
A sensible, no-bullshit repo of summaries of reports on HackerOne, Bugcrowd and the like, that make straight-up sense and are easy to repeat and automate. This is supposed to serve as my personal reference, but should be a good public index reference for the like-minded.


holmes-py/reports-summary


Links to refer to for more information:

https://github.com/reddelexc/hackerone-reports
https://www.bugbountyhunter.com/disclosed/
https://hackerone.com/hacktivity/cwe_discovery?id=cwe-284

All of these are taken from reddelexc's repo, which indexes all top reports on H1; I am straight up taking those, reading them one by one, and adding summaries here.
The purpose of this is to get quick ideas from the reports; this is not an explanation blog of reported vulns.

DoS Attack Reports

| Number | Title | Summary |
|---|---|---|
| 1 | DoS on PayPal via web cache poisoning to PayPal | Adding `any-header: burpcollaborator.net` gets the site cache on that parameter poisoned, which leads to DoS. |
| 2 | profile-picture name parameter with large value lead to DoS for other users and programs on the platform to HackerOne | Any place or parameter that takes an image upload has no limit on file name length, so very long file names lead to DoS. |
| 3 | Denial of service via cache poisoning to HackerOne | Super fun: a simple `curl -H 'X-Forwarded-Port: 123' https://www.hackerone.com/index.php?dontpoisoneveryone=1` would poison the cache, and the next time anyone tried to visit the same parameter it would redirect to website:123/blahblahblah. Done on the main website with `curl -H 'X-Forwarded-Host: www.hackerone.com:123' https://www.hackerone.com/index.php?dontpoisoneveryone=1`, it would poison the cache and redirect everything to our website. |
| 4 | Uploading large payload on domain instructions causes server-side DoS to HackerOne | Eh, as the title says: just spam large payloads to any upload-enabled GraphQL endpoint. |
| 5 | xmlrpc.php FILE IS enable it will used for Bruteforce attack and Denial of Service(DoS) to Nord Security | A good exploit if xmlrpc.php is enabled/available on the target. |
| 6 | character limitation bypass can lead to DoS on Twitter App and 500 Internal Server Error to X (Formerly Twitter) | Overloaded a Twitter endpoint that creates 'moments' with double quotes, which resulted in a 500 error on Android and the website. The primary reason for this was the 500 error; without that, they won't pay anything. This is also out of scope on Twitter now. |
| 7 | Permanent DoS with one click. to Automattic | Create 2 accounts, send a message from accountA to accountB, then delete accountA; trying to view the message from accountB results in a crash. |
| 8 | a very long name in hey.com can prevent anyone from accessing their contacts and probably can cause denial of service to Basecamp | During account creation, changed the name to a very long string, which causes the app to slow down when anyone visits the profile. Results in DoS. |
| 9 | ActiveStorage throws exception when using whitespace as filename, may lead to denial of service of multiple pages to HackerOne | Super cool: add `+`, `%0d%0a`, or `%20` to a filename when uploading, e.g. a profile pic; this leads to application-wide DoS wherever the profile is displayed. |
| 10 | Denial of Service via Hyperlinks in Posts to Slack | Edge case in Slack, but can be done on endpoints that allow adding a link property. Add a huge payload to the link property of a parameter on, say, a blog; when it opens, it crashes the app, leading to DoS. Possible in mobile apps as well. |
| 11 | Cache Poisoning DoS on downloads.exodus.com to Exodus | Super cool, and depends on the domain you find cache poisoning on. Here the attacker added an authorization token and pushed it into the cache, leading to a 403 error on every download attempt, hence DoS. |
