Bug Bounty Hall of Fame
The security hall of fame is a list of security researchers who have provided qualifying exploit information for actual, tangible security risks against the Cloudsmith service itself (i.e. not third-party services). Each entry represents a separate report for a particular exploit, along with its final status, ordered by the date the exploit was reported, most recent first. A description of the fields is provided below the table.
Cloudsmith thanks the following security researchers:
Date | Reporter | Severity | Classification | Status |
---|---|---|---|---|
2022-04-05 | Jens Müller | HIGH | Remote Code Execution | Fixed (2022-04-05) |
2022-01-28 | Imran Parray | MEDIUM | Information Disclosure | Fixed (2022-01-28) |
2020-06-30 | Armanul Miraz | LOW | Clickjacking / XSS | Fixed (2020-06-30) |
2020-06-18 | Parikshit Pingle | LOW | Session Management | Fixed (2020-06-23) |
2020-06-18 | Muhammad Julfikar Hyder | LOW | Server-Side Disclosure | Fixed (2020-06-18) |
2020-05-31 | Tarun Tandon | LOW | Brute Force / Flood Attack | Fixed (2020-06-18) |
2020-05-12 | Sanket Wadje | LOW | Complexity Attack | Fixed (2020-05-12) |
2020-03-23 | Akhil MM | LOW | Cross-Site Scripting (XSS) | Fixed (2020-03-24) |
2020-02-24 | Abhilash P K | HIGH | Server-Side Request Forgery (SSRF) | Fixed (2020-02-24) |
2019-09-18 | Kunal Mhaske | LOW | Session Management | Fixed (2019-10-15) |
2018-11-24 | B.Dhiyaneshwaran | LOW | Flood Attack | Fixed (2018-11-25) |
2018-07-26 | Abdelali Khalfi | HIGH | Subdomain Takeover | Fixed (2018-07-30) |
2017-08-08 | Suyog Palav | MEDIUM | Brute Force / Flood Attack | Fixed (2017-08-19) |
2017-06-07 | Amal Jacob | MEDIUM | Tab URI Hijack | Fixed (2017-08-11) |
2017-05-31 | Amal Jacob | MEDIUM | Hyperlink Injection | Fixed (2017-08-11) |
2017-05-20 | Yaroslav Olejnik | HIGH | Cross-Site Scripting (XSS) | Fixed (2017-05-23) |
2017-05-17 | Amal Jacob | MEDIUM | Information Disclosure | Fixed (2017-05-17) |
2017-05-16 | Pethuraj M | LOW | Brute Force Attack | Fixed (2017-05-16) |
2017-05-10 | Amal Jacob | MEDIUM | Hyperlink Injection | Fixed (2017-05-16) |
2017-03-21 | Evan Ricafort | LOW | Cross-Site Scripting (XSS) | Fixed (2017-03-29) |
2017-02-26 | Amal Jacob | MEDIUM | Brute Force Attack | Fixed (2017-03-29) |
2017-02-26 | Amal Jacob | MEDIUM | Brute Force Attack | Fixed (2017-03-29) |
2017-02-02 | Nitin Goplani | MEDIUM | Decompression Bomb | Fixed (2017-02-06) |
2017-02-02 | Nitin Goplani | MEDIUM | Open Redirect | Fixed (2017-02-06) |
2017-01-07 | Harry M. Gertos | LOW | Subdomain Takeover | Fixed (2017-01-12) |
2016-12-10 | Harry M. Gertos | MEDIUM | Cross-Site Scripting (XSS) | Fixed (2017-02-06) |
Date:
This is the date that the exploit was reported to Cloudsmith.
Reporter:
This is attribution to the security researcher who reported the exploit, along with a link to the profile location of their choosing. If the researcher wishes to remain anonymous or would prefer to use a pseudonym instead of a real name, then this will be marked as such.
Severity:
The severity for an exploit (if disclosed) is determined by a combination of impact (the damage it can cause if exploited) and likelihood (how easy it is to actually perform the exploit). We follow the OWASP Risk Rating Methodology when determining this and assign a LOW, MEDIUM or HIGH severity rating.
Classification:
The classification for an exploit follows the general categories for qualifying information as outlined in the Security Policy. If no category fits but the report is still determined to be qualifying information, then we will either add an additional category or use a catch-all "Other" classification. Prior to full disclosure, valid reports will be listed as "Not Disclosed Yet".
Status:
This is the status of the exploit, as of the specified date.