Riga

Cyber, everywhere

My Github My Email My Bluesky

My own hall of fame

No real names here, as I don’t know if the companies would allow it.

  • Airline (2025): Private keys fully exposed
  • Wind turbine manufacturer (2025): Azure private key inside a JS file
  • National railway (2026): Rail monitoring cameras open to anyone
  • Polar expeditions company (2025): Career page exposed all applicants' resumes in an open S3 bucket
  • Booking platform (2026): Admin escalation without auth, DB keys inside public files
  • Social media (2026): PII of all users leaking due to a lack of API controls

And that's not even counting the dozens of unanswered reports. It's about time to have a remediation program and a security.txt file!