Hall of Fame Bosch Websites
2019
Vishal Kumar Vachheta (Vishal Vachheta)
Jarosław Węgrzynowicz
Wai Yan Aung (@waiyanaun9)
Md. Asif Hossain (Asif Farabi)
Eusebiu Blindu (@testalways)
Rayen Messaoudi (Rayen Messaoudi)
Dominique van Dorsselaer
Suhail Jahagirdar (Suhail Jahagirdar)
Cleartext Transmission of Sensitive Information
Shashank Chaurasia (Shashank Chaurasia)
Ezio Paglia (Ezio Paglia)
Bryan Smith (@d4rkm0de)
Dan Fabro (@0x61_)
Armin (@cyberanteater)
Syed Abuthahir (Syed Abuthahir)
Patrick Davidson Tremblay (Patrick Davidson Tremblay)
Cleartext Transmission of Sensitive Information
Abhijeet Jain (@seecure963)
Damian Schwyrz (@damian_89_)
Tushar Shinde (Tushar Shinde)
SerHack (@serhack_)
Alper Tecimer (Alper Tecimer)
Nikhil Kumar (Nikhil Kumar)
Numan OZDEMIR (Numan OZDEMIR)
Sreekanth Reddy (Sreekanth Reddy)
SI9NT
2018
Aamir Usman Khan
Tijo Davis (Tijo Davis)
Alberto Perez Agudo
Niraj Gautam (Niraj Gautam)
Pyae Phyoe Thu (Pyae Phyoe Thu)
Hein Thant Zin (Hein Thant Zin)
दानिश इनामदार (दानिश इनामदार)
Aman Bhardwaj (Aman Bhardwaj)
Error Message Information Disclosure
Dan Niño I. Fabro (Dan Niño I. Fabro)
2 x Clickjacking
Mohammed Azharuddin (Mohammed Azharuddin)
Prathamesh Joshi (Prathamesh Joshi)
Information Disclosure Vulnerability
Artur Kiefel (Artur Kiefel)
Murtada Kamil (Murtada Kamil)
Salman Sajid Khan (Salman Sajid Khan)
Nikhil Sahoo (Nikhil Sahoo)
4 x Clickjacking
Chinthala Srinivas (Chinthala Srinivas)
Rajatkumar Karmarkar (Rajatkumar Karmarkar)
Ashish Gautam Kamble
Abhishek Misal (Abhishek Misal)
Subodh Kumar
Youssef A. Mohamed
Prayas Roshan Biswal (Prayas Roshan Biswal)
Information Exposure Through Error Message
Shiram Datar (Shiram Datar)
Abhishek Tiwari (Abhishek Tiwari)
2 x Clickjacking
Raghav Rao
Dzianis Skliar (Dzianis Skliar)
Information Exposure Through Error Message
Shubham Deshpande (Shubham Deshpande)
Dipen Patel (Dipen Patel)
Ashish Chhatani
Kunal Bahl (@Kunal Bahl)
Arjun Singh (@Arjun Singh)
B.Dhiyaneshwaran (B.Dhiyaneshwaran)
Improper Control of Interaction Frequency
Chirag Gupta (Chirag Gupta)
Mohammed Al-Barbari
Information Disclosure Vulnerability
Murat Kaya
Abhishek Sidharthan (Abhishek Sidharthan)
Pranshu Tiwari (Pranshu Tiwari)
Adesh Nandkishor Kolte (@AdeshKolte)
Mohd Arif (Mohd Arif)
Mayank BIT Mesra (Mayank BIT Mesra)
Missing Authentication for Critical Function
2 x Error Message Information Disclosure
Mukesh Kumar (Mukesh Kumar)
Host based Web Cache Poisoning
Azam (Azam)
Samet Sahin
Orkhan Yolchuyev (Orkhan Yolchuyev)
Unrestricted Upload of File with Dangerous Type
Sean Melia (@seanmeals)
Mehmet Tuncer (Mehmet Tuncer)
Saransh Rana (Saransh Rana)
Samuel Eng (Samuel Eng)
Berk Imran (@berk_imran)
Bill Ben Haim (Bill Ben Haim)
Unrestricted Upload of File with Dangerous Type
Sahil Mehra (Sahil Mehra)
Islam Uddin (Islam Uddin)
Arne Ramos (Arne Ramos)
6 x Clickjacking
Agametov Rustam (@AgametovRustam)
Server-Side Request Forgery and XSS
Arcot Krishna Manjunath (Arcot Manju)
Cleartext Transmission of Sensitive Information
Shivankar Madaan (@shivankarmadaan)
Cleartext Transmission of Sensitive Information
Wai Yan Aung (@waiyanaun9)
4 x Reflected XSS
Kirtikumar Anandrao Ramchandani (Kirtikumar Anandrao Ramchandani)
Rony Gigi (Rony Gigi)
Wen Bin KONG (Wen Bin KONG)
Sanyam Chawla (Sanyam Chawla, bugcrowd.com/infosecsanyam)
Shubham Maheshwari (Shubham Maheshwari)
Miguel Santareno (Miguel Santareno)
Mindset Software Technologies (MISTS)
qwacsawd (hackerone.com/qwacsawd)
Error Message Information Disclosure
Niklas Tanskanen (Niklas Tanskanen)
Use of Insufficiently Random Values
Sam Eizad (Sam Eizad)
Athul Jayaram
Sreedeep.Ck Alavil (Sreedeep.Ck)
Improper Input Validation (CVE-2017-9065)
Sarath Kumar (kadavul)
Peled Eldan (Peled Eldan)
5 x Reflected XSS
Yash Mehta (Yasf Mehta)
Mitesh Patil (Mitesh Patil)
Dawood Ansar (Dawood Ansar)
Shanmukh D (Shanmukh D)
Thrivikram Gujarathi
Vikash Chaudhary
Ari Apridana (Ari Apridana)
