Hall of Fame
BurnLink thanks every researcher who takes the time to audit our code and report vulnerabilities responsibly. This page recognizes those who helped make the platform safer. All credits are listed with the researcher's explicit consent — anonymous credit is available on request.
Credited researchers
No entries yet — be the first to find a valid vulnerability.
Report a vulnerability →
Findings log
All reported findings and their resolution status. This log is updated after each remediation cycle. Findings are disclosed once a fix is deployed or after the 90-day disclosure deadline.
| ID | Title | Notes | Severity | Status | Resolved |
|---|---|---|---|---|---|
| BL-002 | Claimed: URL fragment key theft | Reviewed — the URL fragment (`#k=…`) is the access credential by design (zero-knowledge architecture). The HTTP spec guarantees fragments are never transmitted to the server, never appear in access logs, and are excluded from Referer headers. Password protection adds an independent second factor absent from the URL. Single-use links delete the ciphertext after one read. This is an intentional, documented design trade-off, not a vulnerability. | High | By design | Mar 2026 |
| BL-001 | Race condition on one-time download | Two concurrent requests could both receive the encrypted payload. Fixed by deleting the DB record atomically before fetching from storage. | Critical | Fixed | Mar 2026 |
| BL-022 | Claimed: EJS server-side template injection | Reviewed — all EJS outputs use `<%= %>` (HTML-escaped). No `<%- %>` unescaped tags exist. User inputs are also whitelisted and validated before render. Not a valid finding. | Critical | Invalid | Mar 2026 |
| BL-023 | Claimed: Cold start wipes brute-force counters | Reviewed — password attempt counts and lockout timestamps are stored in the Supabase DB, not in memory. Cold starts do not affect brute-force protection. The in-memory rate limiter is supplementary and does not gate the lockout logic. Not a valid finding. | High | Invalid | Mar 2026 |
| BL-024 | Claimed: Reverse tabnabbing via `target="_blank"` | Reviewed — every external link in all views already carries `rel="noopener noreferrer"`. Not a valid finding. | Medium | Invalid | Mar 2026 |
| BL-025 | Claimed: Link preview bots burn one-time links | Reviewed — share URLs point to `/file/:id`, which returns HTML. The `/raw` fetch is triggered by client-side JavaScript only; bots do not execute JavaScript. The encryption key is in the URL fragment (`#k=…`), which is never sent to the server. Not a valid finding for this implementation. | High | Invalid | Mar 2026 |
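The BL-001 race and its fix, as an added illustration that is not BurnLink's code: an in-memory stand-in for the DB row and blob storage (`records`, `storage`, `tick` are assumptions) shows why a check-then-delete handler serves two concurrent readers while a claim-before-fetch handler serves exactly one.

```javascript
// Added example, not BurnLink's implementation. In-memory stand-ins (assumed names):
// records = DB row (id -> storage key), storage = blob store (key -> ciphertext).
const records = new Map();
const storage = new Map();

function seed(id) {
  records.set(id, `blob/${id}`);
  storage.set(`blob/${id}`, 'constructed-ciphertext'); // constructed sample payload
}

// Simulated I/O latency: every await is a point where another request can interleave.
const tick = () => new Promise((resolve) => setImmediate(resolve));

// Vulnerable pattern (BL-001): existence check, then fetch, then delete.
// Two requests that both pass the check before either deletes both get the payload.
async function racyDownload(id) {
  if (!records.has(id)) return null;       // DB lookup
  await tick();
  const ct = storage.get(records.get(id)); // fetch from storage
  await tick();
  records.delete(id);                      // delete only after serving
  return ct;
}

// Fixed pattern: claim the record atomically (delete-and-return) before touching storage.
// Map.delete() is synchronous here, so nothing can interleave between lookup and delete;
// against a real DB the equivalent is a single DELETE ... RETURNING storage_key statement.
// Caveat: if the storage fetch then fails, the link is already burned (fail closed).
async function atomicDownload(id) {
  const key = records.get(id);
  if (key === undefined || !records.delete(id)) return null; // someone else claimed it
  await tick();
  const ct = storage.get(key);
  await tick();
  storage.delete(key);                     // ciphertext gone after the single read
  return ct;
}

// Fire n concurrent requests for the same id and count how many received the payload.
async function concurrentReads(handler, id, n = 2) {
  seed(id);
  const results = await Promise.all(Array.from({ length: n }, () => handler(id)));
  return results.filter((r) => r !== null).length;
}
```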
Recognition tiers
No monetary rewards are offered. Recognition is our way of saying thank you. Anonymous credit is available on request.
