Hardware Wallets Do Not Check Unlock Time | Man-in-the-Middle | thecharlatan | Medium | 2021-09-12
Unix time unlock_time values have dangerous validation rules enabling a number of exploits | Business Logic Errors | thecharlatan | High | 2021-09-12
Malicious get_random_rct_outs.bin rpc can cause a near-infinite loop | Denial of Service | ahook | High | 2018-09-29
Stack Overflow in JSON RPC Server | Stack Overflow | talko | No rating | 2018-09-29
Constant-time comparison is not always implemented; critical areas are vulnerable to key-timing attacks | Missing Required Cryptographic Step | anonimal | Critical | 2018-08-06
Trusted daemon check fails when proxied through torsocks or proxychains | Privacy Violation | equim | Low | 2018-08-02
Misreporting of received amount by show_transfers | Business Logic Errors | moneromooo | High | 2018-08-02
epee will accept an arbitrary amount of leading line-breaks in an http request | Denial of Service | ahook | Low | 2018-08-02
monerod can be disabled by a well-timed TCP reset packet | Denial of Service | ahook | Medium | 2018-08-02
A bug in the Monero wallet balance can enable theft from exchanges | Business Logic Errors | jagerman | Critical | 2018-08-02
Attacker can trick monero wallet into reporting it received twice as much with alternative tx_keypubs | Business Logic Errors | phiren | High | 2018-07-27
forum.getmonero.org Shell upload | Code Injection | kaulse | High | 2018-07-27
Monero Website & Kovri on your policy are returning 404 not found. | Business Logic Errors | axolotl | None | 2018-04-25
TabNabbing issue (due to target=_blank) | None supplied | ursa | No rating | 2018-04-25
Out-of-bounds read when importing corrupt blockchain with monero-blockchain-import | Out-of-bounds Read | ovrflow | Low | 2018-04-25
Buffer out of bound read in miniupnpc xml parser | Buffer Over-read | yukichen | Low | 2018-04-25
Monero GUI not linked with /DYNAMICBASE or hardening on windows, no ASLR | None supplied | flxflndy_ | No rating | 2018-03-18
Corrupt RPC responses from remote daemon nodes can lead to transaction tracing | Privacy Violation | monero-hax123 | Medium | 2018-03-16
remote access to localhost daemon, can issue jsonrpc commands | Cross-Site Request Forgery (CSRF) | bugbound | Low | 2018-02-22
Kovri: potential buffer over-read in garlic clove handling + I2NP message creation | Information Disclosure | aerodudrizzt | High | 2017-12-05