by Sohcahtoa82
1402 days ago
My favorite was an e-mail titled "[Critical Urgent] Vulnerability Report 1 : Clickjacking On Login Lead to Account Takeover Of Any User/Cross Site Scripting Attacks/DOM Based Xss/Csrf Attacks/Deletion OF Account/User Account Privilege Escalation/Victim Privilege Escalation/Malware Execution/Victim PC Hijack/Unauthorized Access To Any User Account/Account Takeover Of All The Users Registered On Your Application". The finding that we didn't include the "X-Frame-Options: DENY" header was correct, but the app simply doesn't work in an iframe anyways, so it wasn't exploitable. It certainly wouldn't result in all the other things listed.