Top10 publishers:
b'bobrov'117 
b'sp1d3rs'86 
b'geeknik'84 
b'linkks'75 
b'jobert'70 
b'nyymi'67 
b'someonenobbd'62 
b'ooooooo_q'54 
b'guido'50 
b'haxta4ok00'49 

the unofficial HackerOne disclosure timeline.

X
b'Basecamp' disclosed a bug submitted by b'northeastprince' 
b'Spam & Clearance checks disabled with existing referenced Message-ID'
21 Jan 2026 timeline
b'Stripo Inc' disclosed a bug submitted by b'srcode' 
b'[Critical] Unauthorized Cross-Tenant Data Access in Stripo AI Hub Campaign via Deleted Project.'
20 Jan 2026 timeline
b'Cosmos' disclosed a bug submitted by b'0xjam' 
b'Memory Exhaustion in CometBFT v1.0.1 via malicious ProposalMessage leads to network-wide denial of service'
20 Jan 2026 timeline
b'curl' disclosed a bug submitted by b'ichise' 
b'Crossorigin cookies leak and injection risk when using a custom Host header'
20 Jan 2026 timeline
b'curl' disclosed a bug submitted by b'foobar4213' 
b'SSL options ISSUERCERT, EC_CURVES and CRLFILE silently ignored by non-OpenSSL backends'
20 Jan 2026 timeline
b'pixiv' disclosed a bug submitted by b'dexter34' 
b'Internal logs/info leaked via endpoint {https://203.137.128.240/server-status}'
20 Jan 2026 timeline
b'curl' disclosed a bug submitted by b'bhaskar_ram' 
b'Cookie Replacement Use-After-Free Vulnerability'
19 Jan 2026 timeline
b'curl' disclosed a bug submitted by b'bhaskar_ram' 
b'Cookie Max-Age Integer Overflow Vulnerability'
19 Jan 2026 timeline
b'pixiv' disclosed a bug submitted by b'giwadaoud' 
b'Disclose Hidden Comments on Media Section of hub.vroid.com'
18 Jan 2026 timeline
b'pixiv' disclosed a bug submitted by b'hyk3n' 
b'clickjacing can lead to account takeover'
18 Jan 2026 timeline
b'curl' disclosed a bug submitted by b'andrewml' 
b'libcurl: Improper Authentication State Management on Cross-Protocol Redirects'
17 Jan 2026 timeline
b'Nextcloud' disclosed a bug submitted by b'hakuna' 
b'Easy way to create a new Deck board without permission '
16 Jan 2026 timeline
b'Nextcloud' disclosed a bug submitted by b'hakuna' 
b'Can download files on Android app without permission'
16 Jan 2026 timeline
b'AWS VDP' disclosed a bug submitted by b'farmer' 
b'Command Injection on Amazon Q Developer CLI via malicious .amazonq/mcp.json leads to arbitrary code execution'
16 Jan 2026 timeline
b'Node.js' disclosed a bug submitted by b'oriotie' 
b'fs.futimes() Bypasses Read-Only Permission Model'
15 Jan 2026 timeline
b'curl' disclosed a bug submitted by b'shiftj' 
b'IMAP Protocol Desynchronization and Response Smuggling via Naive Literal Parsing'
14 Jan 2026 timeline
b'Nextcloud' disclosed a bug submitted by b'somerandomdev' 
b'Roundcube Webmail Style Sanitizer can be bypassed using CSS Character Escapes'
14 Jan 2026 timeline
b'Revive Adserver' disclosed a bug submitted by b'7yr' 
b'[revive-adserver] Reflected XSS in Banner Delivery Options via cap parameter'
14 Jan 2026 timeline
b'Revive Adserver' disclosed a bug submitted by b'7yr' 
b'Reflected XSS in banner-acl.php and channel-acl.php via executionorder'
14 Jan 2026 timeline
1 2 3 ... 751
Follow @disclosedh1 on twitter to receive updates when a new bug is disclosed!
Twitter
BY DENIS WERNER - @NOBBD - IMPRESSUM