| Jan 2014 | EoP: PROBABLY_EXPLOITABLE Crash via Rapid RSS/HTML iFrame Switching |
| Oct 2013 | EoP: Crash Changing iFrame URL from RSS Feed |
| Jun 2013 | F12 Developer Tools: RCE via addEventListener Override |
| Apr 2013 | Probably Exploitable Crash: getOwnPropertyNames on Destroyed iFrame |
| Mar 2013 | Exploitable Crash via Cached Image Collection Access by Index |
| Feb 2013 | Exploitable Crash via Cached Element Collection After Redirect |
| Jun 2012 | IE10 EoP: Enumerating New Window Object During Redirect is EXPLOITABLE |
| Mar 2012 | EoP: Flash innerHTML Random Crash is PROBABLY_EXPLOITABLE |
| Feb 2012 | IE10 EoP: history.pushState Redirect to Blob URL then Reload is EXPLOITABLE |
| Feb 2012 | IE10 EoP: Invalid Content-Type on Blob URL Server Redirect is PROBABLY_EXPLOITABLE |
| Feb 2012 | IE10 EoP: window.open in Destroyed iframe Triggers EXPLOITABLE DEP Violation |
| Dec 2011 | IE10 EoP: htmlFile ActiveX Reload + setTimeout document.open/close is PROBABLY_EXPLOITABLE |
| Nov 2011 | IE8 EoP: Framed Cross-Domain Flash GetURL Triggers Exploitable Crash on Reload |
| Sep 2011 | IE10 EoP: Calling scroll Methods on Behalf of Another Window Crashes Browser |
| Jul 2011 | EoP/RCE: Arbitrary Code Execution via InsertImage Internal Dialog |
| May 2011 | IE9 EoP: Crashing the Browser by Resizing a Persistent createPopup |
| May 2011 | EoP: Destroying an htmlFile Reference While Its Trident Is Refreshing |
| Apr 2011 | EoP: Windows Media Player launchURL Crash via Intentional Failure |
| Mar 2011 | IE9 EoP: Arbitrary Code Execution via Internal InsertImage Dialog |
| Mar 2011 | IE9 EoP: Execute Window Method After the Page Has Navigated Away |
| Mar 2011 | IE9 EoP: Execute Window Method After Page Has Gone (Variant) |
| Jan 2011 | IE9 EoP: iFrame innerHTML Self-Destruction |
| Jan 2011 | IE9 EoP: Iterating an iFrame URL Between Feeds and HTML |
| Dec 2010 | IE9 EoP: document.open While the Browser Is Frozen by a Dialog |
| Aug 2010 | IE9 RCE: Intercepting Internal Dialogs via Object.defineProperty |
| Mar 2010 | CFD SharePoint: Remote Code Execution via WebOC Navigate2 |
| Mar 2010 | IE Crash: View Source Crash with a 70 MB HTML File |
| Oct 2009 | Silverlight 4 WebOC: RCE, UXSS, Referrer Forgery, and More |
| May 2009 | Silverlight 3 DoS — Source Change on FullScreenChanged Event |
| May 2009 | Silverlight 3 DoS — SplashScreenSource Null Pointer Dereference |
| Feb 2009 | RCE via Windows Desktop Search |
| Dec 2008 | IE8 RCE via About Dialog _unspecifiedFrame (IE8 Variation) |
| Nov 2008 | IE7 RCE via About Dialog _unspecifiedFrame |
| Oct 2007 | Vista RCE via XAML Frame + ExecWB PrintPreview |