Pentaho 1.7.0.1062 Multiple Vulnerabilities
antisnatchor — 20 June, 2009 - 23:25
Many months ago I was researching bugs in the excellent Pentaho Business Intelligence platform (with bundled JBoss). I found the following:
A) Reflected XSS
B) Password field with autocomplete enabled
C) Disclosure of Session Tokens in URL
More info here: http://jira.pentaho.com/browse/BISERVER-2698?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
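The post names the three finding classes but gives no parameters, URLs or responses, so here is an added example (my code, not the advisory's and not Pentaho's) of the kind of checks a tester would run to confirm each class against a captured login page, a URL and a reflected response. The HTML, URL and response body are constructed for the example; the `jsessionid` name is an assumption based on the URL-rewriting convention of servlet containers such as the bundled JBoss, and the other names in `SESSION_PARAM_NAMES` are likewise assumed, not taken from the page.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Assumed session-identifier names; jsessionid is the servlet-container convention,
# the rest are common in other stacks. Not taken from the Pentaho advisory.
SESSION_PARAM_NAMES = {"jsessionid", "sessionid", "phpsessid", "sid"}


class _PasswordFieldParser(HTMLParser):
    """Collect the attribute dicts of every <input type="password">."""

    def __init__(self):
        super().__init__()
        self.password_fields = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}  # valueless attrs come back as None
        if a.get("type", "").lower() == "password":
            self.password_fields.append(a)


def password_fields_with_autocomplete(page):
    """Finding B: names of password inputs that do not set autocomplete="off"."""
    parser = _PasswordFieldParser()
    parser.feed(page)
    return [a.get("name", "?") for a in parser.password_fields
            if a.get("autocomplete", "").lower() != "off"]


def session_tokens_in_url(url):
    """Finding C: (location, name) pairs for session identifiers carried in the URL,
    either as a servlet path parameter (/x;jsessionid=...) or as a query parameter."""
    parts = urlsplit(url)  # urlsplit keeps ';name=value' path parameters inside .path
    found = []
    for m in re.finditer(r";([A-Za-z_]+)=([^;/?#]+)", parts.path):
        if m.group(1).lower() in SESSION_PARAM_NAMES:
            found.append(("path", m.group(1)))
    for name in parse_qs(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_PARAM_NAMES:
            found.append(("query", name))
    return found


def reflected_unescaped(params, body):
    """Finding A: names of request parameters whose value contains markup-significant
    characters and is echoed verbatim (unescaped) in the response body, the usual
    signature of reflected XSS. Values with nothing to escape are ignored."""
    return [name for name, value in params.items()
            if html.escape(value, quote=True) != value and value in body]


# Constructed sample data for the example (not captured from a real Pentaho install).
SAMPLE_LOGIN_PAGE = """
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Login">
</form>
"""
SAMPLE_URL = "http://bi.example.test/app/Home;jsessionid=0123456789ABCDEF?action=view"
SAMPLE_PARAMS = {"q": "<script>alert(1)</script>"}
SAMPLE_BODY = "<p>You searched for <script>alert(1)</script></p>"


def run_checks(page=SAMPLE_LOGIN_PAGE, url=SAMPLE_URL, params=SAMPLE_PARAMS, body=SAMPLE_BODY):
    """Run the three checks and return a dict keyed by finding letter."""
    return {
        "A_reflected_xss": reflected_unescaped(params, body),
        "B_password_autocomplete": password_fields_with_autocomplete(page),
        "C_session_token_in_url": session_tokens_in_url(url),
    }


if __name__ == "__main__":
    for finding, result in run_checks().items():
        print(f"{finding}: {result or 'not found'}")
```

The reflected-XSS check is deliberately conservative: a value that needs no escaping (plain text) is not reported even when it is echoed, so the test input has to carry a `<` or a quote to trigger it. For C, note that a token in the path part survives copy-pasted links, proxy logs and `Referer` headers just as a query parameter does, which is why both locations are flagged.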
After 6 months (SIX! It reminds me of David Litchfield and Oracle :) ) the Pentaho developers partially fixed everything.
I haven't disclosed this before because I'm trying to follow Responsible Disclosure as much as I can...
Is that the best? Well, sometimes...
That's responsible disclosure