| 12 | Attacker with an Old account might still be able to DoS ctf.hacker101.com by sending a Crafted request to HackerOne | Eh, edge case with hacker101; depends on how many groups the user has. Worth looking into when the content on the page is loaded into memory and you can increase the size of that content; this should lead to DoS, depending on how memory is handled. |
| 13 | Denial of Service on twitter.com & mobile.twitter.com to X (Formerly Twitter) | Probably any webpage that tries to render a link in the background and holds page loading until that finishes is worth checking out. `https://testinggithub.com:234234234234` crashes the webpage, leading to DoS. |
| 14 | [mijn.werkenbijdefensie.nl] Denial of service occurs due to lack of email length confirmation to Radancy | A REALLY long email address leads to DoS when you try to change your email or do any action on it. A lot of services don't check the length of the email. |
| 15 | https://themes.shopify.com::: Host header web cache poisoning lead to DoS to Shopify | Host header: setting it to the same domain but a different, non-active port probably allowed the Host header to be set, which resulted in cache poisoning with the same host but the wrong port, lol. Leads to DoS. |
| 16 | Cache Poisoning DoS on updates.rockstargames.com to Rockstar Games | Used a header called `trailer: 1` to poison the request, for DoS on a 400 response. |
| 17 | Cache poisoning Denial of Service affecting assets.gitlab-static.net to GitLab | Saw that they are using Varnish and added a custom header that is not part of the cache key, `x-http-method-override: HEAD`, which resulted in it getting cached. Hence poisoning, and hence DoS. |
| 18 | [www.werkenbijbakertilly.nl] Denial of service due to incorrect server return can result in total denial of service. to Radancy | Interesting attack: even with the balancer and the kubes monitoring layer, they don't kick in because it's not a resource overload. Sent an invalid file and sent a LOT of requests, which leaves the server processes stuck waiting for the response from the third party. Leads to DoS. |
| 19 | Denial of Service [Chrome] to X (Formerly Twitter) | Added `%00` to the end of a link and pushed it in tweets, which leads to DoS on Chrome. Weirdly, Twitter seems to be very vulnerable in this respect. Check any blog where you can post things: if it tries to render the link, it kills the page, leading to DoS for anyone who tries to access Twitter via that page. |
| 20 | Web Cache Poisoning leads to XSS and DoS to Glassdoor | Beyond me; an excellent writeup here |
| 21 | Google Maps API key stored as plain text leading to DOS and financial damage to Zenly | |
| 22 | DoS attacks utilizing camo.stream.highwebmedia.com to Chaturbate | |
| 23 | Memory Leak in OCUtil.dll library in Desktop client can lead to DoS to Nextcloud | |
| 24 | Hash-Collision Denial-of-Service Vulnerability in Markdown Parser to Reddit | |
| 25 | DOS via cache poisoning on [developer.mozilla.org] to Mozilla Core Services | |
| 26 | iOS group chat denial of service to LINE | |
| 27 | Application DOS via specially crafted payload on 3d.cs.money to CS Money | |
| 28 | %0A (New line) and limitness URL leads to DoS at all system [Main adress (https://www.acronis.com/)] to Acronis | |
| 29 | Regular expression denial of service in ActiveRecord's PostgreSQL Money type to Ruby on Rails | |
| 30 | Remote denial of service in HyperLedger Fabric to Hyperledger | |
| 31 | Chrome Extension is vulnerable to the self-DOS issues in case it process the security.txt with a big size to Ed | |
| 32 | Cookie poisoning leads to DOS and Privacy Violation to CS Money | |
| 33 | CryptoNote: remote node DoS to Monero | |
| 34 | Use after free vulnerability in mruby Array#to_h causing DOS possible RCE to shopify-scripts | |
| 35 | DoS on the Direct Messages to Slack | |
