The BBC wishes to thank the following Security Researchers who have participated in our Vulnerability Disclosure Programme


Researcher Vulnerability Date
Toby Davenport Stored XSS July 2022
Nitesh Singh Local File Inclusion July 2022
Ayush Aggarwal Broken link hijacking July 2022
James Buckley Exposed Admin Portal July 2022
Felipe Gabriel Renzi Credential Exposure Jun 2022
Dzmitry Smaliak XSS Vulnerability May 2022
Jordan Glover Information Disclosure Apr 2022
Joseph Witten (@Sm9l) Default credentials used on a BBC site Mar 2022
Kevin Yehezkiel Gurning Open redirect Mar 2022
Toby Davenport Account Lockout Vulnerability Feb 2022
Toby Davenport Information Disclosure Jan 2022
Toby Davenport Information Disclosure Jan 2022
Vikas Srivastava Database Access Jan 2022



Researcher Vulnerability Date


Ayush Aggarwal Open Redirect in TVApps Certification tool Dec 2021
Vikas Srivastava Remote Code Execution Dec 2021
Crispin JeyaPrakash.A (B1ackHood) XSS Vulnerability Dec 2021
Ishan Vyas Open Redirect Nov 2021
Rohit Yadav HTML Injection via Contact mail Nov 2021
Karthik UJ Email Injection Nov 2021
Ai Ho (@j3ssiejjj) XSS Vulnerability Nov 2021
Mohd.Danish Abid Information Disclosure Nov 2021
Abhijith A Information Disclosure Nov 2021
Supras SSRF vulnerability Oct 2021
Rohit Yadav Misconfigured Exposed Audemat Oct 2021
Pranav K Subdomain Takeover Oct 2021
Roshan Poudél Rate limiting Oct 2021
Nessim Jerbi (Tunisia) Multiple Vulnerabilities Oct 2021
Ayush Aggarwal Subdomain Takeover Sept 2021
Momen Ali Eldawakhly (Cyber Guy) Exposure of Secret Key Aug 2021
Momen Ali Eldawakhly (Cyber Guy) Access Control Aug 2021
Momen Ali Eldawakhly (Cyber Guy) Spring Boot Aug 2021
Nourhan Ali Dief (Cyber Girl) Leaked Secret Aug 2021
Shubham Garg XSS Aug 2021
Momen Ali Eldawakhly (Cyber Guy) Information Disclosure Aug 2021
Momen Ali Eldawakhly (Cyber Guy) SMTP Vulnerability Aug 2021
Nourhan Ali Ibrahim Dief Leaked Secret Key Aug 2021
Gourab Sadhukhan Password Reset Token Leak Aug 2021
Abhijith A Improper Authentication Aug 2021
Anirudh Srinivas Balaji Credential Exposure Aug 2021
Mohit Khemchandani Credential Exposure Aug 2021
Raajesh.G OpenSSH Vulnerability Aug 2021
Michele Romano Open redirect Aug 2021
Shubham Garg Subdomain Takeover Aug 2021
Jefferson Gonzales (Gonz) XSS Aug 2021
Kabeer Saxena OpenSSH Vulnerability Aug 2021
Prathamesh Surekha Prakash Pawar Broken Link Hijacking Aug 2021
Nayanjyoti Roy Xmlrpc.php file enabled July 2021
Abhijeet Sarkar HTTP Login July 2021
Roshan Poudél Plain Text Transfer July 2021
Rishabh Shrivastava Information Disclosure July 2021
Roshan Poudél Rate Limit Vulnerability July 2021
Kiran Ghimire (From Nepal) Partial Source Code Disclosure July 2021
Chandan Rai Web/App layer vulnerability July 2021
Mayank Mukhi Tomcat Version Disclosure July 2021
Luca Consolati Path Traversal June 2021
Chirag Ketan Prajapati XSS June 2021
Ishan Vyas Open Redirect June 2021
Sheikh Rishad Privilege Escalation June 2021
Avdi Zumeray Oauth token disclosure June 2021
Mike Ralphson Information disclosure June 2021
Pratik Khalane Default Credentials June 2021
Anirudh Makkar Default Credentials June 2021
Mohamed Abdellatif Jaber HTML-injection May 2021
Bartłomiej Bergier XSS vulnerability May 2021
Diego Bernal Adelantado S3 Bucket Takeover May 2021
Enes Saltik NginX SPDY heap buffer overflow May 2021
Divya Singh Open Redirect April 2021
Faiyaz Ahmad Public XMLRPC April 2021
Roshan Poudél RPC Vulnerability March 2021
Ai Ho Information Disclosure March 2021
Satrya Wira Yudha HTTP Response Splitting March 2021
Ai Ho Subdomain Takeover March 2021
Ahmed Elmalky Information Disclosure March 2021
Bijay Silwal HTML Injection March 2021
Eslam Sayed (eslamXxX) Open Redirect March 2021
Abhinav Sharma Xmlrpc.php file enabled March 2021
Ganesh Bagaria Open Redirect March 2021
Colin Barr Subdomain Takeover March 2021
Buğra Eskici Subdomain Takeover February 2021
Bartłomiej Bergier XSS Vulnerability February 2021
Harsh Parekh Information Disclosure February 2021
Enes Saltik Buffer Overflow Vulnerability January 2021
Bartłomiej Bergier XSS Vulnerability January 2021
0xblackbird API Keys Disclosed January 2021
Nitesh Singh XSS Vulnerability January 2021
Erdoğan Yağız Şahin Unclaimed Social Media Site January 2021


