GSA Bounty: Cross-Site Request Forgery on the Federalist API (all endpoints), using Flash file on the attacker's host
We endorse sp1d3rs's summary! The PR fixing this ticket is here: https://github.com/18F/federalist/pull/1157 Thanks to the 18F team for the great experience, fast fix, and the bounty! The report details: I requested the limited disclosure due to a lot of sensitive info in the attachments and report...
GSA Bounty: Race condition on the Federalist API endpoints can lead to a Denial of Service attack
Description Hello. I discovered that the Federalist API doesn't have rate limiting in place, and executes any number of requests to the endpoint in parallel. The impact Since you are using the cloud, and I can't test the production environment, the impact is theoretical in this case - it can be a...