Acknowledgment of those who have helped us to secure Bosch Websites.
Hall of Fame Bosch Websites
2021
Patrick Lang (Patrick Lang)
Oussama Kasmi (Oussama Kasmi)
N7 (@n7_sec)
Ismail Tasdelen (Ismail Tasdelen)
Cankat Çakmak (Twitter Profile)
Subodh Kumar (SUBODH)
Kanhaiya_sh (Kanhaiya_sh Kanhaiya Sharma)
Cache-Control for a Sensitive Page
Unprotected Transport of Credentials
Thilo Mohri (Thilo Mohri)
Abhiraj Krishnan (@KrishnanAbhiraj, LinkedIn Profile)
Mohammed Fadhl Al-Barbari (@m4dm0e)
shubhack319 (@shubhack319)
abdilahrf @ Vantage Point Indonesia (@abdilahrf)
Aditra Andri Laksana (Wayc0de)
Shahid Ahme (Shahid Ahme)
crazy_as_hell (crazy_as_hell)
Unprotected Transport of Credentials
Junting Zhu (@testert1ng)
Atul Sanjay Hadgal (Atul Hadgal)
courte66 e4366eolywrgpidfbio (@Twitter_e4366eolywrgpidfbio)
2020
Gokul Raju
MustafaSky
Thilo Mohri (Thilo Mohri)
Patrick Lang (Patrick Lang)
14x Sensitive Information Exposure
Vikas Srivastava, INDIA (@007vikaxh)
Sensitive Information Exposure
Tolgahan Demirayak (Tolgahan Demirayak)
Sensitive Information Exposure
Pam_sec
2x Sensitive Information Exposure
Mohammed Fadhl Al-Barbari (@m4dm0e)
Sensitive Information Exposure
courte66 e4366eolywrgpidfbio (@Twitter_e4366eolywrgpidfbio)
3x Sensitive Information Exposure
Aravind Valugonda (@iaravindv)
Abhiraj Krishnan (@KrishnanAbhiraj, LinkedIn Profile)
2x Sensitive Information Exposure
Tushar Balu Shinde (Tushar Shinde)
Clear Text Password Submission
Junting Zhu (@testert1ng)
Insecure Direct Object References (IDOR)
Akash H.C (Akash H.C)
Sensitive Information Exposure
Hamid Rezaei @ ZharfPouyan Toos (Xer0Days)
Observable Response Discrepancy
2x Insecure Direct Object Reference
Sensitive Information Exposure
Ismail Tasdelen (Ismail Tasdelen)
Unauthorized Access to Services (API/ Endpoints)
Sensitive Information Exposure
Husain Murabbi (@husain-murabbi-cyberhumans) Mansoor Rangwala (@mansoor-rangwala-cyberhumans)
Srikar V (@exp1o1t9r)
Sensitive Information Exposure
MelarDev (@melardev)
Lu William Hanugra @ Vantage Point Indonesia (hanugra)
Diwakar Kumar (Diwakar Kumar)
Steve Nyan Lin (Steve Nyan Lin)
Mariano Carrasco (@8marianoD)
Robbie Wiggins (@Random_Robbie)
Yunus YILDIRIM (@Th3Gundy)
delta0ne @ Vantage Point Singapore (delta0ne)
Priyanshu Parihar (Priyanshu (priyanshuxo) @priyanshu_xo )
pop404 Vantage Point Singapore (pop404)
Sensitive Information Exposure
Kirtikumar Anandrao Ramchandani (Kirtikumar Anandrao Ramchandani)
Uncontrolled Resource Consumption
abdilahrf @ Vantage Point Indonesia (@abdilahrf)
2x Sensitive Information Exposure
ashlyn @ Vantage Point Singapore (Ashlyn Lau)
Sensitive Information Exposure
Geethu Sivakumar, PaceHitech (Geethu Sivakumar, Geethu Sivakumar)
Muhammad Talha - Hamza Asif - Sarim Jamil - Syed Maaz Anwer
Jeffrey Hoekema (Jeffrey Hoekema)
Wasim Shaikh (@Wa_sim_sim)
Sensitive Information Exposure
