Hall of Fame
Honorable Mentions
If you come across any vulnerabilities, please don't hesitate to contact us at security@axya.co. Your vigilance is crucial to our ongoing commitment to maintaining a secure environment.
2025
Nafeed, who identified two 2FA implementation flaws (High Severity): 2FA codes that could be reused and never expired, and a 2FA bypass in which a manipulated verification response, combined with non-expiring tokens, was accepted as a successful check. Together these could allow persistent unauthorized access to user accounts. Nafeed also performed thorough penetration testing of our loginless portal links and provided valuable security recommendations. These issues have been resolved.
Yash Kundlik Jare, who discovered a missing rate limit (High Severity): the 2FA "Send a new one" function could be called without limit, so an unbounded number of emails could be triggered against a target address, enabling email bombing and denial-of-service conditions (inbox flooding and mail-server overload). This vulnerability has been mitigated.
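The two 2FA reports above describe the same handful of failure modes: a code that can be replayed, a code that never expires, a client that can flip the verification outcome, and a resend endpoint with no limit. The following Python is an added example of the shape of a fix, not Axya's code; the in-memory store, the limits, the session identifiers and the injectable clock are assumptions chosen for illustration.

```python
# Added example (not Axya's code): single-use, expiring 2FA codes verified
# server-side, plus a rate-limited "send a new one" path. Store, limits and
# session IDs are assumptions made for illustration.
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

CODE_TTL_SECONDS = 300          # assumption: a code dies 5 minutes after issue
MAX_VERIFY_ATTEMPTS = 5         # assumption: discard the challenge after 5 bad guesses
RESEND_WINDOW_SECONDS = 600     # assumption: at most 3 resends per 10 minutes
MAX_RESENDS_PER_WINDOW = 3


@dataclass
class Challenge:
    code: str
    expires_at: float
    attempts: int = 0


@dataclass
class TwoFactorService:
    # Injectable clock so expiry can be exercised without sleeping.
    now: Callable[[], float] = time.time
    challenges: Dict[str, Challenge] = field(default_factory=dict)
    resend_log: Dict[str, List[float]] = field(default_factory=dict)
    verified: Set[str] = field(default_factory=set)

    def issue(self, session_id: str) -> str:
        """Create a fresh code for the session, replacing any earlier one.
        The code goes out by e-mail; it is never echoed in an HTTP response."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.challenges[session_id] = Challenge(code, self.now() + CODE_TTL_SECONDS)
        return code

    def resend(self, session_id: str) -> Optional[str]:
        """'Send a new one': refuse once the per-session window is used up,
        so the endpoint cannot be turned into a mailbox-flooding tool."""
        t = self.now()
        recent = [ts for ts in self.resend_log.get(session_id, [])
                  if t - ts < RESEND_WINDOW_SECONDS]
        if len(recent) >= MAX_RESENDS_PER_WINDOW:
            return None
        recent.append(t)
        self.resend_log[session_id] = recent
        return self.issue(session_id)

    def verify(self, session_id: str, submitted: str) -> bool:
        """Accept a code at most once, only before expiry, and only while the
        guess budget lasts. The session is marked verified here, on the server,
        so a client cannot change the outcome by editing the HTTP response."""
        ch = self.challenges.get(session_id)
        if ch is None:
            return False
        if self.now() > ch.expires_at:
            del self.challenges[session_id]
            return False
        ch.attempts += 1
        if ch.attempts > MAX_VERIFY_ATTEMPTS:
            del self.challenges[session_id]
            return False
        if not hmac.compare_digest(ch.code.encode(), submitted.encode()):
            return False
        del self.challenges[session_id]      # single use: a replay finds nothing
        self.verified.add(session_id)
        return True

    def is_verified(self, session_id: str) -> bool:
        return session_id in self.verified


def demo() -> Dict[str, object]:
    """Walk through each failure mode with a controllable clock."""
    clock = [1_000.0]
    svc = TwoFactorService(now=lambda: clock[0])
    out: Dict[str, object] = {}

    code = svc.issue("s1")
    wrong = "000000" if code != "000000" else "111111"
    out["wrong_rejected"] = not svc.verify("s1", wrong)
    out["correct_accepted"] = svc.verify("s1", code)
    out["replay_rejected"] = not svc.verify("s1", code)
    out["session_verified"] = svc.is_verified("s1")

    stale = svc.issue("s2")
    clock[0] += CODE_TTL_SECONDS + 1
    out["expired_rejected"] = not svc.verify("s2", stale)

    target = svc.issue("s3")
    for _ in range(MAX_VERIFY_ATTEMPTS):
        svc.verify("s3", "bad-guess")
    out["locked_after_attempts"] = not svc.verify("s3", target)

    sent = [svc.resend("s4") is not None for _ in range(MAX_RESENDS_PER_WINDOW + 2)]
    out["resends_allowed"] = sum(sent)
    return out


if __name__ == "__main__":
    print(demo())
```

The important design point is that `verified` lives on the server and is only written by `verify`; the client's HTTP response carries no state worth tampering with. In production the resend counter would be keyed on the target mailbox as well as the session, and the store would be shared across instances rather than in-process.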
Randiansyah, who reported an Email Spoofing Vulnerability (High Severity): The vulnerability allows attackers to spoof emails from the axya.co domain, potentially enabling phishing attacks and impersonation of legitimate communications. This issue has been promptly addressed.
Omri, who reported a Subdomain Takeover Vulnerability (High Severity): the vulnerability allowed an attacker to hijack an unused subdomain, potentially leading to phishing and malicious content hosting. This issue has been promptly mitigated.
Harsh Maheta, who reported a missing X-Frame-Options header, a missing Content-Security-Policy (CSP), and weak cipher usage on a subdomain: the headers were missing on our main production server; the CSP was correctly configured in preproduction but had not been deployed to production. The weak cipher was found on one of our subdomains. These issues, which could expose the platform to clickjacking, content injection, and weakened encryption, were promptly fixed following the report.
Muhammad Kamran, who reported UI Redress/Clickjacking vulnerabilities and a DMARC policy that did not enforce quarantine or reject: the clickjacking vulnerability allowed an attacker to trick users into clicking hidden or disguised elements, potentially compromising their actions on the website. The non-enforcing DMARC policy exposed the domain to email spoofing and phishing attacks. These security issues were promptly fixed following the report.
Gowthambalaji S, who reported a Host Header Injection vulnerability (High Severity): an attacker could supply an X-Forwarded-Host header value that was used when building URLs, redirecting users to malicious domains and potentially enabling phishing attacks, OAuth token theft, password reset poisoning, and cache poisoning. This security issue was promptly addressed by implementing strict hostname validation in our Keycloak configuration.
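The host header report above turns on one rule: never let a client-supplied `Host` or `X-Forwarded-Host` value decide which hostname goes into a link the server emails out. The Python below is an added example, not Axya's code and not Keycloak configuration; it shows the flawed pattern next to an allowlisted one. The hostnames in `ALLOWED_HOSTS` and the `trusted_proxy` flag are assumptions.

```python
# Added example (not Axya's code or Keycloak configuration): building
# absolute URLs such as password-reset links from an allowlist of hostnames
# instead of trusting Host / X-Forwarded-Host. Hostnames are assumptions.
from typing import Mapping, Optional
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"app.example.com", "auth.example.com"}   # assumption


def vulnerable_reset_link(headers: Mapping[str, str], token: str) -> str:
    """The flawed pattern: whatever the client sends in X-Forwarded-Host ends
    up in the e-mailed link, so an attacker who requests a reset for a victim
    receives the victim's token when the victim clicks the link."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    return f"https://{host}/reset?token={token}"


def effective_host(headers: Mapping[str, str],
                   trusted_proxy: bool = False) -> Optional[str]:
    """Return the normalised hostname the request targeted, or None if it is
    not one of ours. X-Forwarded-Host is only honoured when the request came
    through our own reverse proxy; a direct client must not be able to set it."""
    raw = headers.get("X-Forwarded-Host", "") if trusted_proxy else ""
    if not raw:
        raw = headers.get("Host", "")
    raw = raw.split(",")[0].strip()           # first hop if the proxy appended
    try:
        host = urlsplit("//" + raw).hostname  # lowercases, drops port/userinfo
    except ValueError:                        # e.g. malformed IPv6 literal
        return None
    return host if host in ALLOWED_HOSTS else None


def hardened_reset_link(headers: Mapping[str, str], token: str,
                        trusted_proxy: bool = False) -> str:
    """Refuse to build a link at all when the request did not target an
    allowed hostname; silently falling back hides misconfigured proxies."""
    host = effective_host(headers, trusted_proxy)
    if host is None:
        raise ValueError("request did not target an allowed hostname")
    return f"https://{host}/reset?token={token}"


if __name__ == "__main__":
    # Constructed request headers: a direct client forging X-Forwarded-Host.
    forged = {"Host": "app.example.com", "X-Forwarded-Host": "evil.example"}
    print("vulnerable:", vulnerable_reset_link(forged, "t0k"))
    print("hardened:  ", hardened_reset_link(forged, "t0k"))
```

`trusted_proxy` stands for "the TCP peer is our own reverse proxy", which in practice is derived from the peer address, and the proxy should overwrite rather than append `X-Forwarded-Host`. Keycloak's hostname settings apply the same allowlisting idea to the URLs it generates, which is the fix the report describes.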
2023
Shubham Bothra, who reported an Open Redirect Vulnerability (Low Severity): the vulnerability allowed redirection to external websites, but had limited impact on the security of the system.
2022
Vipul Sahu, who reported an Exif Data Exposure and a Session Fixation issue (Low Severity): these vulnerabilities have minimal potential for security risk, and appropriate measures have been taken to mitigate their impact.
Any questions?
Contact us if you have any questions regarding our platform security or if you suspect you have found any vulnerability in our application.