A researcher reported a high-severity information disclosure and user enumeration vulnerability to the Dutch government's NCSC-NL; the issue was fixed, but the researcher received only a t-shirt as compensation instead of a meaningful bounty.
A researcher discovered an information disclosure vulnerability on a Google-acquired property by identifying an API endpoint that returned the PII (personally identifiable information) of whichever username was supplied in the request URL, without checking that the account belonged to the requester, allowing enumeration of other users' private data.
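The pattern behind the two findings above (a profile endpoint that trusts the username in the URL, and the status-code split that doubles as a user-enumeration oracle) is easier to see in code than in a summary. The following is an added example, not code from either write-up or from the affected sites; the in-memory user store, the field names and the endpoint shape are constructed for illustration, and the attacker is assumed to hold an ordinary account, `mallory`.

```python
# Added example (not from the write-ups above): a minimal profile API with the
# IDOR / user-enumeration defect described, beside a fixed handler.
# Store, users, field names and endpoint shape are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, Iterable

# Constructed user store; "mallory" is the attacker's own legitimate account.
USERS = {
    "alice":   {"email": "alice@example.test",   "phone": "+1-555-0100"},
    "bob":     {"email": "bob@example.test",     "phone": "+1-555-0101"},
    "mallory": {"email": "mallory@example.test", "phone": "+1-555-0199"},
}


@dataclass
class Response:
    status: int
    body: dict


def profile_vulnerable(session_user: str, username: str) -> Response:
    """GET /api/users/<username>: trusts the username in the URL.

    Two defects, both in the write-up: any logged-in user reads anyone's PII
    (IDOR), and the 404-vs-200 split tells an attacker which usernames exist.
    """
    user = USERS.get(username)
    if user is None:
        return Response(404, {"error": "no such user"})
    return Response(200, dict(user))


def profile_fixed(session_user: str, username: str) -> Response:
    """Same endpoint, authorised against the session rather than the URL.

    Private fields go only to their owner. "Someone else's account" and
    "no such account" get identical responses, so the endpoint is no longer
    an existence oracle.
    """
    user = USERS.get(username)
    if username != session_user or user is None:
        return Response(404, {"error": "not found"})
    return Response(200, dict(user))


Probe = Callable[[str, str], Response]


def enumerate_users(probe: Probe, session_user: str, candidates: Iterable[str]) -> set:
    """Attacker-side loop: which candidate usernames does the endpoint confirm?"""
    return {u for u in candidates if probe(session_user, u).status == 200}


def leaked_phones(probe: Probe, session_user: str, candidates: Iterable[str]) -> dict:
    """Attacker-side loop: collect every phone number the endpoint hands over."""
    out = {}
    for u in candidates:
        r = probe(session_user, u)
        if r.status == 200 and "phone" in r.body:
            out[u] = r.body["phone"]
    return out


if __name__ == "__main__":
    wordlist = ["alice", "bob", "carol", "mallory"]
    print("vulnerable:", enumerate_users(profile_vulnerable, "mallory", wordlist))
    print("fixed:     ", enumerate_users(profile_fixed, "mallory", wordlist))
```

If a product deliberately exposes public profiles, account existence is public by design and a 404 for strangers is the wrong fix; the rule that survives either way is that private fields are selected by the session identity, never by the identifier in the URL, and that whatever response strangers get does not vary with whether the account exists.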
A researcher discovered a CSRF vulnerability in a user deletion module that lacked CSRF tokens and combined it with brute-forcing of numeric user IDs to delete every user of the application. The attack bypassed X-Frame-Options and origin validation by submitting the forged requests into a hidden iframe rather than framing the target page.
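To make the mechanics above concrete: an attacker page that auto-submits one form per guessed user ID into hidden iframes, the delete handler it abuses, and a hardened handler that would have stopped it. This is an added example, not the researcher's PoC or the affected application's code; the route, field names, session layout and origins are constructed for illustration, and the per-session HMAC token is one standard synchronizer-token design, not necessarily the fix the vendor shipped.

```python
# Added example (not the researcher's PoC): the forged-request pattern described
# above (no CSRF token, guessable numeric user IDs, hidden-iframe form targets)
# beside a hardened delete handler. Route, field names, session layout and
# origins are constructed for illustration.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://app.example.test"
ATTACKER_ORIGIN = "https://evil.example.test"

# Server secret for deriving per-session CSRF tokens (assumed design).
_CSRF_KEY = secrets.token_bytes(32)

SESSIONS = {"sess-admin": {"user_id": 7, "role": "admin"}}


def fresh_user_table() -> dict:
    """Constructed user table with small sequential IDs, so they can be guessed."""
    return {1: "alice", 2: "bob", 3: "carol", 7: "site-admin"}


@dataclass
class Request:
    method: str
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


def csrf_token(session_id: str) -> str:
    """Token bound to the session; the site's own delete form embeds it."""
    return hmac.new(_CSRF_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def _admin_session(req: Request):
    sess = SESSIONS.get(req.cookies.get("session"))
    return sess if sess and sess["role"] == "admin" else None


def delete_user_vulnerable(req: Request, users: dict) -> int:
    """POST /users/delete as in the write-up: authenticated by cookie alone.
    The browser attaches the cookie to any form POST aimed at this origin, so
    an attacker's page can make the admin delete whichever user_id it names."""
    if not _admin_session(req):
        return 403
    users.pop(int(req.form.get("user_id", -1)), None)
    return 200


def delete_user_fixed(req: Request, users: dict) -> int:
    """Same route with three independent checks: method, Origin, CSRF token."""
    if not _admin_session(req):
        return 403
    if req.method != "POST":
        return 405
    # Browsers set Origin on cross-site form POSTs; reject anything foreign.
    if req.headers.get("Origin") != SITE_ORIGIN:
        return 403
    expected = csrf_token(req.cookies["session"])
    if not hmac.compare_digest(req.form.get("csrf_token", ""), expected):
        return 403
    users.pop(int(req.form.get("user_id", -1)), None)
    return 200


def attacker_page(ids) -> str:
    """One auto-submitted form per guessed ID, each targeting its own hidden
    iframe (one per form, so a later submit cannot cancel an earlier navigation).
    The target site is never framed as a page; only the POST responses land in
    the iframes. X-Frame-Options is enforced when a response is rendered in a
    frame, by which time the server has already processed the request."""
    parts = []
    for i in ids:
        parts.append(f'<iframe name="sink{i}" style="display:none"></iframe>')
        parts.append(
            f'<form method="POST" action="{SITE_ORIGIN}/users/delete" target="sink{i}">'
            f'<input type="hidden" name="user_id" value="{i}"></form>'
        )
    parts.append("<script>for (const f of document.forms) f.submit();</script>")
    return "".join(parts)


def forged_requests(ids):
    """What the victim's browser emits for attacker_page(ids): the session
    cookie is attached automatically, but Origin names the attacker's site."""
    return [Request("POST", {"session": "sess-admin"}, {"user_id": str(i)},
                    {"Origin": ATTACKER_ORIGIN}) for i in ids]


def run_attack(handler, ids=range(1, 10)) -> dict:
    """Replay the forged requests against a handler; return surviving users."""
    users = fresh_user_table()
    for req in forged_requests(ids):
        handler(req, users)
    return users


def legitimate_delete(handler, user_id: int) -> dict:
    """A real admin action from the site's own page: correct Origin and token."""
    users = fresh_user_table()
    req = Request("POST", {"session": "sess-admin"},
                  {"user_id": str(user_id), "csrf_token": csrf_token("sess-admin")},
                  {"Origin": SITE_ORIGIN})
    handler(req, users)
    return users
```

Current browsers default cookies to `SameSite=Lax`, which withholds the session cookie on a cross-site POST like this one, but that is defence in depth that an explicit `SameSite=None` cookie or an older client undoes; the token check is the control to rely on, and the Origin check catches forged requests that carry no token at all.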
A researcher discovered a stored XSS vulnerability in a cryptocurrency exchange platform by registering accounts with XSS payloads through the referral system, then leveraging predictable user IDs to create XSS notifications across all user accounts, earning 2.5 BTC for the finding.
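The finding above combines two defects: a display name that is spliced raw into a referral notification, and sequential user IDs that let the attacker address every account without a discovery step. The following added example (not the exchange's code) models that flow with an in-memory store, shows the fan-out loop, and puts the output-encoding fix beside the vulnerable renderer; the signup route, the notification text and the seed accounts are constructed for illustration.

```python
# Added example (not the exchange's code): the referral-notification flow
# described above with its injection point, a fan-out loop driven by sequential
# user IDs, and the output-encoding fix. Routes, field names and notification
# text are constructed for illustration.
import html
from typing import Callable, Optional

USERS: dict = {}          # id -> {"name": ..., "notifications": [...]}
Renderer = Callable[[str], str]


def reset_store() -> None:
    """Constructed seed: three legitimate accounts with predictable IDs 1..3."""
    USERS.clear()
    for name in ("alice", "bob", "carol"):
        USERS[len(USERS) + 1] = {"name": name, "notifications": []}


def register(name: str, referrer_id: Optional[int], render: Renderer) -> int:
    """POST /signup?ref=<id>: create the account, then notify the referrer.
    Sequential IDs are the second half of the bug: every existing account
    can be addressed by counting."""
    new_id = max(USERS, default=0) + 1
    USERS[new_id] = {"name": name, "notifications": []}
    if referrer_id in USERS:
        USERS[referrer_id]["notifications"].append(render(name))
    return new_id


def render_vulnerable(name: str) -> str:
    """Notification stored as HTML with the display name spliced in raw."""
    return f"<li>{name} signed up with your referral link</li>"


def render_fixed(name: str) -> str:
    """Same markup; the name is encoded for an HTML text context."""
    return f"<li>{html.escape(name, quote=True)} signed up with your referral link</li>"


def attack(payload: str, render: Renderer) -> int:
    """Register once per existing ID so the payload lands in every feed."""
    targets = list(USERS)
    for rid in targets:
        register(payload, rid, render)
    return len(targets)


def run_attack(payload: str, render: Renderer) -> dict:
    """Reset the store, run the fan-out, return every non-empty feed by ID."""
    reset_store()
    attack(payload, render)
    return {uid: u["notifications"] for uid, u in USERS.items() if u["notifications"]}


if __name__ == "__main__":
    payload = '<img src=x onerror="alert(document.cookie)">'
    for uid, feed in run_attack(payload, render_vulnerable).items():
        print(uid, feed[0])
    for uid, feed in run_attack(payload, render_fixed).items():
        print(uid, feed[0])
```

`html.escape` is the right encoder only for an HTML element body; a name that also lands in an attribute, a URL or a JavaScript string needs that context's encoding, and restricting display names at registration (length, character set) is a second, independent layer. Random or non-sequential IDs do not fix the XSS, but they remove the free fan-out to every account.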