Hall-of-Thanks-mb

Selected achievements - IT/Cyber security. ✨ I am glad I could help. 🎉 (only public or similar)

TOC - Table of contents

1. Hall of Fame
2. Hall of Thanks
3. Hall of Honors
4. Honorable Mentions
5. Hall of Thanks - H1 platform
6. Hall of Thanks - Huntr platform (Advisory Credited)
7. Hall of Fame - Bugcrowd platform
8. Hall of Fame - YWH platform
9. CVEs
10. Docker image disclosures
11. CWE™ (by MITRE): My Submissions and Contributions
12. ATT&CK™ (by MITRE): My Submissions and Contributions
13. OWASP: My Submissions and Contributions
14. Other achievements
15. Other - also improved security

Hall of Fame

• Visma https://www.visma.com/trust-centre/security/products-and-services/bug-bounty-and-responsible-disclosure/hall-of-fame/
• Mercedes-Benz https://www.mercedes-benz.com/en/whitehat/
• Robocorp https://robocorp.com/.well-known/security-hall-of-fame.html
• Hopin https://hopin.com/hopin-events/security/hall-of-fame
• Mozilla https://www.mozilla.org/en-US/security/bug-bounty/web-hall-of-fame/
• freeCodeCamp https://contribute.freecodecamp.org/#/security-hall-of-fame
• Sword Health https://swordhealth.com/security/hall-of-fame
• Paddle https://www.paddle.com/security/acknowledgments
• Wikimedia https://security.wikimedia.org/hall-of-fame/ (Mic1337bie)
• SuperOps https://superops.com/security/responsible-disclosure
• Michelin https://cert.michelin.com/halloffame
• NeuRA https://neura.edu.au/hall-of-fame.html
• FH Münster https://www.fh-muenster.de/de/informationssicherheit/fhms-cert/hall-of-fame
• U.S. Department of Health and Human Services https://hhs.responsibledisclosure.com/hc/en-us/articles/1500000280921-Acknowledgments
• World Health Organization https://www.who.int/about/cybersecurity/vulnerability-hall-of-fame/ethical-hacker-list
• Drexel University https://drexel.edu/it/security/services-processes/bug-bounty/ (+ CISO Letter of Appreciation)
• Substack https://substack.com/hall-of-fame
• Signify https://www.signify.com/global/product-security/coordinated-vulnerability-disclosure/hall-of-fame
• Bosch https://psirt.bosch.com/hall-of-fame/websites-hall-of-fame.html
• GEA https://www.gea.com/en/company/about-us/information-security/products/responsible-disclosure-of-security-issues/hall-of-fame/
• Bundesamt für Sicherheit in der Informationstechnik - BSI https://www.bsi.bund.de/DE/IT-Sicherheitsvorfall/IT-Schwachstellen/Hall_of_Fame/Hall_of_Fame_node.html (English: Federal Office for Information Security)
• Phenom https://www.phenom.com/hall_of_fame
• Carrefour https://www.carrefour.com/.well-known/hall-of-fame.txt (Michalk)
• StatusGator https://statusgator.com/blog/bug-bounty-hall-of-fame
• Anthology https://www.anthology.com/trust-center/security-hall-of-fame
• Process Street https://www.process.st/responsible-disclosure/
• Pescheck https://pescheck.io/responsible-disclosure-hall-of-fame/
• TrustSource https://www.trustsource.io/en/hof/
• Technische Universitat Braunschweig https://www.tu-braunschweig.de/en/ciso/cert/responsible-disclosure/hall-of-fame
• EC-Council https://www.eccouncil.org/bug-bounty/hall-of-fame/ (+ Certificate of Appreciation)

