Bug Bounty Hall of Fame

The security hall of fame represents a list of security researchers who have provided qualifying exploit information for actual, tangible security risks against the Cloudsmith service itself (i.e. not third-party services). Each entry represents a separate report for a particular exploit, along with its final status, ordered by the date the exploit was reported, in reverse chronological order. A description of the fields is provided below the table.

Cloudsmith thanks the following security researchers:

| Date       | Reporter                | Severity | Classification                     | Status             |
|------------|-------------------------|----------|------------------------------------|--------------------|
| 2024-11-06 | Michal Guszpit          | MEDIUM   | OIDC Token Claim Validation        | Fixed (2024-11-06) |
| 2024-10-07 | Luca4Bounty             | MEDIUM   | Cross-Site Scripting (XSS)         | Fixed (2024-10-09) |
| 2022-04-05 | Jens Müller             | HIGH     | Remote Code Execution              | Fixed (2022-04-05) |
| 2022-01-28 | Imran Parray            | MEDIUM   | Information Disclosure             | Fixed (2022-01-28) |
| 2020-06-30 | Armanul Miraz           | LOW      | Clickjacking / XSS                 | Fixed (2020-06-30) |
| 2020-06-18 | Parikshit Pingle        | LOW      | Session Management                 | Fixed (2020-06-23) |
| 2020-06-18 | Muhammad Julfikar Hyder | LOW      | Server-Side Disclosure             | Fixed (2020-06-18) |
| 2020-05-31 | Tarun Tandon            | LOW      | Brute Force / Flood Attack         | Fixed (2020-06-18) |
| 2020-05-12 | Sanket Wadje            | LOW      | Complexity Attack                  | Fixed (2020-05-12) |
| 2020-03-23 | Akhil MM                | LOW      | Cross-Site Scripting (XSS)         | Fixed (2020-03-24) |
| 2020-02-24 | Abhilash P K            | HIGH     | Server-Side Request Forgery (SSRF) | Fixed (2020-02-24) |
| 2019-09-18 | Kunal Mhaske            | LOW      | Session Management                 | Fixed (2019-10-15) |
| 2018-11-24 | B.Dhiyaneshwaran        | LOW      | Flood Attack                       | Fixed (2018-11-25) |
| 2018-07-26 | Abdelali Khalfi         | HIGH     | Subdomain Takeover                 | Fixed (2018-07-30) |
| 2017-08-08 | Suyog Palav             | MEDIUM   | Brute Force / Flood Attack         | Fixed (2017-08-19) |
| 2017-05-31 | Amal Jacob              | MEDIUM   | Hyperlink Injection                | Fixed (2017-08-11) |
| 2017-06-07 | Amal Jacob              | MEDIUM   | Tab URI Hijack                     | Fixed (2017-08-11) |
| 2017-05-20 | Yaroslav Olejnik        | HIGH     | Cross-Site Scripting (XSS)         | Fixed (2017-05-23) |
| 2017-05-17 | Amal Jacob              | MEDIUM   | Information Disclosure             | Fixed (2017-05-17) |
| 2017-05-16 | Pethuraj M              | LOW      | Brute Force Attack                 | Fixed (2017-05-16) |
| 2017-05-10 | Amal Jacob              | MEDIUM   | Hyperlink Injection                | Fixed (2017-05-16) |
| 2017-03-21 | Evan Ricafort           | LOW      | Cross-Site Scripting (XSS)         | Fixed (2017-03-29) |
| 2017-02-26 | Amal Jacob              | MEDIUM   | Brute Force Attack                 | Fixed (2017-03-29) |
| 2017-02-26 | Amal Jacob              | MEDIUM   | Brute Force Attack                 | Fixed (2017-03-29) |
| 2017-02-02 | Nitin Goplani           | MEDIUM   | Decompression Bomb                 | Fixed (2017-02-06) |
| 2017-02-02 | Nitin Goplani           | MEDIUM   | Open Redirect                      | Fixed (2017-02-06) |
| 2017-01-07 | Harry M. Gertos         | LOW      | Subdomain Takeover                 | Fixed (2017-01-12) |
| 2016-12-10 | Harry M. Gertos         | MEDIUM   | Cross-Site Scripting (XSS)         | Fixed (2017-02-06) |

Date:

This is the date that the exploit was reported to Cloudsmith.

Reporter:

This is attribution to the security researcher who reported the exploit, along with a link to the profile location of their choosing. If the researcher wishes to remain anonymous or would prefer to use a pseudonym instead of a real name, then this will be marked as such.

Severity:

The severity for an exploit (if disclosed) will be determined based on a combination of impact (the damage it can cause if exploited) and likelihood (how easy it is to actually perform the exploit). We will follow the OWASP Risk Rating Methodology when determining this and will assign a LOW, MEDIUM or HIGH severity rating.

Classification:

The classification for an exploit will follow the general categories for qualifying information as outlined in the Security Policy. If the category doesn't fit but the report is still determined to be qualifying information, then we will either add an additional category or use a catch-all "Other" classification. Prior to full disclosure, valid reports will be listed as "Not Disclosed Yet".

Status:

This is the status of the exploit, as of the specified date.
