Bosch PSIRT
Websites Hall of Fame

Acknowledgment of those who have helped us to secure Bosch Websites.

Hall of Fame Bosch Websites

2018

Aamir Usman Khan

Server Misconfiguration

Tijo Davis (Tijo Davis)

Clickjacking

Alberto Perez Agudo

SQL Injection

Niraj Gautam (Niraj Gautam)

Information Exposure

Pyae Phyoe Thu (Pyae Phyoe Thu)

Reflected XSS

Hein Thant Zin (Hein Thant Zin)

Stored XSS

दानिश इनामदार (दानिश इनामदार)

Clickjacking

Aman Bhardwaj (Aman Bhardwaj)

Error Message Information Disclosure

Dan Niño I. Fabro (Dan Niño I. Fabro)

CSRF

Stored XSS

2 x Clickjacking

Mohammed Azharuddin (Mohammed Azharuddin)

Text Injection

Prathamesh Joshi (Prathamesh Joshi)

Information Disclosure Vulnerability

Artur Kiefel (Artur Kiefel)

XSS in Cookie

Murtada Kamil (Murtada Kamil)

Information Exposure

Salman Sajid Khan (Salman Sajid Khan)

Information Exposure

Clickjacking

Nikhil Sahoo (Nikhil Sahoo)

4 x Clickjacking

Chinthala Srinivas (Chinthala Srinivas)

Host Header Attack

Information Exposure

Rajatkumar Karmarkar (Rajatkumar Karmarkar)

Content Injection

Ashish Gautam Kamble

Reflected XSS

Abhishek Misal (Abhishek Misal)

Host Header Attack

Clickjacking

Subodh Kumar

HSTS

Youssef A. Mohamed

DoS

Prayas Roshan Biswal (Prayas Roshan Biswal)

Information Exposure Through Error Message

Shiram Datar (Shiram Datar)

Information Exposure

Abhishek Tiwari (Abhishek Tiwari)

2 x Clickjacking

Raghav Rao

Information Exposure

Dzianis Skliar (Dzianis Skliar)

3 x Information Exposure

Information Exposure Through Error Message

Shubham Deshpande (Shubham Deshpande)

Reflected XSS

Dipen Patel (Dipen Patel)

Stored XSS

Ashish Chhatani

Clickjacking

Kunal Bahl (@Kunal Bahl)

HTML Injection

Arjun Singh (@Arjun Singh)

Reflected XSS

B.Dhiyaneshwaran (B.Dhiyaneshwaran)

Improper Control of Interaction Frequency

Chirag Gupta (Chirag Gupta)

Improper Access Control

Mohammed Al-Barbari

Information Disclosure vulnerability

Authentication Bypass

Murat Kaya

Reflected XSS

Abhishek Sidharthan (Abhishek Sidharthan)

Server Misconfiguration

Pranshu Tiwari (Pranshu Tiwari)

Server Misconfiguration

Adesh Nandkishor Kolte (@AdeshKolte)

XSS via SSRF

Mohd Arif (Mohd Arif)

Persistent XSS

Mayank BIT Mesra (Mayank BIT Mesra)

Missing Authentication for Critical Function

2 x Error Message Information Disclosure

Mukesh Kumar (Mukesh Kumar)

Host based Web Cache Poisoning

Azam (Azam)

Reflected XSS

Samet Sahin

Reflected XSS

Orkhan Yolchuyev (Orkhan Yolchuyev)

Unrestricted Upload of File with Dangerous Type

Improper Input Validation

Sean Melia (@seanmeals)

Code Execution

Information Exposure

Mehmet Tuncer (Mehmet Tuncer)

Information Exposure

Path Traversal

File Inclusion

Saransh Rana (Saransh Rana)

Information Exposure

Samuel Eng (Samuel Eng)

Information Exposure

Berk Imran (@berk_imran)

Reflected XSS

Bill Ben Haim (Bill Ben Haim)

Information Exposure

Unrestricted Upload of File with Dangerous Type

Sahil Mehra (Sahil Mehra)

Host Header Attack

Islam Uddin (Islam Uddin)

2 x Information Exposure

Arne Ramos (Arne Ramos)

6 x Clickjacking

Agametov Rustam (@AgametovRustam)

