The following is a list of some security vulnerabilities I’ve found on various websites. Some of them contain links to more detailed write-ups.

Google (googleusercontent.com)

Problems: Image data leak
Reward: $
Accepted: Yes
Fixed: Not yet!

Google (google.com)

Problems: 401 phishing attack vuln
Reward: None
Accepted: No
Fixed: No

Google (earth.google.com)

Problems: XSS
Reward: None
Accepted: Yes
Fixed: Not yet

Google (console.firebase.google.com)

Problems: Auth Bypass
Reward: $
Accepted: Yes
Fixed: Yes

Google Code Jam (codejam.withgoogle.com)

Problems: XSS (reflected)
Reward: $
Accepted: Yes
Fixed: Yes

Google (g.co)

Problems: Unrestricted API endpoint
Reward: $
Accepted: Yes
Fixed: Not yet!

Google (CloudConnectCommunity.com)

Problems: XSS (reflected, stored), Auth bypass
Reward: None
Accepted: Yes, but not operated by Google?!?!
Fixed: Yes

Google (WebComponents.org)

Problems: XSS (stored)
Reward: $
Accepted: Yes
Fixed: Yes

Google (business.google.com)

YouTube Video
Problems: Open redirect
Fixed: No (not in scope of VRP)

Google Maps API (google.com)

Problems: Unrestricted Google API key allowing quota theft
Accepted: No
Fixed: No

heureka.cz

Problems: XSS (reflected, stored), CSRF, API authorization vulnerability
Reward: T-Shirt, HQ visit, $
Fixed: Yes

uloz.to

Problems: XSS (stored)
Reward: T-Shirts
Fixed: Yes

mall.cz

Problems: XSS (stored)
Reward: None
Fixed: Yes

mcdonalds.com

Problems: XSS (reflected)
Reward: None
Fixed: No

southwest.com

Problems: XSS (reflected)
Reward: None
Fixed: No

vodafone.cz

Problems: XSS (reflected)
Reward: None
Fixed: No

stahuj.cz

Problems: XSS (reflected)
Reward: None
Fixed: No

aukro.cz

Problems: XSS (stored), unrestricted system directories
Reward: None
Fixed: Yes

mapy.cz

Problems: XSS (reflected)
Reward: None
Fixed: No

karaoketexty.cz

Problems: XSS (reflected)
Reward: None
Fixed: No

databazeknih.cz

Problems: XSS (reflected)
Reward: None
Fixed: Yes

hyperinzerce.cz

Problems: XSS (reflected, stored)
Reward: None
Fixed: No

blibli.com

Problems: XSS (reflected)
Reward: None
Fixed: No

domcop.com

Problems: XSS (stored)
Reward: None
Fixed: Yes

leoexpress.com

Problems: XSS (reflected), API authorization vulnerability
Reward: None
Fixed: No (XSS), Yes (API vuln)

maxon-campus.net

Problems: SQLi
Reward: None
Fixed: Yes

You can find some of these vulns here: https://www.openbugbounty.org/researchers/ThomasOrlita/