Project maintainers have issued the following disclosures in response to specific remediated vulnerabilities of note.
| Project (version) | Disclosure date | Vulnerability | CVE |
|---|---|---|---|
| GitLab (8.16.5) | February 15th 2017 | Stored XSS via markup languages (blogpost) | N/A |
| GitLab (9.0.2) | March 30th 2017 | Private group name disclosure | N/A |
| GitLab (9.0.4) | March 30th 2017 | Open redirect via import | N/A |
| WordPress (4.8.2) | September 19th 2017 | Open redirect via user and term edit screens | CVE-2017-14725 |
| GitLab (10.0.4) | October 18th 2017 | Stored XSS via Markdown parser bypass | N/A |
| BuddyPress (2.9.2) | November 2nd 2017 | Open redirect via extended user edit screen | N/A |

Packages and libraries

| Package (version) | Disclosure date | Vulnerability | CVE |
|---|---|---|---|
| geminabox (0.13.10) | November 13th 2017 | Stored XSS via Gemspec | CVE-2017-16792 |
| gemirro (0.15.0) | November 15th 2017 | Stored XSS via Gemspec | CVE-2017-16833 |
| Various NPM packages | December 2017 | Static web server directory traversal; reflected XSS | N/A |
| RubyGems (2.7.6) | December 2017 | Stored XSS in gem server via Gemspec URL injection | N/A |
The following organisations have publicly* acknowledged my responsible disclosure and vulnerability research efforts. Follow my activities on HackerOne, Bugcrowd, and the Google VRP to keep updated with new findings.
| Year (first recognised) | Organisations |
|---|---|
| 2016 | Ubiquiti Networks, General Motors, Hootsuite, Netflix, Instacart, Constant Contact, Xero, OwnCloud, Coursera, Shopify, GlassWire, Skyport Systems, and Legal Robot |
| 2017 | GitHub, Recorded Future, Sourceforge, Uber, Automattic, Dell, AOL, Sophos, Auto Trader, Envato, DigitalOcean, New Relic, Yahoo, Informatica Corporation, AT&T, Bosch, Etsy, Twitter, Mozilla (Firefox & Web Services), Algolia, Snapchat, Harvest, Plotly, Artsy, WordPress, Google, Imgur, and more... |
| 2018 | GrabTaxi and Facebook |
*Recognition from invitation-only bug bounty engagements and private programs is not included in the lists above.