| 36 | No redirect_uri in the db for web-internal clientKey leads to one-click DoS on gitter.im to GitLab | |
| 37 | Remote Server Restart Lead to Denial of Service by only one Request. to Keybase | |
| 38 | Fastify denial-of-service vulnerability with large JSON payloads to Node.js third-party modules | |
| 39 | cookie injection allow dos attack to periscope.tv to X (Formerly Twitter) | |
| 40 | DOS attack by consuming all CPU and using all available memory to Tron Foundation | |
| 41 | ICQ Android APP remote DoS to Mail.ru | |
| 42 | JSON RPC methods for debugging enabled by default allow DoS to IOVLabs | |
| 43 | Cache poisoning DoS to various TTS assets to GSA Bounty | |
| 44 | DOS via issue preview to GitLab | |
| 45 | xmlrpc.php FILE IS enable it will used for bruteforce attack and denial of service to LocalTapiola | |
| 46 | Cookie injection leads to complete DoS over whole domain *.mackeeper.com. Injection point accountstage.mackeeper.com/ to Clario | |
| 47 | DoS through cache poisoning using invalid HTTP parameters to Greenhouse.io | |
| 48 | Single User DOS by Poisoning Cookie via Get Parameter to Pornhub | |
| 49 | Insecure Processing of XML leads to Denial of Service through Billion Laughs Attack to Razer | |
| 50 | Bypass of request line length limit to DoS via cache poisoning to Greenhouse.io | |
| 51 | XMLRPC, Enabling XPSA and Bruteforce and DOS + A file disclosing installer-logs. to MTN Group | |
| 52 | DoS of LINE client for Android via message containing multiple unicode characters (0x0e & 0x0f) to LINE | |
| 53 | DOS validator nodes of blockchain to block external connections to Hyperledger | |
| 54 | Pixel Flood Attack leads to Application level DoS to CS Money | |
| 55 | scripts loader (denial of service) vulnerability to MariaDB | |
| 56 | Comments Denial of Service in socialclub.rockstargames.com to Rockstar Games | |
| 57 | Variant of CVE-2013-0269 (Denial of Service and Unsafe Object Creation Vulnerability in JSON) to Ruby | |
| 58 | xmlrpc.php And /wp-json/wp/v2/users FILE IS enable it will used for bruteforce attack and denial of service to Sifchain | |
| 59 | Denial of Service by requesting to reset a password to Nextcloud | |
| 60 | lack of input validation that can lead Denial of Service (DOS) to X (Formerly Twitter) | |
| 61 | Permanent Denial of Service to MS-DOS | |
| 62 | Specially constructed multi-part requests cause multi-second response times; vulnerable to DoS to Ruby on Rails | |
| 63 | DOS via move_issue to GitLab | |
| 64 | Race condition on the Federalist API endpoints can lead to the Denial of Service attack to GSA Bounty | |
| 65 | WEBrick::HTTPAuth::DigestAuth authentication is vulnerable to regular expression denial of service (ReDoS) to Ruby | |
| 66 | Possible denial of service when entering a loooong password to Nextcloud | |
| 67 | Server-side denial of service via large payload sent to wiki.cs.money/graphql to CS Money | |
| 68 | CVE-2023-23916: HTTP multi-header compression denial of service to curl | |
| 69 | [Java] CWE-755: Query to detect Local Android DoS caused by NFE to GitHub Security Lab | |
| 70 | Single user DOS on selectedLanguage -cookie (yrityspalvelu.lahitapiola.fi) to LocalTapiola | |
| 71 | DoS for HTTP/2 connections by crafted requests (CVE-2018-1333) to Internet Bug Bounty | |
| 72 | xmlrpc.php file is enable it will used for (Denial of Service) and bruteforce attack to BlockDev Sp. Z o.o | |
| 73 | Attacker may be able to bounce enough emails which suspend HackerOne's SES service and cause a DoS of HackerOne's email service to HackerOne | |
| 74 | DoS via Playbook to Mattermost | |
| 75 | xmlrpc.php FILE IS enabled it will used for Bruteforce attack and Denial of Service(DoS) to BlockDev Sp. Z o.o | |
| 76 | Cookie-based client-side denial-of-service to all of the Lähitapiola domains to LocalTapiola | |
