Reports in the Exness program:

S.No  Title  Bounty
1  SSRF in graphQL query (pwapi.ex2b.com)  $3000.0
2  Verification process done using different documents without corresponding to user information / User information can be changed after verification  $500.0
3  [com.exness.android.pa Android] Universal XSS in webview. Lead to steal user cookies  $400.0
4  CRLF Injection - Http Response Splitting  $200.0
5  Taking position in a discontinued forex pair without executing any trades  $0.0
6  Access control vulnerability (read-only)  $0.0
7  Access control vulnerability (read/write)  $0.0
8  Access control vulnerability (read/write)  $0.0
9  Improper Implementation of SDK Allows Universal XSS in Webview Leading to Account Takeover  $0.0
10  subdomain takeover at odoo-staging.exness.io  $0.0
11  IDOR in Stats API Endpoint Allows Viewing Equity or Net Profit of Any MT Account  $0.0
12  Double forward slash breaks server-side restrictions & allows access to prohibited services from a partner account  $0.0
13  Blind SSRF on https://my.exnessaffiliates.com/ allows for internal network enumeration  $0.0
14  Unrestricted Access to Celery Flower Instance  $0.0