Yusuf Furkan (Yusuf Furkan)
James Herrick (@mushicious)
Blake Rand
2 x Clickjacking
Remesh Ramachandran
Improper Input Validation (CVE-2017-9065)
Anant Mudgal (@anantmudgal)
Chris Green (@chris_t_green)
Ashish Kunwar (@D0rkerDevil)
Ipsita Subhadarshan Sahoo
4 x Clickjacking
Steven Hampton (@Steven)
2 x Clickjacking
Ismail Tasdelen (Ismail Tasdelen)
Overly Permissive Cross-domain Whitelist
4 x Clickjacking
Sensitive Cookie Without ‘HttpOnly’ Flag
Information Exposure Through an Error Message
7 x Improper Control of Interaction Frequency
6 x Cleartext Transmission of Sensitive Information
Nainsi Gupta (Nainsi Gupta)
Suru Santhosh (Suru Santhosh)
Mehmet Kelepçe (Mehmet Kelepçe)
2017
Himanshu Rahi (Himanshu Rahi)
Ravela Pramod Kumar (@PramodRavela)
3 x Improper Restriction of Excessive Authentication Attempts
Mohammed Azeem k
3 x Clickjacking
Akshay Bhardwaj (GreyArt) (Akshay Bhardwaj)
2 x Clickjacking
José Manuel Aparicio González (@jm_aparicio) Juan Francisco Acevedo Carles (@Odbk_sec)
3 x Reflected XSS
Ahmet Mersin
Suyog Palav (Suyog Palav)
3 x Clickjacking
Faiz Ahmed Zaidi (Faiz Ahmed Zaidi)
2 x Clickjacking
Macall Salugsugan
4 x Clickjacking
Kamran Saifullah
Vasim Shaikh (vasim-shaikh)
Md Sameull Soykot (@s0yk0t)
Nathan Lee Grant (@nathanleegrant)
2 x Reflected XSS
Pankaj Rane (@Panckaz_Rane)
Aayush Babbar
Tansel ÇETİN (@tansbey)
Lars Peeters
3 x Reflected XSS
Jose Carlos Exposito Bueno
3 x Reflected XSS
Secuninja (@secuninja)
6 x Reflected XSS
Matthew Mawby (@updat3d, Matthew Mawby)
GAİS (Güvenlik Açığı İstihbarat Servisi)
Shuvamoy Roy (shuvamoy.roy.3)
Eliran Itzhak (eliran-itzhak)
4 x Reflected XSS
Florian Kunushevci (florianx00)
Shwetabh Suman (@SHWETABHSUMAN11)
Hagay Sason (grseecon.com)
3 x Reflected XSS
Umesh Jore
Max Derrick
Bharath Kumar (BharathKumarMV)
Improper Input Validation (CVE-2017-5638)
Mario Sahertian (mario-sahertian)
Error Message Information Disclosure
Yasin Soliman (@SecurityYasin)
Muhammad Mudassar Yamin (mudassaryamin)
M.L (@SonnySpooks)
2 x Error Message Information Disclosure
4 x Reflected XSS
Suhas Sunil Gaikwad (SuhasGaikwad, @iamSuhasGaikwad)
Sam Sanoop (@snoopysecurity)
5 x Reflected XSS
Amine Hm
Kenan Genç
Ketankumar B. Godhani (@KBGodhani)
Ed (@EdOverflow)
3 x Reflected XSS
2 x Insufficient Session Management
Pedro Cardoso (@tvmpt)
Vipin Chaudhary (vipin-chaudhary, @vipinxsec)
2 x Reflected XSS
Michał Praszmo (@nazywam)
Waseem Ullah Siddiqui
Sadik Shaikh
Mateusz Szymaniec (@RevToJa)
2016
Nassim Bouali
2 x Reflected XSS
Serge Lacroute (@fakessh)
3 x Reflected XSS
2 x External service interaction
Sandeep Singh Jadon
Илья Селезнёв
2 x Path Traversal
Kenan GÜMÜŞ
XSS across many sites
João Pina (@tomahock)
2 x Reflected XSS
2 x Stored XSS
Elarbi Dafrouillah
2 x Path Traversal
Bosch PSIRT Hall of Fame Policy
Researchers who report vulnerabilities in Bosch products and websites, after proper validation of their finding, can choose to appear in the Bosch PSIRT Hall of Fame.
Researchers can request to be removed from the Hall of Fame at any time. For this, they should send an email to PSIRT@bosch.com with the subject “Request of removal from HoF.”
Information that can be displayed in the Hall of Fame:
- Complete name
- Alias or nickname
- Link to personal social media page (e.g. Twitter, Facebook)
- Link to personal professional social media page (e.g. LinkedIn, Xing)
- Link to business social media page (e.g. Facebook, Twitter, LinkedIn, Xing)
- Link to hacker community sites (e.g. Bugcrowd)
Information that cannot be displayed in the Hall of Fame:
- Links to personal websites
- Links to company websites
- Links to any site with unknown terms and conditions or content moderation
Bosch PSIRT public keys
Search our S/MIME key here
Fingerprint: 87:F1:6F:70:60:D2:94:83:82:AC:69:F5:46:86:7C:80:7F:86:1D:F0
Find our PGP Key here
Fingerprint: ED:47:BD:35:F9:C8:5A:52:3F:08:A7:B8:55:60:42:DB:20:A6:AB:46