things a human will spot, but a scanner will miss. Having more eyes on the infrastructure means these irregularities are spotted too, allowing us to o provide a more secure environment for our customers, visitors and ourselves.

REPORTED ISSUES

October 2020
User enumeration on a website that wasn't supposed to be publicly available, discovered by Sanem Sudheendra.
August 2020
A CNAME record pointing to an unused AWS resource controllable by an attacker has been discovered by Mirhat Yaşar(@mirhatx).
May 2020
CNAME records pointing to an unused Azure resource controllable by an attacker has been discovered by Sumit Grover(@sumgr0). He also allocated the azure resource pointed by the CNAME to avoid further abuse by malicious actors before submitting the report, kudos for that! Rewarded with an amazon gift card.
April 2020
Deprecated Prometheus endpoints exposed from v1 of a Kubernetes cluster were found by Vanshit Malhotra (@vanshitmalhotra)
September 2018
Publicly exposed services with certain vulnerabilities and default configuration were discovered by hogarth45 and Ben Sadeghipour (@nahamsec), rewarded with the thinkgeek card and a donation towards the Room to read.
December 2017
Deprecated Acceptance Site Exposed discovered by Victor Angelier (https://thecodingcompany.se), rewarded with a €50 gift card for Getdigital (#3173)
September 2017
Dom-based XSS discovered by Guifre Ruiz (https://guif.re), rewarded with a 50€ gift card (#2914)
July 2017
Mixed Image Content discovered by Glen Baker, rewarded with a $50 gift card for Thinkgeek (#2603)
June 2017
Reflected XSS discovered by Wen Bin Kong (@kongwenbin, https://linkedin.com/in/kongwenbin) rewarded with a t-shirt (#2634)
October 2016
Information disclosure vulnerability in www.schubergphilis.com discovered by Amjad Kabhad, rewarded with a T-shirt (#724)
September 2016
Undisclosed privilege escalation in central account, discovered by 2 anonymous researchers, awarded with a 100E donation to Room to Read. (#1732)
December 2015
Clickjack protection missing by Suresh Thiyam rewarded with a T-shirt (#1038)
November 2015
SSL misconfiguration discovered by Daniyal Nasir (http://www.zetrew.com) rewarded with a 100E donation to Room to Read (#969)
June 2015
Host header injection discovered by Yassine Aboukir (http://www.yassineaboukir.com) rewarded with a t-shirt (#723)
January 2015 Cross Site Scripting discovered by Osama Mahmood rewarded with a t-shirt (#626)
SSL configuration issue discovered by an anonymous researcher rewarded with a t-shirt (#606) September 2014 XSS via referrer header discovered by Osama Mahmood rewarded with a t-shirt (#500) Autocomplete on password field, discovered by an Anonyous Researcher, rewarded with a 100E donation to Room to Reard (#501) Version disclosure, discovered by an Anonyous Researcher, rewarded with a 100E donation to Room to Reard (#508)
August 2014
Same site scripting, discovered by MTK, rewarded with a t-shirt (#479)
June 2014
Incorrectly secured session cookie, discovered by abhiramThak rewarded with a t-shirt (#437) May 2014
Multiple Cryptographic issues, discovered by S.Venkatesh, rewarded with a t-shirt (#385)
Incorrect SSL configuration photos.schubergphilis.com, discovered by Ch. Muhammad Osama rewarded with a t-shirt
Backup files on website, discovered by an anonymous researcher, rewarded with a t-shirt (#410)
Weak SSL config, discovered by an anonymous researcher, rewarded with a t-shirt (#410)
Weak SSL config, discovered by an anonymous researcher, rewarded with a t-shirt (#411)

May 13, 2014 – Relaunch of schubergphilis.com & cupfighter.net, built in PHP on a Symfony 2.0 framework

May 2014
TRACE allowed in Flash file, discovered by Dushyant Sahu, rewarded with a t-shirt (#384)
Domain Hijacking vulnerability, discovered by Prayas Kulshrestha, rewarded with a donation for Room to Read (#352)
XSS in seccubus.com Contact Form plugin, discovered by Shubham Gupta, rewared with a t-shirt (#381)
TRACE method in seccubus.com, discovered by Muhammad Talha Khan, rewarded with a t-shirt. (#382)
XSS in seccubus.com, discovered by Muhammad Talha Khan, rewarded with a t-shirt. (#392)
April 2014
Apache information Disclosure, discovered by Muhammad Talha Khan, rewarded with a t-shirt. (#307)
March 2014
Yogesh Modi – 12 individual findings – rewarded with several t-shirts and a donation to room to read (various tickets)
January 2014
Information Disclosure vulnerability, discovered by Basavaraj, reward pending (#230)

