2025
| Researcher | Vulnerability | Date |
| Identification and Authentication Failure | February 2025 | |
| Insecure Design | February 2025 | |
| Insecure Design | February 2025 | |
| Broken Access Control | February 2025 | |
| Data Integrity Failure | February 2025 | |
| Data Integrity Failure | January 2025 | |
| Injection | January 2025 | |
| Broken Access Control | January 2025 |
2024
| Researcher | Vulnerability | Date |
| Insecure Design | Dec 2024 | |
| Insecure Design | Dec 2024 | |
| Vulnerable and Outdated Components | Dec 2024 | |
| Vulnerable and Outdated Components | Dec 2024 | |
| Insecure Design | Dec 2024 | |
| Security Misconfiguration | Nov 2024 | |
| Insecure Design | Nov 2024 | |
| Injection | Nov 2024 | |
| Broken Access Control | Nov 2024 | |
| Injection | Nov 2024 | |
| Injection | Nov 2024 | |
| Insecure Design | Oct 2024 | |
| Late - | Injection | Oct 2024 |
| Broken Access Control | Oct 2024 | |
| Vulnerable and Outdated Components | Sept 2024 | |
| Insecure Design | August 2024 | |
| Injection | August 2024 | |
| Broken Access Control | August 2024 | |
| Insecure Design | August 2024 | |
| Security Misconfiguration | July 2024 | |
| Vulnerable and Outdated Components | July 2024 | |
| Vulnerable and Outdated Components | July 2024 | |
| Security Misconfiguration | July 2024 | |
| Injection | July 2024 | |
| Insecure Design | July 2024 | |
| Injection | June 2024 | |
| Insecure Design | June 2024 | |
| Insecure Design | June 2024 | |
| Insecure Design | June 2024 | |
| Injection | May 2024 | |
| Security Misconfiguration | May 2024 | |
| Broken Access Control | May 2024 | |
| Security Misconfiguration | May 2024 | |
| Security Misconfiguration | May 2024 | |
| Sensitive Information Disclosure | May 2024 | |
| Sensitive Information Disclosure | May 2024 | |
| Security Misconfiguration | April 2024 | |
| Security Misconfiguration | April 2024 | |
| Security Misconfiguration | April 2024 | |
| Sensitive Information Disclosure | April 2024 | |
| Security Misconfiguration | April 2024 | |
| Injection | April 2024 | |
| Information Disclosure | April 2024 | |
| Security Misconfiguration | March 2024 | |
| Insecure Design | March 2024 | |
| Broken Access Control | March 2024 | |
| Information Disclosure | February 2024 | |
| Security Misconfiguration | February 2024 | |
| Injection | February 2024 | |
| Broken Authentication | February 2024 | |
| Injection | January 2024 | |
| Security Misconfiguration | January 2024 |
2023
| Researcher | Vulnerability | Date |
| Security misconfiguration | Dec 2023 | |
| Injection | Dec 2023 | |
| Insecure Design | Dec 2023 | |
| Injection | Dec 2023 | |
| Injection | Dec 2023 | |
| Injection | Dec 2023 | |
| Injection | Dec 2023 | |
| Security Misconfiguration | Dec 2023 | |
| Data Integrity | Dec 2023 | |
| Insecure Design | Nov 2023 | |
| Broken Access Control | Nov 2023 | |
| Broken Access Control | Nov 2023 | |
| Insecure Design | Nov 2023 | |
| Broken Access Control | Nov 2023 | |
| Injection | Nov 2023 | |
| Insecure Design | Nov 2023 | |
| Broken Access Control | Nov 2023 | |
| Injection | Oct 2023 | |
| Data Integrity | Oct 2023 | |
| Insecure Design | Oct 2023 | |
| Broken Access Control | Oct 2023 | |
| Broken Access Control | Oct 2023 | |
| Injection | Oct 2023 | |
| Insecure Design | Oct 2023 | |
| Security Misconfiguration | Oct 2023 | |
| Injection | Oct 2023 | |
| Outdated Components | Sept 2023 | |
| Injection | Sept 2023 | |
| Security Misconfiguration | Sept 2023 | |
| Outdated Components | Sept 2023 | |
| Outdated Components | Aug 2023 | |
| Injection | Aug 2023 | |
| Insecure Design | July 2023 | |
| Injection | July 2023 | |
| Injection | July 2023 | |
| Security Misconfiguration | June 2023 | |
| Injection | June 2023 | |
