Ranked by validated severity weight. Ties break by earliest report. Earnings shown only for researchers who opted in.
| # | Researcher | Severity mix | Reports | Earned |
|---|---|---|---|---|
| 4 | @arvi-7 | 5H 12M 9L | 26 | $28,600 |
| 5 | @nikolaj-q | 1C 3H 7M | 14 | $22,800 |
| 6 | @maru-9 | 4H 6M 5L | 15 | $17,200 |
| 7 | @cori-t | 2H 8M | 12 | $13,400 |
| 8 | @pelin-b | 1C 3M 4L | 9 | $11,900 |
| 9 | @jonas-k | 2H 4M 6L | 12 | $9,700 |
| 10 | @hanae-f | 5M 7L | 13 | $7,300 |
| 11 | @dustin-r | 1H 3M 5L | 9 | $5,400 |
| 12 | @eya-l | 2M 6L | 8 | $3,200 |
Independent researcher. Joined Acme bounty in 2023; consistently strong on web auth chains. Ranked #1 over the rolling 12-month window.
Server-side request forgery through the webhook URL validator allowed Owner-tier users to reach internal AWS metadata. Patched and re-verified before disclosure.