Acknowledgements

The BBC wishes to thank the following Security Researchers who have participated in our Vulnerability Disclosure Programme.

2020

Researcher Vulnerability Date

Tom Smith Buffer Overflow November 2020
Alexandar Thangavel Subdomain Takeover November 2020 
Sourajeet Majumder Account Impersonation November 2020
Netanel Rubin Data Leak November 2020
Shaun Budding XSS Vulnerability November 2020
Pratik Dabhi Stack consumption vulnerability November 2020
Brijesh Pandya XSS Vulnerability November 2020
Pentest People XSS Vulnerability November 2020
Shaikh Yaser Arafat Remote Code Execution November 2020
Sanem Sudheendra OAuth vulnerability November 2020
Gaurav Mishra CORS Vulnerability November 2020
Pritam Mukherjee Text-based Injection November 2020
Parshwa PareshKumar Bhavsar XSS Vulnerability October 2020
Azizul Hakim File Upload Vulnerability October 2020
Kasper Karlsson XSS Vulnerability October 2020
Benjamin Barnes (Magna) XSS Vulnerability October 2020
Roberto Urbanus XXE Vulnerability October 2020
Pritam Dash CRLF Vulnerability October 2020
Lucio Sá XSS Vulnerability October 2020
Suraj Disoja XSS Vulnerability October 2020
Bharat (Mr.NOOB) Multiple Vulnerabilities October 2020
Nathan Jones Information disclosure October 2020
Ed Williams HTTP method vulnerability October 2020
Junting Zhu Open redirect vulnerability September 2020
Gal Nagli Private Key Exposed September 2020
Jeya Seelan S Credential exposure September 2020
George Omnet Server side request forgery September 2020
Devang Karelia Host Header Injection September 2020
Ashley King XSS vulnerability & Parameter vulnerability September 2020
Sumit Grover XSS vulnerability September 2020
Daniel Lidén XSS vulnerability & Information Disclosure September 2020
R Ando XSS vulnerability September 2020
Vikas Srivastava, India Misconfigured database August 2020
d3vpoo1 CSRF vulnerability August 2020
Keshav Malik No rate limiting set August 2020
Abhinav P Credential disclosure August 2020
Gamer7112 DOM XSS vulnerability August 2020
Shivang Trivedi API key disclosure August 2020
Tommaso De Ponti Account validation bypass July 2020
Gourab Sadhukhan Credential disclosure July 2020
Prakhar Mittal Credential disclosure July 2020
Florian Kunushevci Information disclosure July 2020
Parag Dave Vulnerable domain July 2020
Hassan Cypher Information disclosure July 2020
Pankaj Kumar Thakur (Nepal) SQL Injection July 2020
Prasoon Gupta S3 Bucket Takeover June 2020
Utkarsh Agrawal Information disclosure June 2020
Joseph Buta Information disclosure June 2020
Sumit Grover Sub-domain takeover June 2020
Pethuraj M Information disclosure May 2020
Subhamoy Guha User enumeration May 2020
Akash Basnet Rate limit bypass May 2020
Ahmad Halabi OpenSSL May 2020
Vivek Singh Sub-domain takeover April 2020
Anurag Muley Improper session management April 2020
Diego Bernal Adelantado Content-type upload vulnerability April 2020
Lütfü Mert Ceylan CSRF vulnerability April 2020
Syed Muhammad Asim Mixed Content (Inc script) February 2020
Govind palakkal Security Misconfiguration January 2020
Abhaychandra Chede- Tarun Mahour Information disclosure January 2020
Noman Shaikh Open redirect January 2020
Mike Ralphson Information disclosure January 2020
Conny Dahlgren XSS vulnerability & SQL Injection January 2020
Mohamad Mohsin Shekh Information disclosure January 2020
Raphael Karger XSS vulnerability January 2020
Robbie Wiggins Citrix vulnerability January 2020
Nathan Hrncirik XSS vulnerability January 2020
Shivam Pandey Denial of Service using Cookie Bombing January 2020

