Offzone 2023
HTTP Request Splitting vulnerabilities exploitation
Video: https://www.youtube.com/watch?v=p1ClNhaoZQ8
Slides: https://offzone.moscow/upload/iblock/11a/sagouc86idiapdb8f29w41yaupqv6fwv.pdf

VolgaCTF 2021
JavaScript Prototype Pollution
Video: https://www.youtube.com/watch?v=mcmlxFk-1NM
Slides: http://archive.volgactf.ru/volgactf_2021/slides/VolgaCTF_2021_Stupin_Bobrov.pdf

Zeronights 2018
Bug Bounty Automation
Slides: https://blackfan.ru/slides/ZN2018%20WV%20-%20BugBounty%20automation.pdf

BaltCTF 2012
PHP Tricks
Slides: https://blackfan.ru/slides/BaltCTF_PHP_tricks.pdf

PortSwigger Top 10 web hacking techniques
2023 #6 HTTP Request Splitting vulnerabilities exploitation
https://portswigger.net/research/top-10-web-hacking-techniques-of-2023

2021 #4 Exploiting Client-Side Prototype Pollution in the wild
https://portswigger.net/research/top-10-web-hacking-techniques-of-2021

Ceph
CVE-2021-3524
https://docs.ceph.com/en/latest/security/CVE-2021-3524/
CVE-2021-3509
https://access.redhat.com/security/cve/cve-2021-3509

Western Union
https://bugcrowd.com/westernunion/hall-of-fame

Positive bug hunting
https://bugbounty.standoff365.com/programs/ptsecurity/?tab=4

Алгоритмика
https://bugbounty.standoff365.com/programs/algoritmika_vk/?tab=4

ТАРМ
https://bugbounty.standoff365.com/programs/tarm_vk/?tab=4

VK HR Tek
https://bugbounty.standoff365.com/programs/hrtek_vk/?tab=4

PayDay
https://bugbounty.standoff365.com/programs/payday_vk/?tab=4

Чемпионаты VK
https://bugbounty.standoff365.com/programs/all_cup_vk/?tab=4

Tarantool
https://bugbounty.standoff365.com/programs/tarantool_vk/?tab=4

Lootdog
https://bugbounty.standoff365.com/programs/lootdog_vk/?tab=4

Skillfactory
https://bugbounty.standoff365.com/programs/skillfactory_vk/?tab=4

hh.ru
https://bugbounty.standoff365.com/programs/hh/?tab=4

Wildberries
https://bugbounty.standoff365.com/programs/wildberries/?tab=4

Азбука вкуса
https://bugbounty.standoff365.com/programs/av/?tab=4

Тинькофф
https://bugbounty.standoff365.com/programs/tinkoff/?tab=4

Standoff 365
https://bugbounty.standoff365.com/programs/standoff-365/?tab=4

VK Cloud Solutions
https://bugbounty.standoff365.com/programs/vk_cs_vk/?tab=4

Одноклассники
https://bugbounty.standoff365.com/programs/odnoklassniki_vk/?tab=4

ВКонтакте
https://app.bugbounty.bi.zone/companies/vkontakte/top-hackers
https://bugbounty.standoff365.com/programs/vkontakte_vk/

Skillbox
https://app.bugbounty.bi.zone/companies/skillbox/top-hackers
https://bugbounty.standoff365.com/programs/skillbox_vk/?tab=4

Хоум Банк
https://app.bugbounty.bi.zone/companies/homebank/top-hackers

Авито
https://app.bugbounty.bi.zone/companies/avito/top-hackers

Flutter UK&I
https://hackerone.com/flutteruki/thanks/2019
https://hackerone.com/flutteruki/thanks/2018

Stripe
https://hackerone.com/stripe/thanks/2020

TikTok
https://hackerone.com/tiktok/thanks/2021

Valve
https://hackerone.com/valve/thanks/2021

IRCCloud
https://hackerone.com/irccloud/thanks/2021

Epic Games
https://hackerone.com/epicgames/thanks/2022
https://hackerone.com/epicgames/thanks/2021

OANDA
https://hackerone.com/oanda/thanks/2022

Client-Side Prototype Pollution
CVE-2021-20083 jquery-plugin-query-object
CVE-2021-20084 jquery-sparkle
CVE-2021-20085 backbone-query-parameters
CVE-2021-20086 jquery-bbq
CVE-2021-20087 jquery-deparam
CVE-2021-20088 mootools-more
CVE-2021-20089 purl