| Broken Access Control | June 2023 | |
| Outdated Components | June 2023 | |
| Insecure Design | June 2023 | |
| Insecure Design | May 2023 | |
| Injection | May 2023 | |
| Outdated Components | May 2023 | |
| Outdated Components | May 2023 | |
| Injection | May 2023 | |
| Injection | April 2023 | |
| Jose Carlos Exposito Bueno | Security Misconfiguration | April 2023 |
| Injection | April 2023 | |
| Insecure Design | March 2023 | |
| Injection | March 2023 | |
| Injection | March 2023 | |
| Insecure Design | March 2023 | |
| Broken Access Control | March 2023 | |
| Broken Access Control | March 2023 | |
| Injection | March 2023 | |
| Data Integrity | March 2023 | |
| Injection | March 2023 | |
| Injection | March 2023 | |
| Injection | Feb 2023 | |
| Server-Side Request Forgery | Feb 2023 | |
| Server-Side Request Forgery | Jan 2023 | |
| Injection | Jan 2023 | |
| Injection | Jan 2023 | |
| Injection | Jan 2023 | |
| Injection | Jan 2023 | |
| & Petter Olsen | Data Integrity | Jan 2023 |
| Injection | Jan 2023 | |
| Broken Access Control | Jan 2023 | |
| Injection | Jan 2023 |
2022
| Researcher | Vulnerability | Date |
| Insecure Design | Dec 2022 | |
| Injection | Dec 2022 | |
| Injection | Nov 2022 | |
| Injection | Nov 2022 | |
| Data Integrity | Nov 2022 | |
| Injection | Oct 2022 | |
| Injection | Sept 2022 | |
| Injection | Aug 2022 | |
| Insecure Design | July 2022 | |
| Injection | July 2022 | |
| Data Integrity | July 2022 | |
| Injection | July 2022 | |
| Broken Access Control | July 2022 | |
| Data Integrity | Jun 2022 | |
| Injection | May 2022 | |
| Jordan Glover | Data Integrity | Apr 2022 |
| Broken Access Control | Mar 2022 | |
| Injection | Mar 2022 | |
| Insecure Design | Feb 2022 | |
| Information Disclosure | Jan 2022 | |
| Information Disclosure | Jan 2022 | |
| Security Misconfiguration | Jan 2022 |
2021
| Researcher | Vulnerability |
Date |
| Injection | Dec 2021 | |
| Remote Code Execution | Dec 2021 | |
| Remote Code Execution | Dec 2021 | |
| Remote Code Execution | Nov 2021 | |
| Remote Code Execution | Nov 2021 | |
| Remote Code Execution | Nov 2021 | |
| Remote Code Execution | Nov 2021 | |
| Data Integrity | Nov 2021 | |
| Data Integrity | Nov 2021 | |
| Server-Side Request Forgery | Oct 2021 | |
| Security Misconfiguration | Oct 2021 | |
| Security Misconfiguration | Oct 2021 | |
| Insecure Design | Oct 2021 | |
| Insecure Design | Oct 2021 | |
| Security Misconfiguration | Sept 2021 | |
| Data Integrity | Aug 2021 | |
| Broken Access Control | Aug 2021 | |
| Broken Access Control | Aug 2021 | |
| Data Integrity | Aug 2021 | |
| Injection | Aug 2021 | |
| Injection | Aug 2021 | |
| Vulnerable Components | Aug 2021 | |
| Data Integrity | Aug 2021 | |
| Data Integrity | Aug 2021 | |
| Broken Access Control | Aug 2021 | |
| Data Integrity | Aug 2021 | |
| Data Integrity | Aug 2021 | |
| Vulnerable Components | Aug 2021 | |
| Injection | Aug 2021 | |
| Security Misconfiguration | Aug 2021 | |
| Injection | Aug 2021 | |
| Vulnerable Components | Aug 2021 | |
| Injection | Aug 2021 | |
| Security Misconfiguration | July 2021 | |
| Insecure Design | July 2021 | |
| Insecure Design | July 2021 | |
| Data Integrity | July 2021 | |
| Insecure Design | July 2021 | |
| Data Integrity | July 2021 | |
| Insecure Design | July 2021 | |
| Outdated Components | July 2021 | |
| Injection | June 2021 | |
| Injection | June 2021 | |
| Injection | June 2021 | |
| Broken Access Control | June 2021 | |
| Avdi Zumeray | Broken Access Control | June 2021 |
| Data Integrity | June 2021 | |
| Broken Access Control | June 2021 | |
| Broken Access Control | June 2021 | |
| Injection | May 2021 | |
| Injection | May 2021 | |
| Security Misconfiguration | May 2021 | |
| Vulnerable Components | May 2021 | |
