I'm going to try to keep a timeline of some vulnerabilities I've identified and reported here. Dates may be approximate. I haven't been keeping track of when most of these were fixed. I dunno. Maybe you'll find it interesting or something.


Nov 30, 2016: Reported vulnerability to GitHub (Timing Attack)
Dec 01, 2016: Report to GitHub marked as Informative.
Dec 16, 2016: Reported vulnerability to Gwiddle (Info Disclosure)
Dec 16, 2016: Report to Gwiddle triaged
Dec 17, 2016: Gwiddle vulnerability patched
Jan 27, 2017: Reported vulnerabilities to USCERT (7 instances of XSS on various gov't sites)
Feb 21, 2017: Reported vulnerability to phpMyAdmin (XSS)
Feb 27, 2017: Report to phpMyAdmin marked as Duplicate
Feb 26, 2017: Reported vulnerability to VestaCP (Session Fixation #1)
Feb 26, 2017: Reported vulnerability to VestaCP (CSRF #2)
Feb 26, 2017: Reported vulnerability to VestaCP (RCE #3)
Feb 27, 2017: Report to VestaCP triaged (#1)
Feb 27, 2017: Report to VestaCP triaged (#2)
Feb 27, 2017: Report to VestaCP triaged (#3)
Feb 28, 2017: Vulnerability in VestaCP patched (#1). Assigned CVE-2017-6365
Feb 29, 2017: Vulnerability in VestaCP patched (#2). Assigned CVE-2017-6476
Apr 05, 2017: Reported vulnerability to VestaCP (XSS #4)
Apr 05, 2017: Reported vulnerability to VestaCP (XSS #5)
Apr 05, 2017: Reported vulnerability to VestaCP (CSRF #6)
Apr 05, 2017: Reported vulnerability to VestaCP (Insecure Crypto #7)
Apr 17, 2017: Report to VestaCP triaged (#4)
Apr 17, 2017: Report to VestaCP triaged (#5)
Apr 17, 2017: Report to VestaCP triaged (#6)
Apr 18, 2017: Report to VestaCP triaged (#7)
Apr 30, 2017: Reported vulnerability to Blockchain.info (CSRF+XSS)
Apr 30, 2017: Report to Blockchain.info marked as Duplicate.
May 04, 2017: Reported vulnerability to naviance (multiple instances of CSRF+XSS)
May 21, 2017: Reported vulnerability to turnitin.com (CSRF+XSS)
May 22, 2017: Report to turnitin.com triaged
May 24, 2017: Reported vulnerability to Department of Defense (XSS #1)
May 26, 2017: Report to Department of Defense marked as Duplicate (#1)
May 26, 2017: Reported vulnerability to Department of Defense (CSRF #2)
Jun 01, 2017: Report to Department of Defense triaged (#2)
Jul 17, 2017: Reported vulnerability to Plesk (XSS #1)
Jul 17, 2017: Report to Plesk triaged (#1)
Jul 25, 2017: Reported numerous vulnerabilities to VestaCP (3 CRLF injection, 1 XSS, 1 IDOR, 1 RCE)
Aug 02, 2017: Vulnerability in Plesk patched (#1)
Aug 12, 2017: Reported vulnerability to chaoswebs.net (XSS)
Aug 12, 2017: Vulnerability in chaoswebs.net patched.
Aug 19, 2017: Reported vulnerability to Plesk (XSS #2)
Aug 20, 2017: Report to Plesk triaged (#2)
Aug 22, 2017: Reported vulnerability to Google (CSRF)
Aug 23, 2017: Report to Google patched, but marked as out of scope
Aug 26, 2017: Reported vulnerability to Department of Defense (CSRF #3)
Aug 26, 2017: Reported vulnerability to Department of Defense (CSRF #4)
Aug 28, 2017: Report to Department of Defense triaged (#3)
Aug 28, 2017: Report to Department of Defense triaged (#4)
Sep 01, 2017: Vulnerability in Plesk patched (#2)
Sep 01, 2017: Reported vulnerability to Plesk (XSS #3)
Sep 03, 2017: Report to Plesk triaged (#3)
Sep 04, 2017: Reported vulnerability to Mythic Beasts (CSRF+XSS #1)
Sep 05, 2017: Vulnerability in Plesk patched (#3)
Sep 05, 2017: Reported vulnerability to Department of Defense (CSRF #5)
Sep 07, 2017: Report to Mythic Beasts triaged and patched (#1).