Aishwarya Sanjay Kendle (Aishwarya Kendle)
Patrick Davidson Tremblay (Patrick Davidson Tremblay)
Cleartext Transmission of sensitive information
Chi Tran (Chi Tran)
Nathan Lee Grant (nathanleegrant)
Anh_thanh_nien - Security Researcher at VNPT ISC
Aditya Shende (@ADITYASHENDE17)
Sensitive Information Exposure
Hoang Quoc Thinh (@g4mm4 of CyberJutsu.IO)
Sourajeet Majumder (@sourajeet__)
Rahul M (Rahul M)
Aziz Hakim (@4z1zu)
Vishnuraj K V (Vishnuraj KV)
Pankaj Kumar Thakur ( @Nep_1337_1998)
Severus (Severus)
Sensitive Information Exposure
Sadir Mehdi (@mehdi_sadir)
Nitish Shah (@IamNitishShah)
Unauthorized Access to Services (API/ Endpoints)
Alex Chepovetsky (Alex Chepovetsky)
Sourav Newatia (Sourav Newatia)
Broken Authentication and Session Management
Shoeb Patel (@0xCaptainFreak)
Shubham Maheshwari (Shubham Maheshwari)
2019
Belal Rashed Othman (@bl4ckpanth_er)
Vishal Kumar Vachheta (Vishal Vachheta)
Jarosław Węgrzynowicz
Wai Yan Aung (@waiyanaun9)
Md. Asif Hossain (Asif Farabi)
Eusebiu Blindu (@testalways)
Rayen Messaoudi (Rayen Messaoudi)
Dominique van Dorsselaer
Suhail Jahagirdar (Suhail Jahagirdar)
Cleartext Transmission of sensitive information
Shashank Chaurasia (Shashank Chaurasia)
Ezio Paglia (Ezio Paglia)
Bryan Smith (@d4rkm0de)
Dan Fabro
Armin (@cyberanteater)
Syed Abuthahir (Syed Abuthahir)
Patrick Davidson Tremblay (Patrick Davidson Tremblay)
Cleartext Transmission of sensitive information
Abhijeet Jain (@seecure963)
Damian Schwyrz (@damian_89_)
Tushar Shinde (Tushar Shinde)
SerHack (@serhack_)
Alper Tecimer (Alper Tecimer)
Nikhil Kumar (Nikhil Kumar)
Numan OZDEMIR (Numan OZDEMIR)
Sreekanth Reddy (Sreekanth Reddy)
SI9NT
2018
Aamir Usman Khan
Tijo Davis (Tijo Davis)
Alberto Perez Agudo
Niraj Gautam (Niraj Gautam)
Pyae Phyoe Thu (Pyae Phyoe Thu)
Hein Thant Zin (Hein Thant Zin)
दानिश इनामदार (दानिश इनामदार)
Aman Bhardwaj (Aman Bhardwaj)
Error Message Information Disclosure
Dan Niño I. Fabro
2 X Clickjacking
Mohammed Azharuddin (Mohammed Azharuddin)
Prathamesh Joshi (Prathamesh Joshi)
Information Disclosure Vulnerability
Artur Kiefel (Artur Kiefel)
Murtada Kamil (Murtada Kamil)
Salman Sajid Khan (Salman Sajid Khan)
Nikhil Sahoo (Nikhil Sahoo)
4 x Clickjacking
Chinthala Srinivas (Chinthala Srinivas)
Rajatkumar Karmarkar (Rajatkumar Karmarkar)
Ashish Gautam Kamble
Abhishek Misal (Abhishek Misal)
Subodh Kumar
Youssef A. Mohamed
Prayas Roshan Biswal (Prayas Roshan Biswal)
Information Exposure Through Error Message
Shiram Datar (Shiram Datar)
Abhishek Tiwari (Abhishek Tiwari)
2 x Clickjacking
Raghav Rao
Dzianis Skliar (Dzianis Skliar)
Information Exposure Through Error Message
Shubham Deshpande (Shubham Deshpande)
Dipen Patel (Dipen Patel)
Ashish Chhatani
Kunal Bahl (@Kunal Bahl)
Arjun Singh
B.Dhiyaneshwaran (B.Dhiyaneshwaran)
Improper Control of Interaction Frequency
Chirag Gupta (Chirag Gupta)
Mohammed Al-Barbari
Information Disclosure vulnerability
