Top 10 publishers:
bobrov: 117
sp1d3rs: 86
geeknik: 84
linkks: 75
jobert: 70
nyymi: 67
someonenobbd: 62
ooooooo_q: 54
guido: 50
haxta4ok00: 49
The unofficial HackerOne disclosure timeline.
curl disclosed a bug submitted by spiderchan26: # SCURLOPT_SSH_KNOWNHOSTS and host fingerprint pins are silently bypassed when an SSH connection is reused from the connection pool (06 Apr 2026)
curl disclosed a bug submitted by divsz: SMTP Command Injection via CRLF in libcurl MAIL_FROM / MAIL_RCPT (lib/smtp.c) (06 Apr 2026)
curl disclosed a bug submitted by spichanlio76: ignoring 'options' when doing connection reuse (05 Apr 2026)
curl disclosed a bug submitted by intrax: Data race in Curl_dnscache_add_negative() corrupts shared DNS cache heap corruption and double-free when using CURLOPT_SHARE with CURL_LOCK_DATA_DNS (04 Apr 2026)
curl disclosed a bug submitted by rougerseven7: Internal application wrapper or script using curl (03 Apr 2026)
curl disclosed a bug submitted by intrax71: Missing server identity policy enforcement in SSH connection reuse allows host key verification bypass via pool poisoning (03 Apr 2026)
curl disclosed a bug submitted by calaba_zas: Cookie attribute TAB injection regression in Set-Cookie parsing (03 Apr 2026)
curl disclosed a bug submitted by whitehat411: Bypassing Strict SSH Server Verification via Connection Pool Reuse in libcurl (31 Mar 2026)
curl disclosed a bug submitted by h3xb1tx: Use-After-Free race condition in url_move_hostname() via shared connection pool (31 Mar 2026)
Sony disclosed a bug submitted by resurrect20: DLL side-loading vulnerability in Sony Music Center for PC Ver. 2.7.2 (Latest version) (31 Mar 2026)
Nextcloud disclosed a bug submitted by eclipse07077: Unauthenticated SSRF via Public Reference API -Sharing Token Bypass (31 Mar 2026)
curl disclosed a bug submitted by ankitsingh131225: HackerOne Vulnerability Report: libcurl SSL/TLS Identity Leakage via Insecure Connection Reuse (31 Mar 2026)
curl disclosed a bug submitted by m42kl33: HTTP/2 PUSH_PROMISE header loss on OOM bypasses scheme validation (regression of 2e8c922a89) (31 Mar 2026)
curl disclosed a bug submitted by ok3y: Unbounded GZIP Decompression Leading to Event-Loop Starvation (31 Mar 2026)
arkadiyt-projects disclosed a bug submitted by tipsen: SSRF Filter Bypass via Unblocked NAT64 Local-Use IPv6 Prefix (64:ff9b:1::/48) (31 Mar 2026)
arkadiyt-projects disclosed a bug submitted by tipsen: Path Traversal in writeFile via Unsafe Prefix Containment Check Allows Out-of-Directory Writes (31 Mar 2026)
Node.js disclosed a bug submitted by sharp_edged: HashDoS in V8 (30 Mar 2026)
Node.js disclosed a bug submitted by stif: Permission Model Bypass in realpathSync.native Allows File Existence Disclosure (30 Mar 2026)
Node.js disclosed a bug submitted by x_probe: Timing side-channel in HMAC verification via memcmp() in crypto_hmac.cc leads to potential MAC forgery (30 Mar 2026)
Node.js disclosed a bug submitted by xavlimsg: Node.js Permission Model bypass: UDS server bind/listen works without `--allow-net` (30 Mar 2026)
BY DENIS WERNER - @NOBBD