Top 10 publishers:
bobrov: 117
sp1d3rs: 86
geeknik: 84
linkks: 75
jobert: 70
nyymi: 67
someonenobbd: 62
ooooooo_q: 54
guido: 50
haxta4ok00: 49
The unofficial HackerOne disclosure timeline.
AWS VDP disclosed a bug submitted by misop00p: V1Plugin.Decrypt panics on empty ciphertext (Remote DoS) (28 May 2026)

AWS VDP disclosed a bug submitted by misop00p: V2Plugin.Decrypt panics on empty ciphertext (Remote DoS) (28 May 2026)

Brave Software disclosed a bug submitted by aaront: iOS Brave Playlist "Open in Private Tab" bypasses FaceID requirement for Private Tabs (28 May 2026)

curl disclosed a bug submitted by giant_anteater: Heap-OOB read in urlapi `redirect_url()` via `CURLU_GUESS_SCHEME` + `CURLU_NO_GUESS_SCHEME` flow (25 May 2026)

curl disclosed a bug submitted by jingzhou: curl GnuTLS backend accepts a clientAuth-only certificate for HTTPS server authentication (25 May 2026)

Rocket.Chat disclosed a bug submitted by deprrous: Autotranslate DDP Method Exposes Private Messages Without Authentication or Room Access Check (25 May 2026)

Node.js disclosed a bug submitted by junius: NULL pointer dereference in node:sqlite DatabaseSync#applyChangeset() via malformed SQLite changeset (23 May 2026)

Node.js disclosed a bug submitted by v1ct0rv0nd00m: Memory Corruption via TOCTOU Race in SharedArrayBuffer UTF-8 Decode (`StringBytes::Encode`) (23 May 2026)

Nextcloud disclosed a bug submitted by msatz: Group restriction bypass via bearer token in user_oidc (SETTING_RESTRICT_LOGIN_TO_GROUPS not enforced in Backend::getCurrentUserId) (21 May 2026)

curl disclosed a bug submitted by sdjasj: curl --skip-existing has a TOCTOU race that lets a post-check symlink redirect the later download write (20 May 2026)

curl disclosed a bug submitted by giant_anteater: Credentials forwarded to HTTP after HTTPS→HTTP same-port redirect url_set_data_creds uses scheme-blind comparator (20 May 2026)

CoinMate.io disclosed a bug submitted by glferreira-devsecops: POST /api/bitcoinWithdrawalFees returns financial data without authentication despite being documented as a USER OPERATION (private endpoint) (20 May 2026)

CoinMate.io disclosed a bug submitted by glferreira-devsecops: HMAC signature verification omits endpoint and payload allowing request forgery on CoinMate API (20 May 2026)

curl disclosed a bug submitted by giant_anteater: HTTP/3 paused transfer buffers incoming data without bound up to ~1 GiB (19 May 2026)

curl disclosed a bug submitted by giant_anteater: Schannel custom-CA path skips Extended Key Usage enforcement (19 May 2026)

curl disclosed a bug submitted by 7omoo: Connection reuse ignores haproxyprotocol and HAPROXY_CLIENT_IP settings, allowing PROXY context to persist across transfers (19 May 2026)

curl disclosed a bug submitted by hexproof: SSL session-cache peer key omits signature_algorithms: strict-sigalg handle silently resumes a permissive sibling's session (19 May 2026)

curl disclosed a bug submitted by giant_anteater: CURLOPT_PROXY_CAINFO_BLOB silently activates native CA store on Apple builds (19 May 2026)

curl disclosed a bug submitted by giant_anteater: TLS peer-verification bypass via mid-transfer ssl_config mutation (19 May 2026)
BY DENIS WERNER - @NOBBD