Murat Kaya
Abhishek Sidharthan (Abhishek Sidharthan)
Pranshu Tiwari (Pranshu Tiwari)
Adesh Nandkishor Kolte (@AdeshKolte)
Mohd Arif (Mohd Arif)
Mayank BIT Mesra (Mayank BIT Mesra)
Missing Authentication for Critical Function
2 x Error Message Information Disclosure
Mukesh Kumar (Mukesh Kumar)
Host based Web Cache Poisoning
Azam (Azam)
Samet Sahin
Orkhan Yolchuyev (Orkhan Yolchuyev)
Unrestricted Upload of File with Dangerous Type
Sean Melia (@seanmeals)
Mehmet Tuncer (Mehmet Tuncer)
Saransh Rana (Saransh Rana)
Samuel Eng (Samuel Eng)
Berk Imran (@berk_imran)
Bill Ben Haim (Bill Ben Haim)
Unrestricted Upload of File with Dangerous Type
Sahil Mehra (Sahil Mehra)
Islam Uddin (Islam Uddin)
Arne Ramos (Arne Ramos)
6 x Clickjacking
Agametov Rustam (@AgametovRustam)
Server-Side Request Forgery and XSS
Arcot Krishna Manjunath (Arcot Manju)
Cleartext Transmission of Sensitive Information
Shivankar Madaan (@shivankarmadaan)
Cleartext Transmission of Sensitive Information
Wai Yan Aung (@waiyanaun9)
4 x Reflected XSS
Kirtikumar Anandrao Ramchandani (Kirtikumar Anandrao Ramchandani)
Rony Gigi (Rony Gigi)
Wen Bin KONG (Wen Bin KONG)
Sanyam Chawla (Sanyam Chawla, bugcrowd.com/infosecsanyam)
Shubham Maheshwari (Shubham Maheshwari)
Miguel Santareno (Miguel Santareno)
Mindset Software Technologies (MISTS)
qwacsawd (hackerone.com/qwacsawd)
Error Message Information Disclosure
Niklas Tanskanen (Niklas Tanskanen)
Use of Insufficiently Random Values
Sam Eizad (Sam Eizad)
Athul Jayaram
Sreedeep.Ck Alavil (Sreedeep.Ck)
Improper Input Validation (CVE-2017-9065)
Sarath Kumar (kadavul)
Peled Eldan (Peled Eldan)
5 x Reflected XSS
Yash Mehta (Yasf Mehta)
Mitesh Patil (Mitesh Patil)
Dawood Ansar (Dawood Ansar)
Shanmukh D (Shanmukh D)
Thrivikram Gujarathi
Vikash Chaudhary
Ari Apridana (Ari Apridana)
Yusuf Furkan (Yusuf Furkan)
James Herrick (@mushicious)
Blake Rand
2 x Clickjacking
Remesh Ramachandran
Improper Input Validation (CVE-2017-9065)
Anant Mudgal (@anantmudgal)
Chris Green (@chris_t_green)
Ashish Kunwar (@D0rkerDevil)
Ipsita Subhadarshan Sahoo
4 x Clickjacking
Steven Hampton (@Steven)
2 x Clickjacking
Ismail Tasdelen (Ismail Tasdelen)
Overly Permissive Cross-domain Whitelist
4 x Clickjacking
Sensitive Cookie Without ‘HttpOnly’ Flag
Information Exposure Through an Error Message
7 x Improper Control of Interaction Frequency
6 x Cleartext Transmission of Sensitive Information
Nainsi Gupta (Nainsi Gupta)
Suru Santhosh (Suru Santhosh)
Mehmet Kelepçe (Mehmet Kelepçe)
2017
Himanshu Rahi (Himanshu Rahi)
Ravela Pramod Kumar (@PramodRavela)
3 x Improper Restriction of Excessive Authentication Attempts
Mohammed Azeem k
3 x Clickjacking
Akshay Bhardwaj (GreyArt) (Akshay Bhardwaj)
2 x Clickjacking
José Manuel Aparicio González (@jm_aparicio) Juan Francisco Acevedo Carles (@Odbk_sec)
3 x Reflected XSS
Ahmet Mersin
Suyog Palav (Suyog Palav)