| 77 | Application-level DoS on image's "size" parameter. to Gratipay | |
| 78 | Resource Consumption DOS on Edgemax v1.10.6 to Ubiquiti Inc. | |
| 79 | DoS of https://blog.yelp.com/ and other WP instances via CVE-2018-6389 to Yelp | |
| 80 | xmlrpc.php FILE IS enable it will used for Bruteforce attack and Denial of Service(DoS) to Top Echelon Software | |
| 81 | Null target_class DoS to shopify-scripts | |
| 82 | Chained vulnerabilities create DOS attack against users on desafio5estrelas.com to Uber | |
| 83 | DoS via large console messages to Mattermost | |
| 84 | Denial of Service with Cookie Bomb to Nord Security | |
| 85 | Web Cache Poisoning leading to DoS to U.S. General Services Administration | |
| 86 | CVE-2022-35252: control code in cookie denial of service to curl | |
| 87 | PNG compression DoS to HackerOne | |
| 88 | Possible denial of service when entering a loooong password to Nextcloud | |
| 89 | No Rate Limiting on https://██████/██████████/accounts/password/reset/ endpoint leads to Denial of Service to U.S. Dept Of Defense | |
| 90 | Cookie Bombing cause DOS - businesses.uber.com to Uber | |
| 91 | User input validation can lead to DOS to X (Formerly Twitter) | |
| 92 | Pre-auth Denial-of-Service in Dovecot RPA implementation to Open-Xchange | |
| 93 | Insufficient limitation of web page title leads to DoS against ICQ for Android to Mail.ru | |
| 94 | Content length restriction bypass can lead to DOS by reading large files on gip.rocks to Gratipay | |
| 95 | memjs allocates and stores buffers on typed input, resulting in DoS and uninitialized memory usage to Node.js third-party modules | |
| 96 | Application level denial of service due to shutting down the server to Node.js third-party modules | |
| 97 | Denial Of Service in Strapi Framework using argument injection to Node.js third-party modules | |
| 98 | Permanent DOS for new users! to Stripo Inc | |
| 99 | [mtn.com.af] Multiple vulnerabilities allow to Application level DoS to MTN Group | |
| 100 | Remote denial of service in HyperLedger Fabric to Hyperledger | |
| 101 | The parameter in the POST query allows to control size of returned page which in turn can lead to the potential DOS attack to LocalTapiola | |
| 102 | DOS: out of memory from gif through upload api to Mattermost | |
| 103 | Denial of service via cache poisoning on https://www.data.gov/ to GSA Bounty | |
| 104 | Denial of service due to invalid memory access in mrb_ary_concat to shopify-scripts | |
| 105 | Rack CVE-2022-30122: Denial of Service Vulnerability in Rack Multipart Parsing to Internet Bug Bounty | |
| 106 | Single User DOS on SelectedLocale -cookie (verkkopalvelu.tapiola.fi) to LocalTapiola | |
| 107 | Single user DOS on selectedLanuage -cookie at (verkkopalvelu.tapiola.fi) to LocalTapiola | |
| 108 | Denial of Service through set_preference.json to Keybase | |
| 109 | Fix for self-DoS in Security-txt Chrome Extension. to Ed | |
| 110 | XML hash collision DoS vulnerability in Python's xml.etree module to Internet Bug Bounty | |
| 111 | DoS for remote nodes using Slow Loris attack to Monero | |
| 112 | Cisco ASA Denial of Service & Path Traversal (CVE-2018-0296) to ok.ru | |
| 113 | Multiple HTTP/2 DOS Issues to Node.js | |
| 114 | load scripts DOS vulnerability to OLX | |
| 115 | xmlrpc.php FILE IS enable which enables attacker to XSPA Brute-force and even Denial of Service(DOS), in https://████/xmlrpc.php to U.S. Dept Of Defense | |
| 116 | Permanent DoS at https://happy.tools/ when inviting a user to Automattic | |
| 117 | Denial of Service in mruby due to null pointer dereference to shopify-scripts | |
| 118 | CVE-2022-32206: HTTP compression denial of service to Internet Bug Bounty | |
| 119 | potential denial of service attack via the locale parameter to Internet Bug Bounty | |
| 120 | CVE-2023-25692: Apache Airflow Google Provider: Google Cloud Sql Provider Denial Of Service and Remote Command Execution to Internet Bug Bounty | |
