Sunday 28 December 2014

Private Bug Bounty Programs 2015






Bug Bounty (wikipedia)
A bug bounty program is a deal offered by many website and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to exploits and vulnerabilities.







Bug Bounty Guide:
  1. Learn and study all the common attack types, such as XSS, SQL Injection, RFI, LFI and others. Remember that hacking and vulnerability assessment are not the same thing. To be a good bug bounty hunter you must know how a vulnerability arises and what mistake in the code produces it. This helps you work out where vulnerabilities are likely to exist.
  2. Find out which companies or websites run a bug bounty program. Searching Google will give you a list of them, e.g. Bug Bounty Program websites.
  3. Relying on vulnerability assessment tools or vulnerability scanners is not a good way to become a good bug bounty hunter. You should use your brain, not software.
  4. If your target is a big website, try to find its subdomains; it is easier to carry out a vulnerability assessment over them. But first read the program's terms and conditions to check whether subdomains are allowed in the bug bounty or not.
  5. After your vulnerability assessment, write a detailed report with a POC for the vulnerabilities you have found. The report must state what kind of vulnerability it is and what the negative impact would be if it were found by a malicious hacker.
  6. After submitting your report, wait for the reply. Disclosing the vulnerability before they reply is not good for your reputation.

Thanks for reading this article. If you need any information, feel free to comment below.



Friday 26 December 2014

How to Hack WPA/WPA2 WIFI Passwords in 3 Steps [2014/2015 , pin ]




How to Hack/Crack Wifi Password?

One useful method of Wi-Fi cracking is covered here. Today you will learn how to crack a Wi-Fi password through WPS (Push Button):
you will learn to crack a WPA / WPA2 protected Wi-Fi password on a network which has WPS (Push Button) enabled.

What is Reaver?
Reaver is Linux-based software which brute-forces the WPS PIN on routers which have WPS / Push Button enabled. It comes preloaded with Kali Linux OS.

What is Push Button or WPS?
WPS / Push Button is an option that comes with many routers / modems: when connecting to a network you can avoid entering a password and simply connect by pressing a button on your modem / router.

What You Will Need To Perform This Attack ?


  • WPS ( Push Button ) Enabled WIFI Network in Range 
  • Wireless Adapter 
  • Kali Linux OS 

Get Started 

Start Your Kali Linux OS and open terminal

1. Turn on your monitor interface by typing the command below
airmon-ng start wlan0


2. Check whether there is any WPS-enabled Wi-Fi in your range.
To check for WPS-enabled networks we will use the wash command. Type the command below and it will list all networks which have WPS enabled.

wash -i mon0 -C
This displays all networks which have WPS enabled. Choose a network with a strong signal and copy its BSSID.

3. Start cracking by typing the command below

 reaver -i mon0 -b BSSID -vv



In the command " reaver -i mon0 -b BSSID -vv ", replace BSSID with the BSSID you copied in the step above, then wait. This needs a lot of time, even 3-5 hours, depending on the router's PIN code, which reaver brute-forces; if the PIN matches, it will crack the password and display it.



How can you protect yourself from this attack?

As a security researcher, my opinion is that for security reasons you should just disable the WPS option on the device; or, if you really want to enable it, create a hard custom PIN, as many routers come with a default PIN code which reaver can easily crack.

Note: this is for educational purposes only, so don't use it for harmful work.
We are not responsible for anything.







Sunday 14 December 2014

Logout Cross site Request Forgery CSRF Vulnerability [worth bug 250$ ]



CSRF LOGOUT IMPACT :


You should protect your logout mechanism against CSRF. At first it seems that all an attacker can do is log the user out, which would be annoying at worst. However, if you combine this with a phishing attack, the attacker may be able to entice the victim to log in again using the attacker's own form and then capture the credentials. The scenario is far-fetched, but protecting against this sort of attack costs little.



LOGOUT CSRF POC :





Overview:

Hello, this is Abdul Haq Khokhar. I am an independent security researcher and I recently found a vulnerability in a website (private program) on hackerone.com. I don't want to disclose the website because my report is still Triaged (12-12-2014) and the security team is fixing it now.

Well, the vulnerability was really simple, as shown in the POC screenshot below. I was testing for this vulnerability for the first time, so I tried it on this website and got a shocking response from the website.


BUG : Logout CSRF (Cross-Site Request Forgery)


POC Code :
Already shown in POC Screenshot above .

Reporter : Abdul Haq Khokhar

After Reading the Response from Security team :

Reward :
250$





I hope you enjoyed this article, and hopefully you guys will try this bug on other websites too :-D

             

“Let him who would enjoy a good future waste none of his present.”
Roger Babson


How to find Vulnerability in Website [2015,tools,top10 bugs]



How to Find Vulnerable Websites :

Website security is a major problem today and should be a priority for any organization or webmaster. Nowadays hackers concentrate a lot of their effort on finding holes in web applications. If you own a website with a high page rank and high traffic, there is a chance that you might become a victim of these hackers. A few years back there were no proper tools to search for vulnerabilities, but nowadays there are tons of tools available through which even a newbie can find a vulnerable site and start hacking.



General Methods Used for Website Hacking:

There are many methods that can be used to hack a website, but the most general and common ones are as follows:
1. SQL Injection
2. XSS (Cross Site Scripting)
3. Remote File Inclusion (RFI)
4. Directory Traversal attack
5. Local File Inclusion (LFI)
6. DDoS attack



Tools commonly used to find a vulnerability in a website:



Acunetix:

Acunetix is the best tool for finding vulnerabilities; I use it myself for many purposes. It is one of my favorite tools for finding a vulnerability in any web application. It automatically checks your web applications for SQL Injection, XSS and other web vulnerabilities.








Nessus:

Nessus is the best Unix vulnerability testing tool and among the best to run on Windows. Key features of this software include remote and local file security checks, a client/server architecture with a GTK graphical interface, etc.




Download Here :

Download Nessus from the link below :
http://www.nessus.org/download


Metasploit Framework :
The Metasploit Framework is the open source penetration testing framework with the world's largest database of public and tested exploits.

Download Metasploit (for Windows users) from the link below
http://www.metasploit.com/releases/framework-3.2.exe


Download Metasploit (for Linux users) from the link below
http://www.metasploit.com/releases/framework-3.2.tar.gz



Thanks for reading, and do comment if you want any help.

Wednesday 3 December 2014

Full path disclosure at ads.twitter.com [Vulnerability , Reward 140$]



Vulnerability found in ads.twitter.com
Recently an independent security researcher found a vulnerability in Twitter. It was a really simple vulnerability, but we can say it's all about eagle eyes.

Twitter Vulnerability Description:
I noticed a small information disclosure (full path disclosure) on ads.twitter.com.




Steps to Reproduce the Vulnerability/Bug:


  1. Log in to ads.twitter.com
  2. Start to create a new twitter-follower campaign
  3. Choose to upload a new picture
  4. Turn on your intercepting proxy
  5. Upload a file
  6. You should notice a request to your log facility.


GET /accounts/18ce53wparq/log?v=0.9&u=https%3A%2F%2Fads.twitter.com%2Faccounts%2Fxxxx%2Fcampaigns%2Fnew_objective%2Ffollowers%3Fsource%3Dobjective_picker&rt.start=cookie&r=https%3A%2F%2Fads.twitter.com%2Faccounts%2Fxxxxx%2Fcampaigns%2Fnew&timers=&events=ads%3Afollowers%3Acreative%3A%3A%3Aenter HTTP/1.1
Host: ads.twitter.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://ads.twitter.com/accounts/xxxxx/campaigns/new_objective/followers?source=objective_picker
Cookie: [COOKIES]
Connection: keep-alive


The response will contain something like this:

x-sendfile: /var/lib/mesos/slaves/201403042312-2230002186-5050-50082-705/frameworks/201104070004-0000002563-0000/executors/thermos-1409696851527-revenue_web-prod-ads-36-d76baad3-5634-4141-ab52-478be9ecab97/runs/e09cc5ea-77f8-4729-afd1-0045b2a772c5/sandbox/app/assets/images/blank.gif


More Info :

As you can see, this discloses a full path to a resource. This information could be used in further attack scenarios like LFI or RCE. 
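
A defender-side check for the leak described above, as an added example that is not part of the original report: it flags response headers that should have been consumed by the front-end server (such as x-sendfile) or that carry an absolute filesystem path. The header lists, the path pattern and the sample response are assumptions constructed for illustration.

```python
import re

# Headers a front-end server is meant to consume; they should not reach clients.
INTERNAL_HEADERS = {"x-sendfile", "x-accel-redirect", "x-lighttpd-send-file"}
# Headers that legitimately carry URL paths, skipped to avoid false positives.
URL_HEADERS = {"location", "content-location", "link", "refresh", "set-cookie"}
# An absolute Unix or Windows filesystem path inside a header value.
PATH_RE = re.compile(
    r"(?:^|[\s=\"'])((?:/(?:var|home|srv|opt|usr|etc|tmp|mnt)/|[A-Za-z]:\\)[^\s\"';,]+)")

SAMPLE_RESPONSE = (            # constructed response, not the one from the report
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: image/gif\r\n"
    "X-Sendfile: /var/lib/example/sandbox/app/assets/images/blank.gif\r\n"
    "X-Debug-Info: template=/srv/app/views/log.erb\r\n"
    "Content-Location: /home/index.html\r\n"
    "\r\n")

def parse_headers(raw):
    """Return the (name, value) pairs from the head of a raw HTTP response."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    pairs = []
    for line in head.split("\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs

def find_path_leaks(raw):
    """List (header, reason, leaked value) findings for one response."""
    findings = []
    for name, value in parse_headers(raw):
        key = name.lower()
        if key in INTERNAL_HEADERS:
            findings.append((name, "internal header exposed", value))
        elif key not in URL_HEADERS:
            match = PATH_RE.search(value)
            if match:
                findings.append((name, "filesystem path in value", match.group(1)))
    return findings

def strip_internal_headers(pairs):
    """What the edge proxy should do before a response leaves the site."""
    return [(n, v) for n, v in pairs if n.lower() not in INTERNAL_HEADERS]
```

Running find_path_leaks over responses captured from your own application in staging shows which routes hand internal paths to clients.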



Thanks.




Tuesday 25 November 2014

Send friend request from their own accounts[Make a Friend Troll]


Introduction About this App

I can say this is a Facebook bug of 2015, because you are able to send a friend request to yourself, and you can imagine your reaction when you get a friend request from yourself through a suggestion.


How to Troll one of your friends:


Follow These Steps:

1) Copy your friend's account URL from the browser
Example : https://www.facebook.com/Name.To.Pta.Hoga

2) Paste the URL in the input field

3) Click "Troll One Friend"



Here is the proof, and the reactions when people got their own friend request:







Another Proof :







Sunday 23 November 2014

Break privacy on facebook | Three steps to break Facebook DP Privacy 2015



 

How to Extract the Facebook DP ?




Introduction


OryxSolutions Software House developed a useful app, Facebook DP Extractor, for accessing any person's Facebook DP, so anyone can see the display picture. You just have to follow some easy steps and leave the rest of the work to us.



3 Simple Steps to Break a Facebook Privacy :

How it Works:

 

step 1:

Open your Target Profile in Facebook




step 2:

Copy Link from the address bar .




step 3:

Paste it here and click on fetch dp [Revealer]
Here is the link : http://www.dp.theoryxlabs.com/





Finally Done :

Your Facebook DP fetched.







About Developer

Osama Tauseef Alam

 Working in Oryx Solutions for almost one year.
Facebook Page : DP Extractor





Friday 21 November 2014

How to Takeover the Account by Simple Trick[Bug,csrf Protection]


Vulnerability type
 Insecure Direct Object Reference

How to Takeover the Account Via Simple Trick :

A researcher found an account takeover vulnerability in a private website, and you can consider that researcher to be me. So let me start with how to take over the account in a simple way. I was testing the website and got to an account editing page, so as always I tried to find a CSRF vulnerability, and after some hard work I bypassed their CSRF protection mechanism by deleting the authenticity_token= value from the editing request! But wait, what is it?



 After lots of hard work I looked at the edit page. By changing the value in id=edit_account_<victim_id> I was able to change the victim's details and was also able to delete the account from the website.

 


 

 

Vulnerability Fixed : Within 2 days the "secret" website fixed the bug! But maybe I should check it again!

OMG! They plugged in some internal protection, but they didn't change anything in the POST request's functionality!


So let's try for a second time :D !





Maybe I should try changing the parameter's value from id=<edit_account_victim_id> to id=<victim_id>

Done, so I bypassed the website's mechanism a second time too :) !

 
 

 
They rewarded me some more bounty ! 
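
The two server-side checks missing in this write-up, together with the token check the logout CSRF post above calls for, as an added example that is not code from the affected site or from the original posts. edit_vulnerable is an assumed model of the behaviour described (check skipped when the token value is deleted, id trusted) and handle is a hardened counterpart; the routes, ACCOUNTS, SERVER_KEY and all sample values are constructed for illustration.

```python
import hashlib
import hmac
import re

SERVER_KEY = b"constructed-demo-key"   # constructed; a real key is random and secret
ACCOUNTS = {"101": {"email": "alice@example.test"},   # constructed sample accounts
            "202": {"email": "bob@example.test"}}
ID_RE = re.compile(r"(?:edit_account_)?([0-9]+)")      # both id spellings from the post

def issue_token(sid):
    """CSRF token bound to one session id."""
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()

def edit_vulnerable(session, form):
    """Assumed model of the flaw: empty token skips the check, id is trusted."""
    token = form.get("authenticity_token")
    if token and token != issue_token(session["sid"]):
        return 403
    target = ID_RE.fullmatch(form["id"]).group(1)
    ACCOUNTS[target]["email"] = form["email"]          # no ownership check
    return 200

def token_ok(session, form):
    """A missing or empty token fails; it is never 'nothing to verify'."""
    supplied = (form.get("authenticity_token") or "").encode()
    expected = issue_token(session["sid"]).encode()
    return bool(supplied) and hmac.compare_digest(supplied, expected)

def handle(method, path, session, form):
    """Hardened handler for the state-changing routes /logout and /account/edit."""
    if method != "POST":
        return 405                                     # no state change over GET
    if not token_ok(session, form):
        return 403
    if path == "/logout":
        session.clear()
        return 200
    if path == "/account/edit":
        match = ID_RE.fullmatch(form.get("id", ""))
        if match is None:
            return 400
        # Whatever the spelling, the id must be the logged-in user's own.
        if match.group(1) != session["user_id"]:
            return 403
        ACCOUNTS[match.group(1)]["email"] = form["email"]
        return 200
    return 404
```

Because the ownership check compares the normalised id with the session's user, a fix applied to one spelling of the parameter cannot be sidestepped by the other.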

 
 
 
If you have any questions, feel free to ask in the comments.


 
 
 
 

Wednesday 19 November 2014

Sql Injection Vulnerability Found by Security Researcher in MyBB [tamperdata,test,examples]



First of all, what is SQL injection?

SQL injection is a kind of security exploit in which the attacker adds Structured Query Language (SQL) code to a web form input box to gain access to resources or make changes to data. There are many SQL injection tutorials on the Internet, as well as SQL injection examples. A SQL query is a request for some action to be performed on a database. Typically, on a web form for user authentication, when a user enters their name and password into the text boxes provided for them, those values are inserted into a SELECT query. If the values entered are found as expected, the user is allowed access; if they aren't found, access is denied. However, most web forms have no mechanisms in place to block input other than names and passwords. Unless such precautions are taken, an attacker can use the input boxes to send their own request to the database, which could allow them to download the entire database or interact with it in other illicit ways.

SQL injection cheat sheet :
If you want to learn advanced SQL injection, click here for the cheat sheet.

Mybb 1.8.x SQL Injection Vulnerability POC by MakMan:

Title:
MyBB 1.8.X to 1.8.1 Error based SQL Injection

Exploit URL and POC :
http://pastie.org/private/qqgmvkyn758abfiyutje3q

Date : 2014-11-15
Google Dork : intext:Powered By MyBB
# Version: 1.8.X
# Tested on: Linux / Python 2.7
# Status : Patched in MyBB 1.8.2
# Author : MakMan -- facebook.com/hackticlabs

   

Here is the POC Video For the SQL Injection Vulnerability :






Mybb 1.8.x SQL Injection POC by MakMan from Mukarram Khalid on Vimeo.


If you have any questions about this vulnerability or anything else, please feel free to comment below.



Monday 10 November 2014

how to verify paypal without bank account 2015




Verify Paypal with bank account [in India]

 

 

Introduction:
We all know that it is very hard to get a credit card in India, as it requires so many formalities. So today we are going to see how to verify a PayPal account by linking and confirming a bank account, without the need for a credit card. Follow this simple step-by-step procedure to verify a PayPal account with your bank account in India.


Steps For Verified Paypal :

1) Log in to PayPal and click on the "Get verified" link shown in Status.

2) Click on the Link My Bank Account button.

3) Enter your Name, Bank name, IFSC code (the bank's unique code; get it from your bank or at http://bankifsccode.com/) and Account number, and click Continue.

4) Now verify those details and click on Add Bank Account.

5) PayPal will then send 2 small deposits to your bank account in 4-6 days. Then log in to your PayPal account and click on the Confirm bank account link.

6) Enter those two amounts and click on the "Confirm" button.

 

 

That's all. Your account will be verified.

 


Wednesday 29 October 2014

Open ssl security issue(vulnerabilities,ssl v 3 encryption,bug report) #3

 

Poodle Bleed Vulnerability Found in Relateiq.com

 

 

Poodlebleed Issue POC Report :

This vulnerability was found by mtk.


What is Poodle Bleed Vulnerability in website?

Ans : A vulnerability in SSL 3.0/ssl v3/ssl v 3 (commonly known as Poodlebleed) could allow information disclosure.  This is an industry-wide vulnerability affecting the SSL 3.0 protocol itself and it is not specific to the Windows operating system or PlateSpin products or . PlateSpin servers leverage Microsoft IIS, which implements the SSL 3.0 protocol.


How to test your own website?

Ans : Go to Poodlebleed.com and test your own website. If there is any vulnerability, fix it as soon as possible.



The question is how to fix this SSL v3 vulnerability, so here is the way:


How to disable SSLv3 in web browsers? The answer is below.

Firefox
  • Install the Mozilla add-on called “SSL Version Control”
Or
  • Type about:config into the navigation bar and press [Enter]
  • Accept the warning and proceed
  • Search for tls
  • Change the value of security.tls.version.min from 0 to 1 (0 = SSL 3.0; 1 = TLS 1.0)
Chrome
  • Upgrade to the latest version of Chrome
Or
  • Run Chrome with the following command-line flag: --ssl-version-min=tls1
Internet Explorer
  • Go to Settings -> Internet Options -> Advanced Tab -> Uncheck "SSLv3" under "Security".


If you want to ask any question, feel free to comment.


Wednesday 15 October 2014

Bug bounty program websites List for ethical hackers


What is a Bug Bounty Program for penetration testing websites?

Bug bounty programs are offered by many famous and private websites (static and dynamic) and software developers. Through them, individuals can receive recognition and compensation for reporting bugs: security researchers come to the website for penetration testing and then report ethically.



What is an Ethical Hacker?

There are four types of hackers:


WhiteHats : ethical hackers, security researchers, penetration testers.

BlackHats : negative. If BlackHats find a vulnerability, they will go for an exploit rather than an ethical report.
GrayHats : the power of two. They are both positive and negative; it depends on the situation.
Anonymous : work only for patriotism.



Bug Bounty Program  / Private and Famous Website List:

