This page contains the Hall of Fame with a mostly up-to-date list of security researchers who have reported security vulnerabilities to us. It is the result of our responsible disclosure policy.

Reported and resolved vulnerabilities

May 2024

Reflected cross-site scripting discovered by Mayank Mukhi (X)

January 2024

Information directory listing discovered by Hasibul Hasan Rifat (X)

Credential leak via darkweb cyber threat intelligence discovered by Htet Naing Lin (0xhnl)

Two clickjacking vulnerabilities discovered by Abhishrey Gupta (crimson-inferno) - (LinkedIn)

October 2023

rXSS vulnerability discovered by testt0 / Ola (X)

September 2023

Software with known vulnerabilities discovered by warringaa (LinkedIn)

July 2023

Local File Inclusion vulnerabilities discovered by Moein Abas / mosec (Zerocopter, X)

June 2023

Possible sensitive data exposure via API keys discovered by Arjith N R (LinkedIn)

Vulnerability with cleartext passwords discovered by Ruben Meeuwissen (LinkedIn)

May 2023

Possible Azure subdomain take-over discovered by Bob van der Staak (LinkedIn)

Possible Azure subdomain take-over discovered by Sumit Grover (X)

Captcha bypass vulnerability discovered by Tom Dantuma (LinkedIn)

March 2023

Information disclosure on a DNWG website discovered by Bob van der Staak (LinkedIn)

February 2023

No rate limit set on a login form on a Stedin website discovered by kapil

November 2022

No brute force protection on two Stedin websites discovered by 0xashfaq

September 2022

Information leakage on a website of DNWG discovered by gugu1337

August 2022

Expired certificate on a website of DNWG discovered by Bob van der Staak (LinkedIn)

Information leakage on websites of DNWG discovered by Bob van der Staak (LinkedIn)

June 2022

Sensitive information exposed on a website of DNWG discovered by fouad

May 2022

Open directory listing on a Stedin website discovered by cyber-ghost102 (LinkedIn)

Sensitive information disclosure on a Stedin website discovered by cyber-ghost102 (LinkedIn)

April 2022

Cross-site scripting vulnerability on a website of DNWG discovered by Mahmoud Elgendy (LinkedIn)

February 2022

Information leakage without authentication on a DNWG website discovered by mahmoud-elgendy (Twitter)

January 2022

No rate limit on login panel on a Stedin website discovered by Mehedii Hasan Remon (Twitter)

Server leaks information on a DNWG website discovered by krishnasec (LinkedIn)

No rate limit on login panel on a DNWG website discovered by Mehedii Hasan Remon (Twitter)

October 2021

Reflected XSS vulnerability on a DNWG website discovered by Tanuj Jane (Twitter)

Vulnerability on databases of DNWG discovered by aydinnyunus (LinkedIn)

August 2021

SAP-Open redirect on a website of DNWG discovered by Zax Asif (Twitter)

Open redirection on a website of DNWG discovered by Ifrah Iman

Microsoft Exchange Server reflected XSS at DNWG discovered by Zax Asif (Twitter)

July 2021

Clickjacking on a website of DNWG discovered by Aravind (LinkedIn / Twitter)

Clickjacking on a website of DNWG discovered by Muhammad Usman Nasir (LinkedIn)

User enumeration on websites of DNWG discovered by Ahmed Salah Abdalhfaz (Twitter)

June 2021

HTTP Strict Transport Security policy not enabled on a Stedin website discovered by shubhamch

May 2021

PHPUnit leaking database credentials on a website of DNWG discovered by Harinder Singh (S1N6H) (LinkedIn)

Unsafe file upload on a website of DNWG discovered by Mayur Pamar (th3cyb3rc0p) (LinkedIn)

XSS in a portal of DNWG discovered by Omar (Powerjacob)

Unauthenticated REST API endpoint on a portal of DNWG discovered by aungpyaekoko

Critical file found on a website of DNWG discovered by Brokenstarr (Twitter)

April 2021

Tabnabbing on a website of DNWG discovered by Nishant Narendra Lugare

Security misconfiguration leads banner grabbing to CVE exploit discovered by Hasibul Hasan Rifta (Twitter)

February 2021

HTML injection through sendemail functionality on a website of DNWG discovered by D4rk0 (Twitter)

January 2021

Unsafe file upload on a website of DNWG discovered by herrfabs

validationKey and decryptionKey leak in web.config file discovered by herrfabs

CVE-2017-12635: Admin user created + access to application on a website of DNWG discovered by D4rk0 (Twitter)

December 2020

Clickjacking on a Stedin website discovered by Souvik-Mondal (LinkedIn)

OPTIONS method enabled on a website of Stedin discovered by iampritam

November 2020

Subdomain takeover on a Stedin website discovered by floerer

September 2020

API key leakage discovered by Muhammad Usman Nasir

Content spoofing on a Stedin website discovered by Muhammad Usman Nasir

July 2020

Vulnerability in Cisco ASA used by Stedin discovered by D-d-W

April 2020

Disclosure of server technology and version discovered by MZ-ZeroCPT

December 2019

Subdomain takeover possible due to a misconfigured CNAME record discovered by dominiquevd 

Subdomain takeover possible due to a misconfigured CNAME record discovered by jubobs

October 2019

Error page contains SQL error information discovered by D4rk0

September 2019

Usernames are findable through an unrelated search form discovered by D4rk0

August 2019

Insecure configuration on a website discovered by an anonymous security researcher

Data enumeration possible based on limited information discovered by an anonymous security researcher

February 2019

Server information leakage discovered by sreeappsec

September 2018

Domain spoofing vulnerability on multiple websites discovered by SecguruOTX

Misconfigured SPF record discovered by SecguruOTX

January 2018

Captcha is not implemented on a form discovered by an anonymous security researcher

November 2017

XSS vulnerability discovered by rootaccess

Publicly accessible website which should be restricted to internal users only discovered by rootaccess

October 2017

DNS misconfiguration discovered by an anonymous security researcher

August 2017

Exposure of sensitive information on joulz.nl discovered by an anonymous security researcher

July 2017

Unsafe SSL configuration discovered by warringaa

March 2017

Missing headers which may lead to XSS discovered by an anonymous security researcher