Funny, we were just talking about something like this last week... The Web Hacking Incidents Database, hosted by WASC, lists multiple web hacking incidents. However, they also include references to Full-Disclosure posts for XSS issues in high-profile sites... http://www.webappsec.org/projects/whid/ - Steve