Yasin Soliman

I'm Yasin, a security analyst and researcher from the UK. This is my personal blog for sharing technical findings. I also write for Graham Cluley and Tripwire.

Advisories and acknowledgements

Project maintainers have issued the following disclosures in response to specific remediated vulnerabilities of note.

| Product/Service | Disclosure Date | Issue(s) | CVE |
|---|---|---|---|
| GitLab (8.16.5) | February 15th 2017 | Stored XSS via markup languages | N/A |
| GitLab (9.0.2) | March 30th 2017 | Private group name disclosure | N/A |
| GitLab (9.0.4) | March 30th 2017 | Open redirect via import | N/A |
| Piwik (3.1.0) | September 12th 2017 | XSS issue | N/A |
| WordPress (4.8.2) | September 19th 2017 | Open redirect via user and term edit screens | CVE-2017-14725 |
| GitLab (10.0.4) | October 18th 2017 | Stored XSS via Markdown parser bypass | N/A |


The following organisations have publicly* acknowledged my responsible disclosure and vulnerability research efforts. Follow my activities on HackerOne, Bugcrowd, and the Google VRP to keep updated with new findings.

| Year (first recognised) | Organisations |
|---|---|
| 2016 | Ubiquiti Networks, General Motors, Hootsuite, Netflix, Instacart, Constant Contact, Xero, OwnCloud, Coursera, Shopify, GlassWire, Skyport Systems, and Legal Robot |
| 2017 | GitHub, Recorded Future, Sourceforge, Uber, Automattic, Dell, AOL, Gogo, Sophos, Auto Trader, Envato, DigitalOcean, New Relic, Yahoo, Informatica Corporation, AT&T, Bosch, Etsy, Twitter, Mozilla (Firefox & Web Services), Algolia, Snapchat, Harvest, Plotly, Artsy, WordPress, Google, Imgur, and more... |

*Recognition from invitation-only bug bounty engagements and private programs is not included in the list above.