- CVE-2025-6031 - Amazon Cloud Cam
- Multiple Advisories in SAP Products
- CVE-2014-9320
A critical privilege escalation vulnerability found using a fun fuzzing technique for BO
- SAP Advisory 2039905
Denial of Service XML Expansion (CVE-2014-8080)
- For good reason it wasn’t advertised: the PoC could remotely DoS any Rails installation with little effort.
CVE-2014-5265, CVE-2014-5266, CVE-2014-5267
- This impacted all versions of Drupal and WordPress.
SAP HANA Web-based Development Workbench Code Injection (SAP Advisory 2015446)
Unauthenticated Username Enumeration in Business Objects (SAP Advisory 2001109)
Unauthenticated Remote Crash of Business Objects (CVE-2014-8310)
- Also found via the same fuzzing technique
- SAP Advisory 2001106
Information Disclosure in Business Objects (CVE-2014-8311)
- SAP Advisory 1998990
XSS in Business Objects (CVE-2014-8308)
- SAP Advisory 1941562
Multiple XSS in SAP HANA (CVE-2014-8314)
- SAP Advisory 2009696
Multiple XSS in SAP HANA (CVE-2014-5172)
- SAP Advisory 1993349
Multiple XSS in SAP BO (CVE-2014-3134)
- SAP Advisory 1931399
Multiple Advisories in SAP Products
- On paper, it was a default password issue 🤷. In practice, it was an application that was packaged with many products that allowed trivial RCE out of the box and a nice Metasploit module.
- SAP Advisory 1432881
FCKEditor.NET File Upload Code Execution
Selected Bug Bounties
I have had a mixed experience with bug bounties. I think in total I have received a bounty or Hall of Fame from 40+ companies; not a ton but enough to see some of the good and bad. Below are some programs I really enjoyed participating in.
- AT&T
Top 50 hacker at one point.
- In 2019 I had the points and bugs, but one of the programs unfairly gave me a negative rating which dropped me below the threshold. As you can tell, I am still salty 👷.
- I believe I had the highest payout for a Web bounty up to that point.
- I had a handful of critical bugs in devices including RCE but the details are unfortunately private.