Reports in vimeo program:

| S.No | Title | Bounty |
|---|---|---|
| 1 | Invite any user to your group without even following him | $0.0 |
| 2 | Downloading password protected / restricted videos | $0.0 |
| 3 | XSS in Subtitles of Vimeo Flash Player and Hubnut | $0.0 |
| 4 | [vimeopro.com] CRLF Injection | $0.0 |
| 5 | URGENT - Subdomain Takeover on status.vimeo.com due to unclaimed domain pointing to statuspage.io | $0.0 |
| 6 | Can message users without the proper authorization | $0.0 |
| 7 | Application XSS filter function Bypass may allow Multiple stored XSS | $0.0 |
| 8 | Securing "Reset password" pages from bots | $0.0 |
| 9 | XSS on mobile version of vimeo.com where the button "Follow" appears | $0.0 |
| 10 | XSS on player.vimeo.com without user interaction and vimeo.com with user interaction | $0.0 |
| 11 | XSS on vimeo.com/home after other user follows you | $0.0 |
| 12 | XSS on vimeo.com \| "Search within these results" feature (requires user interaction) | $0.0 |
| 13 | XSS when using captions/subtitles on video player based on Flash (requires user interaction) | $0.0 |
| 14 | Stored XSS on player.vimeo.com | $0.0 |
| 15 | Reflected XSS on vimeo.com/musicstore | $0.0 |
| 16 | Disclosure of sensitive information through Google Cloud Storage bucket | $0.0 |
| 17 | Images and Subtitles Leakage from private videos | $0.0 |
| 18 | OAuth 2 Authorization Bypass via CSRF and Cross Site Flashing | $0.0 |
| 19 | Watch any Password Video without password | $0.0 |
| 20 | Improper Authentication in Vimeo's API 'versions' endpoint. | $0.0 |
| 21 | Domain pointing to vimeo portfolio are prone to takeover using on-demand. | $0.0 |
| 22 | Possibility to overwrite any file in the vpe.cdn.vimeo.tv leads to the Stored XSS for the all customers on the embed.vhx.tv | $0.0 |
| 23 | Reflected File Download (RFD) in download video | $0.0 |
| 24 | SSRF leaking internal google cloud data through upload function [SSH Keys, etc..] | $0.0 |