Name *
Phone number
Email *
Personal page: HackerOne / Twitter / Bugcrowd / Intigriti ... This information is used to credit you and to invite you to VSEC's private bug bounty programs.
Type of incident
Choose an incident:
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
Unprotected Transport of Credentials (CWE-523)
Use of Hard-coded Cryptographic Key (CWE-321)
Key Exchange without Entity Authentication (CWE-322)
Buffer Under-read (CWE-127)
Code Injection (CWE-94)
UI Redressing (Clickjacking) (CAPEC-103)
Use of Hard-coded Password (CWE-259)
Unchecked Error Condition (CWE-391)
Embedded Malicious Code (CWE-506)
Man-in-the-Middle (CWE-300)
Path Traversal: '.../...//' (CWE-35)
Improper Handling of URL Encoding (Hex Encoding) (CWE-177)
Phishing (CAPEC-98)
Buffer Underflow (CWE-124)
Use of Inherently Dangerous Function (CWE-242)
Incorrect Calculation of Buffer Size (CWE-131)
Integer Underflow (CWE-191)
Use After Free (CWE-416)
XML Entity Expansion (CWE-776)
Missing Required Cryptographic Step (CWE-325)
HTTP Request Smuggling (CWE-444)
Memory Corruption - Generic (CWE-119)
Replicating Malicious Code (Virus or Worm) (CWE-509)
Classic Buffer Overflow (CWE-120)
Download of Code Without Integrity Check (CWE-494)
Reliance on Reverse DNS Resolution for a Security-Critical Action (CWE-350)
CRLF Injection (CWE-93)
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CWE-80)
Cross-site Scripting (XSS) - Generic (CWE-79)
Remote File Inclusion (CWE-98)
Violation of Secure Design Principles (CWE-657)
XML External Entities (XXE) (CWE-611)
Reversible One-Way Hash (CWE-328)
Incorrect Permission Assignment for Critical Resource (CWE-732)
Malware (CAPEC-549)
Privacy Violation (CWE-359)
Insecure Direct Object Reference (IDOR) (CWE-639)
Exposed Dangerous Method or Function (CWE-749)
Heap Overflow (CWE-122)
Stack Overflow (CWE-121)
Weak Cryptography for Passwords (CWE-261)
Wrap-around Error (CWE-128)
Password in Configuration File (CWE-260)
Unverified Password Change (CWE-620)
Cryptographic Issues - Generic (CWE-310)
File and Directory Information Exposure (CWE-538)
Insecure Storage of Sensitive Information (CWE-922)
LDAP Injection (CWE-90)
Information Exposure Through an Error Message (CWE-209)
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) (CWE-75)
Improper Input Validation (CWE-20)
Improper Handling of Insufficient Permissions or Privileges (CWE-280)
Cross-site Scripting (XSS) - Stored (CWE-79)
Use of Insufficiently Random Values (CWE-330)
Cross-Site Request Forgery (CSRF) (CWE-352)
Storing Passwords in a Recoverable Format (CWE-257)
Externally Controlled Reference to a Resource in Another Sphere (CWE-610)
Reliance on Untrusted Inputs in a Security Decision (CWE-807)
Use of Hard-coded Credentials (CWE-798)
Allocation of Resources Without Limits or Throttling (CWE-770)
Improper Privilege Management (CWE-269)
Incomplete Blacklist (CWE-184)
Session Fixation (CWE-384)
Cross-site Scripting (XSS) - Reflected (CWE-79)
Use of a Key Past its Expiration Date (CWE-324)
Leftover Debug Code (Backdoor) (CWE-489)
External Control of Critical State Data (CWE-642)
Cleartext Transmission of Sensitive Information (CWE-319)
Business Logic Errors (CWE-840)
Out-of-bounds Read (CWE-125)
Type Confusion (CWE-843)
Use of Externally-Controlled Format String (CWE-134)
Incorrect Comparison (CWE-697)
Information Exposure Through Discrepancy (CWE-203)
Inclusion of Functionality from Untrusted Control Sphere (CWE-829)
Information Exposure Through Directory Listing (CWE-548)
Missing Authorization (CWE-862)
XSS Using MIME Type Mismatch (CAPEC-209)
Privilege Escalation (CAPEC-233)
