Reports in inflection program:

| S.No | Title | Bounty |
|------|-------|--------|
| 1 | Identity Login Page Redirect Can Be Manipulated | $0.0 |
| 2 | Open Redirect through POST Request | $0.0 |
| 3 | No password confirmation on changing primary email address | $0.0 |
| 4 | Open Redirect | $0.0 |
| 5 | Privilege Escalation. | $0.0 |
| 6 | Host Header Injection and Cache Poisoning | $0.0 |
| 7 | Fake mailing reports using mail service on [URL : mail-txn.identity.com] | $0.0 |
| 8 | Limited Account Takeover via Backup codes | $0.0 |
| 9 | XST(Cross Site Tracing) | $0.0 |
| 10 | Host Header Injection or cache poisoning in multiple domains | $0.0 |
| 11 | Amount Manipulation Buy Unlimited Credits in just $1.00 | $0.0 |
| 12 | HTTP Host Header Injection on app.goodhire.com | $0.0 |
| 13 | Unsubscribe Any User | $0.0 |
| 14 | Business Logic Flaw allowing Privilege Escalation | $0.0 |
| 15 | Limited arbitrary text inclusion in user invite emails | $0.0 |
| 16 | Goodhire Open Redirect | $0.0 |
| 17 | Information Disclosure and Privilege Escalation in app.goodhire.com/member/developers/api-settings | $0.0 |
| 18 | Reflected Cross-site Scripting Vulnerability via JSON Error Message | $0.0 |
| 19 | XSS at https://app.goodhire.com/member/GH.aspx | $0.0 |
| 20 | Open redirect at app.goodhire.com via ReturnUrl parameter | $0.0 |
| 21 | Clickjacking on https://www.goodhire.com/api | $0.0 |
| 22 | Session ID is accessible via XSS | $0.0 |
| 23 | Malicious callback url can be set while creating application in identity | $0.0 |
| 24 | Privilege Escalation: Read-Only to Admin | $0.0 |