Legal policy

BUG BOUNTY DISCLOSURES

Read the current Smackdab policy in a cleaner web format, or download the official PDF copy.

Last updated: December 10, 2025



This web version is here to make reading easier. If anything conflicts, the official policy controls.


Bug Bounty Program - Public Disclosures

Last Updated: December 10, 2024

The following is a record of vulnerability reports processed through our Bug Bounty Program. We publish these summaries to provide transparency and help researchers understand what types of findings qualify for rewards.

⚠️ Technical details are intentionally vague to protect our systems and users. Full reproduction details are not disclosed.


🏆 Hall of Fame

We recognize the following researchers for their contributions to Smackdab security:

| Researcher   | Recognition                                                  |
|--------------|--------------------------------------------------------------|
| Researcher C | Critical and High severity findings on core application      |
| Researcher D | High severity finding on core application                    |
| Researcher B | Medium and Low severity findings on production infrastructure |
| Researcher A | Low severity findings on marketing website                   |


📋 Processed Reports

| #   | Date     | Researcher   | Category                      | System                    | Severity | Outcome   |
|-----|----------|--------------|-------------------------------|---------------------------|----------|-----------|
| 010 | Dec 2024 | Researcher C | IDOR                          | Core application          | Critical | $200      |
| 008 | Dec 2024 | Researcher C | Authentication Bypass         | Core application          | Critical | $200      |
| 007 | Dec 2024 | Researcher C | Stored XSS                    | Core application          | High     | $125      |
| 009 | Dec 2024 | Researcher D | Email Change Logic Flaw       | Core application          | High     | $75       |
| 005 | Dec 2024 | Researcher B | Information Disclosure        | Monitoring infrastructure | Medium   | $50       |
| 012 | Dec 2024 | Researcher B | Open Redirect / XSS (Grafana) | Monitoring infrastructure | Medium   | $50*      |
| 001 | Dec 2024 | Researcher A | XML-RPC Configuration         | Marketing website         | Low      | $25*      |
| 002 | Dec 2024 | Researcher A | CORS Misconfiguration         | Marketing website         | Low      | *combined |
| 011 | Dec 2024 | Researcher B | Exposed Admin Interface       | Marketing website         | Low      | *combined |
| 003 | Dec 2024 | Researcher A | WordPress Configuration       | Marketing website         | Info     | No bounty |
| 004 | Dec 2024 | Researcher A | WordPress Configuration       | Marketing website         | Info     | No bounty |
| 006 | Dec 2024 | Researcher B | DNS Configuration (CAA)       | Domain configuration      | Info     | No bounty |

* Combined bounty paid for multiple related reports


📝 Report Summaries

#010 - IDOR (Critical)

Identified IDOR allowing an attacker to delete any Policy Group across organizations by manipulating a numeric ID in the delete API request. Remediated by implementing proper authorization checks.
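The class of flaw behind #010 is a delete endpoint that looks an object up by its numeric ID alone, so the caller's tenant never enters the decision. The example below is added here to illustrate that pattern next to the kind of fix the summary describes ("proper authorization checks"); it is not Smackdab's code. The PolicyGroup model with an organization_id, the Session type, and the function names are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class PolicyGroup:
    id: int
    organization_id: int  # assumed tenant column; not taken from the page
    name: str


@dataclass(frozen=True)
class Session:
    """Authenticated caller. The tenant comes from the server-side session,
    never from a request parameter the client can edit."""
    user_id: int
    organization_id: int


class NotFound(Exception):
    """Raised for both missing and foreign-tenant objects, so the response
    does not reveal which IDs exist in other organizations."""


class PolicyGroupStore:
    def __init__(self) -> None:
        self._rows: Dict[int, PolicyGroup] = {}
        # (event, user_id, group_id) records for detection/forensics
        self.audit: List[Tuple[str, int, int]] = []

    def add(self, group: PolicyGroup) -> None:
        self._rows[group.id] = group

    def ids(self) -> List[int]:
        return sorted(self._rows)

    # --- vulnerable pattern: object located by numeric ID alone -----------
    def delete_insecure(self, group_id: int) -> None:
        """Any authenticated caller can delete any group by changing the ID."""
        if group_id not in self._rows:
            raise NotFound(group_id)
        del self._rows[group_id]

    # --- hardened pattern: ownership is part of the lookup -----------------
    def delete_secure(self, session: Session, group_id: int) -> None:
        """Deletes only if the group belongs to the caller's organization."""
        group = self._rows.get(group_id)
        if group is None or group.organization_id != session.organization_id:
            # A burst of denied cross-tenant deletes from one account is a
            # useful IDOR-probing signal, so record it before refusing.
            self.audit.append(("denied_delete", session.user_id, group_id))
            raise NotFound(group_id)
        del self._rows[group_id]
        self.audit.append(("deleted", session.user_id, group_id))


def _seeded_store() -> PolicyGroupStore:
    """Constructed data: one policy group in each of two organizations."""
    store = PolicyGroupStore()
    store.add(PolicyGroup(id=100, organization_id=1, name="org1-default"))
    store.add(PolicyGroup(id=101, organization_id=2, name="org2-default"))
    return store


def demo() -> dict:
    """Constructed scenario: a user in org 1 sends a delete for org 2's group."""
    caller = Session(user_id=7, organization_id=1)

    store = _seeded_store()
    store.delete_insecure(101)  # foreign object removed by ID manipulation
    after_insecure = store.ids()

    store = _seeded_store()
    foreign_blocked = False
    try:
        store.delete_secure(caller, 101)
    except NotFound:
        foreign_blocked = True
    store.delete_secure(caller, 100)  # the caller's own group is still deletable
    return {
        "after_insecure": after_insecure,
        "foreign_blocked": foreign_blocked,
        "after_secure": store.ids(),
        "audit": store.audit,
    }


if __name__ == "__main__":
    print(demo())
```

The important design choice is that the tenant filter is part of the same lookup that fetches the row, not a separate check bolted on after the fact, and that a foreign ID and a nonexistent ID produce the identical error.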

#008 - Authentication Bypass (Critical)

Identified 2FA bypass via response manipulation. Remediated as part of authentication system hardening.

#007 - Stored XSS (High)

Identified stored cross-site scripting vulnerability in snippet management feature. Demonstrated session cookie access. Remediated.

#009 - Email Change Logic Flaw (High)

Identified that a user’s email address could be changed without re-entering the current password, enabling potential account takeover via session hijacking. Remediated by adding a re-authentication check.
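Report #009 turns on the difference between holding a session and holding the credential: if a stolen session is enough to change the account email, the thief can redirect password resets to an address they control. The example below is added here to show the flawed and the re-authenticated form of such an endpoint side by side; it is not Smackdab's code. The Account class, its PBKDF2 storage, and the notification to the previous address are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, List


class ReauthenticationRequired(Exception):
    """Raised when a sensitive change is attempted without a fresh credential."""


class Account:
    PBKDF2_ROUNDS = 200_000  # illustrative value, tune for your hardware

    def __init__(self, email: str, password: str) -> None:
        self.email = email
        self._salt = os.urandom(16)
        self._pw_hash = self._derive(password)
        self.notifications: List[str] = []  # constructed outbox for the demo

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), self._salt, self.PBKDF2_ROUNDS
        )

    def verify_password(self, candidate: str) -> bool:
        # Constant-time comparison avoids leaking how much of the hash matched.
        return hmac.compare_digest(self._derive(candidate), self._pw_hash)

    def change_email_insecure(self, new_email: str) -> None:
        """Flawed pattern: a valid session is all that is required, so whoever
        holds the session can move the account to their own address."""
        self.email = new_email

    def change_email(self, new_email: str, current_password: str) -> None:
        """Hardened pattern: require the current password at the moment of the
        change, then tell the old address what happened."""
        if not self.verify_password(current_password):
            raise ReauthenticationRequired("current password did not verify")
        old_email = self.email
        self.email = new_email
        # Notifying the previous address (assumed detail, not from the page)
        # gives the real owner a chance to notice and respond.
        self.notifications.append(f"to {old_email}: email changed to {new_email}")


def demo() -> Dict[str, object]:
    """Constructed scenario: the caller has the owner's session but not the password."""
    owner_password = "correct horse battery staple"

    acct = Account("owner@example.com", owner_password)
    acct.change_email_insecure("other@example.net")  # session alone suffices
    insecure_email = acct.email

    acct = Account("owner@example.com", owner_password)
    blocked = False
    try:
        acct.change_email("other@example.net", "guess")
    except ReauthenticationRequired:
        blocked = True
    email_after_block = acct.email

    # The legitimate owner supplies the current password and succeeds.
    acct.change_email("owner-new@example.com", owner_password)
    return {
        "insecure_email": insecure_email,
        "blocked": blocked,
        "email_after_block": email_after_block,
        "final_email": acct.email,
        "notifications": acct.notifications,
    }


if __name__ == "__main__":
    print(demo())
```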

#005 - Information Disclosure (Medium)

Identified unauthenticated Prometheus metrics endpoints exposing internal infrastructure details. No credentials or customer data exposed. Remediated.

#012 - Open Redirect / XSS (Medium)

Identified vulnerability in internal Grafana instances (CVE-2025-4123) that could lead to arbitrary JavaScript execution and session hijacking for targeted DevOps team members. Remediated by upgrading.

#001 & #002 - XML-RPC & CORS (Low)

Reported XML-RPC endpoint and permissive CORS configuration on marketing site. Limited impact due to no customer data on affected system. Combined bounty awarded.
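The "permissive CORS configuration" in #002 is most often a server that reflects any Origin header it receives, sometimes together with Access-Control-Allow-Credentials. The example below is added here to put that weak response next to an allowlisted one and to run both through a simplified model of the browser's check; it is not Smackdab's code, and the origins in ALLOWED_ORIGINS are constructed for the illustration.

```python
from typing import Dict, Optional

# Constructed allowlist for the example; the real origins are not on the page.
ALLOWED_ORIGINS = frozenset({
    "https://app.example.com",
    "https://admin.example.com",
})


def cors_headers_permissive(origin: Optional[str]) -> Dict[str, str]:
    """Weak pattern: echo whatever Origin the browser sent and also allow
    credentials. Any page can then read authenticated responses."""
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_hardened(
    origin: Optional[str], allow_credentials: bool = False
) -> Dict[str, str]:
    """Corrected pattern: exact-match allowlist (no wildcard, no suffix or
    regex matching), credentials only when the endpoint needs them, and
    Vary: Origin so a shared cache never serves one origin's answer to another."""
    if origin is None or origin not in ALLOWED_ORIGINS:
        # No Access-Control-Allow-Origin header at all: the browser blocks reads.
        return {"Vary": "Origin"}
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def browser_can_read(origin: str, headers: Dict[str, str], with_cookies: bool) -> bool:
    """Simplified model of the browser's CORS decision for a simple request:
    the response is readable only if ACAO matches the requesting origin and,
    for credentialed requests, ACAC is exactly 'true' and ACAO is not '*'."""
    acao = headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if acao == "*":
        return not with_cookies  # wildcard is never honoured with credentials
    if acao != origin:
        return False
    if with_cookies and headers.get("Access-Control-Allow-Credentials") != "true":
        return False
    return True


def compare(origin: str) -> Dict[str, bool]:
    """Readability of a credentialed response from both configurations."""
    return {
        "permissive": browser_can_read(origin, cors_headers_permissive(origin), True),
        "hardened": browser_can_read(origin, cors_headers_hardened(origin, True), True),
    }


if __name__ == "__main__":
    print(compare("https://app.example.com"))
    print(compare("https://unknown.example"))
```

Checking a deployed configuration is the same exercise: send requests with an unexpected Origin and confirm the response either omits Access-Control-Allow-Origin or returns a fixed allowlisted value rather than echoing the input.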

#011 - Exposed Admin Interface (Low)

Reported that the phpMyAdmin setup wizard was publicly exposed. Classified as Low severity because it affected the marketing website. Remediated.


🚫 Declined Report Categories

For transparency, the following report types have been submitted and declined under our program terms:

| Category                            | Reason                                        | Terms Reference |
|-------------------------------------|-----------------------------------------------|-----------------|
| WordPress default configurations    | Hardening suggestions without exploitability  | Section 2.3     |
| DNS record recommendations          | No demonstrated exploitation path             | Section 2.3     |
| Known CVEs on marketing site        | Known-issue category                          | Section 2.4     |
| Performance/availability suggestions | Not security vulnerabilities                 | Section 2.3     |


For questions about this page or our Bug Bounty Program, contact: security@smackdab.ai

© 2026 Smackdab