Full transparency — every report and its status
| Ticket | Title | Reporter | Status | Severity | Bounty | Date |
|---|---|---|---|---|---|---|
| TRK-0125AB5D | Property Availability API in other currencies | Fung G | Accepted | Low | 5,000 | Feb 17, 2026 |
| TRK-D8E2F6A9 | DNS Zone Transfer Enabled on Secondary Tratok Nameserver Leaks Internal Subdomain Inventory | Aisha Patel | Rejected | Info | – | Feb 13, 2026 |
| TRK-F1A4B7C3 | Outdated jQuery Library (v3.3.1) on Tratok Partner Portal Introduces Known CVE Exposure | Marcus Chen | Accepted | Info | 2,000 | Feb 10, 2026 |
| TRK-B9D2E5F7 | Predictable Booking Reference Generation Pattern Enables Enumeration of Active Reservations | Mei Lin Wong | Rejected | Low | – | Feb 9, 2026 |
| TRK-E3C6A8D2 | Missing Security Headers on Tratok Booking Confirmation Pages Allow Clickjacking Attacks | Ryan O'Connor | Rejected | Low | – | Feb 6, 2026 |
| TRK-2F7D8B1A | Information Disclosure via Verbose Error Messages in Tratok Flight Booking Search API | Natalia Soares | Accepted | Low | 5,000 | Feb 4, 2026 |
| TRK-6A5E9C4F | Server-Side Request Forgery in Tratok Partner Integration Webhook Handler Exposes Internal Network | Omar Hassan | Rejected | Medium | – | Feb 2, 2026 |
| TRK-4C1B7D3E | TLS Certificate Pinning Bypass in Tratok Mobile App Allows Man-in-the-Middle Interception | Elena Fischer | Accepted | Medium | 22,000 | Jan 30, 2026 |
| TRK-9E8F5A2D | Insufficient Rate Limiting on Tratok Wallet Recovery Endpoint Enables Brute-Force of Recovery Phrases | Kenji Tanaka | Rejected | Medium | – | Jan 27, 2026 |
| TRK-3D4A1C9B | Stored XSS in Tratok Travel Platform Hotel Review Submission Allows Session Hijacking | Lucia Morales | Accepted | Medium | 18,000 | Jan 24, 2026 |
| TRK-7B6E2F8A | Race Condition in TRAT Token Swap Function Allows Double-Spend During High-Frequency Transactions | Jonas Eriksson | Rejected | High | – | Jan 20, 2026 |
| TRK-1A9C3D5E | JWT Token Forgery via Weak HMAC Secret in Tratok Travel Platform Authentication Service | Aisha Patel | Accepted | High | 40,000 | Jan 17, 2026 |
| TRK-C7E4D9A1 | Smart Contract Reentrancy in TRAT Staking Pool Withdrawal Function Enables Fund Drainage | Dmitri Volkov | Accepted | Critical | 85,000 | Jan 14, 2026 |
| TRK-5F2B8E67 | Insecure Direct Object Reference in Hotel Booking API Exposes Guest PII and Payment Tokens | Sarah Kovac | Accepted | High | 45,000 | Jan 10, 2026 |
| TRK-8A3F1B2C | Cross-Chain Bridge Token Relay Allows Unauthorized Minting of TRAT via Spoofed Origin Validation | Marcus Chen | Accepted | Critical | 95,000 | Jan 6, 2026 |