3 x Clickjacking
Faiz Ahmed Zaidi (Faiz Ahmed Zaidi)
2 x Clickjacking
Kamran Saifullah
Vasim Shaikh (vasim-shaikh)
Md Sameull Soykot (@s0yk0t)
Nathan Lee Grant (@nathanleegrant)
2 x Reflected XSS
Pankaj Rane (@Panckaz_Rane)
Aayush Babbar
Tansel ÇETİN (@tansbey)
Lars Peeters
3 x Reflected XSS
Jose Carlos Exposito Bueno
3 x Reflected XSS
Secuninja (@secuninja)
6 x Reflected XSS
Matthew Mawby (@updat3d, Matthew Mawby)
GAİS (Güvenlik Açığı İstihbarat Servisi)
Shuvamoy Roy (shuvamoy.roy.3)
Eliran Itzhak (eliran-itzhak)
4 x Reflected XSS
Florian Kunushevci (florianx00)
Shwetabh Suman (@SHWETABHSUMAN11)
Hagay Sason (grseecon.com)
3 x Reflected XSS
Umesh Jore
Max Derrick
Bharath Kumar (BharathKumarMV)
Improper Input Validation (CVE-2017-5638)
Mario Sahertian (mario-sahertian)
Error Message Information Disclosure
Yasin Soliman (@SecurityYasin)
Muhammad Mudassar Yamin (mudassaryamin)
M.L (@SonnySpooks)
2 x Error Message Information Disclosure
4 x Reflected XSS
Suhas Sunil Gaikwad (SuhasGaikwad, @iamSuhasGaikwad)
Sam Sanoop (@snoopysecurity)
5 x Reflected XSS
Amine Hm
Kenan Genç
Ketankumar B. Godhani (@KBGodhani)
Ed (@EdOverflow)
3 x Reflected XSS
2 x Insufficient Session Management
Pedro Cardoso (@tvmpt)
Vipin Chaudhary(vipin-chaudhary, @vipinxsec)
2 x Reflected XSS
Michał Praszmo (@nazywam)
Waseem Ullah Siddiqui
Sadik Shaikh
Mateusz Szymaniec (@RevToJa)
2016
Nassim Bouali
2 x Reflected XSS
Serge Lacroute
3 x Reflected XSS
2 x External service interaction
Sandeep Singh Jadon
Илья Селезнёв
2 x Path Traversal
Kenan GÜMÜŞ
XSS across many sites
João Pina (@tomahock)
2 x Reflected XSS
2 x Stored XSS
Elarbi Dafrouillah
2 x Path Traversal
Bosch PSIRT Hall of Fame Policy
Researchers who report vulnerabilities in Bosch products and websites, after proper validation of their finding, can choose to appear in the Bosch PSIRT Hall of Fame.
Information that can be displayed in the Hall of Fame:
- Complete name
- Alias or nickname
- Link to personal social media page (e.g. Twitter, Facebook)
- Link to personal professional social media page (e.g. LinkedIn, Xing)
- Link to business social media page (e.g. Facebook, Twitter, LinkedIn, Xing)
- Link to hacker’s communities sites (e.g. Bugcrowd)
Information that cannot be displayed in the Hall of Fame:
- Links to personal websites
- Links to company’s website
- Links to any site with unknown terms and conditions or content moderation
- E-mail addresses
- Messaging services (e.g. Whatsapp, Telegram)
Please note that researchers can request to be removed from the Hall of Fame at any time. For this, they should send an email to PSIRT@bosch.com with the subject “Request of removal from HoF.”
Bosch PSIRT
Bosch PSIRT public keys
Search our S/MIME key here
Fingerprint: 87:F1:6F:70:60:D2:94:83:82:AC:69:F5:46:86:7C:80:7F:86:1D:F0
Find our PGP Key here
Fingerprint: C472 B7F2 92E1 59FA 18B6 7725 0379 8EFD B0BB 0EB1