Server-Side Request Forgery and XSS

Arcot Krishna Manjunath (Arcot Manju)

Cleartext Transmission of Sensitive Information

Cross Origin Resource Sharing

Shivankar Madaan (@shivankarmadaan)

Cleartext Transmission of Sensitive Information

Wai Yan Aung (@waiyanaun9)

4 x Reflected XSS

Kirtikumar Anandrao Ramchandani (Kirtikumar Anandrao Ramchandani)

HSTS

DoS

Rony Gigi (Rony Gigi)

CSRF

Wen Bin KONG (Wen Bin KONG)

Reflected XSS

Sanyam Chawla (Sanyam Chawla, bugcrowd.com/infosecsanyam)

Reflected XSS

Shubham Maheshwari (Shubham Maheshwari)

Reflected XSS

Miguel Santareno (Miguel Santareno)

Reflected XSS

Mindset Software Technologies (MISTS)

Improper Access Control

qwacsawd (hackerone.com/qwacsawd)

Reflected XSS

Error Message Information Disclosure

Niklas Tanskanen (Niklas Tanskanen)

Use of Insufficiently Random Values

Sam Eizad (Sam Eizad)

Header Injection

Athul Jayaram

Content Injection

Sreedeep.Ck Alavil (Sreedeep.Ck)

Improper Input Validation (CVE-2017-9065)

Sarath Kumar (kadavul)

Reflected XSS

Peled Eldan (Peled Eldan)

5 x Reflected XSS

Yash Mehta (Yasf Mehta)

Reflected XSS

Mitesh Patil (Mitesh Patil)

Reflected XSS

Dawood Ansar (Dawood Ansar)

Reflected XSS

Shanmukh D (Shanmukh D)

Reflected XSS

Thrivikram Gujarathi

Reflected XSS

Vikash Chaudhary

Reflected XSS

Ari Apridana (Ari Apridana)

Reflected XSS

Yusuf Furkan (Yusuf Furkan)

HSTS

James Herrick (@mushicious)

Reflected XSS

Blake Rand

2 x Clickjacking

Remesh Ramachandran

Improper Input Validation (CVE-2017-9065)

Anant Mudgal (@anantmudgal)

Use of Hard-coded Credentials

Missing Custom Error Page

Information Disclosure

Chris Green (@chris_t_green)

SQL Injection

Ashish Kunwar (@D0rkerDevil)

Clickjacking

Ipsita Subhadarshan Sahoo

4 x Clickjacking

Steven Hampton (@Steven)

2 x Clickjacking

Ismail Tasdelen (Ismail Tasdelen)

Overly Permissive Cross-domain Whitelist

4 x Clickjacking

Sensitive Cookie Without ‘HttpOnly’ Flag

Rate Limit Bypass

Information Exposure Through an Error Message

7 x Improper Control of Interaction Frequency

6 x Cleartext Transmission of Sensitive Information

7 x Information Exposure

Nainsi Gupta (Nainsi Gupta)

Open Directory Listing

Suru Santhosh (Suru Santhosh)

Reflected XSS

Clickjacking

Mehmet Kelepçe (Mehmet Kelepçe)

Reflected XSS

2017

Himanshu Rahi (Himanshu Rahi)

Stored XSS

Ravela Pramod Kumar (@PramodRavela)

3 x Improper Restriction of Excessive Authentication Attempts

Mohammed Azeem k

3 x Clickjacking

Akshay Bhardwaj (GreyArt) (Akshay Bhardwaj)

2 x Clickjacking

José Manuel Aparicio González (@jm_aparicio), Juan Francisco Acevedo Carles (@Odbk_sec)

3 x Reflected XSS

SQL Injection

Ahmet Mersin

HTML Injection

Suyog Palav (Suyog Palav)

HTML Injection

3 x Clickjacking

Faiz Ahmed Zaidi (Faiz Ahmed Zaidi)

2 x Clickjacking

Macall Salugsugan

Stored XSS

HTML Injection

Rate Limit Bypass

4 x Clickjacking

Kamran Saifullah

Vasim Shaikh (vasim-shaikh)

Md Sameull Soykot (@s0yk0t)

Clickjacking

Nathan Lee Grant (@nathanleegrant)