Apache Cordova InAppBrowser
CVE-2019-0219
https://lists.apache.org/thread.html/197482d5ab80c0bff4a5ec16e1b0466df38389d9a4b5331d777f14fc%40%3Cdev.cordova.apache.org%3E

Apache Tomcat
CVE-2018-11784
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.12
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.34
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.91

Apache httpd
CVE-2016-4975
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2016-4975
https://httpd.apache.org/security/vulnerabilities_22.html#CVE-2016-4975
https://hackerone.com/ibb-apache/thanks/2018

Android
CVE-2016-6716
https://source.android.com/security/bulletin/2016-11-01.html#acknowledgements
https://source.android.com/security/overview/acknowledgements.html#2016

Django
CVE-2016-7401
https://www.djangoproject.com/weblog/2016/sep/26/security-releases/
https://hackerone.com/django/thanks/2015
https://hackerone.com/django/thanks/2016

Express.js serve-static
CVE-2015-1164
https://www.npmjs.com/advisories/35

Oracle
April 2014 http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html
CVE-2014-0414
https://www.securitylab.ru/lab/PT-2013-49
CVE-2014-0426
https://www.securitylab.ru/lab/PT-2013-47
CVE-2014-0413
https://www.securitylab.ru/lab/PT-2013-48

Siemens
CVE-2012-2596, CVE-2012-2597, CVE-2012-2598, CVE-2012-2595, CVE-2012-3003
https://cert-portal.siemens.com/productcert/pdf/ssa-223158.pdf
CVE-2012-3031, CVE-2012-3028, CVE-2012-3030
https://cert-portal.siemens.com/productcert/pdf/ssa-864051.pdf
CVE-2013-0667, CVE-2013-0671, CVE-2013-0672
https://cert-portal.siemens.com/productcert/pdf/ssa-212483.pdf
CVE-2013-4912, CVE-2013-4911
https://cert-portal.siemens.com/productcert/pdf/ssa-064884.pdf
CVE-2013-0679
https://cert-portal.siemens.com/productcert/pdf/ssa-714398.pdf

PHP
CVE-2012-3365
https://www.securitylab.ru/lab/PT-2012-14

Yandex
https://yandex.com/bugbounty/i/hall-of-fame/

Google
https://bughunter.withgoogle.com/profile/1d87fcbc-fea5-4c1d-b4a0-559a56b7dac8
Q4 2013 Sergey Bobrov
Q1 2011 BlackFan
https://www.google.com/about/appsecurity/hall-of-fame/archive/

Facebook
2014
2011
https://www.facebook.com/whitehat/thanks/

Twitter
https://hackerone.com/twitter/thanks/2014
https://hackerone.com/twitter/thanks/2017

Etsy
https://www.etsy.com/bounty/hall-of-fame

Mozilla
Q2 2020
Q1 2019
Q4 2018
Q3 2018
Q4 2017
Q2 2017
Q2 2016
Q1 2016
https://www.mozilla.org/en-US/security/bug-bounty/web-hall-of-fame/

Yahoo
https://hackerone.com/yahoo/thanks/2014
https://hackerone.com/yahoo/thanks/2015
https://hackerone.com/yahoo/thanks/2016

Adobe
https://hackerone.com/adobe/thanks/2016
https://hackerone.com/adobe/thanks/2017
https://hackerone.com/adobe/thanks/prior
2012 https://helpx.adobe.com/security/acknowledgements.html

Mail.Ru
https://hackerone.com/mailru/thanks/2014
https://hackerone.com/mailru/thanks/2015
https://hackerone.com/mailru/thanks/2016
https://hackerone.com/mailru/thanks/2017
https://hackerone.com/mailru/thanks/2018
https://hackerone.com/mailru/thanks/2019
https://hackerone.com/mailru/thanks/2020
https://hackerone.com/mailru/thanks/2021
https://app.bugbounty.bi.zone/companies/pochta-oblako-i-kalendar-mail-ru/top-hackers
https://bugbounty.standoff365.com/programs/mail_vk/?tab=4

Apple
2017 https://support.apple.com/ru-ru/HT201536
2013 https://support.apple.com/ru-ru/HT207627

Foxycart
https://www.foxy.io/security-contact
https://bugcrowd.com/foxycart/hall-of-fame

Microsoft (Online Services)
June 2013 https://www.microsoft.com/en-us/msrc/researcher-acknowledgments-online-services-archive
May 2021 https://msrc.microsoft.com/update-guide/acknowledgement/online