Sep 15, 2017: Vulnerability reported to AT&T (CSRF #1)
Sep 15, 2017: Vulnerability reported to AT&T (CSRF #2)
Sep 16, 2017: Vulnerability reported to AT&T (CSRF+XSS #3)
Sep 16, 2017: Vulnerability reported to AT&T (CSRF+XSS #4)
Sep 26, 2017: Report to AT&T triaged (#1)
Sep 26, 2017: Report to AT&T triaged and patched (#3). Placed on AT&T Hall of Fame
Sep 26, 2017: Report to Department of Defense triaged (#5)
Sep 28, 2017: Reported vulnerability to Arch Mirror ftp.kaist.ac.kr (RCE)
Sep 29, 2017: Reported vulnerability to USCERT (XSS #1)
Sep 29, 2017: Reported vulnerability to USCERT (XSS #2)
Oct 06, 2017: Mythic Beasts awarded bug bounty and published a blog post about it (#1).
Oct 10, 2017: Report to Department of Defense unmarked as duplicate (#1)
Oct 22, 2017: Reported vulnerability to Mythic Beasts (CSRF #2)
Oct 22, 2017: Reported vulnerability to Mythic Beasts (CSRF #3)
Oct 23, 2017: Reported vulnerability to Reverso.net (XSS)
Oct 25, 2017: Vulnerability in Mythic Beasts patched (CSRF #2)
Oct 25, 2017: Vulnerability in Mythic Beasts patched (CSRF #3)
Oct 29, 2017: Vulnerability reported to AT&T (XSS #5)
Oct 29, 2017: Vulnerability reported to Plesk (XSS #4)
Oct 29, 2017: Report to Plesk triaged (#4)
Nov 02, 2017: Vulnerability reported to Plesk (XSS #5)
Nov 03, 2017: Vulnerability in Plesk patched (#4)
Nov 08, 2017: AT&T awarded bug bounty (#3)
Nov 13, 2017: Vulnerability reported to AT&T (CSRF #6)
Nov 13, 2017: Multiple vulnerabilities reported to Passmark (2 CSRF, 1 XSS, 1 SQLi)
Nov 13, 2017: Vulnerabilities in Passmark patched
Nov 16, 2017: Reported multiple vulnerabilities to FMV (4 CSRF, 4 XSS)
Dec 06, 2017: Vulnerability in AT&T patched (#5)
Dec 09, 2017: Reported vulnerability to AT&T (XSS+CSRF #7)
Dec 11, 2017: Vulnerability in AT&T patched (#4)
Dec 15, 2017: Reported vulnerability to Dutch Government (CSRF)
Dec 15, 2017: Reported multiple vulnerabilities to UptimeRobot (6 CSRF, 1 XSS)
Dec 15, 2017: Vulnerability in Dutch Government website patched
Dec 16, 2017: Vulnerabilities in UptimeRobot patched
Dec 22, 2017: Multiple vulnerabilities reported to [redacted] (4 RCE)
Dec 22, 2017: Vulnerability reported to Plesk (Info Disclosure #6)
Dec 24, 2017: Report to Plesk marked as Duplicate (#6)
Dec 27, 2017: Vulnerability reported to Jarcimex (SQL Dump)
Dec 28, 2017: Vulnerability reported to artofproblemsolving.com (LFI)
Dec 28, 2017: Vulnerability in artofproblemsolving.com patched
Jan 10, 2018: Reported vulnerability to Federal Communications Commission (XSS)
Jan 11, 2018: Vulnerability in AT&T patched (#2)
Jan 15, 2018: Reported vulnerability to Lafayette College (Open Redir)
Jan 21, 2018: Reported vulnerability to FindU (XSS+CSRF)
Feb 09, 2018: Reported vulnerability to EasyCTF (Race Condition)
Feb 10, 2018: Vulnerability in EasyCTF patched
Feb 27, 2018: Reported vulnerability to Department of Defense (XSS #6)
Feb 27, 2018: Report to Department of Defense closed as Informative, and patched (#6)
Mar 12, 2018: Reported vulnerability to Portland Community College (XSS+CSRF)
Mar 13, 2018: Report to Portland Community College triaged
Mar 17, 2018: Reported vulnerability to the-aiff.com (Info. Disclosure)
Mar 17, 2018: Vulnerability in the-aiff.com patched
Apr 06, 2018: Vulnerability in AT&T patched (#7)
Apr 23, 2018: Reported vulnerability to Department of Defense (IAC #7)
Apr 26, 2018: Reported vulnerabilities to OR Secretary of State (5 XSS vulns)
Apr 26, 2018: Reported vulnerabilities to Brother (XSS + ~10 CSRF vulns)
May 03, 2018: Reported vulnerabilities to PythonTutor (Multiple XSS + User Spoofing)
... this got pretty outdated. I'll come and update this soon maybe.


The vast majority of these vulns were either reported via email. If you would like more information on any of these, however, feel free to contact me.