Hall of Thanks

• Zooniverse https://blog.zooniverse.org/2022/12/20/fixed-cross-site-scripting-vulnerability-on-hosted-media-domains/
• DEV.TO / Forem https://dev.to/page/security
• Checkpoint https://www.checkpoint.com/white-hat/
• Transifex https://www.transifex.com/legal/security/
• Penpot https://github.com/penpot/penpot/blob/develop/THANKYOU.md
• Formbricks https://github.com/formbricks/formbricks/releases/tag/v1.0.3
• Umbraco HQ https://umbraco.com/trust-center/security-and-umbraco/how-to-report-a-vulnerability-in-umbraco/list-of-security-contributors
• NVIDIA https://www.nvidia.com/en-us/security/acknowledgements/ (2025)
  • NVIDIA https://www.nvidia.com/en-us/security/acknowledgements/ (2024: Michalk)
• Australian Cricket https://www.cricket.com.au/vulnerability-disclosure-program/
• BASF https://www.basf.com/global/en/legal/responsible-disclosure-statement
• Honeywell https://www.honeywell.com/us/en/product-security#acknowledgments
• Berlin.de https://www.berlin.de/wir-ueber-uns/7470384-4219174-danksagungen.html
• CERN https://security.web.cern.ch/home/en/kudos.shtml
• Pretalx https://pretalx.com/p/news/releasing-pretalx-2025-1-0/
• Siemens https://www.siemens.com/global/en/products/services/cert/hall-of-thanks.html
• Miele https://www.miele.com/en/com/cybersecurity-5047.htm#p5052
• Movary https://github.com/leepeuker/movary/releases/tag/0.70.0
• Ericsson https://www.ericsson.com/en/about-us/security/vulnerability-reporting-form/acknowledgements

Hall of Honors

• Philips (2025 HOH) https://www.philips.com/a-w/security/coordinated-vulnerability-disclosure/hall-of-honors.html
  • Philips (2024 and prior HOH archive) https://www.philips.com/a-w/security/coordinated-vulnerability-disclosure/hall-of-honors.html#slide_#

Honorable Mentions

• Google https://bughunters.google.com/leaderboard/honorable-mentions

Hall of Thanks - H1 platform

• Brave
• Quora
• Weblate
• Cloudflare
• Liverpool Victoria
• Nextcloud
• Informatica
• Shopify
• Chainlink

... and that's not even all.

Hall of Thanks - Huntr platform (Advisory Credited)

• Aptabase
• Vrite
• Open edX Platform
• Gitea
• Gogs
• Appwrite

Hall of Fame - Bugcrowd platform

• Office of Personnel Management - Vulnerability Disclosure Program https://bugcrowd.com/opm-vdp/hall-of-fame
• Victoria's Secret - VDP Pro https://bugcrowd.com/victoriassecret-vdp/hall-of-fame
• National Aeronautics and Space Administration (NASA) - Vulnerability Disclosure Program - https://bugcrowd.com/nasa-vdp/hall-of-fame

Hall of Fame - YWH platform

• OVHcloud

CVEs

Vulnerability Research - the public known CVEs I found.

• GHSA-6c37-r62q-7xf4 - freeCodeCamp
• GHSA-mv6w-52pf-9qhf - Novu
• GHSA-gx3w-rwh5-w5cg - Tolgee
  • CVE-2023-41316
• GHSA-xpfv-454c-3fj4 - OpenReplay
  • CVE-2023-48226
• GHSA-8r6h-8r68-q3pp - Hoppscotch
  • CVE-2024-27092
• GHSA-g78w-95q9-v739 - OpenOLAT
• GHSA-r3jq-4r5c-j9hp - Taipy
  • CVE-2024-47833
• GHSA-w8vm-jx29-52fr - Novu
• GHSA-3xhv-r4gx-xw99 - Weblate
  • CVE-2025-61587
• GHSA-cf57-c578-7jvv - Anubis
  • CVE-2025-64716
• CVE-2025-61514 - CoCalc
• GHSA-x39m-3393-3qp4 - FlowiseAI
• GHSA-fjh6-8679-9pch - FlowiseAI
• GHSA-x7rp-qj2h-ghgw - FlowiseAI
• GHSA-76gj-pmvx-jcc6 - WBCE CMS
  • CVE-2025-67504
• GHSA-23rx-gprm-2hrh - WBCE CMS
• CVE-2025-67163
• CVE-2025-67164
• CVE-2025-67165
• CVE-2025-67168
• CVE-2025-67170
• CVE-2025-67171
• CVE-2025-67172
• CVE-2025-67173
• CVE-2025-67174
• CVE-2026-1468
• GHSA-v877-x568-4v5v - Movary
  • CVE-2026-23841
• GHSA-pj3m-gmq8-2r57 - Movary
  • CVE-2026-23840
• GHSA-v32w-5qx7-p3vq - Movary
  • CVE-2026-23839

Dedicated repo: here.

