Security · acknowledgements

The people who found things first.

These researchers responsibly disclosed vulnerabilities to Gish — and made the platform safer for everyone before anyone got hurt. Thank you, all.

47 reports received · 31 patched · $48k paid out · 11h average time to triage
2026
Linh N.
@linh.noctura
"IDOR on /api/contributions exposing other users' gift amounts via crafted listIDs"
FEB 14 · CRITICAL · $8,200
Anonymous
prefers no credit
"Auth bypass via expired session reuse on the OAuth callback handler"
JAN 23 · HIGH · $3,500
Tunde A.
@tunde.security
"Stored XSS in wish notes via crafted markdown rendering"
JAN 11 · MEDIUM · $850
Priya R.
@priyalabs
"CSRF on the friend-removal endpoint — missing token validation"
JAN 4 · MEDIUM · $620
2025
Marcus W.
@mwebb.dev
"Outcome-fund payee verification could be bypassed for amounts under $500 via timing attack"
NOV 17 · CRITICAL · $14,000
Aisha O.
@aisha.haxx
"Privilege escalation in business admin: invited team members briefly received owner-tier permissions"
OCT 8 · HIGH · $4,200
Dev Patel
@dvpatl
"Browser extension content script could be injected with malicious wish payloads from spoofed retailer pages"
SEP 22 · HIGH · $3,100
Grace L.
@graceofcode
"Email change verification did not require current password — partial account takeover risk"
AUG 15 · MEDIUM · $900
Sam Chu
@samchu
"Open redirect in /share?to= parameter could be chained with phishing"
JUL 30 · MEDIUM · $400
Ines V.
@inesv
"Information disclosure: avatar upload retained EXIF GPS metadata"
JUN 4 · LOW · $200
2024 · launch year
Jordan K.
@jkdotsec
"Stripe webhook signature validation could be skipped via header manipulation"
DEC 19 · HIGH · $5,000
Olivia T.
@oliviasec
"Rate limit on password reset endpoint was per-IP not per-account — credential stuffing risk"
NOV 4 · MEDIUM · $750

Want to be on this list? Find something.

Read the disclosure policy. Email security@gishme.com. We respond fast and pay generously.