Bug Bounty Hall of Fame
The security hall of fame lists the security researchers who have provided qualifying exploit information about tangible security risks in the Cloudsmith service itself (not in third-party services). Each entry is a separate report for a particular exploit, together with its final status, ordered by the date the exploit was reported, most recent first. The fields are described below the table.
Cloudsmith thanks the following security researchers:
Date | Reporter | Severity | Classification | Status
---|---|---|---|---
2022-04-05 | | HIGH | Remote Code Execution | Fixed (2022-04-05)
2022-01-28 | | MEDIUM | Information Disclosure | Fixed (2022-01-28)
2020-06-30 | | LOW | Clickjacking / XSS | Fixed (2020-06-30)
2020-06-18 | | LOW | Session Management | Fixed (2020-06-23)
2020-06-18 | | LOW | Server-Side Disclosure | Fixed (2020-06-18)
2020-05-31 | | LOW | Brute Force / Flood Attack | Fixed (2020-06-18)
2020-05-12 | | LOW | Complexity Attack | Fixed (2020-05-12)
2020-03-23 | | LOW | Cross-Site Scripting (XSS) | Fixed (2020-03-24)
2020-02-24 | | HIGH | Server-Side Request Forgery (SSRF) | Fixed (2020-02-24)
2019-09-18 | | LOW | Session Management | Fixed (2019-10-15)
2018-11-24 | | LOW | Flood Attack | Fixed (2018-11-25)
2018-07-26 | | HIGH | Subdomain Takeover | Fixed (2018-07-30)
2017-08-08 | | MEDIUM | Brute Force / Flood Attack | Fixed (2017-08-19)
2017-05-31 | | MEDIUM | Hyperlink Injection | Fixed (2017-08-11)
2017-06-07 | | MEDIUM | Tab URI Hijack | Fixed (2017-08-11)
2017-05-20 | | HIGH | Cross-Site Scripting (XSS) | Fixed (2017-05-23)
2017-05-17 | | MEDIUM | Information Disclosure | Fixed (2017-05-17)
2017-05-16 | | LOW | Brute Force Attack | Fixed (2017-05-16)
2017-05-10 | | MEDIUM | Hyperlink Injection | Fixed (2017-05-16)
2017-03-21 | | LOW | Cross-Site Scripting (XSS) | Fixed (2017-03-29)
2017-02-26 | | MEDIUM | Brute Force Attack | Fixed (2017-03-29)
2017-02-26 | | MEDIUM | Brute Force Attack | Fixed (2017-03-29)
2017-02-02 | | MEDIUM | Decompression Bomb | Fixed (2017-02-06)
2017-02-02 | | MEDIUM | Open Redirect | Fixed (2017-02-06)
2017-01-07 | | LOW | Subdomain Takeover | Fixed (2017-01-12)
2016-12-10 | | MEDIUM | Cross-Site Scripting (XSS) | Fixed (2017-02-06)

Date:
This is the date that the exploit was reported to Cloudsmith.
Reporter:
This is attribution to the security researcher who reported the exploit, along with a link to a profile location of their choosing. If the researcher wishes to remain anonymous, or would prefer a pseudonym to their real name, the entry is marked as such.
Severity:
The severity of an exploit (if disclosed) is determined from a combination of impact (the damage it can cause if exploited) and likelihood (how easy it is to actually perform the exploit). We follow the OWASP Risk Rating Methodology when determining this and assign a LOW, MEDIUM or HIGH severity rating.
Classification:
The classification of an exploit follows the general categories for qualifying information outlined in the Security Policy. If no category fits but the report is still determined to be qualifying information, we either add a category or use a catch-all "Other" classification. Prior to full disclosure, valid reports are listed as "Not Disclosed Yet".
Status:
This is the status of the exploit, as of the specified date.