| Injection | April 2021 | |
| Broken Access Control | April 2021 | |
| Vulnerable Components | March 2021 | |
| Data Integrity | March 2021 | |
| Insecure Design | March 2021 | |
| Security Misconfiguration | March 2021 | |
| Data Integrity | March 2021 | |
| Injection | March 2021 | |
| Injection | March 2021 | |
| Security Misconfiguration | March 2021 | |
| Injection | March 2021 | |
| Security Misconfiguration | March 2021 | |
| Security Misconfiguration | February 2021 | |
| Injection | February 2021 | |
| Data Integrity | February 2021 | |
| Vulnerable Components | January 2021 | |
| Injection | January 2021 | |
| Data Integrity | January 2021 | |
| Injection | January 2021 | |
| Security Misconfiguration | January 2021 |
2020
| Researcher | Vulnerability |
Date |
| Injection | December 2020 | |
| Data Integrity | December 2020 | |
| Taha Bıyıklı | Injection | December 2020 |
| Injection | December 2020 | |
| Injection | November 2020 | |
| Vulnerable Components | November 2020 | |
| Security Misconfiguration | November 2020 | |
| Insecure Design | November 2020 | |
| Data Integrity | November 2020 | |
| Injection | November 2020 | |
| Vulnerable Components | November 2020 | |
| Brijesh Pandya | Injection | November 2020 |
| Injection | November 2020 | |
| Vulnerable Components | November 2020 | |
| Vulnerable Components | November 2020 | |
| Injection | November 2020 | |
| Injection | November 2020 | |
| Injection | October 2020 | |
| Insecure Design | October 2020 | |
| Kasper Karlsson | Injection | October 2020 |
| Benjamin Barnes (Magna) | Injection | October 2020 |
| Injection | October 2020 | |
| Injection | October 2020 | |
| Injection | October 2020 | |
| Injection | October 2020 | |
| Bharat (Mr.NOOB) | Multiple Vulnerabilities | October 2020 |
| Nathan Jones | Data Integrity | October 2020 |
| Insecure Design | October 2020 | |
| Injection | September 2020 | |
| Data Integrity | September 2020 | |
| Data Integrity | September 2020 | |
| Server side request forgery | September 2020 | |
| Injection | September 2020 | |
| Injection | September 2020 | |
| Injection | September 2020 | |
| Daniel Lidén | Injection | September 2020 |
| Injection | September 2020 | |
| Insecure Design | August 2020 | |
| d3vpoo1 | Server-Side Request Forgery | August 2020 |
| Keshav Malik | Insecure Design | August 2020 |
| Data Integrity | August 2020 | |
| Injection | August 2020 | |
| Data Integrity | August 2020 | |
| Insecure Design | July 2020 | |
| Broken Access Control | July 2020 | |
| Broken Access Control | July 2020 | |
| Data Integrity | July 2020 | |
| Security Misconfiguration | July 2020 | |
| Data Integrity | July 2020 | |
| Injection | July 2020 | |
| Security Misconfiguration | June 2020 | |
| Data Integrity | June 2020 | |
| Data Integrity | June 2020 | |
| Security Misconfiguration | June 2020 | |
| Data Integrity | May 2020 | |
| Insecure Design | May 2020 | |
| Insecure Design | May 2020 | |
| Vulnerable Components | May 2020 | |
| Security Misconfiguration | April 2020 | |
| Insecure Design | April 2020 | |
| Injection | April 2020 | |
| Injection | April 2020 | |
| Syed Muhammad Asim | Injection | February 2020 |
| Security Misconfiguration | January 2020 | |
| Data Integrity | January 2020 | |
| Injection | January 2020 | |
| Data Integrity | January 2020 | |
| Injection | January 2020 | |
| Data Integrity | January 2020 | |
| Injection | January 2020 | |
| Vulnerable Components | January 2020 | |
| Injection | January 2020 | |
| Insecure Design | January 2020 |
2019
| Researcher | Vulnerability |
Date |
| Data Integrity | December 2019 | |
| Injection | December 2019 | |
| Injection | December 2019 | |
| Injection | November 2019 | |
| Insecure Design | October 2019 | |
