# Pushwoosh Vulnerability Monitoring

Penetration testers are welcome!

Page created 2016-05-13 (readme.io "Getting Started" category, slug `pushwoosh-vulnerability-monitoring`).

![bugbounty4_gif.gif](https://files.readme.io/n6l6n6nZSze2MsNYpe5c_bugbounty4_gif.gif)

Become a hero and shine in our Hall of Fame! We greatly appreciate the input of volunteer testers who find valid vulnerabilities (subject to the rules and terms of participation). **If you've discovered** a Push-related problem, bug or vulnerability, please don’t share it publicly – instead, let us know a.s.a.p. via the **[Contact Us](https://www.pushwoosh.com/contact-us/)** form on our website or via **[Hackerone](https://hackerone.com/pushwoosh)**. We’ll ping you back with a confirmation and a ton of kudos. So far our program offers only non-monetary rewards. **We're trying to respond as fast as we can, but in some cases it may take us up to 14 days to process a new report.**

## Sending a bug report

Only original, previously unreported bugs will be taken into account. Please submit one issue per ticket.
What should be included in your report:

* Detailed instructions for reproducing the particular bug
* Ways to (potentially) exploit this vulnerability

Much appreciated:

* Screenshot or video with an exploit demonstration

## Targets

> **The target host for this bounty is:** **go.pushwoosh.com**

> **The following do not qualify for the program:** **pushwoosh.com**, **docs.pushwoosh.com**, **community.pushwoosh.com** and any other subdomains are specifically excluded from this bounty.

## API Information and Documentation

[Pushwoosh Docs](https://docs.pushwoosh.com)

## Creating the account

Use the **pentester_anyCharacters@any.domain** email alias when signing up for pushwoosh.com accounts that will be used to participate in this bounty.

Accounts not following these rules will be suspended without warning.

## The following will not qualify for the bounty program:

* Any kind of brute force
* Disclosure of known public files or directories (e.g. robots.txt)
* DDoS
* Password policy
* Any CSRF
* Open redirect
* Missing cookie secure flag
* DNSSEC not configured
* [Missing SPF DNS record](http://www.openspf.org/FAQ/Common_mistakes#all-domains)
* Clickjacking
* Any kind of HTML injection on Rich Media
* Missing HTTP security headers, specifically those listed at https://www.owasp.org/index.php/List_of_useful_HTTP_headers
* Any CSV Macro Injection (https://www.owasp.org/index.php/CSV_Excel_Macro_Injection)
* Reports from security scanners and other automatic systems
* Vulnerability reports based solely on the software version / protocol without a valid proof of concept
* Issues with Zendesk widgets and Intercom widgets

## Pushwoosh Responsible Disclosure Policy

In the best interest of our customers and Internet users worldwide, we ask that you follow the guidelines of responsible disclosure:

* Do not publicly disclose any part of a vulnerability, or the full vulnerability, until we have had a chance to investigate and address it.
* Do allow us a reasonable timeframe of 90 days to respond to you and address the vulnerability before making any information public.

## Our thanks to you

Pushwoosh greatly appreciates the efforts of those security researchers who identify vulnerabilities and work with us to ensure that we can develop a fix and issue it to all our users. We thank you for going out of your way to help us minimize the risk to our users as well as help us in our vision to improve the overall security of our products.
## The list of our beloved security researchers

