Keeping You Secure

GlitchWitch is an independent information security researcher dedicated to helping secure the web. They are committed to addressing and reporting security issues they find through a coordinated and constructive approach. They believe the best way to achieve this is to work closely with software vendors and clients in a process of coordinated disclosure, so that vulnerabilities are promptly addressed and the public end-user is informed whenever possible.

What is Coordinated Disclosure?

Coordinated disclosure is a vulnerability disclosure model in which a vulnerability is disclosed after a period of time or once the vulnerability is patched. When a vulnerability is identified, GlitchWitch will generally attempt to notify and work with the appropriate parties whenever possible. Details may be shared with the public after a set deadline, or sooner if a patch is released.

Vulnerability Disclosure Policy

Unless otherwise stated or agreed upon in written communication, a 15-day disclosure deadline will apply to all bugs, security issues, and vulnerabilities reported by GlitchWitch. All findings will be disclosed to the public once either a patch has been made broadly available or after 15 days from the initial report, regardless of the existence or availability of patches or workarounds. Extenuating circumstances, such as active exploitation, threats of an especially serious (or trivial) nature, or situations that require changes to an established standard may result in earlier or later disclosure.

If you wish to extend the disclosure deadline of a finding reported to you, a deadline extension may be provided on request, up to a maximum of 30 days from the initial discovery. Additionally, vulnerability reports that are compensated through a bug bounty payout or non-disclosure contract may be exempt from public disclosure if mutually agreed upon.

Compensation & Acknowledgement

Showing the world that you are a company that values and prioritizes the safety and security of your product builds trust and brand recognition. While compensation for a report outside of a designated bug bounty program is not strictly required, it is highly encouraged. Financially compensating researchers for their work creates positive relationships and helps ensure that continued research can be done to help keep the web safer and more secure. In addition to compensation, public acknowledgement can help further build trust not only within the security community but also with a vendor’s customers.

Looking to add value and further increase security? Consider working together to perform a security assessment or targeted penetration test.

Publicly Disclosed Reports

The following list includes previously disclosed findings. Reports are assigned a unique “Glitch Witch Advisory” number for reference. All dates are recorded in UTC.

ID Type Affected Party CVSS3 Status
GWA-2020-023 ID cobalt.io 6.5 Patched
GWA-2020-022 SQLi textlogistics.com 9.8 Unpatched
GWA-2020-021 ACB textlogistics.com 5.3 Unpatched
GWA-2020-020 ACB titanvest.com 5.3 Patched
GWA-2020-019 ACB rentpayment.com 5.3 Patched
GWA-2020-018 ACB vistaprint.com 5.3 Unpatched
GWA-2020-017 ACB zoom.us 5.3 Patched
GWA-2020-010 ID orchardhomes.com 9.4 Patched
GWA-2020-009 ID myvolly.com 9.4 Patched
GWA-2020-005 ID compass.com 9.4 Patched
GWA-2019-009 MV chenmed.com NA Patched
GWA-2018-008 MV winnipeg.ca NA Patched
GWA-2018-007 AFD shaw.ca 8.1 Patched
GWA-2018-006 ID shaw.ca 4.3 Patched
GWA-2018-005 ID t-mobile.com 5.3 Patched
GWA-2018-004 ID nhpopc.gov.au 8.6 Patched
GWA-2018-003 RCE caamanitoba.com 9.8 Patched
GWA-2018-001 ID textnow.com 7.5 Patched

Undisclosed Reports

Below is a list of reports either pending disclosure or permanently undisclosed. Some reports may be permanently undisclosed due to non-disclosure agreements resulting from bug bounty payouts or other circumstances.