| Safak Aslan | Injection | October 2019 |
| Injection | September 2019 | |
| Security Misconfiguration | August 2019 | |
| Injection | July 2019 | |
| Injection | May 2019 | |
| Injection | May 2019 | |
| Injection | May 2019 | |
| Injection | May 2019 | |
| Injection | April 2019 | |
| Injection | April 2019 | |
| Injection | April 2019 | |
| Injection | March 2019 | |
| Injection | March 2019 | |
| Vineet Kumar | Security Misconfiguration | March 2019 |
| Injection | March 2019 | |
| Data Integrity | March 2019 | |
| Injection | March 2019 | |
| Broken Access Control | February 2019 | |
| B. Franklin | Security Misconfiguration | February 2019 |
| Nicholas Dine | Injection | February 2019 |
| Broken Access Control | January 2019 | |
| Injection | January 2019 |
2018
| Researcher | Vulnerability | Date |
| Injection | December 2018 | |
| Injection | December 2018 | |
| Injection | November 2018 | |
| Injection | November 2018 | |
| Injection | November 2018 | |
| Pranshu Tiwari | Injection | November 2018 |
| Injection | October 2018 | |
| Diego Moicano | Injection | October 2018 |
| Security Misconfiguration | October 2018 | |
| Injection | October 2018 | |
| Sébastien Kaul | Security Misconfiguration | October 2018 |
| Security Misconfiguration | September 2018 | |
| Puneet Kumar Maurya | Security Misconfiguration | September 2018 |
| Injection | September 2018 | |
| Dhiraj Mishra | Insecure Design | September 2018 |
| Data Integrity | September 2018 | |
| Kunal Bahl | Insecure Design | September 2018 |
| Insecure Design | September 2018 | |
| Kenan GUMUS | Injection | September 2018 |
| B.Dhiyaneshwaran | Data Integrity | September 2018 |
| Broken Access Control | August 2018 | |
| Security Misconfiguration | August 2018 | |
| Security Misconfiguration | August 2018 | |
| Thijs Baart | Injection | August 2018 |
| Injection | August 2018 | |
| Sam Gilder | Insecure Design | August 2018 |
| Nicolas Francois | Injection | August 2018 |
| Injection | August 2018 | |
| Data Integrity | August 2018 | |
| Christoph Kisfeld | Injection | August 2018 |
| Injection | August 2018 | |
| Data Integrity | August 2018 | |
| Deepak R Pandey | Broken Access Control | August 2018 |
| Ashutosh Barot | Data Integrity | July 2018 |
2017
| Researcher | Vulnerability |
Date |
| Injection | February 2017 |
Information for reporters
Please note that we are currently backfilling this page with reporter information. If you have reported a vulnerability which has been accepted and your details are not here already but you would like them to be, please contact security@bbc.co.uk and include the reference number you were provided with along with the name/handle and a link to a social media account if you wish that to appear here.
The ´óÏó´«Ã½ relies on consent to publish the personal information of researchers online. We will include a link to the researchers’ social media profiles, but only if the researcher asks us to do so. The researcher can withdraw their consent at any time by contacting security@bbc.co.uk. For further information about how the ´óÏó´«Ã½ processes your personal information including your rights under data protection law, please see the ´óÏó´«Ã½â€™s privacy policy.
Website links
Please note that we only link to security researcher social media profiles. Our trust model does not enable us to link to other websites. Currently LinkedIn, Twitter(X), Instagram, Facebook and HackerOne profile links are accepted. Other social media sites will be reviewed and considered at point of request. Mastodon is a de-centralised system and therefore we will reference handles (please ensure you include the @server element), but will not include hyperlinks as we cannot guarantee the safety of the profile being linked to.