I'm going to try to keep a timeline of some vulnerabilities I've identified and reported here. Dates may be approximate. I haven't been keeping track of when most of these were fixed. I dunno. Maybe you'll find it interesting or something.


Nov 30, 2016: Reported vulnerability to GitHub (Timing Attack)
Dec 01, 2016: Report to GitHub marked as Informative.
Dec 16, 2016: Reported vulnerability to Gwiddle (Info Disclosure)
Dec 16, 2016: Report to Gwiddle triaged
Dec 17, 2016: Gwiddle vulnerability patched
Jan 27, 2017: Reported vulnerabilities to USCERT (7 instances of XSS on various gov't sites)
Feb 21, 2017: Reported vulnerability to phpMyAdmin (XSS)
Feb 27, 2017: Report to phpMyAdmin marked as Duplicate
Feb 26, 2017: Reported vulnerability to VestaCP (Session Fixation #1)
Feb 26, 2017: Reported vulnerability to VestaCP (CSRF #2)
Feb 26, 2017: Reported vulnerability to VestaCP (RCE #3)
Feb 27, 2017: Report to VestaCP triaged (#1)
Feb 27, 2017: Report to VestaCP triaged (#2)
Feb 27, 2017: Report to VestaCP triaged (#3)
Feb 28, 2017: Vulnerability in VestaCP patched (#1). Assigned CVE-2017-6365
Feb 29, 2017: Vulnerability in VestaCP patched (#2). Assigned CVE-2017-6476
Apr 05, 2017: Reported vulnerability to VestaCP (XSS #4)
Apr 05, 2017: Reported vulnerability to VestaCP (XSS #5)
Apr 05, 2017: Reported vulnerability to VestaCP (CSRF #6)
Apr 05, 2017: Reported vulnerability to VestaCP (Insecure Crypto #7)
Apr 17, 2017: Report to VestaCP triaged (#4)
Apr 17, 2017: Report to VestaCP triaged (#5)
Apr 17, 2017: Report to VestaCP triaged (#6)
Apr 18, 2017: Report to VestaCP triaged (#7)
Apr 30, 2017: Reported vulnerability to Blockchain.info (CSRF+XSS)
Apr 30, 2017: Report to Blockchain.info marked as Duplicate.
May 04, 2017: Reported vulnerability to naviance (multiple instances of CSRF+XSS)
May 21, 2017: Reported vulnerability to turnitin.com (CSRF+XSS)
May 22, 2017: Report to turnitin.com triaged
May 24, 2017: Reported vulnerability to Department of Defense (XSS #1)
May 26, 2017: Report to Department of Defense marked as Duplicate (#1)
May 26, 2017: Reported vulnerability to Department of Defense (CSRF #2)
Jun 01, 2017: Report to Department of Defense triaged (#2)
Jul 17, 2017: Reported vulnerability to Plesk (XSS #1)
Jul 17, 2017: Report to Plesk triaged (#1)
Jul 25, 2017: Reported numerous vulnerabilities to VestaCP (3 CRLF injection, 1 XSS, 1 IDOR, 1 RCE)
Aug 02, 2017: Vulnerability in Plesk patched (#1)
Aug 12, 2017: Reported vulnerability to chaoswebs.net (XSS)
Aug 12, 2017: Vulnerability in chaoswebs.net patched.
Aug 19, 2017: Reported vulnerability to Plesk (XSS #2)
Aug 20, 2017: Report to Plesk triaged (#2)
Aug 22, 2017: Reported vulnerability to Google (CSRF)
Aug 23, 2017: Report to Google patched, but marked as out of scope
Aug 26, 2017: Reported vulnerability to Department of Defense (CSRF #3)
Aug 26, 2017: Reported vulnerability to Department of Defense (CSRF #4)
Aug 28, 2017: Report to Department of Defense triaged (#3)
Aug 28, 2017: Report to Department of Defense triaged (#4)
Sep 01, 2017: Vulnerability in Plesk patched (#2)
Sep 01, 2017: Reported vulnerability to Plesk (XSS #3)
Sep 03, 2017: Report to Plesk triaged (#3)
Sep 04, 2017: Reported vulnerability to Mythic Beasts (CSRF+XSS #1)
Sep 05, 2017: Vulnerability in Plesk patched (#3)
Sep 05, 2017: Reported vulnerability to Department of Defense (CSRF #5)
Sep 07, 2017: Report to Mythic Beasts triaged and patched (#1).
