Top reports from Vimeo program at HackerOne:
- SSRF leaking internal google cloud data through upload function [SSH Keys, etc..] to Vimeo - 229 upvotes, $5000
- Domain pointing to vimeo portfolio are prone to takeover using on-demand. to Vimeo - 69 upvotes, $1500
- Improper Authentication in Vimeo's API 'versions' endpoint. to Vimeo - 52 upvotes, $2000
- Reflected File Download (RFD) in download video to Vimeo - 52 upvotes, $700
- Watch any Password Video without password to Vimeo - 43 upvotes, $500
- Downloading password protected / restricted videos to Vimeo - 40 upvotes, $600
- All Vimeo Private videos disclosure via Authorization Bypass to Vimeo - 29 upvotes, $600
- OAuth 2 Authorization Bypass via CSRF and Cross Site Flashing to Vimeo - 28 upvotes, $1000
- Make API calls on behalf of another user (CSRF protection bypass) to Vimeo - 23 upvotes, $1000
- Disclosure of sensitive information through Google Cloud Storage bucket to Vimeo - 22 upvotes, $500
- XSS on vimeo.com/home after other user follows you to Vimeo - 16 upvotes, $1500
- Images and Subtitles Leakage from private videos to Vimeo - 16 upvotes, $125
- CSRF on Vimeo via cross site flashing leading to info disclosure and private videos go public to Vimeo - 14 upvotes, $750
- URGENT - Subdomain Takeover on status.vimeo.com due to unclaimed domain pointing to statuspage.io to Vimeo - 13 upvotes, $100
- Vimeo.com Insecure Direct Object References Reset Password to Vimeo - 8 upvotes, $5000
- Stored XSS on player.vimeo.com to Vimeo - 8 upvotes, $500
- [vimeopro.com] CRLF Injection to Vimeo - 6 upvotes, $500
- XSS when using captions/subtitles on video player based on Flash (requires user interaction) to Vimeo - 6 upvotes, $200
- Application XSS filter function Bypass may allow Multiple stored XSS to Vimeo - 6 upvotes, $100
- XSS on vimeo.com | "Search within these results" feature (requires user interaction) to Vimeo - 6 upvotes, $100
- Securing "Reset password" pages from bots to Vimeo - 6 upvotes, $0
- Adding profile picture to anyone on Vimeo to Vimeo - 5 upvotes, $1000
- Error page Text Injection. to Vimeo - 5 upvotes, $0
- XSS on mobile version of vimeo.com where the button "Follow" appears to Vimeo - 5 upvotes, $0
- XSS on player.vimeo.com without user interaction and vimeo.com with user interaction to Vimeo - 4 upvotes, $250
- Can message users without the proper authorization to Vimeo - 4 upvotes, $100
- XSS on any site that includes the moogaloop flash player | deprecated embed code to Vimeo - 3 upvotes, $1000
- API: missing invalidation of OAuth2 Authorization Code during access revocation causes authorization bypass to Vimeo - 3 upvotes, $500
- Invite any user to your group without even following him to Vimeo - 3 upvotes, $250
- CRITICAL full source code/config disclosure for Cameo to Vimeo - 3 upvotes, $100
- Reflected XSS on vimeo.com/musicstore to Vimeo - 3 upvotes, $100
- Poodle bleed vulnerability in cloud sub domain to Vimeo - 3 upvotes, $0
- Insecure Direct Object References in https://vimeo.com/forums to Vimeo - 2 upvotes, $500
- subdomain takeover 1511493148.cloud.vimeo.com to Vimeo - 2 upvotes, $250
- Vimeo + & Vimeo PRO Unauthorised Tax bypass to Vimeo - 2 upvotes, $250
- A user can add videos to other user's private groups to Vimeo - 2 upvotes, $250
- Insecure Direct Object References that allows to read any comment (even if it should be private) to Vimeo - 2 upvotes, $150
- Missing rate limit on private videos password to Vimeo - 2 upvotes, $0
- XSS in Subtitles of Vimeo Flash Player and Hubnut to Vimeo - 2 upvotes, $0
- abusing Thumbnails(https://vimeo.com/upload/select_thumb) to see a private video to Vimeo - 1 upvotes, $1000
- A user can post comments on other user's private videos to Vimeo - 1 upvotes, $500
- Buying ondemand videos that 0.1 and sometimes for free to Vimeo - 1 upvotes, $260
- Ability to Download Music Tracks Without Paying (Missing permission check on /musicstore/download) to Vimeo - 1 upvotes, $250
- A user can edit comments even after video comments are disabled to Vimeo - 1 upvotes, $250
- CRITICAL vulnerability - Insecure Direct Object Reference - Unauthorized access to Videos of Channel whose privacy is set to Private. to Vimeo - 1 upvotes, $250
- Post in private groups after getting removed to Vimeo - 1 upvotes, $250
- [URGENT ISSUE] Add or Delete the videos in watch later list of any user . to Vimeo - 1 upvotes, $250
- A user can enhance their videos with paid tracks without buying the track to Vimeo - 1 upvotes, $250
- Stored XSS on vimeo.com and player.vimeo.com to Vimeo - 1 upvotes, $200
- Vimeo Search - XSS Vulnerability [http://vimeo.com/search] to Vimeo - 1 upvotes, $100
- XSS on Vimeo to Vimeo - 1 upvotes, $100
- Private, embeddable videos leaks data through Facebook & Open Graph to Vimeo - 1 upvotes, $100
- USER PRIVACY VIOLATED (PRIVATE DATA GETTING TRANSFER OVER INSECURE CHANNEL ) to Vimeo - 1 upvotes, $0
- CSRF bypass to Vimeo - 1 upvotes, $0
- Brute force on "vimeo" cookie to Vimeo - 1 upvotes, $0
- Full account takeover via Add a New Email to account without email verified and without password confirmation. to Vimeo - 1 upvotes, $0
- No Limitation on Following allows user to follow people automatically! to Vimeo - 1 upvotes, $0
- Share your channel to any user on vimeo without following him to Vimeo - 0 upvotes, $250
- APIs for channels allow HTML entities that may cause XSS issue to Vimeo - 0 upvotes, $100
- ftp upload of video allows naming that is not sanitized as the manual naming to Vimeo - 0 upvotes, $100
- Vimeo.com - reflected xss vulnerability to Vimeo - 0 upvotes, $100
- player.vimeo.com - Reflected XSS Vulnerability to Vimeo - 0 upvotes, $100
- Vimeo.com - Reflected XSS Vulnerability to Vimeo - 0 upvotes, $100
- Legacy API exposes private video titles to Vimeo - 0 upvotes, $100
- invalid open authentication with facebook to Vimeo - 0 upvotes, $0
- Misconfigured crossdomain.xml - vimeo.com to Vimeo - 0 upvotes, $0
- profile photo update bypass to Vimeo - 0 upvotes, $0
- Bypassing Email verification to Vimeo - 0 upvotes, $0
- May cause account take over (Via invitation page) to Vimeo - 0 upvotes, $0
- Open Redirection Security Filter bypassed to Vimeo - 0 upvotes, $0