Docker image disclosures

Dedicated repo: here.

CWE™ (by MITRE): My Submissions and Contributions

• CWE 4.17
  • CWE-1428: Reliance on HTTP instead of HTTPS - https://cwe.mitre.org/data/definitions/1428.html
• CWE 4.18
  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') - https://cwe.mitre.org/data/definitions/601.html
• CWE 4.19
  • CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer - https://cwe.mitre.org/data/definitions/212.html
  • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor - https://cwe.mitre.org/data/definitions/359.html
  • CWE-1391: Use of Weak Credentials - https://cwe.mitre.org/data/definitions/1391.html
  • CWE-598: Use of GET Request Method With Sensitive Query Strings - https://cwe.mitre.org/data/definitions/598.html
    • Ultimately led to the addition of a new record to the CWE glossary - https://cwe.mitre.org/documents/glossary/index.html#Sensitive%20Information

ATT&CK™ (by MITRE): My Submissions and Contributions

• Contributors List: https://attack.mitre.org/resources/engage-with-attack/contribute/
• v18.0 Website: https://attack.mitre.org/versions/v18
  • Release Notes (credited): https://attack.mitre.org/resources/updates/updates-october-2025/#contributors-to-this-release
    • T1592.002 Gather Victim Host Information: Software https://attack.mitre.org/versions/v18/techniques/T1592/002/

OWASP: My Submissions and Contributions

• OWASP Community Pages (www-community)
  • Attacks:
    • Content Spoofing: https://owasp.org/www-community/attacks/Content_Spoofing
    • HTTP/2 Reset Attack: https://owasp.org/www-community/attacks/HTTP2_Reset_Attack
  • Vulnerabilities:
    • Information exposure through query strings in URL: https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url
• OWASP Cheat Sheet Series
• OWASP WSTG - v4.1 (www-project-web-security-testing-guide)
• OWASP www-project-juice-shop
• Recognized as a listed member of OWASP Nest

Other achievements

• Ranked #2 globally on Huntr.dev Leaderboard (prior to the platform's AI pivot; focused on Open Source projects – Aug 2023)
• Ranked Top 3 (including #1) on the HackerOne Poland Leaderboard (Apr & May 2025)
• Ranked Top 3 in Poland on the Google Bug Hunters Honorable Mentions Leaderboard (Apr 2025)
• Listed among the Top GitHub contributors in Poland (Oct 2025)
• Recognized among the Top 1% of TryHackMe users worldwide (2024 & 2025)

Other - also improved security

• CircleCI (security swag)
• Chess24
• ING
• Jamf
• Comarch
• Syncfusion
• Odoo
• Plausible
• Sololearn
• Samsung
• TinyMCE
• inlang com
• Issuu
• Amazon Web Services (AWS)
• Vivaldi
• SuperTokens
• meteor com
• Hasura
• CERT-EU
• Crunchbase
• Salesforce
• Erasmus University Rotterdam
• Chromium
• EnBW
• Intel
• Olark (security swag)
• Pulumi
• BMW
• NTHW Not The Hidden Wiki (Hall Of Fame List + Top 3 Contributors) https://github.com/notthehiddenwiki/NTHW/blob/nthw/HoF.md
• The University of Nebraska System
• SMSEagle
• Thales
• Bayer
• Holopin
• Microsoft
• Meta Security
• ASSA ABLOY
• Danfoss
• Wingify
• 2degrees
• PostHog (security swag)
• Atos
• Atlassian

and maaaaaaaaaaaaany more!

• Selected CTF Writeups (and similar): ctf-writeups