Top10 publishers:
b'bobrov'117 
b'sp1d3rs'86 
b'geeknik'84 
b'linkks'75 
b'jobert'70 
b'nyymi'67 
b'someonenobbd'62 
b'ooooooo_q'54 
b'guido'50 
b'haxta4ok00'49 

the unofficial HackerOne disclosure timeline.

X
b'pixiv' disclosed a bug submitted by b'giwadaoud' 
b'Disclose Hidden Comments on Media Section of hub.vroid.com'
18 Jan 2026 timeline
b'pixiv' disclosed a bug submitted by b'hyk3n' 
b'clickjacing can lead to account takeover'
18 Jan 2026 timeline
b'curl' disclosed a bug submitted by b'andrewml' 
b'libcurl: Improper Authentication State Management on Cross-Protocol Redirects'
17 Jan 2026 timeline
b'Nextcloud' disclosed a bug submitted by b'hakuna' 
b'Easy way to create a new Deck board without permission '
16 Jan 2026 timeline
b'Nextcloud' disclosed a bug submitted by b'hakuna' 
b'Can download files on Android app without permission'
16 Jan 2026 timeline
b'AWS VDP' disclosed a bug submitted by b'farmer' 
b'Command Injection on Amazon Q Developer CLI via malicious .amazonq/mcp.json leads to arbitrary code execution'
16 Jan 2026 timeline
b'Node.js' disclosed a bug submitted by b'oriotie' 
b'fs.futimes() Bypasses Read-Only Permission Model'
15 Jan 2026 timeline
b'curl' disclosed a bug submitted by b'shiftj' 
b'IMAP Protocol Desynchronization and Response Smuggling via Naive Literal Parsing'
14 Jan 2026 timeline
b'Nextcloud' disclosed a bug submitted by b'somerandomdev' 
b'Roundcube Webmail Style Sanitizer can be bypassed using CSS Character Escapes'
14 Jan 2026 timeline
b'Revive Adserver' disclosed a bug submitted by b'7yr' 
b'[revive-adserver] Reflected XSS in Banner Delivery Options via cap parameter'
14 Jan 2026 timeline
b'Revive Adserver' disclosed a bug submitted by b'7yr' 
b'Reflected XSS in banner-acl.php and channel-acl.php via executionorder'
14 Jan 2026 timeline
b'Revive Adserver' disclosed a bug submitted by b'nigh7c0r3' 
b'Reflected XSS in afr.php'
14 Jan 2026 timeline
b'Revive Adserver' disclosed a bug submitted by b'0xjad' 
b'Broken Access Control allows advertiser accounts to delete trackers they do not own'
14 Jan 2026 timeline
b'Revive Adserver' disclosed a bug submitted by b'pakcyberbot' 
b'INI Format string injection in Revive Adserver 6.0.4 settings'
14 Jan 2026 timeline
b'curl' disclosed a bug submitted by b'z2_' 
b'Integer-underflow leads to heap over-read in TFTP implementation'
14 Jan 2026 timeline
b'curl' disclosed a bug submitted by b'andrew-bbp' 
b'Digest Authentication Header Injection'
14 Jan 2026 timeline
b'curl' disclosed a bug submitted by b'vikash_saw' 
b'Directory listing vulnerability is disclosing names and emails, widespread (thousands of records, publicly accessible without auth)'
14 Jan 2026 timeline
b'curl' disclosed a bug submitted by b'andrew-bbp' 
b'Gopher Protocol Command Injection (SSRF Smuggling)'
14 Jan 2026 timeline
b'curl' disclosed a bug submitted by b'adce626q' 
b'Use-After-Free in curl_easy_nextheader when reusing header handle across requests'
14 Jan 2026 timeline
1 2 3 ... 751
Follow @disclosedh1 on twitter to receive updates when a new bug is disclosed!
Twitter
BY DENIS WERNER - @NOBBD - IMPRESSUM