| 121 | Denial of Service by resource exhaustion CWE-400 due to unfinished HTTP/1.1 requests to Node.js | |
| 122 | DoS in Brave browser for iOS to Brave Software | |
| 123 | Proxy service crash DoS to Factlink | |
| 124 | Possibility of conducting a DoS attack on behalf of the vk.com server to VK.com | |
| 125 | CVE-2017-8779 exploit on open rpcbind port could lead to remote DoS to Endless Group | |
| 126 | scripts loader DOS vulnerability to FormAssembly | |
| 127 | [Cache Posioning leading to denial of service at █████████ - Bypass fix from report #1198434 | |
| 128 | CVE-2022-35252: control code in cookie denial of service to Internet Bug Bounty | |
| 129 | Lack of Packet Sanitation in Goflow Results in Multiple DoS Attack Vectors and Bugs to Cloudflare Public Bug Bounty | |
| 130 | SSRF / Local file enumeration / DoS due to improper handling of certain file formats by ffmpeg to Imgur | |
| 131 | Malformed SHA512 ticket DoS (CVE-2016-6302) to Internet Bug Bounty | |
| 132 | Denial of Service in Action Pack Exception Handling to Ruby on Rails | |
| 133 | http-proxy-agent passes unsanitized options to Buffer(arg), resulting in DoS and uninitialized memory leak to Node.js third-party modules | |
| 134 | DoS of www.lahitapiolarahoitus.fi via CVE-2018-6389 exploitation to LocalTapiola | |
| 135 | Client DoS due to large DH parameter (CVE-2018-0732) to Internet Bug Bounty | |
| 136 | Algorithmic complexity vulnerability in ZXCVBN leads to remote denial of service attack to Dropbox | |
| 137 | [cloudron-surfer] Denial of Service via LDAP Injection to Node.js third-party modules | |
| 138 | Denial of Service in anti_ransomware_service.exe via logs files to Acronis | |
| 139 | Application level DOS at Login Page ( Accepts Long Password ) to Reddit | |
| 140 | DoS at ████████ (CVE-2018-6389) to U.S. Dept Of Defense | |
| 141 | WordPress application vulnerable to DoS attack via wp-cron.php to U.S. Dept Of Defense | |
| 142 | Range constructor type confusion DoS to shopify-scripts | |
| 143 | CVE-2022-32205: Set-Cookie denial of service to Internet Bug Bounty | |
| 144 | WordPress Authentication Denial of Service to Instacart | |
| 145 | [DOS] denial of service using code snippet on brave browser to Brave Software | |
| 146 | DoS vulnerability in mod_auth_digest CVE-2016-2161 to Internet Bug Bounty | |
| 147 | WordPress core - Denial of Service via Cross Site Request Forgery to WordPress | |
| 148 | https-proxy-agent passes unsanitized options to Buffer(arg), resulting in DoS and uninitialized memory leak to Node.js third-party modules | |
| 149 | Lodash "difference" (possibly others) Function Denial of Service Through Unvalidated Input to Node.js third-party modules | |
| 150 | HTTP/2 Denial of Service Vulnerability to Node.js | |
| 151 | DoS for client-go jsonpath func to Kubernetes | |
| 152 | SQL Injection or Denial of Service due to a Prototype Pollution to Node.js third-party modules | |
| 153 | Camera adoption DoS - UniFi Protect to Ubiquiti Inc. | |
| 154 | Ruby - Regular Expression Denial of Service Vulnerability of Date Parsing Methods to Internet Bug Bounty | |
| 155 | Regular Expression Denial of Service vulnerability to Reddit | |
| 156 | ruby DoS https://www.mruby.science to shopify-scripts | |
| 157 | Denial of Service any Report to HackerOne | |
| 158 | DOS Report FILE html inside <code> in markdown to HackerOne | |
| 159 | Denial of service attack on Brave Browser. to Brave Software | |
| 160 | [tor] control connection pre-auth DoS (infinite loop) with --enable-bufferevents to Tor | |
| 161 | Missing back-end user input validation can lead to DOS flaw to Liberapay | |
| 162 | Remote P2P DoS to Monero | |
| 163 | monerod JSON RPC server remote DoS to Monero | |
| 164 | DoS via Automatic Response Message to Mattermost | |