2 x Reflected XSS

Stored XSS

HTML Injection

Pankaj Rane (@Panckaz_Rane)

Aayush Babbar

Clickjacking

Tansel ÇETİN (@tansbey)

Reflected XSS

Lars Peeters

3 x Reflected XSS

Jose Carlos Exposito Bueno

3 x Reflected XSS

Secuninja (@secuninja)

6 x Reflected XSS

Matthew Mawby (@updat3d, Matthew Mawby)

Subdomain Takeover

GAİS (Güvenlik Açığı İstihbarat Servisi)

Reflected XSS

Shuvamoy Roy (shuvamoy.roy.3)

Eliran Itzhak (eliran-itzhak)

4 x Reflected XSS

Florian Kunushevci (florianx00)

Reflected XSS

Shwetabh Suman (@SHWETABHSUMAN11)

HTML Injection

Hagay Sason (grseecon.com)

3 x Reflected XSS

Stored XSS

Umesh Jore

Clickjacking

Max Derrick

Reflected XSS

Bharath Kumar (BharathKumarMV)

Improper Input Validation (CVE-2017-5638)

Mario Sahertian (mario-sahertian)

Error Message Information Disclosure

Yasin Soliman (@SecurityYasin)

Reflected XSS

Information Disclosure

Muhammad Mudassar Yamin (mudassaryamin)

Cross Site Tracing

Windows Short File Name

M.L (@SonnySpooks)

2 x Error Message Information Disclosure

4 x Reflected XSS

Suhas Sunil Gaikwad (SuhasGaikwad, @iamSuhasGaikwad)

Reflected XSS

Sam Sanoop (@snoopysecurity)

5 x Reflected XSS

Amine Hm

SQL Injection

Kenan Genç

Reflected XSS

Ketankumar B. Godhani (@KBGodhani)

Clickjacking

Ed (@EdOverflow)

Reverse Tabnabbing

3 x Reflected XSS

2 x Insufficient Session Management

Open Redirect

CSRF

DoS

Pedro Cardoso (@tvmpt)

Reflected XSS

Vipin Chaudhary (vipin-chaudhary, @vipinxsec)

Resource Injection

2 x Reflected XSS

Michał Praszmo (@nazywam)

Open Redirect

Waseem Ullah Siddiqui

Open Redirect

Reflected XSS

Sadik Shaikh

Clickjacking

Mateusz Szymaniec (@RevToJa)

Reflected XSS

2016

Nassim Bouali

2 x Reflected XSS

SQL Injection

Serge Lacroute (@fakessh)

3 x Reflected XSS

2 x External Service Interaction

Open Redirect

Sandeep Singh Jadon

User Enumeration

Илья Селезнёв

2 x Path Traversal

2 x Remote File Inclusion

Kenan GÜMÜŞ

XSS across many sites

João Pina (@tomahock)

2 x Reflected XSS

2 x Stored XSS

File Enumeration

Elarbi Dafrouillah

2 x Path Traversal

Bosch PSIRT Hall of Fame Policy

Researchers who report vulnerabilities in Bosch products and websites can, after proper validation of their findings, choose to appear in the Bosch PSIRT Hall of Fame.

Researchers can request to be removed from the Hall of Fame at any time. For this, they should send an email to PSIRT@bosch.com with the subject “Request of removal from HoF.”

Information that can be displayed in the Hall of Fame:

  • Complete name
  • Alias or nickname
  • Link to personal social media page (e.g. Twitter, Facebook)
  • Link to personal professional social media page (e.g. LinkedIn, Xing)
  • Link to business social media page (e.g. Facebook, Twitter, LinkedIn, Xing)
  • Link to hacker community sites (e.g. Bugcrowd)

Information that cannot be displayed in the Hall of Fame:

  • Links to personal websites
  • Links to company websites
  • Links to any site with unknown terms and conditions or content moderation

Contact

Bosch PSIRT

E-mail

Bosch PSIRT public keys

Search our S/MIME key here
Fingerprint: 87:F1:6F:70:60:D2:94:83:82:AC:69:F5:46:86:7C:80:7F:86:1D:F0

Find our PGP Key here
Fingerprint: ED:47:BD:35:F9:C8:5A:52:3F:08:A7:B8:55:60:42:DB:20:A6:AB:46