Vulnerability Reports
From a defense perspective, Information Security is tough to get right. Even when everything has been done correctly, vulnerabilities in software and hardware exist that you either have no knowledge of, or are unable to resolve for some reason.
In theory (and so far, in practice) nothing is ever 100% secure. A defender has limited time to find and fix every issue, whereas an attacker has unlimited time to find and exploit just one.
If I have found an issue with a system you are responsible for...
I have not done so maliciously, and I don't want anything for it (unless you participate in or otherwise offer a bug bounty, of course!), with one exception: I want the problem to be resolved. I may also like to write about it as per responsible disclosure, but if you do not wish for this to happen please tell me. I will always attempt to make contact first, several times, before publishing anything. Normally this will be at a minimum 90 days after first contact, though if the issue is judged to be very severe and I don't hear anything back from you this 90-day delay may get reduced. I'll let you know, though.
If you have found an issue on this site...
Want to dig about? Or have you happened across something interesting? The only rules are "don't leak/share personal data" (including information about the issue) and "try not to take anything offline"; otherwise anything on the fyr.io domain (including any and all subdomains, except for the blackbox.fyr.io subdomain) is open. This site is on its own VPS, dedicated to the fyr.io domain, so go wild. Rate limiting is appreciated though - try not to negatively impact the site 🙂
Whether it's full-blown RCE, minor information disclosure or something that I just haven't bothered to update, feel free to get in touch and let me know! I can't pay, but if you're the first person to report the issue (as of 2022-09-15) I'll add your name/alias/handle/etc along with any suitable links (social media profiles, personal sites, etc) to the Hall of Fame below. It's not much, but it's something.
Email me at this domain, but put "security" before the @ symbol. (Please note: it can take me a while to get to these issues, sorry!)
Hall of Fame
These fine people have reported a valid, unfixed-and-unknown-at-the-time-of-report bug, vulnerability, misconfiguration or other technical issue on this site:
Home-grown site
2025
- Gaurang maheta - LinkedIn
Old WordPress site
2023
- Parth Narula - Website
2022
- Raju Basak - LinkedIn
- Vinit Lakra [x3] - LinkedIn
- Shaik Rehman - LinkedIn
- Rupali Jain - LinkedIn
- Mr!dul Vohra [x2] - LinkedIn
- Ajay Kumar [x2] - LinkedIn | Twitter
- Love Yadav - LinkedIn
- Nikhil Rane [x5] - LinkedIn
- Hemant kashyap - LinkedIn
- Sachhit
- Tharun - LinkedIn
- Ritik Jangra - LinkedIn
- sahil shailesh more - LinkedIn
- Atharva Manoj Allewar - LinkedIn | Twitter
- Yash kushwah (@cyberyash951) - LinkedIn
- G BHARATH KALYAN [x2] - LinkedIn
2021
- Priti Navale - LinkedIn
We can't fix every security issue out there, but if we can fix just one it makes everyone that little bit safer.
Reported Vulns
I thought it might be interesting to update this page (in May 2026) to list out the vulns reported against this site. The page is called 'vulns' after all!
Current 'homegrown' site
| Vuln ID | Vuln Description | Fix? |
|---|---|---|
| v-26 | Weak SSH HMAC algorithm (SHA-1) | Hardened SSH, including removing weak algorithms |
Old WordPress site
All fairly mundane, v-06, v-14 & v-16 were annoying though. Rushed regex is not my friend!
| Vuln ID | Vuln Description | Fix? |
|---|---|---|
| v-25 | /wp-admin path disclosure via robots.txt | No fix |
| v-24 | Admin user disclosure via /wp-login.php?action=lostpassword | Blocked endpoint via .htaccess |
| v-23 | WordPress core & extension endpoints accessible | No fix - minimal extensions used, endpoints require being accessible (same as wp-login) |
| v-22 | Admin user disclosure via /?rest_route=/wp/v2/users/ | Blocked endpoint via .htaccess |
| v-21 | No rate limit on (known) login page | No fix |
| v-20 | Mail Misconfiguration - "target application does not validate the authenticity of mail received and triggers action on the victim's account such as creating a support ticket on the victim's account" | Invalid report. I just replied quickly enough for their automated scanner to think it was vulnerable to this lolol |
| v-19 | No HSTS | Enabled HSTS but without 'includeSubdomains' (due to ip. and blackbox. intentionally supporting HTTP) |
| v-17 | load-scripts.php theoretical abuse for DDoS participation | 403'd via .htaccess |
| v-16 | Admin user disclosure via /wp-json/wp/v2/users | v-06 & v-14 fix regex included a trailing slash, which isn't needed. Removed, and now the URL is blocked |
| v-15 | CORS misconfiguration of subdomain | Subdomain removed (experiment) |
| v-14 | Admin user disclosure via /wp-json/wp/v2/users/ | v-06 fix was case sensitive! Regex now case-*in*sensitive |
| v-13 | xmlrpc.php accessible on subdomain | Subdomain removed (experiment) |
| v-11 | No SSL on one subdomain | Subdomain removed |
| v-10 & v-12 (two independent reports) | clickjacking on three subdomains | Removed two subdomains (not used) and added x-frame-options header to ip. subdomain |
| v-09 | wp-login.php accessible | No fix, I did allowlist access via specific IP addresses for a while but took this off as it made phone stuff whilst out difficult |
| v-08 | /wp-sitemap-users-1.xml leaks username | Disabled generation of XML files |
| v-07 | wp-cron.php accessible | 403'd via .htaccess |
| v-06 | Admin user disclosure via /wp-json/wp/v2/users/ | 403'd via .htaccess |
| v-05 | SSRF via referrer, leads to IP leak | No fix, IP is public anyway. Caused by the 'WP-Statistics' plugin that fetches the favicon of the referring site. |
| v-04 | xmlrpc.php accessible | 403'd via .htaccess |
| v-03 | EXIF data on files on fyr.io domain | Downloaded, purged EXIF, re-uploaded |
| v-02 | Missing DMARC record | Added DMARC record |
| v-01 | Clickjacking on fyr.io domain | Added x-frame-options header with appropriate configuration |
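The three iterations of the users-endpoint block (v-06, v-14, v-16) and the query-string route behind v-22, as an added Python example that models the matching logic so each variant can be checked before a rule goes live. This is not the site's .htaccess: the regexes are reconstructed from the fix notes above, not copied from the real rules, and the request URLs are constructed samples.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Three generations of the path-blocking regex, reconstructed (assumed) from the
# fix notes for v-06, v-14 and v-16; the site's real .htaccess rules are not shown.
GENERATIONS = {
    "v-06": re.compile(r"^/wp-json/wp/v2/users/$"),          # case-sensitive, slash required
    "v-14": re.compile(r"^/wp-json/wp/v2/users/$", re.I),    # case-insensitive, slash required
    "v-16": re.compile(r"^/wp-json/wp/v2/users/?$", re.I),   # case-insensitive, slash optional
}

# v-22: the same REST route reachable through the rest_route query parameter,
# which a path-only rule never sees. Assumed pattern for that separate rule.
REST_ROUTE_USERS = re.compile(r"^/wp/v2/users/?$", re.I)


def path_blocked(pattern, url):
    """True if a path-only rule built from `pattern` would reject this request."""
    path = unquote(urlsplit(url).path)
    return bool(pattern.match(path))


def rest_route_blocked(url):
    """True if the request names the users route via ?rest_route= (v-22)."""
    query = parse_qs(urlsplit(url).query)
    return any(REST_ROUTE_USERS.match(unquote(route)) for route in query.get("rest_route", []))


def evaluate(url):
    """Map each generation of the rule to whether it blocks `url`."""
    verdict = {name: path_blocked(p, url) for name, p in GENERATIONS.items()}
    verdict["rest_route"] = rest_route_blocked(url)
    return verdict


# Constructed request URLs mirroring the reports, not real traffic from the site.
SAMPLE_REQUESTS = [
    "/wp-json/wp/v2/users/",        # v-06: the originally reported URL
    "/WP-JSON/wp/v2/users/",        # v-14: case variant slipped past the first rule
    "/wp-json/wp/v2/users",         # v-16: no trailing slash slipped past the second
    "/?rest_route=/wp/v2/users/",   # v-22: query-string route, needs its own rule
]

if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        print(f"{url:32} {evaluate(url)}")
```

Running it shows the first rule blocking only the exact reported URL, the second also catching the case variant, the third catching the slash-less form, and none of the path rules seeing the rest_route form.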