| 165 | DoS at █████(CVE-2018-6389) to U.S. Dept Of Defense | |
| 166 | Thumbor misconfiguration at blogapi.uber.com can lead to DoS to Uber | |
| 167 | [CVE-2023-22799] Possible ReDoS based DoS vulnerability in GlobalID to Internet Bug Bounty | |
| 168 | Fastify uses allErrors: true ajv configuration by default which is susceptible to DoS to Node.js third-party modules | |
| 169 | help.nextcloud.com: Known DoS condition (null pointer deref) in Nginx running to Nextcloud | |
| 170 | Filename enumeration && DoS to Nextcloud | |
| 171 | No Password Length Restriction leads to Denial of Service to Weblate | |
| 172 | Abuse of Api that causes spamming users and possible DOS due to missing rate limit on contact form to Weblate | |
| 173 | Denial of service in libxml2, using malicious lzma file to consume available system memory to Internet Bug Bounty | |
| 174 | Denial of Service: nghttp2 use of uninitialized pointer to Node.js | |
| 175 | Application level DoS via xmlrpc.php to U.S. Dept Of Defense | |
| 176 | DoS for GCSArtifact.RealAll to Kubernetes | |
| 177 | DoS due to improper input validation can break the admin access into the user data will disallow him from editing that user's data. to Nextcloud | |
| 178 | Slowvote and Countdown can cause Denial of Service due to recursive inclusion to Phabricator | |
| 179 | CVE-2022-32206: HTTP compression denial of service to curl | |
| 180 | CVE-2022-32205: Set-Cookie denial of service to curl | |
| 181 | DoS via lua_read_body() [zhbug_httpd_94] to Internet Bug Bounty | |
| 182 | HTTP multi-header compression denial of service to Internet Bug Bounty | |
| 183 | Arbitrary command execution in MS-DOS to MS-DOS | |
| 184 | Potential denial of service in hackerone.com/<program>/reward_settings to HackerOne | |
| 185 | Denial of service (segfault) due to null pointer dereference in mrb_obj_instance_eval to shopify-scripts | |
| 186 | doc.owncloud.com: CVE-2015-5477 BIND9 TKEY Vulnerability + Exploit (Denial of Service) to ownCloud | |
| 187 | ci.nextcloud.com: CVE-2015-5477 BIND9 TKEY Vulnerability + Exploit (Denial of Service) to Nextcloud | |
| 188 | Ruby 2.3.x and 2.2.x still bundle DoS vulnerable verision of libYAML to Ruby | |
| 189 | pngcrush double-free/segfault could result in DoS (CVE-2015-7700) to Internet Bug Bounty | |
| 190 | CVE-2017-5969: libxml2 when used in recover mode, allows remote attackers to cause a denial of service (NULL pointer dereference) to Internet Bug Bounty | |
| 191 | Dos https://iandunn.name/ via CVE-2018-6389 exploitation to Ian Dunn | |
| 192 | load scripts DOS vulnerability to BlockDev Sp. Z o.o | |
| 193 | HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion to Node.js | |
| 194 | Cache Posioning leading do Denial of Service on www.█████████ to U.S. Dept Of Defense | |
| 195 | Instance Page DOS within Organization on TikTok Ads to TikTok | |
| 196 | Denial of Service vulnerability in curl when parsing MQTT server response to curl | |
| 197 | DoS of https://research.adobe.com/ via CVE-2018-6389 exploitation to Adobe | |
| 198 | Regular Expression Denial of Service in Headers to Node.js | |
| 199 | Possible DOS in app with crashing exceptions_app to Ruby on Rails | |
| 200 | Possible DoS Vulnerability in Multipart MIME parsing in rack to Internet Bug Bounty | |
| 201 | [CVE-2022-44570] Possible Denial of Service Vulnerability in Rack’s Range header parsing to Internet Bug Bounty | |
| 202 | [CVE-2023-22796] Possible ReDoS based DoS vulnerability in Active Support’s underscore to Internet Bug Bounty | |
| 203 | [CVE-2022-44572] Possible Denial of Service Vulnerability in Rack’s RFC2183 boundary parsing to Internet Bug Bounty | |
| 204 | [CVE-2022-44571] Possible Denial of Service Vulnerability in Rack Content-Disposition parsing to Internet Bug Bounty | |
| 205 | DNS Max Responses for DOS to Node.js | |