ID Type Affected Party CVSS3 Status
GWA-2021-008 OR undisclosed 5.9 Unpatched
GWA-2021-007 OR undisclosed 4.2 Unpatched
GWA-2021-006 SQLi undisclosed 8.8 Unpatched
GWA-2021-005 SSM undisclosed 5.3 Unpatched
GWA-2021-004 SSM undisclosed 8.2 Unpatched
GWA-2021-003 SSM undisclosed 8.2 Unpatched
GWA-2021-002 PrivESC undisclosed 6.4 Unpatched
GWA-2021-001 XSS undisclosed 7.6 Patched
GWA-2020-080 SSRF undisclosed 5.8 Patched
GWA-2020-079 SSM undisclosed 5.3 Unpatched
GWA-2020-077 NA undisclosed NA Unpatched
GWA-2020-076 NA undisclosed NA Unpatched
GWA-2020-075 NA undisclosed NA Unpatched
GWA-2020-074 NA undisclosed NA Unpatched
GWA-2020-073 NA undisclosed NA Unpatched
GWA-2020-072 NA undisclosed NA Unpatched
GWA-2020-071 NA undisclosed NA Unpatched
GWA-2020-070 NA undisclosed NA Unpatched
GWA-2020-069 NA undisclosed NA Patched
GWA-2020-068 NA undisclosed NA Unpatched
GWA-2020-067 NA undisclosed NA Unpatched
GWA-2020-066 NA undisclosed NA Unpatched
GWA-2020-065 NA undisclosed NA Unpatched
GWA-2020-064 NA undisclosed NA Patched
GWA-2020-063 NA undisclosed NA Unpatched
GWA-2020-062 WAF WestUC.com NA Unpatched
GWA-2020-061 NA undisclosed NA Unpatched
GWA-2020-060 NA undisclosed NA Unpatched
GWA-2020-059 NA undisclosed NA Patched
GWA-2020-058 NA undisclosed NA Patched
GWA-2020-057 NA undisclosed NA Patched
GWA-2020-056 NA undisclosed NA Patched
GWA-2020-055 XSS undisclosed 6.4 Patched
GWA-2020-054 PrivESC undisclosed 8.3 Patched
GWA-2020-053 SSM undisclosed NA Patched
GWA-2020-052 ID undisclosed 8.5 Patched
GWA-2020-051 VULN undisclosed NA Patched
GWA-2020-049 SSI undisclosed NA Unpatched
GWA-2020-048 SSM undisclosed 4.9 Patched
GWA-2020-047 ID undisclosed NA Unpatched
GWA-2020-046 PrivESC undisclosed 7.2 Patched
GWA-2020-045 CONF undisclosed NA Patched
GWA-2020-044 CONF undisclosed NA Unpatched
GWA-2020-043 LFI undisclosed 8.2 Patched
GWA-2020-042 PrivESC undisclosed 7.6 Patched
GWA-2020-041 ID undisclosed 8.8 Patched
GWA-2020-040 RCE undisclosed 9.1 Patched
GWA-2020-039 RCE undisclosed 9.1 Patched
GWA-2020-038 RCE undisclosed 9.1 Patched
GWA-2020-037 XSS undisclosed 6.1 Unpatched
GWA-2020-036 SSI undisclosed 8.5 Unpatched
GWA-2020-035 SSM undisclosed 7.3 Unpatched
GWA-2020-034 OR undisclosed 6.5 Unpatched
GWA-2020-033 AUTH undisclosed NA Unpatched
GWA-2020-032 EXT undisclosed 9.0 Unpatched
GWA-2020-031 SSM undisclosed NA Unpatched
GWA-2020-030 ACB undisclosed NA Patched
GWA-2020-029 SSM undisclosed NA Patched
GWA-2020-028 OR undisclosed NA Patched
GWA-2020-027 ACB undisclosed NA Patched
GWA-2020-026 MV undisclosed NA Patched
GWA-2020-025 SSL undisclosed 6.8 Unpatched
GWA-2020-024 SSM cobalt.io 6.5 Patched
GWA-2020-016 SSI undisclosed NA Unpatched
GWA-2020-015 UFU undisclosed NA Unpatched
GWA-2020-014 AUTH undisclosed NA Unpatched
GWA-2020-013 AUTH undisclosed NA Unpatched
GWA-2020-012 SSM cobalt.io NA Patched
GWA-2020-011 AUTH undisclosed NA Unpatched
GWA-2020-008 SSL undisclosed 6.8 Unpatched
GWA-2020-007 MV undisclosed NA Patched
GWA-2020-006 MV undisclosed NA Patched
GWA-2020-004 SSL undisclosed NA Unpatched
GWA-2020-003 ACB undisclosed NA Patched
GWA-2020-002 SSM undisclosed NA Patched
GWA-2020-001 SSM undisclosed NA Patched
GWA-2019-026 XSS undisclosed NA Patched
GWA-2019-025 XSS undisclosed NA Unpatched
GWA-2019-024 XSS undisclosed NA Patched
GWA-2019-023 DoS undisclosed NA Patched
GWA-2019-022 RL undisclosed NA Patched
GWA-2019-021 ID undisclosed NA Unpatched
GWA-2019-020 ID undisclosed NA Unpatched
GWA-2019-019 ID undisclosed NA Unpatched
GWA-2019-018 ID undisclosed NA Unpatched
GWA-2019-017 PrivESC undisclosed NA Unpatched
GWA-2019-016 ID undisclosed NA Patched
GWA-2019-015 SSL undisclosed NA Patched
GWA-2019-014 ID undisclosed NA Patched
GWA-2019-013 AUTH undisclosed NA Patched
GWA-2019-012 ID cobalt.io NA Patched
GWA-2019-011 ACB undisclosed NA Patched
GWA-2019-010 ACB undisclosed NA Patched
GWA-2019-008 SSL undisclosed NA Patched
GWA-2019-007 ID undisclosed NA Patched
GWA-2019-006 HHI undisclosed NA Patched
GWA-2019-005 XSS undisclosed NA Patched
GWA-2019-004 NA undisclosed NA Patched
GWA-2019-003 ID undisclosed NA Patched
GWA-2019-002 ID undisclosed NA Patched
GWA-2019-001 XSS undisclosed NA Patched
GWA-2018-002 IDOR undisclosed NA Patched