Web vulnerabilities

The following is a list of some security vulnerabilities I’ve found on various websites. Some of them contain links to more detailed write-ups.
You can also find this list on my personal website.

Website Problems Reward Accepted Fixed References
Google (googleplex.com)
XSS $ Yes Yes
Google (google.org)
XSS (stored) $ Yes Yes
Google (google.org)
XSS (DOM) $ Yes Yes Blog
Google (google.org) User data information disclosure $ Yes Yes
Google (googleusercontent.com) Image data leak $ Yes No
Google (admin.googleusercontent.com) Image leak None Yes No
Google (storage.googleapis.com) Image leak / auth bypass $ Yes Yes
Google (google.com) 401 phishing attack vuln None No No
Google (earth.google.com/studio) IDOR, Auth Bypass, Null Byte Filename Injection None Yes Yes Blog
Google (earth.google.com) XSS None Yes No
Google (console.firebase.google.com) Auth Bypass $ Yes Yes Blog
Google Code-in (codein.withgoogle.com) XSS $ Yes Yes Blog
Google Code Jam (codejam.withgoogle.com) XSS $ Yes Yes Blog
Google (android.com)
Rate limit vuln None Yes No
Google (g.co) Unrestricted API endpoint $ Yes No
Google (CloudConnectCommunity.com) XSS (reflected, stored), Auth bypass None Yes Yes
Google (WebComponents.org) XSS $ Yes Yes Blog
Google (business.google.com) Open redirect OBB, YouTube Video
Google Maps API (google.com) Unrestricted Google’s API key allowing quota theft None No No
Google Drive (drive.google.com) Google Drive Auth Bypass None No No
Microsoft (earth.minecraft.net) Reflected POST XSS in earth.minecraft.net, not-httponly cookie None Yes Yes
heureka.cz XSS (reflected, stored), CSRF, API authorization vulnerability T-Shirt, HQ visit, $ Yes Yes Article Czech
leoexpress.com XSS (reflected), API authorization vulnerability None Yes Yes OBB, Blog
mcdonalds.com XSS (reflected) None No OBB, Blog
uloz.to XSS (stored) T-Shirts
Yes Yes
mall.cz XSS (stored) None Yes Yes OBB, YouTube Video
southwest.com XSS (reflected) None No
vodafone.cz XSS (reflected) None Yes OBB
stahuj.cz XSS (reflected) None No OBB
aukro.cz XSS (stored), unrestricted system directories None Yes
mapy.cz XSS (DOM) None Yes No
zbozi.cz XSS (Stored) No
seznam.cz IDOR API endpoint No
karaoketexty.cz XSS (reflected) None No No
databazeknih.cz XSS (reflected) None Yes Yes
hyperinzerce.cz XSS (reflected, stored) None No OBB
blibli.com XSS (reflected) None No OBB
domcop.com XSS (stored) None Yes
maxon-campus.net SQLi None Yes Blog
ceskatelevize.cz XSS (reflected) None Yes OBB
yougapi.com XSS (reflected) None No OBB
mobilmania.cz XSS (reflected) None No OBB
erec.com.hr XSS (reflected) None No OBB
mujsoubor.cz XSS None No OBB
top-prace.sk XSS, Path Traversal, CSFR, File listing $ Yes Yes
hotely.cz XSS (reflected) None No OBB
loupak.fun XSS (reflected, stored) None Yes Yes OBB
topreality.sk XSS (reflected) None No OBB
ceskereality.cz XSS (reflected) None No OBB
centrum.cz XSS (reflected) None No OBB
landi.cz XSS (reflected) None No OBB

Open Bug Bounty, Google Vulnerability Reward Program