Mail spoofing vulnerability, discovered by Prayas Kulshrestha, reward pending (#237)
Information Disclosure via parsable backup files in schubergphilis.com discovered by Siddesh Gawde, reward pending (#242)
No XFO on a VPN webinterface, discovered by Prayas Kulshrestha, reward pending (#244)
XSS on seccubus.com, discovered by Rodolfo Godalle, Jr. , rewarded with a € 100,- donation to Room to Read (#304)
February 2014
Open Dir listing in v2.seccubus.com, discovered by Florindarck of Romanian Security Team rewarded with a t-shirt (#309)
March 2014
Click Jacking vulnerability, discovered by Hari Krishnan, rewarded with a t-shirt (#338)
November 2013
CSRF in seccubus.com discovered by Jatinpreet Singh, reward pending (#208)
CSRF in cupfighter.com discovered by Siddhesh Gawde, reward pending (#209)
DOM XSS vulnerability in photos.schubergphilis.com discovered by Siddhesh Gawde, reward pending (#210)
Name servers software version exposure discovered by Jatinpreet Singh, reward pending (#218)
December 2013
Clickjack vulnerability in service.schubergphilis.com discovered by Yogesh Modi, rewarded with a € 100,- donation to Room to Read(#227)
Open redirect in photos.schubergphilis.com, discovered by Siddesh Gawde, reward pending(#233)
October 2013
XSS on www.cupfighter.net via double encoded URL discovered by Sahil Saif, rewarded with a t-shirt (#163)
XSS on www.schubergphilis.com discovered by Sudhanshu Chauhan, rewarded with a € 100,- donation to Room to Read(#175)
XSS on www.schubergphilis.com discovered by Sergey Bobrov of Positive Technologies rewarded with a t-shirt (#176)
Failure to clean up DNS records led to vulnerable servers being visible in our infrastructure discovered by Narendra Bhati (R00t Sh3ll) of Cyber Octet Pvt. Ltd. rewarded with a t-shirt (#182)
Clickjack vulnerability in xxx.schubergphilis.com discovered by Siddhesh Gawde rewarded with a t-shirt (#194)
Directory listing vulnerability and a CLickjacking vulnerability in www.seccubus.com discovered by Hammad Shamsi rewarded with a t-shirt(#195 and #200)
Directory listing vulnerability in www.seccubus.com discovered by Siddhesh Gawde reward pending (#196)
Zone transfer not prohibited, discovered by Adam Ziaja rewarded with a t-shirt (#199)
September 2013
Cookie/session handling vulnerability in xxx.schubergphilis.com discovered by an anonymous researcher, reward pending (#136)
Cross Site Request Forgery in xxx.schubergphilis.com discovered by Siddhesh Gawde rewarded with a t-shirt (#129)
Information disclosure vulnerability in jira.schubergphilis.com discovered by Kamil Sevi rewarded with a t-shirt (#137)
HTML injection in xxx.schubergphilis.com discovered by Siddhesh Gawde rewarded with a t-shirt (#148)
ClickJack vulnerability on xxx.schubergphilis.com discovered by an Devesh Bhatt, rewarded with a t-shirt (#155)
XSS on www.schubergphilis.com via flash discovered by Gökmen GureÅŸçi rewarded with a t-shirt (#157)
August 2013
Information disclosure vulnerability in www.schubergphilis.com discovered by Javid Hussain rewarded with t-shirt (#31)
Three cross site scripting vulnerabilities in www.schubergphilis.com discovered by Jon of Bitquark Security Research rewarded with two t-shirts and a € 100,- donation to Room to Read (#35)
XSS on www.schubergphilis.com discovered by Frans Rosén of Detectify rewarded with a € 100,- donation to Room to Read (#36)
The same XSS on www.schubergphilis.com also discovered by Sergey Markov rewarded with a t-shirt (#39)
Another XSS on www.schubergphilis.com also discovered by Sergey Markov rewarded with a t-shirt (#45)
Three SSL issues and two click jacking issues discovered by Ankit Bharathan rewarded with two t-shirts (#52) & (#54)
XSS in photos.schubergphilis.com discovered by Siddhesh Gawde rewarded with a t-shirt (#58)
WAF configuration issue discovered by Arpit Gupta as well as Mariano Di Martino and Prakhar Prasad all three rewarded with a t-shirt. (#60) and (#113)
CSRF issue on xxx.schubergphilis.com discovered by Tejash Patel rewarded with a € 100,- donation to Room to Read (#109)
Click Jack vulnerability on xxx.schubergphilis.com discovered by Siddhesh Gawde rewarded with a t-shirt (#119)
Stored XSS on xxx.schubergphilis.com discovered by Siddhesh Gawde rewarded with a € 100,- donation to Room to Read (#122)
July 2013
Clickjacking vulnerability on SSL VPN device discovered by Surya Kumar rewarded with a t-shirt (#10)
XSS in www.schubergphilis.com via flash discovered by Darius Petrescu and (akkiliON) rewarded with a t-shirt (#11)
Information disclosure via error page on jira.schubergphilis.com discovered by Atul Shedage rewarded with a € 100,- donation to Room to Read (#12)
Insecure SSL renegotiation on SSL VPN and missing cross domain policy on photos.schubergphilis.com discovered by Harsha Vardhan Bappana (#14)
Clickjacking vulnerability in photos.schubergphilis.com discovered by Tushar Kumbhare of Defencely rewared with a € 100,- donation to Room to Read (#16)
XSS in www.schubergphilis.com discovered by SimranJeet Singh rewarded with a t-shirt (#17)
Clickjacking vulnerability in news.schubergphilis.com discovered by Javid Hussain rewarded with t-shirt (#18)
Clickjacking vulnerability in jira.schubergphilis.com discovered by Jigar Thakkar of Infobit rewarded with a t-shirt (#20)
Content spoofing in xxx.schubergphilis.com discovered by Jay Turla rewarded with a t-shirt (#21)
XSS on www.schubergphilis.com discovered by Olivier Beg rewarded with a t-shirt (#22)
June 2013
XSS in photo.schubergphilis.com discovered by Florindarck of Romanian Security Team rewarded with a t-shirt (#9)
May 2013
Cross Site Scripting vulnerability (XSS) in www.schubergphilis.com discovered by Yaroslav Olejnik – O.J.A. rewarded with a t-shirt (#7)
XSS in www.schubergphilis.com discovered by Danish Tariq and Ali hassah ghauri rewarded with a t-shirt (#8)