Top10 publishers:
b'bobrov'117 
b'sp1d3rs'86 
b'geeknik'84 
b'linkks'75 
b'jobert'70 
b'nyymi'67 
b'someonenobbd'62 
b'ooooooo_q'54 
b'guido'50 
b'haxta4ok00'49 

the unofficial HackerOne disclosure timeline.

X
b'Python Cryptographic Authority' disclosed a bug submitted by b'uv3doble' 
b'Fail-Open in set_tlsext_servername_callback on pyopenssl via unhandled exceptions leads to security bypass'
20 Mar 2026 timeline
b'Mozilla' disclosed a bug submitted by b'adilnbabras' 
b'[Privilege Escalation] User can Pin|Unpin Any Comment on Any Project or Locale'
20 Mar 2026 timeline
b'curl' disclosed a bug submitted by b'zoroo2' 
b'Exposed .git/config File Leading to Potential Sensitive Information Disclosure'
20 Mar 2026 timeline
b'GitHub' disclosed a bug submitted by b'ahacker1' 
b'Add labels to arbitrary issues/prs & compromise github actions label checks'
19 Mar 2026 timeline
b'GitHub' disclosed a bug submitted by b's3rdz0' 
b'PATs without the required scope can leak issues'
19 Mar 2026 timeline
b'HackerOne' disclosed a bug submitted by b'theokeen' 
b'Lack of Validation in Reward Redemption Allows Unlimited Burp Suite License Abuse'
18 Mar 2026 timeline
b'curl' disclosed a bug submitted by b'lg_oled77c5pua' 
b'HSTS accepted from HTTP origin behind HTTPS proxy'
17 Mar 2026 timeline
b'curl' disclosed a bug submitted by b'am-perip' 
b'Unescaped username in SASL DIGEST-MD5 response allows injection'
17 Mar 2026 timeline
b'LinkedIn' disclosed a bug submitted by b'dphoeniixx' 
b'Session Cookie Leakage via Static Header Field in WebViewerFragment'
17 Mar 2026 timeline
b'Lovable VDP' disclosed a bug submitted by b'ziadmomen' 
b'Business Logic Bypass Allows Setting Read Access Role Without Pro Plan Subscription'
16 Mar 2026 timeline
b'curl' disclosed a bug submitted by b'tavro' 
b'SMB READ_ANDX DataOffset not validated'
16 Mar 2026 timeline
b'Basecamp' disclosed a bug submitted by b'perxibes' 
b'Unauthenticated access to private files on app.fizzy.do via Active Storage URLs leads to information disclosure'
16 Mar 2026 timeline
b'Consensys' disclosed a bug submitted by b'aszx87410' 
b'Authorization Bypass in Starknet Snap via enableAuthorize parameter leads to unauthorized transaction signing'
13 Mar 2026 timeline
b'IBM' disclosed a bug submitted by b'cr3ckerxploit' 
b'SQL Injection vulnerability found on ibm.com endpoint'
12 Mar 2026 timeline
b'curl' disclosed a bug submitted by b'henriqueg' 
b'Curl_compareheader() fails to match multi-value HTTP headers'
12 Mar 2026 timeline
b'curl' disclosed a bug submitted by b'otiscui' 
b'urlapi: off-by-one in custom scheme validation skips last character'
12 Mar 2026 timeline
b'Lovable VDP' disclosed a bug submitted by b'marioniangi' 
b'Bypass of Open Redirect Fix on lovable.dev via /..// Path Traversal in redirect parameter'
12 Mar 2026 timeline
b'curl' disclosed a bug submitted by b'm777m0' 
b'NULL Pointer Dereference (DoS) in libcurl SFTP QUOTE command parsing due to missing return statement'
11 Mar 2026 timeline
b'curl' disclosed a bug submitted by b'rat5ak' 
b'CVE-2026-3805: use after free in SMB connection reuse'
11 Mar 2026 timeline
1 2 3 ... 755
Follow @disclosedh1 on twitter to receive updates when a new bug is disclosed!
Twitter
BY DENIS WERNER - @NOBBD - IMPRESSUM