Changelog
Date: 2025/11/02 (1762066800)
A major change was implemented on how we're blocking bot traffic. There may be edge cases where you might get caught up in it and if so, we'd love to know those use cases and will try to address them if possible. The site scraping is out of control and we're possibly going to force logins going forward to mitigate the abuse.
Date: 2025/10/29 (1761721200)
Profile images that were uploaded weren't getting properly unlinked upon account deletion. The images themselves were named with random values, so enumeration attacks wouldn't find them post account deletion, but if you had prior knowledge of the URL for someone's image, you could still see them. This affected 14 accounts (but as we've deleted the user data, it's just tied to arbitrary integers for us post user data deletion) and the related images have all been purged. The unlinking issue is fixed. Thanks to Arjun for the find!
Date: 2025/10/27 (1761548400)
I'm starting to feel like the maintainer of curl over here. Please only send in vulnerability reports that have been validated, have an actual security implication (not just a setting on/off that we may have a use for but could be dangerous if used wrong), and an indication that you comprehend what you are reporting and why it is an issue. It's getting silly (and excessively time consuming).
Date: 2025/10/23 (1761202800)
We've been getting AI slop submissions for "vulnerabilities" that are not valid. Please manually validate your findings and comprehend what you are reporting before you do so. For instance, you should comprehend what your suggested remediations mean and do and how they apply to the issue you're claiming. It's time consuming and cycles are minimal around here. There's always a lot of work to do and a finite amount of time to do it in each day.
Also, RSS feeds were decommissioned today. This was long overdue. Please consider the threat intelligence feed if you need programmatic access to the system going forward.
Date: 2025/10/13 (1760338800)
We had some security issues reported over the weekend. Everyone can have them and we are no different, but how you react to them is always what matters. They immediately became priority one for us. And unlike most companies using bug bounties, we believe in full disclosure so we want to be verbose on these topics.
First up, a real egg-on-face issue. A bad code push dropped the EXIF-stripping step, so EXIF data remained in some uploaded images. Our analysis shows only 0.004% of pics were affected and they have all been stripped to ensure no further exposure. This included pictures for 3 users (myself one of them, the researcher the other, and a third pic that was not an accessible pic but rather a stored image on the backend that had been converted), and an advertisement. We took the site offline during this process to mitigate further disclosure in case the issue was bigger. The primary vector of attack was addressed, tested, and pushed live. We would like to extend our thanks to Vaibhav Jain for reporting the issue.
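As an added example (not the site's own code), this is the kind of EXIF strip plus regression check that catches a build where the stripping step has gone missing: a minimal JPEG marker walker that drops Exif APP1 segments and a checker that fails if any remain. The sample JPEG bytes are constructed, not a real photo.

```python
# Added example, not the site's own code: strip Exif (APP1) segments from a
# JPEG and check that none remain, the regression test that would catch a
# build where the stripping step went missing. Sample bytes are constructed.
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
APP1, DQT, SOS = 0xE1, 0xDB, 0xDA
EXIF_ID = b"Exif\x00\x00"

def _segments(data):
    """Yield (marker, start, end) for each marker segment before SOS."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == SOS:  # entropy-coded scan follows; stop parsing here
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        end = pos + 2 + length
        yield marker, pos, end
        pos = end

def _is_exif(data, marker, start):
    return marker == APP1 and data[start + 4:start + 10] == EXIF_ID

def has_exif(data):
    """Regression check: True if any Exif APP1 segment is still present."""
    return any(_is_exif(data, m, s) for m, s, _ in _segments(data))

def strip_exif(data):
    """Copy every segment except Exif APP1; scan data and EOI pass through."""
    out, pos = bytearray(SOI), 2
    for marker, start, end in _segments(data):
        if not _is_exif(data, marker, start):
            out += data[start:end]
        pos = end
    out += data[pos:]
    return bytes(out)

def _seg(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: SOI, Exif APP1 (bare TIFF header), a DQT table, SOS, EOI.
SAMPLE = (SOI + _seg(APP1, EXIF_ID + b"MM\x00\x2a" + b"\x00" * 8)
          + _seg(DQT, b"\x00" + bytes(range(64)))
          + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00\x12\x34" + EOI)
```

Running `has_exif` over every stored image after an upload-pipeline deploy is the cheap check that turns a silent regression into a failed build.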
An additional issue was reported by Vaibhav where we were not mitigating password reuse and that was initially by design as we did not want to have a massive cache of old user hashes, but upon reconsideration and looking at implementation cost, we got this changed as well within a few hours and the changes are now live.
But wait, there's more! We were missing a cache header on the settings page, so after logout, clicking back would show the page from the browser's local cache. Not horrific, but also not great in shared computing circumstances. This has been addressed and pushed live. We would like to extend our thanks to Shivang Singhal for reporting this issue.
Thanks to everyone for hacking us. It's appreciated.
Date: 2025/09/26 (1758870000)
Everything should be back up and functioning after a curious 24 hours. Please drop a note if it isn't.
Date: 2025/09/25 (1758783600)
Hmmm... running into a very unusual caching problem with the new code push, and only in production. Will troubleshoot further tomorrow but for now, things may run a little slow.
Good news, however, is that we have new API tiers! And it's much cheaper. Please let us know if you see any bugs.
Date: 2025/09/19 (1758265200)
Some major backend updates got pushed today. It required a hard reboot of the entire ecosystem, so apologies for about 10 minutes of downtime this morning. A new announcement is set for next week; stay tuned.
Date: 2025/09/03 (1756882800)
A set of cascading fails caused a 404 yesterday evening for visits to the main web site. The API was still functioning fine. A cronjob was turned off during a code push and was not re-enabled. It was such a simple oops. One would think, well, wouldn't you have monitoring to catch that? Absolutely! But then the monitoring got caught in a blacklist tied to the new IP space for the mail server and... the messages did not get out. Yes, phone calls were received but not answered. After all, this was after hours and we try to keep boundaries. As noted, compounding, cascading failures. We will do better to ensure this does not happen again. Workarounds and adjustments have been made, but we are (obviously) still shaking out some bugs with this migration. Oh, Internet.
Date: 2025/09/02 (1756796400)
A function to globally force logout of all sessions was not available. Further, password changes didn't force logout of other devices in the case where a token was compromised, so that wasn't good. This has been addressed and you now have options to nuke other sessions via the change password flow and also just as a general option under your settings. Kudos to jainam28 for the finding!
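As an added example (not the site's own code) covering both the password-reuse entry above from 2025/10/13 and this session-logout entry: a password-change flow that keeps a short history of previous hashes to refuse reuse, and invalidates every other session by bumping a per-account generation, so a compromised token dies with the old password. PBKDF2 and the single per-account salt are assumptions for the demo.

```python
# Added example, not the site's own code: a password-change flow that
# refuses recently used passwords (kept as a short hash history) and
# invalidates every other session by bumping a per-account generation.
# Assumptions: PBKDF2 stands in for whatever KDF the site uses, and a
# single per-account salt keeps history comparison simple.
import hashlib, hmac, os, secrets

HISTORY_DEPTH = 5  # how many previous hashes to retain for reuse checks

def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    def __init__(self, password):
        self.salt = os.urandom(16)
        self.history = [hash_pw(password, self.salt)]  # newest first
        self.generation = 0        # bumped on "log out everywhere"
        self.sessions = {}         # token -> generation it was issued under

    def _check(self, password):
        return hmac.compare_digest(self.history[0], hash_pw(password, self.salt))

    def login(self, password):
        if not self._check(password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = self.generation
        return token

    def session_valid(self, token):
        # A token issued under an older generation is dead even if still stored.
        return self.sessions.get(token) == self.generation

    def logout_others(self, keep_token):
        """The settings-page option: drop every session except this one."""
        self.generation += 1
        self.sessions = {keep_token: self.generation}

    def change_password(self, token, old, new):
        if not self.session_valid(token) or not self._check(old):
            return False
        new_hash = hash_pw(new, self.salt)
        if any(hmac.compare_digest(h, new_hash) for h in self.history):
            return False  # reuse of a recent password
        self.history = [new_hash] + self.history[:HISTORY_DEPTH - 1]
        self.logout_others(token)  # a leaked token dies with the old password
        return True
```

A failed change must leave every existing session intact; only a successful one, or the explicit settings option, bumps the generation.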
Date: 2025/08/27 (1756278000)
A large migration took place today to new hardware and new operating systems. There were many moving pieces touched but extreme focus was taken to ensure no breakage. That said, now something will break. If you notice anything broken, please ping us!
Date: 2025/08/18 (1755500400)
Signed redirects added where applicable. If you noticed any failed flows, holler.
Date: 2025/08/17 (1755414000)
A staggering amount of UI changes have been made and although testing has occurred, bugs may exist. Hopefully things are more tolerable now. Please report any brokenness if you see it. There was another block on checkouts due to overly aggressively blocking a /10. Apologies. Signed redirects are being added for authenticated flows for ease of use. They will be fully rolled out tomorrow.
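As an added example (not the site's own code) for the signed redirects mentioned in this entry and the one from 2025/08/18: an HMAC over the target path and an expiry, verified before any redirect is followed, so an unsigned, altered, off-origin or expired "next" value falls back to a safe default. The secret, parameter names, TTL and same-origin rule are assumptions.

```python
# Added example, not the site's own code: HMAC-signed redirect targets for
# authenticated flows. The secret, parameter names, TTL and the same-origin
# rule are assumptions; the point is that an unsigned, altered or expired
# "next" value is refused and the user lands on a safe default instead.
import hashlib, hmac, time
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = b"constructed-demo-secret-rotate-in-production"
SAFE_DEFAULT = "/"
TTL = 300  # seconds a signed redirect stays valid

def _is_local_path(target):
    # Same-origin only: an absolute URL or a scheme-relative "//host" is refused.
    return target.startswith("/") and not target.startswith("//") \
        and not urlsplit(target).netloc

def _mac(target, expires):
    msg = ("%s|%d" % (target, expires)).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def sign_redirect(target, now=None):
    """Build the query string: target, expiry and a MAC binding the two."""
    if not _is_local_path(target):
        raise ValueError("only same-origin paths may be signed")
    expires = int(now if now is not None else time.time()) + TTL
    return urlencode({"next": target, "exp": expires, "sig": _mac(target, expires)})

def resolve_redirect(query, now=None):
    """Return the signed target, or SAFE_DEFAULT if anything is off."""
    q = parse_qs(query)
    try:
        target, expires, sig = q["next"][0], int(q["exp"][0]), q["sig"][0]
    except (KeyError, IndexError, ValueError):
        return SAFE_DEFAULT
    now = now if now is not None else time.time()
    if expires < now or not _is_local_path(target):
        return SAFE_DEFAULT
    if not hmac.compare_digest(sig.encode(), _mac(target, expires).encode()):
        return SAFE_DEFAULT
    return target
```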
Date: 2025/08/11 (1754895600)
Had a bit of downtime this morning as some updates had to be applied while offline. In the midst of going through various conference related data from the past week. If you have anything you want added to the archive whether it be slides or a tool, hit us up!
Date: 2025/08/05 (1754377200)
We expect some interesting files to post this week. Although the site will have no representation in Vegas this year, we hope everyone has a safe time and enjoys the conferences and of course, the parties. If you have a new tool or finding you are releasing, or notice one that should be included in our archive, please drop us a line!
Date: 2025/07/21 (1753081200)
Plenty of interesting files today as well as headlines. Friendly reminder that automated scraping of the site results not only in failure, but in blocking at the perimeter.
Date: 2025/07/16 (1752649200)
Bot activity will continue to be dropped as detected. If you don't want your entire /12 blocked, please stop your crawls, Microsoft. If anyone can afford API access, it's you. Shameful.
Date: 2025/07/04 (1751612400)
A bad JavaScript code push caused an intermittent API purchase flow failure. It has been addressed. Thanks to Sam at Saint for alerting us to this issue.
Date: 2025/06/22 (1750575600)
A DDoS attack hit us this morning. It's been mitigated.
Date: 2025/06/10 (1749538800)
This morning's downtime was due to normal system updates, albeit out of band. Everything should be back online now.