
4 matches found

Hacker One
added 2016/10/14 2:15 p.m., 33 views

Internet Bug Bounty: Remote client memory corruption in ssl_add_clienthello_tlsext()

https://guidovranken.wordpress.com/2016/10/13/openssl-1-1-0-remote-client-memory-corruption-in-ssladdclienthellotlsext/ OpenSSL is not treating this as a security vulnerability because 1) session tickets need to be enabled, 2) request certificate status from server, 3) an unrealistically large ALPN li...

6.8 AI score
Exploits: 0
Hacker One
added 2016/10/11 9:41 p.m., 24 views

Internet Bug Bounty: Double-free in X509 parsing

Note: OpenSSL decided not to assign a CVE, so I'm submitting this for reputation points. See: https://github.com/openssl/openssl/commit/6dcba070a94b1ead92f3e327cf207a0b7db6596f https://github.com/guidovranken/openssl-x509-vulnerabilities...

6.8 AI score
Exploits: 0
Hacker One
added 2016/04/27 6:49 p.m., 25 views

Internet Bug Bounty: Potential double free in EVP_DigestInit_ex

https://github.com/openssl/openssl/commit/ffe9150b1508a0ffc9e724f975691f24eb045c05 If a bounty isn't possible for these non-CVE vulns then I'd appreciate reputation points so it wasn't all for nothing :P...

6.9 AI score
Exploits: 0
Hacker One
added 2016/03/19 10:55 p.m., 16 views

Vimeo: Missing rate limit on private videos password

Missing rate limit on password protected clips. Rate-limits is a non-qualifying bug at this time. We have received multiple reports of this in the past, however, since that time we have implemented a clip password rate limit. This was not appropriately applied to all clip password areas, so we've...

1.5 AI score
Exploits: 0