Reports in the Reddit program:

| S.No | Title | Bounty |
|---|---|---|
| 1 | XSS via Mod Log Removed Posts | $6000.0 |
| 2 | Blind SSRF to internal services in matrix preview_link API | $6000.0 |
| 3 | s3 bucket takeover presented in https://github.com/reddit/rpan-studio/blob/e1782332c75ecb2f774343258ff509788feab7ce/CI/full-build-macos.sh | $5000.0 |
| 4 | Deleting all DMs on RedditGifts.com | $5000.0 |
| 5 | Able to bypass email verification and change email to any other user email | $5000.0 |
| 6 | Reflected xss in https://sh.reddit.com | $5000.0 |
| 7 | Able to approve admin approval and change effective status without adding payment details. | $5000.0 |
| 8 | Getting access of mod logs from any public or restricted subreddit with IDOR vulnerability | $5000.0 |
| 9 | RichText parser vulnerability in scheduled posts allows XSS | $5000.0 |
| 10 | [accounts.reddit.com] Redirect parameter allows for XSS | $5000.0 |
| 11 | Reddit talk promotion offers don't expire, allowing users to accept them after being demoted | $1000.0 |
| 12 | IDOR to pay less for coin purchases on oauth.reddit.com via /api/v2/gold/paypal/create_coin_purchase_order in order_id parameter | $500.0 |
| 13 | Domain Takeover of Reddit.ru via DNS Hijacking | $500.0 |
| 14 | Image queue default key of 'None' and GraphQL unhandled type exception | $500.0 |
| 15 | Regression on dest parameter sanitization doesn't check scheme/websafe destinations | $500.0 |
| 16 | No Rate Limit on redditgifts gift when Adding Comment | $100.0 |
| 17 | Weak rate limit could lead to ATO due to weak password protection mechanisms | $100.0 |
| 18 | Moderators can send messages to users from banned subreddits via oauth.reddit.com/api/mod/conversations | $100.0 |
| 19 | Unrestricted File Upload on reddit.secure.force.com | $100.0 |
| 20 | Hash-Collision Denial-of-Service Vulnerability in Markdown Parser | $0.0 |
| 21 | hardcoded api secret & api key in com.reddit.frontpage | $0.0 |
| 22 | Content Spoofing | $0.0 |
| 23 | [dubsmash] Lack of authorization checks - Update Sound Titles | $0.0 |
| 24 | No Password Length Restriction leads to Denial of Service | $0.0 |
| 25 | Email Verification Bypass And Get access to user's private invitation. | $0.0 |
| 26 | Oauth Misconfiguration Lead To Account Takeover | $0.0 |
| 27 | XSS | $0.0 |
| 28 | critical file found etc/passwd on www.reddit.com | $0.0 |
| 29 | User Account has been taken out | $0.0 |
| 30 | Vulnerability Name: URL Redirection / Unvalidated Open Redirect | $0.0 |
| 31 | Broken Authentication And Session Management | $0.0 |
| 32 | GPS metadata preserved when converting HEIF to PNG | $0.0 |
| 33 | S3 bucket Upload on studio.redditinc.com (s3-r-w.ap-east-1.amazonaws.com) | $0.0 |
| 34 | Outsider can affect Upvote Percentage of private subreddit post by calling /api/vote API | $0.0 |
| 35 | Race condition leads to Inflation of coins when bought via Google Play Store at endpoint https://oauth.reddit.com/api/v2/gold/android/verify_purchase | $0.0 |
| 36 | Third party app could steal access token as well as protected files using inAppBrowser | $0.0 |
| 37 | Content Spoofing/Text Injection at https://gateway-production.dubsmash.com | $0.0 |
| 38 | Missing rate limit in current password change settings leads to Account takeover | $0.0 |
| 39 | No Rate limit on change password leads to account takeover | $0.0 |
| 40 | [dubsmash] Long String in 'shoutout' Parameter Leading Internal server Error on Popular hashtags, Community and User Profile | $0.0 |
| 41 | com.reddit.frontpage vulnerable to Task Hijacking (aka StrandHogg Attack) | $0.0 |
| 42 | [dubsmash] Username and password bruteforce | $0.0 |
| 43 | Application level DOS at Login Page (Accepts Long Password) | $0.0 |
| 44 | registering with the same email address multiple times leads to account takeover | $0.0 |
| 45 | Regular Expression Denial of Service vulnerability | $0.0 |
| 46 | Misconfigured login page able to lock login action for any account without user interaction | $0.0 |
| 47 | Several Subdomains Takeover | $0.0 |
| 48 | CSRF (protection bypassed) to force a below 18 user into viewing an nsfw subreddit! | $0.0 |
| 49 | Open Redirect through POST Request in www.redditinc.com | $0.0 |
| 50 | Can use the Reddit android app as usual even though revoking the access of it from reddit.com | $0.0 |
| 51 | One-click account hijack for anyone using Apple sign-in with Reddit, due to response-type switch + leaking href to XSS on www.redditmedia.com | $0.0 |
| 52 | XSS in redditmedia.com can compromise data of reddit.com | $0.0 |
| 53 | Open Redirect on www.redditinc.com via failed query param | $0.0 |
| 54 | XSS Reflected on reddit.com via url path | $0.0 |
| 55 | IDOR allows an attacker to modify the links of any user | $0.0 |
| 56 | Open Redirect on www.redditinc.com via failed query param bypass after fixed bug #1257753 | $0.0 |
| 57 | api keys leaked | $0.0 |
| 58 | sensitive data exposure | $0.0 |
| 59 | Admin can create a hidden admin account which even the owner can not detect and remove and do administrative actions on the application. | $0.0 |
| 60 | No rate limit leads to spamming post | $0.0 |
| 61 | Huge amount of Subdomains Takeovers at Reddit.com | $0.0 |
| 62 | Reflected XSS via File Upload | $0.0 |
| 63 | CVE-2020-11022 | $0.0 |
| 64 | oauth misconfiguration lead to account takeover | $0.0 |
| 65 | read and message other user's messages | $0.0 |
| 66 | HTML injection in API response including request url | $0.0 |
| 67 | Broken links make users from France unable to understand the allowed content policy | $0.0 |
| 68 | Rate limit is implemented in Reddit, but it's not working. | $0.0 |
| 69 | Information Disclosure due to Use of Hard-coded Cryptographic Key | $0.0 |
| 70 | IDOR lets a malicious user reveal the unpinned achievement badges of any Reddit user | $0.0 |