Zynga
2014 https://www.zynga.com/security/whitehats

Serv-U File Server
https://www.securitylab.ru/lab/PT-2013-70
https://www.securitylab.ru/lab/PT-2013-69
https://www.securitylab.ru/lab/PT-2013-68
https://www.securitylab.ru/lab/PT-2013-67
https://www.securitylab.ru/lab/PT-2013-66

mnoGoSearch
https://www.securitylab.ru/lab/PT-2013-17
https://www.securitylab.ru/lab/PT-2013-18

Bitrix
https://www.securitylab.ru/lab/PT-2014-10

Jetty
https://www.securitylab.ru/lab/PT-2013-65

Schuberg Philis
October 2013 https://schubergphilis.com/en/security-hall-of-fame

Python
https://docs.python.org/3.4/whatsnew/changelog.html#python-3-4-2-release-candidate-1

QIWI
https://hackerone.com/qiwi/thanks/2022
https://hackerone.com/qiwi/thanks/2020
https://hackerone.com/qiwi/thanks/2019
https://hackerone.com/qiwi/thanks/2018
https://hackerone.com/qiwi/thanks/2017
https://hackerone.com/qiwi/thanks/2016
https://hackerone.com/qiwi/thanks/2015
https://hackerone.com/qiwi/thanks/2014

Airbnb
https://hackerone.com/airbnb/thanks/2018
https://hackerone.com/airbnb/thanks/2017

Greenhouse.io
https://hackerone.com/greenhouse/thanks/2014

Pantheon
https://bugcrowd.com/pantheon/hall-of-fame

abacus
https://bugcrowd.com/abacus/hall-of-fame

Vimeo
https://hackerone.com/vimeo/thanks/2022
https://hackerone.com/vimeo/thanks/2021
https://hackerone.com/vimeo/thanks/2014
https://vimeo.com/about/security

Heroku
https://bugcrowd.com/heroku/hall-of-fame

Square
https://hackerone.com/square/thanks/2015

Trello
https://hackerone.com/trello/thanks/2015
https://bugcrowd.com/trello/hall-of-fame

Zaption
https://hackerone.com/zaption/thanks/2015

Dropbox
https://hackerone.com/dropbox/thanks/2015
https://hackerone.com/dropbox/thanks/2016
https://hackerone.com/dropbox/thanks/2017

Magix AG
June 2015 http://research.magix.com/

Indeed
https://bugcrowd.com/indeed/hall-of-fame

Shopify
https://hackerone.com/shopify/thanks/2020
https://hackerone.com/shopify/thanks/2017
https://hackerone.com/shopify/thanks/2016
https://hackerone.com/shopify/thanks/2015

SoundCloud
https://help.soundcloud.com/hc/en-us/articles/115003561228-Reporting-a-security-vulnerability

Gratipay
https://hackerone.com/gratipay/thanks/2015

Anghami
https://hackerone.com/anghami/thanks/2015

Keybase
https://hackerone.com/keybase/thanks/2015

Zopim
https://hackerone.com/zopim/thanks/2015

Dashlane
https://hackerone.com/dashlane/thanks/2016

CloudWalk
https://hackerone.com/cloudwalk/thanks/2016

Uber
https://hackerone.com/uber/thanks/2016

ownCloud
https://hackerone.com/owncloud/thanks/2016

LocalTapiola
https://hackerone.com/localtapiola/thanks/2016
https://hackerone.com/localtapiola/thanks/2017

Skyliner
https://hackerone.com/skyliner/thanks/2016

Sucuri
https://hackerone.com/sucuri/thanks/2018
https://hackerone.com/sucuri/thanks/2016

leetfiles
https://hackerone.com/leetfiles/thanks/2016

C2FO
https://hackerone.com/c2fo/thanks/2015

Sophos
https://bugcrowd.com/sophos/hall-of-fame

Fitbit
https://bugcrowd.com/fitbit/hall-of-fame

Automattic
https://hackerone.com/automattic/thanks/2016

Teespring
https://hackerone.com/teespring/thanks/2016

Brave Software
https://hackerone.com/brave/thanks/2016

HubSpot
https://bugcrowd.com/hubspot/hall-of-fame

CloudFlare
https://hackerone.com/cloudflare/thanks/2018
https://hackerone.com/cloudflare/thanks/2017

Algolia
https://hackerone.com/algolia/thanks/2017

Quora
https://hackerone.com/quora/thanks/2017

Starbucks
https://hackerone.com/starbucks/thanks/2020
https://hackerone.com/starbucks/thanks/2019
https://hackerone.com/starbucks/thanks/2018
https://hackerone.com/starbucks/thanks/2017

