Top 10 publishers:
bobrov: 117
sp1d3rs: 86
geeknik: 84
linkks: 75
jobert: 70
nyymi: 67
someonenobbd: 62
ooooooo_q: 54
guido: 50
haxta4ok00: 49
Now on Twitter: the unofficial HackerOne disclosure timeline.
Nextcloud disclosed a bug submitted by hakuna: "Easy way to create a new Deck board without permission" (16 Jan 2026)
Nextcloud disclosed a bug submitted by hakuna: "Can download files on Android app without permission" (16 Jan 2026)
AWS VDP disclosed a bug submitted by farmer: "Command Injection on Amazon Q Developer CLI via malicious .amazonq/mcp.json leads to arbitrary code execution" (16 Jan 2026)
Node.js disclosed a bug submitted by oriotie: "fs.futimes() Bypasses Read-Only Permission Model" (15 Jan 2026)
curl disclosed a bug submitted by shiftj: "IMAP Protocol Desynchronization and Response Smuggling via Naive Literal Parsing" (14 Jan 2026)
Nextcloud disclosed a bug submitted by somerandomdev: "Roundcube Webmail Style Sanitizer can be bypassed using CSS Character Escapes" (14 Jan 2026)
Revive Adserver disclosed a bug submitted by 7yr: "[revive-adserver] Reflected XSS in Banner Delivery Options via cap parameter" (14 Jan 2026)
Revive Adserver disclosed a bug submitted by 7yr: "Reflected XSS in banner-acl.php and channel-acl.php via executionorder" (14 Jan 2026)
Revive Adserver disclosed a bug submitted by nigh7c0r3: "Reflected XSS in afr.php" (14 Jan 2026)
Revive Adserver disclosed a bug submitted by 0xjad: "Broken Access Control allows advertiser accounts to delete trackers they do not own" (14 Jan 2026)
Revive Adserver disclosed a bug submitted by pakcyberbot: "INI Format string injection in Revive Adserver 6.0.4 settings" (14 Jan 2026)
curl disclosed a bug submitted by z2_: "Integer-underflow leads to heap over-read in TFTP implementation" (14 Jan 2026)
curl disclosed a bug submitted by andrew-bbp: "Digest Authentication Header Injection" (14 Jan 2026)
curl disclosed a bug submitted by vikash_saw: "Directory listing vulnerability is disclosing names and emails, widespread (thousands of records, publicly accessible without auth)" (14 Jan 2026)
curl disclosed a bug submitted by andrew-bbp: "Gopher Protocol Command Injection (SSRF Smuggling)" (14 Jan 2026)
curl disclosed a bug submitted by adce626q: "Use-After-Free in curl_easy_nextheader when reusing header handle across requests" (14 Jan 2026)
curl disclosed a bug submitted by 0xshakib0x04: "MQTT: unsigned integer underflow bypasses MAX_MQTT_MESSAGE_SIZE check" (13 Jan 2026)
curl disclosed a bug submitted by gudyuu: "integer Overflow in MQTT Protocol Handling Allows Bypassing Message Size Limit" (13 Jan 2026)
U.S. Dept Of Defense disclosed a bug submitted by moha1sd: "Information Disclosure in API Endpoint /users" (12 Jan 2026)
U.S. Dept Of Defense disclosed a bug submitted by l0rdv0ld3m0r7: "Publicly Accessible CDN Endpoint Exposing XML Metadata (including ETag)" (12 Jan 2026)
BY DENIS WERNER - @NOBBD