Bug Bounty Acknowledgements

Last revised: 23 Jun, 2022

Copy link to clipboardThank you.

Copy link to clipboardYour security contribution matters.

We take security seriously, for our clients and our products, so we appreciate the lengths you went to in submitting your findings.

We have rewarded over 60 bounties to 30 researchers in the 18 months our Bug Bounty program has been running so this is not a complete list of all our successful researchers, only those that wish to have their work published.


VulnerabilityResearcherSeverity (CVSS)
Remote code execution via the website pricing calculatorJohn Michael MondillaCritical (10)
IDOR to Delete Anyone's QueuesAnonymousCritical (9.6)
Standard User is able to configure API data on accounts/:id/apps/:id/app_keysAnonymousCritical (9.6)
Stored cross-site script when creating an appJohn Michael MondillaCritical (9.6)
No rate limiting on https://status.ably.com/admin/loginAnonymousCritical (9.1)
Broken authentication: Non Admin User in team Able to Invite other Users To TeamAnonymousHigh (9)
Website privilege escalation - incorrect rights validationAnonymousHigh (8.8)
Previously reported security vulnerability updateAnonymousHigh (8.8)
[email protected] Pre-account TakeoverMister ValdezzHigh (8.8)
XSS in API key leads to account takeoverJohn Michael MondillaHigh (8.8)
Broken Authentication and session managmentAnonymousHigh (8.8)
Improper Cache-Control on sensitive PageArgha SarkarHigh (8.8)
No Password Authentication on Changing Email Address Leads to Account takeoverAnonymousHigh (8.8)
Unverified user email allows account squattingAnonymousHigh (8.8)
IDOR to add any product to your subscription (Get invitation for any product)Shubham PathakHigh (8.8)
A XSS vulnerability in ably.com/searchAnonymousHigh (8.4)
Stored XSS vulnerability in websiteJohn Michael MondillaHigh (8.4)
Placeholder: New payment for VUL-7AnonymousHigh (8.4)
Attacker can impersonate victim's MFA device and 2FA codesAnonymousHigh (8.1)
Lack of rate limit on 2FA code allows bypassing of 2FA protectionAnonymousHigh (8.1)
Existing sessions remain active after setting up MFAAnonymousHigh (8)
Sms verification bypass by response manipulationAnonymousHigh (7.5)
User retains admin rights (hidden) post delete and recreateAnonymousHigh (7.2)
Utm_source allows external redirectsJohn Michael MondillaHigh (7.1)
Privilege escalation via invitation disclosure and lack of email verificationAnonymousHigh (7.1)
Removed admin user is still able to create new app and others via Control APIAnonymousMedium (6.8)
AngularJS injectionJohn Michael MondillaMedium (6.8)
Stored XSS in the error message when you invite an existing user to the same productJohn Michael MondillaMedium (6.8)
password reset token is sharing to third parties in reference headerTushar SharmaMedium (6.8)
password reset token is sharing to third parties in reference headerAnonymousMedium (6.8)
Privilege Escalation Leads to Add/Delete SubscriptionsAnonymousMedium (6.5)
A Standard user is able to delete an app with view only privilegeEugen LagueMedium (6.5)
A standard user has the privilege to manage and edit the api streamer profile (consumer and producer)Eugen LagueMedium (6.3)
Privilege escalation - standard user can edit an API Streamer productEugen LagueMedium (6.3)
Account Takeover via Stored XSS in Channel's client IDJohn Michael MondillaMedium (6.3)
No rate limit in password reset functionJohn Michael MondillaMedium (6.3)
ably-asset-tracking-js vulnerable to dependency confusion attackAnonymousMedium (6.3)
Open Redirect Vulnerability on rest-admin.ably.ioEmad ShanabMedium (6.1)
Admin user can edit app rule with ordinary user's cookiesQasim ShahMedium (6.1)
Account deletion via social engineeringAnonymousMedium (5.7)
Grafana 7.5.6 exposing data needs patchingEmad ShanabMedium (5.6)
Password and phone verification bypass changing 2FAAnonymousMedium (5.4)
Standard user can create a new product and a new subscription on api streamer producerEugen LagueMedium (5.4)
Open redirect bypass in utm_sourceJohn Michael MondillaMedium (5.4)
Website script injection - API streamer form value escapingAnonymousMedium (5.3)
No rate limit protection on admin login pageAnonymousMedium (5.3)
Open redirect bypass in utm_source parameterJohn Michael MondillaMedium (5.3)
Rate limit bypass using X-Forwarded-For headerAnonymousMedium (5.3)
Invite user feature will expose any user's nameAnonymousMedium (5.3)
app_queues API endpoint (app ID OFotlw) has no authorisationAnonymousMedium (5.3)
OAuth bypass (multiple OAuths)AnonymousMedium (4.7)
XSS issue via the referer headerJohn Michael MondillaMedium (4.7)
Cache control issue on ably.comAnonymousMedium (4.6)
XSS vulnerability Message Read ReceiptsAnonymousMedium (4.6)
Locust allows public access with default username and passwordKabeer SaxenaMedium (4.6)
Subdomain takeover of staging-d-fallback.ably-realtime.comAnonymousMedium (4.6)
Broken Access Control Leads To Violation Of Security Design PrincipleTushar SharmaMedium (4.5)
Disable your 2FA without password check after changing passwordAnonymousMedium (4.4)
Standard User able to unsubscribesEugen LagueMedium (4.3)
Standard User able to delete/disable ProductEugen LagueMedium (4.3)
Subdomain takeover of eu-west-1a-stats.ably.ioAnonymousMedium (4.3)
Second 2FA entry on same authorisation app invalidates the firstAnonymousMedium (4.1)
Missing rate limit on create new appAnonymousLow (3.8)
XSS Issue When creating a channelAnonymousLow (2.7)
Improper access control - An account admin can change the payment methodJohn Michael MondillaLow (2.7)
Bug: SSL Certificate ExpiredAnonymousLow (2.7)
Bug: Unrestricted Access to Prometheus MetricsAnonymousLow (2.7)