We would like to thank the following researchers:

(2020-09-10) RS K - Stored self XSS
(2020-09-02) RS K - Host header injection
(2020-09-01) RS K - Session doesn't expire after logout
(2020-08-29) Deleite - Clickjacking vulnerability
(2020-08-28) Deleite - Google bucket enumeration
(2020-08-27) Deleite - Subdomain takeover
(2020-08-17) Venkat Malla - Flaws in password policy
(2020-08-14) RS K - Mail spoofing
(2020-07-29) Yogeshwaran Chandrasekaran - SPF, MX, DMARC records not set correctly
(2020-07-24) Nitin Gavhane - Missing text field limit
(2020-07-19) Freaking Rollings - SPF record not found
(2020-07-19) Yassine Nafiai - Bypass rate limit
(2020-07-15) Nitin Gavhane - Clickjacking vulnerability
(2020-07-13) Yogeshwaran Chandrasekaran - Stored self XSS due to Server Side Template Injection
(2020-07-10) Yassine Nafiai - User email enumeration
(2020-07-09) Venkat Malla - Session token leak in URL
(2020-07-08) Venkat Malla - Lack of Security Headers
(2020-07-07) Roy Niss - Bug in authentication session management
(2020-07-07) Roy Niss - No email confirmation after signup
(2020-07-07) Roy Niss - User email enumeration
(2020-07-06) Yassine Nafiai - No rate limit in login form
(2020-07-06) Venkat Malla - Session doesn't expire after logout
(2020-07-06) Venkat Malla - Old session doesn't expire after password change
(2020-07-06) Roy Niss - Improved password policy
(2020-07-06) Yogeshwaran Chandrasekaran - Blind SSRF
(2020-02-07) Rodrigo Peña - Bug in referral program
(2019-09-03) Hussein Daher - Bug in email tracking configuration
(2019-06-02) Hussein Daher - Bug in DNS configuration
(2019-06-02) Samuel - Bug in CSRF token implementation
(2019-05-31) Samuel - Bad CORS implementation
(2022-03-02) Esteban Fuentealba - Cross Site Scripting
(2022-08-10) Marcelo Clavel - Cache Poisoning
(2022-09-01) Jairo Carrasco - Leaked credentials in Artifactory
(2022-09-01) Vipin Bihari - Subdomain Takeover at "in.fintual.com"
(2022-09-02) Bug Hunter - Unauthorized access to issues + able to add issues anonymously
(2023-02-26) Sergio Fuentes - Open Redirect
(2023-03-05) Ezequiel Fernandez - Improper access control in GraphQL mutation
(2023-03-06) Ezequiel Fernandez - Improper onboarding state handling allowing to skip regulatory steps
(2023-03-06) Ezequiel Fernandez - Self-HTL Injection in Goals names
(2023-03-10) Ezequiel Fernandez - Public GraphQL schema that favoured DoS
(2023-11-11) Armanul Miraz - Business metrics disclosure via unauthenticated endpoints
(2023-11-11) Armanul Miraz - WordPress User Enumeration via Unprotected REST API
(2023-12-23) Issam - Improper cache control in customer support chat
(2024-01-02) Aadesh Jain - No Rate limiting on forget password page
(2024-01-04) Melissa Silva - Admin panel endpoints leaking information on internal company processes to non-admin users
(2024-01-04) Melissa Silva - Subdomain takeover through third party service at "trivia.fintual.mx"
(2024-01-07) Melissa Silva - Improper access control at risk assessment questionnaire
(2024-01-22) Melissa Silva - Performance endpoint leaks semi-public information
(2024-02-04) Claudio Salazar - Improper authorization in GraphQL mutation
(2024-02-07) Claudio Salazar - 0-click XSS in group goal
(2024-03-05) Alejandro Tapia - Enumeration of usernames in "chatmarket.fintual.in"
(2024-03-09) Alejandro Tapia - Open Redirect
(2024-06-04) Melissa Silva - Improper session expiration
(2024-06-04) Melissa Silva - Cross-domain leftover cookie
(2024-07-12) Rene Silva - DoS via circular GraphQL Reference
(2024-07-20) Rodrigo Apas - Possible dependency confusion
(2024-07-29) Mridul Vohra - HTML injection signup form
(2024-12-03) Philippe Delteil - Referrals program abuse
(2024-12-03) Philippe Delteil - Improper authorization for PEP status update
(2024-12-23) @aoxsin - Debug Information Exposed
(2025-02-05) Shrujal Mandawkar - No Rate Limit on OTP
(2025-03-05) Md Saikat - Misconfigured S3 bucket
(2025-07-21) Claudio Salazar - Blind XSS on user attribute leads to admin user session takeover
(2025-09-07) Zain Iqbal - Misconfiguration in SPF