Researcher Vulnerability Date


Osama Khan XSS Vulnerability December 2020
Alfred Nirmal API Key Exposure December 2020
Taha Bıyıklı XSS Vulnerability December 2020
Tayfun AKYILDIZ XSS Vulnerability December 2020
René de Sain XSS Vulnerability November 2020
Tom Smith Buffer Overflow November 2020
Alexandar Thangavel Subdomain Takeover November 2020 
Sourajeet Majumder Account Impersonation November 2020
Netanel Rubin Data Leak November 2020
Shaun Budding XSS Vulnerability November 2020
Pratik Dabhi Stack consumption vulnerability November 2020
Brijesh Pandya XSS Vulnerability November 2020
Pentest People XSS Vulnerability November 2020
Shaikh Yaser Arafat Remote Code Execution November 2020
Sanem Sudheendra OAuth vulnerability November 2020
Gaurav Mishra CORS Vulnerability November 2020
Pritam Mukherjee Text-based Injection November 2020
Parshwa PareshKumar Bhavsar XSS Vulnerability October 2020
Azizul Hakim File Upload Vulnerability October 2020
Kasper Karlsson XSS Vulnerability October 2020
Benjamin Barnes (Magna) XSS Vulnerability October 2020
Roberto Urbanus XXE Vulnerability October 2020
Pritam Dash CRLF Vulnerability October 2020
Lucio Sá XSS Vulnerability October 2020
Suraj Disoja XSS Vulnerability October 2020
Bharat (Mr.NOOB) Multiple Vulnerabilities October 2020
Nathan Jones Information disclosure October 2020
Ed Williams HTTP method vulnerability October 2020
Junting Zhu Open redirect vulnerability September 2020
Gal Nagli Private Key Exposed September 2020
Jeya Seelan S Credential exposure September 2020
George Omnet Server side request forgery September 2020
Devang Karelia Host Header Injection September 2020
Ashley King XSS vulnerability & Parameter vulnerability September 2020
Sumit Grover XSS vulnerability September 2020
Daniel Lidén XSS vulnerability & Information Disclosure September 2020
R Ando XSS vulnerability September 2020
Vikas Srivastava, India Misconfigured database August 2020
d3vpoo1 CSRF vulnerability August 2020
Keshav Malik No rate limiting set August 2020
Abhinav P Credential disclosure August 2020
Gamer7112 DOM XSS vulnerability August 2020
Shivang Trivedi API key disclosure August 2020
Tommaso De Ponti Account validation bypass July 2020
Gourab Sadhukhan Credential disclosure July 2020
Prakhar Mittal Credential disclosure July 2020
Florian Kunushevci Information disclosure July 2020
Parag Dave Vulnerable domain July 2020
Hassan Cypher Information disclosure July 2020
Pankaj Kumar Thakur (Nepal) SQL Injection July 2020
Prasoon Gupta S3 Bucket Takeover June 2020
Utkarsh Agrawal Information disclosure June 2020
Joseph Buta Information disclosure June 2020
Sumit Grover Sub-domain takeover June 2020
Pethuraj M Information disclosure May 2020
Subhamoy Guha User enumeration May 2020
Akash Basnet Rate limit bypass May 2020
Ahmad Halabi OpenSSL May 2020
Vivek Singh Sub-domain takeover April 2020
Anurag Muley Improper session management April 2020
Diego Bernal Adelantado Content-type upload vulnerability April 2020
Lütfü Mert Ceylan CSRF vulnerability April 2020
Syed Muhammad Asim Mixed Content (Inc script) February 2020
Govind palakkal Security Misconfiguration January 2020
Abhaychandra Chede- Tarun Mahour Information disclosure January 2020
Noman Shaikh Open redirect January 2020
Mike Ralphson Information disclosure January 2020
Conny Dahlgren XSS vulnerability & SQL Injection January 2020
Mohamad Mohsin Shekh Information disclosure January 2020
Raphael Karger XSS vulnerability January 2020
Robbie Wiggins Citrix vulnerability January 2020
Nathan Hrncirik XSS vulnerability January 2020
Shivam Pandey Denial of Service using Cookie Bombing January 2020


