Udemy Program Statistics

35 total issues disclosed
$2,325 total paid publicly
Most disclosed (8 disclosures) — Cross-site Scripting (XSS) - Generic

Disclosed Reports

Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on |
---|---|---|---|---|
[engineering.udemy.com] - Subdomain Takeover (ghost.io) | Improper Access Control - Generic | kazan71p | Low | 2018-06-28 |
Subdomain Takeover (and Stored XSS) via Trailing Dot at https://coding-exercises.udemy.com | None supplied | cha5m | None | 2018-05-10 |
Weak Password | Violation of Secure Design Principles | firestone | None | 2017-08-29 |
CSRF Token Design Flaw | Cross-Site Request Forgery (CSRF) | hdarji | None | 2017-08-29 |
No password length restriction | Weak Cryptography for Passwords | alirazzaq4 | None | 2017-08-29 |
Violation of secure design principle | Violation of Secure Design Principles | kaushalag29 | None | 2017-08-17 |
CSRF Token | Cross-Site Request Forgery (CSRF) | hi_man | No rating | 2017-08-17 |
Content Spoofing in udemy | Violation of Secure Design Principles | csanuragjain | Low | 2017-07-23 |
Completed Compromise & Source Code Disclosure via Exposed Jenkins Dashboard at https://jenkins101.udemy.com | Code Injection | cha5m | High | 2017-06-17 |
sweet32 | Cryptographic Issues - Generic | doglife | None | 2017-05-04 |
Showing Up Source Code | None supplied | kashif | No rating | 2017-05-04 |
Subdomain Takeover at Landing.udemy.com | Privilege Escalation | ak_1337 | Low | 2017-03-30 |
Able to view others' gifts on /gift/share URL, giftId is predictable, and easy to manipulate | Improper Authentication - Generic | caffeinewriter | No rating | 2017-03-26 |
Critical : Malware and XSS file can be uploaded and executed on udemy | Cross-site Scripting (XSS) - Generic | csanuragjain | No rating | 2017-01-11 |
CSRF in Udemy.com | Cross-Site Request Forgery (CSRF) | c1231665 | No rating | 2017-01-11 |
Csrf on creating course | Cross-Site Request Forgery (CSRF) | oldc4u53 | No rating | 2017-01-10 |
Jenkins | None supplied | top | High | 2017-01-10 |
Udemy s3 storage can be used by an attacker personal website because of missing CSRF Token | Cross-Site Request Forgery (CSRF) | csanuragjain | No rating | 2017-01-05 |
AWS S3 bucket writable for authenticated aws user | Improper Authentication - Generic | dpgribkov | No rating | 2017-01-05 |
NON VALIDATION OF SESSIONS AFTER PASSWORD CHANGE | Improper Authentication - Generic | w3b7ricks73r | No rating | 2016-09-17 |
Ability to add pishing links in discusion ," Bypassing uneductional Links add " | Information Disclosure | zeyadk | No rating | 2016-07-09 |
Stored XSS at Udemy | Cross-site Scripting (XSS) - Generic | ankitsingh | No rating | 2016-05-27 |
Authentication Data are not Clearing | Improper Authentication - Generic | khalifah | No rating | 2016-04-13 |
Reflected XSS and/or malicious redirection via JWPlayer 6 configuration modification | Cross-site Scripting (XSS) - Generic | decay | No rating | 2016-02-24 |
Misconfigured SPF Record Flag | Violation of Secure Design Principles | geekboy | No rating | 2016-02-23 |
Stored XSS | Cross-site Scripting (XSS) - Generic | manish121 | No rating | 2016-02-23 |
information disclosure | Information Disclosure | shekhar93 | No rating | 2016-02-07 |
leak receipt of another user | Information Disclosure | adrianbelen | No rating | 2015-11-13 |
XSS Vulnerability | Cross-site Scripting (XSS) - Generic | robd4k | No rating | 2015-11-09 |
XSS on https://www.udemy.com/asset/export.html | Cross-site Scripting (XSS) - Generic | adrianbelen | No rating | 2015-10-08 |
Extremely high Course rating values could be set in order to make really high Average rating of the course. Negative values could be set to. | Violation of Secure Design Principles | decay | No rating | 2015-09-26 |
xss profile | Cross-site Scripting (XSS) - Generic | x1622 | No rating | 2015-07-17 |
xss on autoserch | Cross-site Scripting (XSS) - Generic | adrianbelen | No rating | 2015-07-09 |
Multiple sub domain are vulnerable because of leaking full path | Information Disclosure | msarmad | No rating | 2015-06-25 |
teach.udemy.com log poison vulnerability through wordpress debug.log being publically available | Code Injection | mthirup | No rating | 2015-06-09 |