The unofficial HackerOne disclosure timeline.
curl disclosed a bug submitted by bagder
CURLOPT_PROXY_CRLFILE / CURLOPT_PROXY_ISSUERCERT / CURLOPT_PROXY_ISSUERCERT_BLOB silently ignored on backends that don't support them
05 Jun 2026
curl disclosed a bug submitted by bagder
Shared HSTS cache accessed without lock
05 Jun 2026
curl disclosed a bug submitted by hamaowo
RTSP Digest auth state leaks across origins on reused libcurl easy handle
05 Jun 2026
curl disclosed a bug submitted by bowen111
TFTP upload ignores --continue-at / CURLOPT_RESUME_FROM and leaks skipped local file prefix
05 Jun 2026
curl disclosed a bug submitted by skksndk
libcurl 8.20.0 ignores HTTP Digest domain protection space and preemptively leaks Digest auth outside the declared scope
05 Jun 2026
curl disclosed a bug submitted by azraelxuemo
CURLOPT_COOKIE leaked to cross-origin redirect target CURLOPT_UNRESTRICTED_AUTH bypass for the STRING_COOKIE path
05 Jun 2026
Revive Adserver disclosed a bug submitted by darky_os
Missing access control when linking banners or campaigns to zones
03 Jun 2026
Revive Adserver disclosed a bug submitted by darky_os
Missing access control when linking trackers to campaigns
03 Jun 2026
Revive Adserver disclosed a bug submitted by titanrain
Blind SQL injection via clientid parameter in zoneinclude.php
03 Jun 2026
Revive Adserver disclosed a bug submitted by titanrain
Reflected XSS via clientid parameter in zoneinclude.php
03 Jun 2026
Revive Adserver disclosed a bug submitted by 0x4c616e
PHP code injection via delivery limitation logical
03 Jun 2026
Revive Adserver disclosed a bug submitted by 3l4
Stored XSS via Full Name field in userlog email entries
03 Jun 2026
Revive Adserver disclosed a bug submitted by 0x4c616e
Session ID reuse allowing XMLRPC API authentication bypass
03 Jun 2026
Revive Adserver disclosed a bug submitted by 3l4
Missing access control when modifying parent entities via XMLRPC
03 Jun 2026
Revive Adserver disclosed a bug submitted by v3rtical
Banner status override by advertiserlevel users
03 Jun 2026
Revive Adserver disclosed a bug submitted by 3l4
Stored XSS via malicious usernames in audit log details + Username validation bypass in XMLRPC addUser
03 Jun 2026
Revive Adserver disclosed a bug submitted by rajib_mahmud
PHP code injection via unexpected delivery limitation parameter
03 Jun 2026
curl disclosed a bug submitted by hungly09
PRE_PROXY change leaks stale Proxy Digest state across proxy-chain boundary
03 Jun 2026
curl disclosed a bug submitted by arkss
curl/libcurl 8.20.0 NOPROXY bypass via uppercase-hex IPv4 aliases leaks off-proxy Basic credentials to the configured proxy
03 Jun 2026
curl disclosed a bug submitted by hualuo
SMTP connection reuse ignores --ssl-reqd / CURLOPT_USE_SSL and reuses a clear-text STARTTLS session on current master
03 Jun 2026
BY DENIS WERNER - @NOBBD -