- Arbitrary code/command execution on a server in our production network
- Arbitrary queries on a production database
- Bypassing our sign-in process, either password or 2FA
- Accessing sensitive production user data and internal production systems
- Payment-related vulnerabilities that could result in loss to our clients and the company
- Cross-site scripting (XSS) that bypasses content security policy (CSP)
- The ability to bypass verification, log in to clients’ accounts or devices, extract clients’ sensitive data, and perform actions without consent
- Gaining access to back-end code, internal session cookies, or other sensitive information
- Exploiting interactive logic issues that can cause loss to clients
- The ability to access a limited portion of clients’ sensitive information, our back-end code, or internal information on GitHub
- XSS that does not bypass CSP and does not execute unauthorised actions in another user’s session
- Cross-site and server-side request forgery (without access to our internal network)
- Subdomain takeover
- Triggering debug error pages without proof of exploitability or obtaining sensitive information
- Cross-site request forgery (non-critical)
- Vulnerabilities that depend on difficult scenarios or pre-conditions
- Exposed logs without sensitive information