Top10 publishers:
b'bobrov'117 
b'sp1d3rs'86 
b'geeknik'84 
b'linkks'75 
b'jobert'70 
b'nyymi'67 
b'someonenobbd'62 
b'ooooooo_q'54 
b'guido'50 
b'haxta4ok00'49 

the unofficial HackerOne disclosure timeline.

X
b'curl' disclosed a bug submitted by b'sakthi02_sk' 
b'CRLF Injection in HAProxy PROXY Protocol via CURLOPT_HAPROXY_CLIENT_IP allows IP spoofing and protocol injection'
30 Mar 2026 timeline
b'curl' disclosed a bug submitted by b'xkiluar' 
b'HTTP/2 server push accepts a non-authoritative :scheme=https over cleartext h2c, enabling HTTPS cache-key poisoning'
29 Mar 2026 timeline
b'Tucows (VDP)' disclosed a bug submitted by b'2026' 
b'Password Strength Policy Bypass via Server-Side Validation Flaw'
27 Mar 2026 timeline
b'passhash' disclosed a bug submitted by b'sinic' 
b'Potential DoS due to PasswordPoliciesNotMet in errors.go'
27 Mar 2026 timeline
b'passhash' disclosed a bug submitted by b'sinic' 
b'Missing policies for password in password_policies.go'
27 Mar 2026 timeline
b'Node.js' disclosed a bug submitted by b'rafaelgss' 
b'Assertion error in node_url.cc via malformed URL format leads to Node.js crash'
26 Mar 2026 timeline
b'RubyGems' disclosed a bug submitted by b'6b_jjj' 
b'Server-side ReDoS via user-controlled regex in OIDC Access Policy'
26 Mar 2026 timeline
b'curl' disclosed a bug submitted by b'wizard021' 
b'Bearer Token Leaked to Attacker via .netrc Despite CVE-2026-3783 Fix'
26 Mar 2026 timeline
b'curl' disclosed a bug submitted by b'ankitsingh_76' 
b'Security Vulnerability Report: Protocol Injection via Programmatic Options'
26 Mar 2026 timeline
b'curl' disclosed a bug submitted by b'3lcarry' 
b'HTTP/1.1 Response Desynchronization via conflicting CL/TE headers in Proxy CONNECT'
25 Mar 2026 timeline
b'curl' disclosed a bug submitted by b'tynus' 
b'Function `do_pubkey()` can have out-of-bound read issue'
25 Mar 2026 timeline
b'IBM' disclosed a bug submitted by b'bugmithalchemist' 
b'Potential Subdomain Takeover on IBM.com domain.'
24 Mar 2026 timeline
b'LinkedIn' disclosed a bug submitted by b'riadalrashed' 
b'Access to Deactivated LinkedIn Company Pages via Competitor Analytics API'
24 Mar 2026 timeline
b'Python Cryptographic Authority' disclosed a bug submitted by b'uv3doble' 
b'Fail-Open in set_tlsext_servername_callback on pyopenssl via unhandled exceptions leads to security bypass'
20 Mar 2026 timeline
b'Mozilla' disclosed a bug submitted by b'adilnbabras' 
b'[Privilege Escalation] User can Pin|Unpin Any Comment on Any Project or Locale'
20 Mar 2026 timeline
b'curl' disclosed a bug submitted by b'zoroo2' 
b'Exposed .git/config File Leading to Potential Sensitive Information Disclosure'
20 Mar 2026 timeline
b'GitHub' disclosed a bug submitted by b'ahacker1' 
b'Add labels to arbitrary issues/prs & compromise github actions label checks'
19 Mar 2026 timeline
b'GitHub' disclosed a bug submitted by b's3rdz0' 
b'PATs without the required scope can leak issues'
19 Mar 2026 timeline
b'HackerOne' disclosed a bug submitted by b'theokeen' 
b'Lack of Validation in Reward Redemption Allows Unlimited Burp Suite License Abuse'
18 Mar 2026 timeline
1 2 3 ... 756
Follow @disclosedh1 on twitter to receive updates when a new bug is disclosed!
Twitter
BY DENIS WERNER - @NOBBD - IMPRESSUM