Sep 15, 2017: Vulnerability reported to AT&T (CSRF #1)
Sep 15, 2017: Vulnerability reported to AT&T (CSRF #2)
Sep 16, 2017: Vulnerability reported to AT&T (CSRF+XSS #3)
Sep 16, 2017: Vulnerability reported to AT&T (CSRF+XSS #4)
Sep 26, 2017: Report to AT&T triaged (#1)
Sep 26, 2017: Report to AT&T triaged and patched (#3). Placed on AT&T Hall of Fame
Sep 26, 2017: Report to Department of Defense triaged (#5)
Sep 28, 2017: Reported vulnerability to Arch Mirror ftp.kaist.ac.kr (RCE)
Sep 29, 2017: Reported vulnerability to USCERT (XSS #1)
Sep 29, 2017: Reported vulnerability to USCERT (XSS #2)
Oct 06, 2017: Mythic Beasts awarded bug bounty and published a blog post about it (#1).
Oct 10, 2017: Report to Department of Defense unmarked as duplicate (#1)
Oct 22, 2017: Reported vulnerability to Mythic Beasts (CSRF #2)
Oct 22, 2017: Reported vulnerability to Mythic Beasts (CSRF #3)
Oct 23, 2017: Reported vulnerability to Reverso.net (XSS)
Oct 25, 2017: Vulnerability in Mythic Beasts patched (CSRF #2)
Oct 25, 2017: Vulnerability in Mythic Beasts patched (CSRF #3)
Oct 29, 2017: Vulnerability reported to AT&T (XSS #5)
Oct 29, 2017: Vulnerability reported to Plesk (XSS #4)
Oct 29, 2017: Report to Plesk triaged (#4)
Nov 02, 2017: Vulnerability reported to Plesk (XSS #5)
Nov 03, 2017: Vulnerability in Plesk patched (#4)
Nov 08, 2017: AT&T awarded bug bounty (#3)
Nov 13, 2017: Vulnerability reported to AT&T (CSRF #6)
Nov 13, 2017: Multiple vulnerabilities reported to Passmark (2 CSRF, 1 XSS, 1 SQLi)
Nov 13, 2017: Vulnerabilities in Passmark patched
Nov 16, 2017: Reported multiple vulnerabilities to FMV (4 CSRF, 4 XSS)
Dec 06, 2017: Vulnerability in AT&T patched (#5)
Dec 09, 2017: Reported vulnerability to AT&T (XSS+CSRF #7)
Dec 11, 2017: Vulnerability in AT&T patched (#4)
Dec 15, 2017: Reported vulnerability to Dutch Government (CSRF)
Dec 15, 2017: Reported multiple vulnerabilities to UptimeRobot (6 CSRF, 1 XSS)
Dec 15, 2017: Vulnerability in Dutch Government website patched
Dec 16, 2017: Vulnerabilities in UptimeRobot patched
Dec 22, 2017: Multiple vulnerabilities reported to [redacted] (4 RCE)
Dec 22, 2017: Vulnerability reported to Plesk (Info Disclosure #6)
Dec 24, 2017: Report to Plesk marked as Duplicate (#6)
Dec 27, 2017: Vulnerability reported to Jarcimex (SQL Dump)
Dec 28, 2017: Vulnerability reported to artofproblemsolving.com (LFI)
Dec 28, 2017: Vulnerability in artofproblemsolving.com patched
Jan 10, 2017: Reported vulnerability to Federal Communications Commission (XSS)
Jan 11, 2017: Vulnerability in AT&T patched (#2)
Jan 15, 2017: Reported vulnerability to Lafayette College (Open Redir)
Jan 21, 2017: Reported vulnerability to FindU (XSS+CSRF)


The vast majority of these vulns were either reported via email or HackerOne (undisclosed/unpatched). If you would like more information on any of these, however, feel free to contact me.