Reports in dropcontact program:

| S.No | Title | Bounty |
|------|-------|--------|
| 1 | Nginx server version disclosure | $0.0 |
| 2 | User can subscribe to a plan that is hidden by manipulating the value of the "subscription" parameter at https://app.dropcontact.io/app/checkout/ | $0.0 |
| 3 | Unauthorized access and update of EMAIL settings of another user at https://app.dropcontact.io/app/sponsorship/ by changing the "email" parameter | $0.0 |
| 4 | Host header injection | $0.0 |
| 5 | Unrestricted file upload on https://app.dropcontact.io/app/upload/ | $0.0 |
| 6 | IDOR for firstpromoter service | $0.0 |
| 7 | API key is not validated for C.R.M integration [Pipedrive] of LOGGED IN USER; a user can use another USER'S API key for this operation | $0.0 |
| 8 | Dropcontact's disclosed report is exposing private/confidential information | $0.0 |
| 9 | Registering with email [+70 chars] leads to disclosure of some information [Django Debug Mode] | $0.0 |
| 10 | [Information disclosure through DEBUG at Subscription https://app.dropcontact.io/app/subscription?connector=salesforce](https://hackerone.com/reports/963921) | $0.0 |
| 11 | Django DEBUG mode enabled and leaked system information | $0.0 |
| 12 | Sensitive information disclosure | $0.0 |
| 13 | Django should not have debug mode enabled | $0.0 |
| 14 | Django debug enabled showing information about system, database, configuration files | $0.0 |
| 15 | User registration using public domain email like gmail in place of professional email | $0.0 |
| 16 | No valid SPF records | $0.0 |