Improper Neutralization of HTTP Headers for Scripting Syntax (CWE-644)
Improper Following of a Certificate's Chain of Trust (CWE-296)
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
Plaintext Storage of a Password (CWE-256)
Relative Path Traversal (CWE-23)
SQL Injection (CWE-89)
Resource Injection (CWE-99)
Improper Certificate Validation (CWE-295)
Improper Null Termination (CWE-170)
Improper Check or Handling of Exceptional Conditions (CWE-703)
Command Injection - Generic (CWE-77)
Weak Password Recovery Mechanism for Forgotten Password (CWE-640)
Inadequate Encryption Strength (CWE-326)
Deserialization of Untrusted Data (CWE-502)
Open Redirect (CWE-601)
Forced Browsing (CWE-425)
XML Injection (CWE-91)
HTTP Response Splitting (CWE-113)
Insufficient Session Expiration (CWE-613)
Uncontrolled Recursion (CWE-674)
Buffer Over-read (CWE-126)
Insecure Temporary File (CWE-377)
Off-by-one Error (CWE-193)
Use of a Broken or Risky Cryptographic Algorithm (CWE-327)
Incorrect Authorization (CWE-863)
Reliance on Cookies without Validation and Integrity Checking in a Security Decision (CWE-784)
Information Disclosure (CWE-200)
Server-Side Request Forgery (SSRF) (CWE-918)
Misconfiguration (CWE-16)
Integer Overflow (CWE-190)
Information Exposure Through Debug Information (CWE-215)
Cleartext Storage of Sensitive Information (CWE-312)
User Interface (UI) Misrepresentation of Critical Information (CWE-451)
Execution with Unnecessary Privileges (CWE-250)
Improper Neutralization of Escape, Meta, or Control Sequences (CWE-150)
Missing Encryption of Sensitive Data (CWE-311)
Write-what-where Condition (CWE-123)
Modification of Assumed-Immutable Data (MAID) (CWE-471)
Path Traversal (CWE-22)
Improper Export of Android Application Components (CWE-926)
Unrestricted Upload of File with Dangerous Type (CWE-434)
Untrusted Search Path (CWE-426)
Array Index Underflow (CWE-129)
Information Exposure Through Timing Discrepancy (CWE-208)
Cross-site Scripting (XSS) - DOM (CWE-79)
Improper Handling of Highly Compressed Data (Data Amplification) (CWE-409)
Insufficiently Protected Credentials (CWE-522)
NULL Pointer Dereference (CWE-476)
Information Exposure Through Sent Data (CWE-201)
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') (CWE-362)
Brute Force (CWE-307)
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CWE-338)
Improper Authentication - Generic (CWE-287)
Reusing a Nonce, Key Pair in Encryption (CWE-323)
Improper Access Control - Generic (CWE-284)
Missing Authentication for Critical Function (CWE-306)
Using Components with Known Vulnerabilities (CWE-1035)
Trust of System Event Data (CWE-360)
Client-Side Enforcement of Server-Side Security (CWE-602)
Double Free (CWE-415)
Improper Authorization (CWE-285)
Security Through Obscurity (CWE-656)
Denial of Service (CWE-400)
OS Command Injection (CWE-78)
Other
Severity
Choose a level: Notification / Low / Medium / High / Dangerous
The proof of concept is the most important part of your vulnerability report. A clear, concise presentation helps us confirm the problem as quickly as possible.
Title *
Briefly and clearly state the name of the vulnerability and the affected component. Example: Stored XSS on xxx.com/abc could lead to a user's account being stolen
Description *
Steps to find the vulnerability: details on how we can reproduce the issue.
Steps to reproduce the vulnerability: details on how to reproduce the vulnerability so that VSEC can confirm this report.
1. Step 1
2. Step 2
Information
Attachments / Evidence: You can upload images or documents to online storage such as Google Drive, OneDrive, Dropbox, file.io, ... and then share the link with us here.