Following are some of my Responsible Disclosures. Target companies span from web2 to web3.
| Issue | Company | Writeup/HOF |
|---|---|---|
| S3 Bucket takeover leading to KYC information | XYZ | https://medium.com/@mahitman1/i-own-your-customers-22e965761abd |
| Access to KYC information of a Crypto Exchange | XYZ | https://medium.com/@mahitman1/i-own-your-customers-22e965761abd |
| SQL Injection in Plutus.io | Plutus | https://medium.com/@mahitman1/hacking-a-crypto-debit-card-service-730f287aaee7 |
| Nacos Instance leading to Backend Keys | H&M | https://medium.com/@mahitman1/how-i-found-a-goldmine-but-got-no-gold-e912a89fa522 |
| Access to Air Conditioning Panels | H&M | https://medium.com/@mahitman1/how-attacker-could-have-suffocated-the-company-staff-37a6b7192f12 |
| SSRF leading to Backend | Cargo.build | https://medium.com/@mahitman1/hacking-a-nft-platform-56fc59479d3b?source=user_profile---------1---------------------------- |
| Free Wallet TopUp | CJDropshipping | https://medium.com/@mahitman1/free-wallet-topups-f814bb56640f |
| XSS In Apple's Acquisition | BeatsByDre | http://exploiting365.blogspot.com/2016/03/xss-in-beatsbydrecom.html |
| XSS In Steam | Steam | http://exploiting365.blogspot.com/2016/03/xss-in-steamcommunity.html |
| XSS In Apptentive | Apptentive | http://exploiting365.blogspot.com/2016/03/cross-site-scripting-xss-in-apptentive.html |
| XSS In Hackpad | DropBox | http://exploiting365.blogspot.com/2015/09/cross-site-scripting-in-hackpad.html |
| XSS In Ebay | Ebay | https://pages.ebay.com/securitycenter/security_researchers_acknowledgements.html |
| Access to Redis Instance | Silvergoldbull | |
| Subdomain Takeover | Silvergoldbull | |
| Blind XSS In Crypto Exchange | Bilaxy | |
| Access to KYC File of CryptoExchange | rekeningku | |
| Stealing user funds via leveraging CSRF | Bilaxy | |
| Blind XSS in admin panel | Dflow | |
| CSRFs in Skypixel.com | DJI | |
| XXE in Solaredge.com | Solaredge | https://www.solaredge.com/bug-bounty-leaderboard |
| RCE in Cybozu.co.jp | Cybozu.co.jp | |
| Access to Admin Dashboard | Plutus.it | |
| Blind XSS in Oneplus | Oneplus | |
| Directory Traversal in Oneplus | Oneplus | |
| Misconfigured S3 Bucket | Sphero | |
| Account takeover using CSRF | Sphero | |
| Subdomain Takeover | Sphero | |
| XSS in Opera.com | Opera | https://blogs.opera.com/security/2014/01/thanks-researchers-2014/ |
| XSS in Unity3d.com | Unity | |
| XSS in Vmware.com | Vmware | |
| Log4j in TCL | TCL | |
| Nacos panel Misconfiguration leading to Credentials | TCL | |
| SQL Injection in Terravirtua | Terravirtua | |
| Access to multiple instances of 204 netman | H&M | |