Xero
https://hackerone.com/xero/thanks/2017

Ubiquiti Inc.
https://hackerone.com/ui/thanks/2019
https://hackerone.com/ui/thanks/2017

Tesla
https://bugcrowd.com/tesla/hall-of-fame

Jet.com
https://bugcrowd.com/jet/hall-of-fame

StatusPage.io
https://bugcrowd.com/statuspage/hall-of-fame

General Motors
https://hackerone.com/gm/thanks/2017

WakaTime
https://hackerone.com/wakatime/thanks/2017

Imgur
https://hackerone.com/imgur/thanks/2018

WePay
https://hackerone.com/wepay/thanks/2018
https://hackerone.com/wepay/thanks/2017

Spotify
https://hackerone.com/spotify/thanks/2021
https://hackerone.com/spotify/thanks/2020
https://hackerone.com/spotify/thanks/2019
https://hackerone.com/spotify/thanks/2018
https://hackerone.com/spotify/thanks/2017

Bitdefender
https://bugcrowd.com/bitdefender/hall-of-fame

Mobidea
https://bugcrowd.com/mobidea/hall-of-fame

Magento
https://bugcrowd.com/magento/hall-of-fame

Twilio
https://bugcrowd.com/twilio/hall-of-fame

You Need a Budget
https://bugcrowd.com/ynab/hall-of-fame

Vulners
https://hackerone.com/vulnerscom/thanks/2018

Plaid
https://hackerone.com/plaid/thanks/2018

SAP Concur
https://bugcrowd.com/concur/hall-of-fame

Tencent
https://hackerone.com/tencent/thanks/2020
https://en.security.tencent.com/user/p/twitter_tsrc178619771

Vanilla
https://hackerone.com/vanilla/thanks/2018

GSA Bounty
https://hackerone.com/gsa_bbp/thanks/2021
https://hackerone.com/gsa_bbp/thanks/2020
https://hackerone.com/gsa_bbp/thanks/2019
https://hackerone.com/gsa_bbp/thanks/2018

Discourse
https://hackerone.com/discourse/thanks/2018

Upserve
https://hackerone.com/upserve/thanks/2021
https://hackerone.com/upserve/thanks/2020
https://hackerone.com/upserve/thanks/2019
https://hackerone.com/upserve/thanks/2018

BitMEX
https://hackerone.com/bitmex/thanks/2018

Gatecoin
https://hackerone.com/gatecoin/thanks/2018

MasterCard
https://bugcrowd.com/mastercard/hall-of-fame

Netflix
https://bugcrowd.com/netflix/hall-of-fame

Blue Jeans Network
https://bugcrowd.com/bluejeans/hall-of-fame

HackerOne Leaderboard
https://hackerone.com/leaderboard/2016/q4

Dell Technologies
https://bugcrowd.com/dell/hall-of-fame

Cisco Meraki
https://bugcrowd.com/ciscomeraki/hall-of-fame

SEEK
https://bugcrowd.com/seek/hall-of-fame

FanDuel
https://hackerone.com/fanduel/thanks/2022
https://hackerone.com/fanduel/thanks/2021
https://hackerone.com/fanduel/thanks/2019

Redtube
https://hackerone.com/redtube/thanks/2019

Omise
https://hackerone.com/omise/thanks/2019
https://hackerone.com/omise/thanks/2018

Grammarly
https://hackerone.com/grammarly/thanks/2018

Postmates
https://hackerone.com/postmates/thanks/2020
https://hackerone.com/postmates/thanks/2018
https://hackerone.com/postmates/thanks/2017

DataStax
https://hackerone.com/datastax/thanks/2020

New Relic
https://hackerone.com/newrelic/thanks/2020

Trustpilot
https://hackerone.com/trustpilot/thanks/2020

Grubhub
https://hackerone.com/grubhub/thanks/2021
https://hackerone.com/grubhub/thanks/2020

Affinity
https://hackerone.com/affinity/thanks/2020

Xiaomi
https://hackerone.com/xiaomi/thanks/2022
https://hackerone.com/xiaomi/thanks/2021
https://hackerone.com/xiaomi/thanks/2020
https://hackerone.com/xiaomi/thanks/2019

Roblox
https://hackerone.com/roblox/thanks/2020

Unikrn
https://hackerone.com/unikrn/thanks/2020

Atlassian
https://bugcrowd.com/atlassian/hall-of-fame

Centrify
https://bugcrowd.com/centrify/hall-of-fame

InVision
https://bugcrowd.com/invision/hall-of-fame

LastPass
https://bugcrowd.com/lastpass/hall-of-fame