| 206 | Denial of Service to HackerOne | |
| 207 | DoS Attack in Controller Lookup Code to Ruby on Rails | |
| 208 | Possible SQL injection can cause denial of service attack to Dropbox | |
| 209 | Denial of service in report view. to HackerOne | |
| 210 | Denial of service in account statistics endpoint to Mapbox | |
| 211 | Denial of service attack(window object) on brave browser to Brave Software | |
| 212 | Denial of service (segfault) due to null pointer dereference in mrb_vm_exec to shopify-scripts | |
| 213 | Abuse of Api that causes spamming users and possible DOS due to missing rate limit to Weblate | |
| 214 | Regular Expression Denial of Service (ReDoS) to Node.js third-party modules | |
| 215 | Server side includes in https://lgtm-com.pentesting.semmle.net/internal_api/v0.2/savePublicInformation leads to 500 server error and D-DOS to Semmle | |
| 216 | Node.js HTTP/2 Large Settings Frame DoS to Node.js | |
| 217 | Improper Input Validation allows an attacker to "double spend" or "respend", violating the integrity of the message command history or causing DoS to Agoric | |
| 218 | DoS attack against the client when entering a long password to Nextcloud | |
| 219 | API Server DoS (crash?) if many large resources (~1MB each) are concurrently/repeatedly sent to an external Validating WebHook endpoint to Kubernetes | |
| 220 | [play.mtn.co.za] Application level DoS via xmlrpc.php to MTN Group | |
| 221 | 1-click DOS in fastify-static via directly passing user's input to new URL() of NodeJS without try/catch to Fastify | |
| 222 | Self-DoS due to template injection via email field in password reset form on access.acronis.com to Acronis | |
| 223 | moderate: mod_deflate denial of service to Internet Bug Bounty | |
| 224 | Potential denial of service in hackerone.com/teams/new to HackerOne | |
| 225 | History Disclosure of MS-Dos to MS-DOS | |
| 226 | Apache Range Header Denial of Service Attack (Confirmed PoC) to ownCloud | |
| 227 | CrashPlan Backup is Vulnerable Allowing to a DoS Attack Against Uber's Backups to backup.uber.com to Uber | |
| 228 | xmlrpc.php FILE IS enable it can be used for conducting a Bruteforce attack and Denial of Service(DoS) to Ian Dunn | |
| 229 | "Self" DOS with large deployment and scaling to Kubernetes | |
| 230 | Denial of Service when entring an Array in email at seetings to Nextcloud | |
| 231 | [meemo-app] Denial of Service via LDAP Injection to Node.js third-party modules | |
| 232 | [json-bigint] DoS via __proto__ assignment to Node.js third-party modules | |
| 233 | [http-live-simulator] Application-level DoS to Node.js third-party modules | |
| 234 | DRb denial of service vulnerability to Ruby | |
| 235 | Possibility of DoS attack at https://sifchain.finance// via CVE-2018-6389 exploitation to Sifchain | |
| 236 | curl "globbing" can lead to denial of service attacks to curl | |
| 237 | Inadequate input validation on API endpoint leading to self denial of service and increased system load. to IRCCloud | |
| 238 | Dashboard panel embedded onto itself causes a denial of service to Phabricator | |
| 239 | owncloud.com: CVE-2015-5477 BIND9 TKEY Vulnerability + Exploit (Denial of Service) to ownCloud | |
| 240 | DOS in browser using window.print() function to Brave Software | |
| 241 | Denial of service(POP UP Recursion) on Brave browser to Brave Software | |
| 242 | Possibility of DOS Through logging System to Quora | |
| 243 | Media parsing in canvas is at least vulnerable to Denial of Service through multiple vulnerabilities to Node.js third-party modules | |
| 244 | DoS of https://blog.makerdao.com/ via CVE-2018-6389 to BlockDev Sp. Z o.o | |
| 245 | A specifically designed sieve script can cause a DoS in lib-sieve during sieve script compilation via NULL pointer dereference to Open-Xchange | |
| 246 | No Password Length Restriction leads to Denial of Service to Reddit | |
