There are plenty of applications using environment variables for passing credentials to programs. libreport must have a black list of such environment variables and must clear all of them. libreport also must allow users to provide their own black list of cleared environment variables.
OpenStack: OS_*
Amazon EC2: AWS_*
OpenNebula: ONE_*
VMware: VI_*
Rackspace: NOVA_*
DigitalOcean: DO_*
Google Computing Engine: APPID_*
Amazon EC2/Eucalyptus: EC2_*
And as was suggested on the list:
are probably not things you'd want in your bug report either ...
In libreport we have src/gui-wizard-gtk/forbidden_words.conf, which already contains some sensitive words. We can add them there.
Upstream patch: https://github.com/abrt/libreport/pull/658
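
A minimal sketch of the requested behaviour, added here as an illustration and not taken from libreport or the upstream patch: it filters a NULL-terminated array of `NAME=value` strings against the prefixes listed above plus a caller-supplied list. The name `scrub_env`, the array input format and the `MYAPP_*` pattern are assumptions.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Built-in deny list: the variable-name prefixes listed on this page. */
static const char *const builtin_patterns[] = {
    "OS_*", "AWS_*", "ONE_*", "VI_*", "NOVA_*", "DO_*", "APPID_*", "EC2_*", NULL
};

/* Return 1 if name matches any glob in a NULL-terminated list (NULL = empty). */
static int matches_any(const char *name, const char *const *patterns)
{
    for (; patterns && *patterns; patterns++)
        if (fnmatch(*patterns, name, 0) == 0)
            return 1;
    return 0;
}

/* scrub_env (hypothetical name): drop every entry whose NAME matches the
 * built-in or user-supplied patterns, compacting the array in place and
 * zeroing the dropped strings. Returns the number of entries removed. */
size_t scrub_env(char **envp, const char *const *user_patterns)
{
    size_t removed = 0;
    char **keep = envp;
    for (char **cur = envp; *cur; cur++) {
        char *eq = strchr(*cur, '=');
        if (eq) *eq = '\0';              /* match on the name only */
        int hit = matches_any(*cur, builtin_patterns) ||
                  matches_any(*cur, user_patterns);
        if (eq) *eq = '=';
        if (!hit) { *keep++ = *cur; continue; }
        memset(*cur, 0, strlen(*cur));   /* clear the dropped value */
        removed++;
    }
    *keep = NULL;
    return removed;
}

int main(void)
{
    /* Constructed sample environment; MYAPP_* is a constructed user pattern. */
    char v1[] = "HOME=/home/user", v2[] = "OS_PASSWORD=constructed",
         v3[] = "MYAPP_TOKEN=constructed", v4[] = "OSTYPE=linux";
    char *env[] = { v1, v2, v3, v4, NULL };
    const char *const user[] = { "MYAPP_*", NULL };
    printf("removed %zu\n", scrub_env(env, user));
    for (char **p = env; *p; p++) puts(*p);
    return 0;
}
```

Prefix globs over-match by design: a harmless variable such as a constructed `DO_NOT_TRACK` is dropped as well, which errs on the side of leaving data out of the report.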