Top 10 publishers:
bobrov: 117
sp1d3rs: 86
geeknik: 84
linkks: 75
jobert: 70
nyymi: 67
someonenobbd: 62
ooooooo_q: 54
guido: 50
haxta4ok00: 49
The unofficial HackerOne disclosure timeline.
Node.js disclosed a bug submitted by sharp_edged: HashDoS in V8 (30 Mar 2026)
Node.js disclosed a bug submitted by stif: Permission Model Bypass in realpathSync.native Allows File Existence Disclosure (30 Mar 2026)
Node.js disclosed a bug submitted by x_probe: Timing side-channel in HMAC verification via memcmp() in crypto_hmac.cc leads to potential MAC forgery (30 Mar 2026)
Node.js disclosed a bug submitted by xavlimsg: Node.js Permission Model bypass: UDS server bind/listen works without `--allow-net` (30 Mar 2026)
Node.js disclosed a bug submitted by yushengchen: Denial of Service via `__proto__` header name in `req.headersDistinct` (Uncaught `TypeError` crashes Node.js process) (30 Mar 2026)
Node.js disclosed a bug submitted by wooseokdotkim: CVE-2024-36137 Patch Bypass - FileHandle.chmod/chown (30 Mar 2026)
Node.js disclosed a bug submitted by galbarnahum: Memory leak in Node.js HTTP/2 server via WINDOW_UPDATE on stream 0 leads to resource exhaustion (30 Mar 2026)
curl disclosed a bug submitted by sakthi02_sk: CRLF Injection in HAProxy PROXY Protocol via CURLOPT_HAPROXY_CLIENT_IP allows IP spoofing and protocol injection (30 Mar 2026)
curl disclosed a bug submitted by xkiluar: HTTP/2 server push accepts a non-authoritative :scheme=https over cleartext h2c, enabling HTTPS cache-key poisoning (29 Mar 2026)
Tucows (VDP) disclosed a bug submitted by 2026: Password Strength Policy Bypass via Server-Side Validation Flaw (27 Mar 2026)
passhash disclosed a bug submitted by sinic: Potential DoS due to PasswordPoliciesNotMet in errors.go (27 Mar 2026)
passhash disclosed a bug submitted by sinic: Missing policies for password in password_policies.go (27 Mar 2026)
Node.js disclosed a bug submitted by rafaelgss: Assertion error in node_url.cc via malformed URL format leads to Node.js crash (26 Mar 2026)
RubyGems disclosed a bug submitted by 6b_jjj: Server-side ReDoS via user-controlled regex in OIDC Access Policy (26 Mar 2026)
curl disclosed a bug submitted by wizard021: Bearer Token Leaked to Attacker via .netrc Despite CVE-2026-3783 Fix (26 Mar 2026)
curl disclosed a bug submitted by ankitsingh_76: Security Vulnerability Report: Protocol Injection via Programmatic Options (26 Mar 2026)
curl disclosed a bug submitted by 3lcarry: HTTP/1.1 Response Desynchronization via conflicting CL/TE headers in Proxy CONNECT (25 Mar 2026)
curl disclosed a bug submitted by tynus: Function `do_pubkey()` can have out-of-bound read issue (25 Mar 2026)
IBM disclosed a bug submitted by bugmithalchemist: Potential Subdomain Takeover on IBM.com domain. (24 Mar 2026)
BY DENIS WERNER - @NOBBD