Packet Storm

Changelog

Date: 2025-11-26 (1764144000)

Things always get busy the week of Thanksgiving. I suspect it's due to free time on people's hands. If responses are slow, that's why. We've gone from an average of 20 daily entries to 50-100 daily entries this year with the improvements, but with that comes a time cost.

Date: 2025-11-09 (1762675200)

Large scale changes have been implemented. Load testing will occur today and updates will resume post load testing.

Date: 2025-11-06 (1762416000)

Some legacy nuances caused a backend dependency to fail in really odd places. Clean up and repair has begun on a massive scale but for now, it's delaying updates until later today.

Date: 2025-11-05 (1762329600)

Some emergency changes had to be made to ensure consistency across some dependencies, and those in turn caused more dependency fallout. Some functions, like search, may be offline today as we troubleshoot. Update 2PM PST: things should be addressed, but if you see some broken rendering or the like, please shoot a mail to staff@. Thanks!

Date: 2025-11-02 (1762066800)

A major change was implemented on how we're blocking bot traffic. There may be edge cases where you might get caught up in it and if so, we'd love to know those use cases and will try to address them if possible. The site scraping is out of control and we're possibly going to force logins going forward to mitigate the abuse.

Date: 2025-10-29 (1761721200)

Profile images that were uploaded weren't getting properly unlinked upon account deletion. The images themselves were named with random values, so enumeration attacks wouldn't find them post account deletion, but if you had prior knowledge of the URL for someone's image, you could still see it. This affected 14 accounts (but as we've deleted the user data, they're just tied to arbitrary integers for us post user data deletion), and the related images have all been purged. The unlinking issue is fixed. Thanks to Arjun for the find!
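The class of bug in the entry above, as an added example that is not Packet Storm's code: a minimal profile-image store where uploads get random names (so enumeration finds nothing) but, if account deletion only drops the database reference, the file stays fetchable by anyone who already holds its URL. `ProfileImageStore`, `demo()` and the directory layout are all assumptions made for the example; `unlink_file=False` reproduces the bug and the default reproduces the fix.

```python
import os
import secrets
import tempfile

# Added example, not Packet Storm's code: a minimal profile-image store that
# names uploads randomly and purges the file when the owning account is deleted.


class ProfileImageStore:
    def __init__(self, root):
        self.root = root
        self.by_user = {}  # user_id -> on-disk path of that user's image

    def upload(self, user_id, data, ext="jpg"):
        # Random, unguessable name: walking /img/1.jpg, /img/2.jpg ... finds nothing.
        # That defeats enumeration but is not access control; anyone holding the
        # URL can still fetch the file for as long as it exists on disk.
        name = secrets.token_urlsafe(24) + "." + ext
        path = os.path.join(self.root, name)
        with open(path, "wb") as fh:
            fh.write(data)
        self.by_user[user_id] = path
        return path

    def is_served(self, path):
        # Stand-in for the web server's static handler: present on disk == fetchable.
        return os.path.isfile(path)

    def delete_account(self, user_id, unlink_file=True):
        # unlink_file=False reproduces the bug described above: the user row and its
        # image reference go away, but the file stays reachable by its old URL.
        path = self.by_user.pop(user_id, None)
        if path is not None and unlink_file:
            try:
                os.remove(path)
            except FileNotFoundError:
                pass  # already gone; deletion must be idempotent
        return path


def demo():
    """Returns (still_served_after_buggy_delete, still_served_after_fixed_delete)."""
    store = ProfileImageStore(tempfile.mkdtemp())
    fake_jpeg = b"\xff\xd8constructed-bytes\xff\xd9"  # constructed sample upload

    buggy_path = store.upload(1, fake_jpeg)
    store.delete_account(1, unlink_file=False)
    buggy_result = store.is_served(buggy_path)

    fixed_path = store.upload(2, fake_jpeg)
    store.delete_account(2)
    fixed_result = store.is_served(fixed_path)
    return buggy_result, fixed_result
```

The point worth keeping from this: random file names are an enumeration defence, not a deletion strategy. Deletion has to unlink the object itself (and, behind a CDN, purge the cached copy) before the reference is dropped, or the reference is the only thing you lose.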

Date: 2025-10-27 (1761548400)

I'm starting to feel like the maintainer of curl over here. Please only send in vulnerability reports that have been validated, have an actual security implication (not just a setting on/off that we may have a use for but could be dangerous if used wrong), and an indication that you comprehend what you are reporting and why it is an issue. It's getting silly (and excessively time consuming).

Date: 2025-10-23 (1761202800)

We've been getting AI slop submissions for "vulnerabilities" that are not valid. Please manually validate your findings and comprehend what you are reporting before you do so. For instance, you should comprehend what your suggested remediations mean and do and how they apply to the issue you're claiming. It's time consuming and cycles are minimal around here. There's always a lot of work to do and a finite amount of time to do it in each day.

Also, RSS feeds were decommissioned today. This was long overdue. Please consider the threat intelligence feed if you need programmatic access to the system going forward.

Date: 2025-10-13 (1760338800)

We had some security issues reported over the weekend. Everyone can have them and we are no different, but how you react to them is always what matters. They immediately became priority one for us. And unlike most companies using bug bounties, we believe in full disclosure so we want to be verbose on these topics.

First up, a real egg-on-face issue. A bad code push stripped out the EXIF strip step, and EXIF data remained in some uploaded images. Our analysis shows only 0.004% of pics were affected, and they have all been stripped to ensure no further exposure. This included pictures for 3 users (myself one of them, the researcher another, and a third pic that was not an accessible pic but rather a stored image on the backend that had been converted), and an advertisement. We took the site offline during this process to mitigate further disclosure in case the issue was bigger. The primary vector of attack was addressed, tested, and pushed live. We would like to extend our thanks to Vaibhav Jain for reporting the issue.
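What an EXIF strip actually does at the byte level, as an added example that is not Packet Storm's upload pipeline: a JPEG is a sequence of marker segments, and EXIF (plus XMP) lives in APP1 segments ahead of the scan data, so stripping means walking the markers and dropping APP1 and COM segments while copying everything else through untouched. The `accept_upload` guard is the part that would have caught the bad push described above: it strips, then refuses to store if any EXIF survived, so the pipeline fails closed rather than silently. The sample JPEG is constructed (valid marker layout, not a decodable photo), and all function names are assumptions for the example.

```python
import struct

# Added example (not Packet Storm's upload pipeline): strip EXIF/XMP and comment
# segments from a JPEG by walking its marker segments, and a fail-closed check
# for the upload handler so a bad code push cannot silently reintroduce leaks.

SOS, APP1, COM = 0xDA, 0xE1, 0xFE
STANDALONE = {0x01, *range(0xD0, 0xDA)}  # TEM, RST0-7, SOI, EOI carry no length field


def iter_segments(data):
    """Yield (marker, seg_start, payload_start, seg_end) for every marker
    segment between SOI and SOS inclusive. Scan data after SOS is not parsed."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos < len(data):
        seg_start = pos
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        while pos < len(data) and data[pos] == 0xFF:  # skip fill bytes
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated marker")
        marker = data[pos]
        pos += 1
        if marker in STANDALONE:
            yield marker, seg_start, pos, pos
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment length")
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        seg_end = pos + length  # the length field counts its own two bytes
        if length < 2 or seg_end > len(data):
            raise ValueError("bad segment length at offset %d" % pos)
        yield marker, seg_start, pos + 2, seg_end
        pos = seg_end
        if marker == SOS:
            return


def has_exif(data):
    """True if any APP1 segment carries an Exif header."""
    return any(m == APP1 and data[p:p + 6] == b"Exif\x00\x00"
               for m, _, p, _ in iter_segments(data))


def strip_metadata(data):
    """Return a copy of the JPEG with all APP1 (Exif, XMP) and COM segments removed.
    Everything from SOS onward (the actual image data) is copied untouched."""
    out = bytearray(b"\xff\xd8")
    tail_start = 2
    for marker, seg_start, _, seg_end in iter_segments(data):
        tail_start = seg_end
        if marker in (APP1, COM):
            continue
        out += data[seg_start:seg_end]
    out += data[tail_start:]
    return bytes(out)


def accept_upload(data):
    """Upload-handler guard: strip, then refuse to store if anything survived."""
    cleaned = strip_metadata(data)
    if has_exif(cleaned):
        raise RuntimeError("EXIF survived stripping; refusing to store")
    return cleaned


def _segment(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: structurally valid marker layout, not a decodable photo.
EXIF_SEG = _segment(APP1, b"Exif\x00\x00MM\x00*\x00\x00\x00\x08" + bytes(8))
COM_SEG = _segment(COM, b"taken at home")
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")  # APP0, kept
    + EXIF_SEG
    + COM_SEG
    + _segment(0xDB, b"\x00" + bytes(64))                         # DQT, kept
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\x56"                                             # fake scan data
    + b"\xff\xd9"
)
```

This covers JPEG only; PNG (tEXt/eXIf chunks), WebP and HEIC carry metadata in their own containers and need their own strip. Many pipelines instead re-encode through an image library, which drops metadata as a side effect, but the `accept_upload` check is worth keeping regardless of how the strip is done: it turns "the strip step got dropped in a push" into a hard error at upload time instead of a disclosure found later.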

An additional issue was reported by Vaibhav: we were not mitigating password reuse. That was initially by design, as we did not want to keep a massive cache of old user hashes, but upon reconsideration, and after looking at implementation cost, we got this changed as well within a few hours. The changes are now live.
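The trade-off in the entry above, as an added example that is not Packet Storm's implementation: a password history of bounded depth blocks reuse of recent passwords without keeping every hash a user ever had. Each retained entry keeps its own salt, so a reuse check costs one slow hash per entry, which is the practical reason to cap the depth. `PasswordStore`, `HISTORY_DEPTH` and the scrypt parameters are assumptions for the example.

```python
import hashlib
import hmac
import os

# Added example, not Packet Storm's implementation: password history with a
# bounded depth, so reuse of a recent password is refused without keeping
# every hash a user ever had.

HISTORY_DEPTH = 5
SCRYPT = dict(n=2 ** 14, r=8, p=1, dklen=32)  # constructed parameters; tune for your hardware


def password_hash(password, salt):
    return hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)


class PasswordStore:
    def __init__(self, depth=HISTORY_DEPTH):
        self.depth = depth
        self.history = {}  # user -> [(salt, digest), ...], newest first

    def set_password(self, user, new_password):
        entries = self.history.get(user, [])
        # Each old entry has its own salt, so a reuse check costs one scrypt per
        # retained entry. That is why the depth is bounded rather than "forever".
        for salt, digest in entries:
            if hmac.compare_digest(password_hash(new_password, salt), digest):
                raise ValueError("that password was used recently; choose another")
        salt = os.urandom(16)
        entries.insert(0, (salt, password_hash(new_password, salt)))
        del entries[self.depth:]  # drop the oldest so the hash cache stays small
        self.history[user] = entries

    def verify(self, user, password):
        entries = self.history.get(user)
        if not entries:
            return False
        salt, digest = entries[0]  # only the newest entry is the live credential
        return hmac.compare_digest(password_hash(password, salt), digest)


def demo():
    """Returns (reuse_was_blocked, old_pw_allowed_after_aging_out, stale_pw_logs_in)."""
    store = PasswordStore(depth=2)
    store.set_password("alice", "correct horse")
    store.set_password("alice", "battery staple")
    try:
        store.set_password("alice", "correct horse")
        reuse_blocked = False
    except ValueError:
        reuse_blocked = True
    store.set_password("alice", "third password")   # "correct horse" ages out (depth=2)
    store.set_password("alice", "correct horse")    # now accepted again
    return reuse_blocked, store.verify("alice", "correct horse"), store.verify("alice", "third password")
```

Only the newest entry ever authenticates; the older ones exist solely to answer "was this used recently". If the history table is ever exposed, it is a few extra slow hashes per user, not a second set of live credentials, which is the other reason bounding the depth is cheap to accept.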

But wait, there's more! We were missing a cache header on the settings page, so post logout, clicking Back would reveal the page from the browser's local cache. Not horrific, but also not great in shared computing circumstances. This has been addressed and pushed live. We would like to extend our thanks to Shivang Singhal for reporting this issue.

Thanks to everyone for hacking us. It's appreciated.


Date: 2025-09-26 (1758870000)

Everything should be back up and functioning after a curious 24 hours. Please drop a note if it isn't.

Date: 2025-09-25 (1758783600)

Hmmm.. running into a very unique caching problem with the new code push and only in production. Will troubleshoot further tomorrow but for now, things may run a little slow.

Good news, however, is that we have new API tiers! And it's much cheaper. Please let us know if you see any bugs.

Date: 2025-09-19 (1758265200)

Some major backend updates got pushed today. It required a hard reboot of the entire ecosystem so apologies for about 10 minutes of downtime this morning. A new announcement is set for next week, stay tuned.

Date: 2025-09-03 (1756882800)

A set of cascading fails caused a 404 yesterday evening for visits to the main web site. The API was still functioning fine. A cronjob was turned off during a code push and was not re-enabled. It was such a simple oops. One would think, well, wouldn't you have monitoring to catch that? Absolutely! But then the monitoring got caught in a blacklist tied to the new IP space for the mail server and.. the messages did not get out. Yes, phone calls were received but not answered. After all, this was after hours and we try to keep boundaries. As noted, compounding, cascading failures. We will do better to ensure this does not happen again. Workarounds and adjustments have been made, but we are (obviously) still shaking out some bugs with this migration. Oh, Internet.

Date: 2025-09-02 (1756796400)

A function to globally force logout of all sessions was not available. Further, password changes didn't force logout of other devices in the case where a token was compromised, so that wasn't good. This has been addressed and you now have options to nuke other sessions via the change password flow and also just as a general option under your settings. Kudos to jainam28 for the finding!

Date: 2025-08-27 (1756278000)

A large migration took place today to new hardware and new operating systems. There were many moving pieces touched but extreme focus was taken to ensure no breakage. That said, now something will break. If you notice anything broken, please ping us!

Date: 2025-08-18 (1755500400)

Signed redirects added where applicable. If you noticed any failed flows, holler.

Date: 2025-08-17 (1755414000)

A staggering amount of UI changes have been made and although testing has occurred, bugs may exist. Hopefully things are more tolerable now. Please report any brokenness if you see it. There was another block on checkouts due to overly aggressively blocking a /10. Apologies. Signed redirects are being added for authenticated flows for ease of use. They will be fully rolled out tomorrow.
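What a signed redirect buys in the authenticated flows mentioned in this entry and the one dated 2025-08-18, as an added example that is not Packet Storm's implementation: the `next=` target a login form carries is only honoured if it was signed by the server, has not expired, and still points back into the site, which closes the usual open-redirect hole in "send me back where I was". The token format, `KEY` and the function names are assumptions for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlsplit

# Added example, not Packet Storm's implementation: a `next=` redirect target
# for an authenticated flow is only honoured when it carries a valid HMAC and
# has not expired, and even then only if it points back into this site.

KEY = secrets.token_bytes(32)  # constructed; production keeps this in a secret store
FALLBACK = "/"


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def is_local_path(target):
    """Accept only same-site absolute paths: "/settings?tab=api" yes;
    "//evil.example/", "/\\evil.example" and "https://evil.example" no."""
    if not target.startswith("/") or target.startswith(("//", "/\\")):
        return False
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""


def _mac(msg, key):
    return _b64(hmac.new(key, msg, hashlib.sha256).digest())


def sign_redirect(target, ttl=300, now=None, key=KEY):
    """Server side: build the token the login form carries in `next=`."""
    if not is_local_path(target):
        raise ValueError("refusing to sign an off-site redirect")
    exp = int((time.time() if now is None else now) + ttl)
    body = f"{_b64(target.encode())}.{exp}"
    return f"{body}.{_mac(body.encode(), key)}"


def verify_redirect(token, now=None, key=KEY):
    """Server side, after login: the path to redirect to, or FALLBACK."""
    try:
        encoded, exp, sig = token.split(".")
        body = f"{encoded}.{exp}"
        if not hmac.compare_digest(sig, _mac(body.encode(), key)):
            return FALLBACK
        if int(exp) < (time.time() if now is None else now):
            return FALLBACK
        target = _unb64(encoded).decode()
    except (ValueError, UnicodeDecodeError):
        return FALLBACK
    return target if is_local_path(target) else FALLBACK
```

The `is_local_path` check runs on both sides on purpose: the signer refuses to mint a token for an off-site target, and the verifier re-checks after decoding so a key leak or a signing bug elsewhere still cannot turn the login page into a redirector. The backslash case matters because browsers normalise `/\host` to `//host` while `urlsplit` does not.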

Date: 2025-08-11 (1754895600)

Had a bit of downtime this morning as some updates had to be applied while offline. In the midst of going through various conference related data from the past week. If you have anything you want added to the archive whether it be slides or a tool, hit us up!

Date: 2025-08-05 (1754377200)

We expect some interesting files to post this week. Although the site will have no representation in Vegas this year, we hope everyone has a safe time and enjoys the conferences and of course, the parties. If you have a new tool or finding you are releasing, or notice one that should be included in our archive, please drop us a line!

Date: 2025-07-21 (1753081200)

Plenty of interesting files today as well as headlines. Friendly reminder that automated scraping of the site results in not only failure, but blocking at the perimeter.


© 2024 - 2025 All Rights Reserved Packet Storm Security, LLC