Reports in the rubygems program:

| S.No | Title | Bounty |
|---|---|---|
| 1 | Remote code execution on rubygems.org | $1500.0 |
| 2 | Installing a crafted gem package may create or overwrite files | $1000.0 |
| 3 | Escape sequence injection in "summary" field | $500.0 |
| 4 | Delete directory using symlink when decompressing tar | $500.0 |
| 5 | Password Reset emails missing TLS leads to account takeover | $0.0 |
| 6 | Invalid username updating | $0.0 |
| 7 | Login credentials transmitted in cleartext on index.rubygems.org | $0.0 |
| 8 | Possible Subdomain Takeover at http://production.s3.rubygems.org/ pointing to Fastly | $0.0 |
| 9 | Request Hijacking Vulnerability in RubyGems 2.6.11 and earlier | $0.0 |
| 10 | No limit on summary length allows Denial of Service | $0.0 |
| 11 | Host header Injection rubygems.org | $0.0 |
| 12 | Host Header Injection/Redirection | $0.0 |
| 13 | RCE, SQL, Vulnerability + Exploit Method. | $0.0 |
| 14 | [gem server] Stored XSS via crafted JavaScript URL inclusion in Gemspec | $0.0 |
| 15 | Negative size in tar header causes infinite loop | $0.0 |
| 16 | Installer can modify other gems if gem name is specially crafted | $0.0 |
| 17 | Gem signature forgery | $0.0 |
| 18 | Malware in active-support gem | $0.0 |
| 19 | 65534 times efficient, Brute-force attack for api_key | $0.0 |
| 20 | Request Hijacking Vulnerability in RubyGems 2.6.13 and earlier | $0.0 |
| 21 | Cross-Domain JavaScript Source File Inclusion | $0.0 |
| 22 | DNS SRV lookup of file:// sources enables local hijacking of gems | $0.0 |
| 23 | Unpacker improperly validates symlinks, allowing gem writes to arbitrary locations | $0.0 |
| 24 | Dependency repository hijacking aka Repo Jacking from GitHub repo rubygems/bundler-site & rubygems/bundler.github.io + bundler.io docs | $0.0 |
| 25 | Possibility to guess email address from gravatar image URL | $0.0 |
| 26 | Bundler's RCE with response using Marshal | $0.0 |