| Researcher | Vulnerability | Report date (DD.MM.YYYY) |
|---|---|---|
| [Ashutosh Kumar](https://www.cyberpeacefoundation.org/) | XSS in autopushes | 05.01.2016 |
| [Nikita Arykov](https://github.com/Falldi) | Self-XSS at Push send form | 16.05.2016 |
| [FaisaL Ahmed](https://hackerone.com/faisalahmed) | Stored XSS at Filter name | 26.05.2016 |
| [FaisaL Ahmed](https://hackerone.com/faisalahmed) | Password recovery weakness | 26.05.2016 |
| [Rojan Rijal](https://www.facebook.com/rojan.rijal.75) | Self-XSS at session info message | 26.05.2016 |
| [Aaron Devaney](https://twitter.com/dodekeract) | Public access of config via Vim swap file | 27.05.2016 |
| [Makwana kalpesh](https://twitter.com/makwanakalpesh2) | Security vulnerability | 31.05.2016 |
| [Peter](https://hackerone.com/peter-676) | Password recovery weakness | 31.05.2016 |
| [Peter](https://hackerone.com/peter-676) | Password reset threshold | 31.05.2016 |
| [Peter](https://hackerone.com/peter-676) | Web application sessions limitation threshold | 31.05.2016 |
| [Aworunse Matthew Temmy](https://www.facebook.com/aaworunse) | Database remote access with full permissions | 31.05.2016 |
| [Roman Solomakha](https://github.com/roman-solomaha) | Local File Inclusion | 31.05.2016 |
| [Joel Noguera](https://hackerone.com/niemand) | HTTP Response Splitting | 31.05.2016 |
| [Aworunse Matthew Temmy](https://www.facebook.com/aaworunse) | [Sensitive data leaking via HTTP Referer header](http://bugbountypoc.com/pushwoosh-sensitive-information-leakage/) | 31.05.2016 |
| [Makwana kalpesh](https://twitter.com/makwanakalpesh2) | Security vulnerability | 31.05.2016 |
| [Hussain Adnan](https://hackerone.com/hussain) | Stored XSS at Rich Media | 02.06.2016 |
| [Shuaib Oladigbolu](http://facebook.com/sawzeeyy) | Password recovery information disclosure | 04.06.2016 |
| [Shuaib Oladigbolu](http://facebook.com/sawzeeyy) | Multiple password request vulnerability | 04.06.2016 |
| [scorppy](https://hackerone.com/scorppy) | XSS via POST request | 09.06.2016 |
| [bughunterboy](https://hackerone.com/bughunterboy) | Software version disclosure | 15.06.2016 |
| [Ashish Pathak](http://ashishpathaksec.blogspot.ru/) | DoS with large password lengths | 15.06.2016 |
| [popeax](https://hackerone.com/popeax) | Unauthorized access: ability to remove Filters of any other customer | 16.06.2016 |
| [popeax](https://hackerone.com/popeax) | HTTP response splitting via Content-type header | 17.06.2016 |
| [Business Protest GR](https://hackerone.com/businessprotect) | Bypass of blacklist email validation on user registration form | 20.06.2016 |
| [Seth Long](https://hackerone.com/megocode3) | Ability to see push notification details of all customers | 21.06.2016 |
| [Mustafa Hasan](https://hackerone.com/strukt) | Stored XSS at Application name | 23.06.2016 |
| [Mustafa Hasan](https://hackerone.com/strukt) | Stored XSS at iBeacon UUID | 23.06.2016 |
| [Muhammad Hammad](https://www.facebook.com/muhammad.hammad.33483) | Session Takeover | 27.06.2016 |
| [Mohit Rawat](https://www.linkedin.com/in/mohitrawat08) | Privilege Escalation vulnerability | 27.06.2016 |
| [Uttam Soren](http://uttamsoren.com/) | Ability to log out all sub-accounts when one sub-account is deleted | 03.07.2016 |
| [Ronni Skansing](https://www.linkedin.com/in/ronni-skansing-36143b65) | Email spam via user invites | 12.07.2016 |
| [Shuaib Oladigbolu](http://facebook.com/sawzeeyy) | Host Header Injection | 31.07.2016 |
| [Anas Laabab](https://www.facebook.com/l44b4b.4n4s) | XSS in Rich Media | 13.08.2016 |
| [Alec Blance](https://www.facebook.com/alec.blance) | Information Disclosure and broken authentication | 20.08.2016 |
| [Robin Divino](https://twitter.com/japzkulotzkie) | Email Spoofing | 14.11.2016 |
| [Robin Divino](https://twitter.com/japzkulotzkie) | Nginx server version disclosure | 14.11.2016 |
| [Robin Divino](https://twitter.com/japzkulotzkie) | .htaccess file is accessible | 14.11.2016 |
| [abc](https://hackerone.com/abc12345) | Unsecured Grafana instance | 15.11.2016 |
| [Dk](https://hackerone.com/dkd) | Permission Issue | 15.11.2016 |
| [Ameer Pornillos](https://twitter.com/ameerpornillos) | Password Bug | 15.11.2016 |
| [Nguyen 'Tsu' Nguyen](https://www.facebook.com/Tom.TsuG0d) | User Enumeration on resetPassword link | 15.11.2016 |
| [Mansi Kothari](https://hackerone.com/kothari) | Password Change Issue | 15.11.2016 |
| [Dk](https://hackerone.com/dkd) | Permission Issue [2] | 15.11.2016 |
| [Ameer Pornillos](https://twitter.com/ameerpornillos) | Administrator Access To RabbitMQ | 16.11.2016 |
| [Robin Divino](https://twitter.com/japzkulotzkie) | Nginx version disclosure | 18.11.2016 |
| [whitesector](https://hackerone.com/whitesector) | XSS in autopushes | 19.11.2016 |
| [Mustafa Hasan](https://hackerone.com/strukt) | Filename XSS | 19.11.2016 |
| [evez](https://hackerone.com/eveez) | Send invite issue | 14.11.2016 |
| [dem0n](https://hackerone.com/dem0n) | Spam issues | 14.11.2016 |
| [Yashar Shahinzadeh](https://twitter.com/yshahinzadeh) | Email spam via invites | 14.11.2016 |
| [vishwaraj](https://vishwarajbhattrai.wordpress.com/) | Email spam via invites | 14.11.2016 |
| [Mustafa Eg](https://hackerone.com/flashdisk) | No limit on sending invites | 18.11.2016 |
| [cyriac](https://hackerone.com/cyriac) | No limit on sending invites | 16.11.2016 |
| [cyriac](https://hackerone.com/cyriac) | App name and subscribers count access | 22.11.2016 |
| [Mahmoud Barakat](https://hackerone.com/barakat) | XSS in Platform Settings | 14.12.2016 |
| Ahmad Shuja | Nginx administrator page disclosure | 17.12.2016 |
| [Nikita Arykov](https://github.com/Falldi) | Clickjacking | 23.01.2017 |
| [Jhack rubz](https://hackerone.com/haxor_kids) | Clickjacking | 03.02.2017 |
| [Saad](https://www.facebook.com/saadullah21) | Account takeover | 14.02.2017 |
| [Mohammed Abdul Raheem](https://hackerone.com/mohdaltaf163) | Clickjacking | 22.06.2017 |