Researcher Vulnerability Date


Onkar Sonawane Account information disclosure December 2019
Darkprincesri XSS vulnerability December 2019
Chippa Vijay Kumar SQL Injection & XSS vulnerability December 2019
R Ando XSS vulnerability November 2019
Sourajeet Majumder Account Verification vulnerability October 2019
Safak Aslan XSS vulnerability October 2019
Diego Bernal Adelantado XSS vulnerability and XML External Entity September 2019
Akhil George Sub-domain takeover August 2019
Amey Takekar XSS vulnerability July 2019
Parker Daudt XSS vulnerability May 2019
Tinu Tomy CSRF vulnerability May 2019
Wasim Shaikh XSS vulnerability May 2019
Acelakshit verma XSS vulnerability May 2019
Angel Tsvetkov XSS Reflected vulnerability April 2019
Pethuraj M Reflected XSS vulnerability April 2019 
Jayateertha G XSS vulnerability April 2019
Dhrudeep Patel Open redirect vulnerability March 2019
Wai Yan Aung XSS vulnerability March 2019
Vineet Kumar Sub-domain takeover March 2019
Anjali Patil XSS vulnerability March 2019
Ashish Kunwar Information disclosure March 2019
EdOverflow XSS vulnerability March 2019
Nathan Mahdavi Transcoder exposed February 2019
B. Franklin Vulnerable configuration February 2019
Nicholas Dine XSS vulnerability February 2019
Anurag Jain GitHub exposed January 2019
Damian Schwyrz Multiple XSS vulnerabilities January 2019


Researcher Vulnerability Date
Dan Kelley GET-based Reflective XSS December 2018
Varun Thorat Open Redirection resulting in phishing & XSS attacks December 2018
Eric Head XSS vulnerability November 2018
Cyberanteater XSS vulnerability November 2018
Avinash Jain XSS vulnerability November 2018
Pranshu Tiwari CSRF vulnerability November 2018
Aldo Moreno Blind XSS vulnerability October 2018
Diego Moicano XSS vulnerability October 2018
Trung Nguyen Sub-domain takeover October 2018
Hrishikesh Panse XSS vulnerability October 2018 
Sébastien Kaul Vulnerable PHP configuration October 2018 
Richard Strnad Sub-domain takeover September 2018
Puneet Kumar Maurya SPF records missing September 2018
JubaBaghdad XSS vulnerability September 2018
Dhiraj Mishra Account takeover September 2018 
Efkan Gökbas Vulnerability via SWF File September 2018 
Kunal Bahl Improper session validation September 2018 
Saubhagya Srivastava Session fixation September 2018 
Kenan GUMUS XSS vulnerability September 2018 
B.Dhiyaneshwaran Directory disclosure September 2018 
Alfie Njeru Insufficient access controls, XSS August 2018
Michael Skelton Sub-domain takeover August 2018
Robbie Wiggins Sub-domain takeover August 2018
Thijs Baart XSS vulnerability August 2018
Sean Roesner XSS vulnerability August 2018
Sam Gilder Web cache poisoning August 2018
Nicolas Francois XSS vulnerability August 2018
Zeeshan Khalid Reflected XSS vulnerability August 2018
Joby John Public Trello Boards August 2018
Christoph Kisfeld XSS vulnerability August 2018
Pedro Cardoso XSS vulnerability August 2018 
Naveen.v Information disclosure August 2018 
Deepak R Pandey Improper Access Control August 2018
Ashutosh Barot Information Disclosure July 2018


Researcher Vulnerability Date


Shwetabh Suman XSS vulnerability February 2017

Information for reporters

Please note that we are currently backfilling this page with reporter information. If you have reported a vulnerability which has been accepted and your details are not here already but you would like them to be, please contact and include the reference number you were provided with along with the name/handle and a link to a social media account if you wish that to appear here.

The BBC relies on consent to publish the personal information of researchers online. We will include a link to the researchers’ social media profiles, but only if the researcher asks us to do so. The researcher can withdraw their consent at any time by contacting For further information about how the BBC processes your personal information including your rights under data protection law, please see the BBC’s privacy policy.

Website links

Please note that we only link to security researcher social media profiles. Our trust model does not enable us to link to other websites. Currently LinkedIn, Twitter and Facebook profile links are accepted. Other social media sites will be reviewed and considered at the point of request.