2019

Researcher Vulnerability Date

Onkar Sonawane Account information disclosure December 2019
Darkprincesri XSS vulnerability December 2019
Chippa Vijay Kumar SQL Injection & XSS vulnerability December 2019
R Ando XSS vulnerability November 2019
Sourajeet Majumder Account Verification vulnerability October 2019
Safak Aslan XSS vulnerability October 2019
Diego Bernal Adelantado XSS vulnerability and XML External Entity September 2019
Akhil George Sub-domain takeover August 2019
Amey Takekar XSS vulnerability July 2019
Parker Daudt XSS vulnerability May 2019
Tinu Tomy CSRF vulnerability May 2019
Wasim Shaikh XSS vulnerability May 2019
Acelakshit verma XSS vulnerability May 2019
Angel Tsvetkov XSS Reflected vulnerability April 2019
Pethuraj M Reflected XSS vulnerability April 2019 
Jayateertha G XSS vulnerability April 2019
Dhrudeep Patel Open redirect vulnerability March 2019
Wai Yan Aung XSS vulnerability March 2019
Vineet Kumar Sub-domain takeover March 2019
Anjali Patil XSS vulnerability March 2019
Ashish Kunwar Information disclosure March 2019
EdOverflow XSS vulnerability March 2019
Nathan Mahdavi Transcoder exposed February 2019
B. Franklin Vulnerable configuration February 2019
Nicholas Dine XSS vulnerability February 2019
Anurag Jain GitHub exposed January 2019
Damian Schwyrz Multiple XSS vulnerabilities January 2019

2018 

Researcher Vulnerability Date
Dan Kelley GET-based Reflective XSS December 2018
Varun Thorat Open Redirection resulting in phishing & XSS attacks December 2018
Eric Head XSS vulnerability November 2018
Cyberanteater XSS vulnerability November 2018
Avinash Jain XSS vulnerability November 2018
Pranshu Tiwari CSRF vulnerability November 2018
Aldo Moreno Blind XSS vulnerability October 2018
Diego Moicano XSS vulnerability October 2018
Trung Nguyen Sub-domain takeover October 2018
Hrishikesh Panse XSS vulnerability October 2018 
Sébastien Kaul Vulnerable PHP configuration October 2018 
Richard Strnad Sub-domain takeover September 2018
Puneet Kumar Maurya SPF records missing September 2018
JubaBaghdad XSS vulnerability September 2018
Dhiraj Mishra Account takeover September 2018 
Efkan Gökbas Vulnerability via SWF File September 2018 
Kunal Bahl Improper session validation September 2018 
Saubhagya Srivastava Session fixation September 2018 
Kenan GUMUS XSS vulnerability September 2018 
B.Dhiyaneshwaran Directory disclosure September 2018 
Alfie Njeru Insufficient access controls, XSS August 2018
Michael Skelton Sub-domain takeover August 2018
Robbie Wiggins Sub-domain takeover August 2018
Thijs Baart XSS vulnerability August 2018
Sean Roesner XSS vulnerability August 2018
Sam Gilder Web cache poisoning August 2018
Nicolas Francois XSS vulnerability August 2018
Zeeshan Khalid Reflected XSS vulnerability August 2018
Joby John Public Trello Boards August 2018
Christoph Kisfeld XSS vulnerability August 2018
Pedro Cardoso XSS vulnerability August 2018 
Naveen.v Information disclosure August 2018 
Deepak R Pandey Improper Access Control August 2018
Ashutosh Barot Information Disclosure July 2018

2017

Researcher Vulnerability Date

Shwetabh Suman XSS vulnerability February 2017

Information for reporters

Please note that we are currently backfilling this page with reporter information. If you have reported a vulnerability which has been accepted and your details are not here already but you would like them to be, please contact security@bbc.co.uk and include the reference number you were provided with along with the name/handle and a link to a social media account if you wish that to appear here.

The BBC relies on consent to publish the personal information of researchers online. We will include a link to the researchers’ social media profiles, but only if the researcher asks us to do so. The researcher can withdraw their consent at any time by contacting security@bbc.co.uk. For further information about how the BBC processes your personal information including your rights under data protection law, please see the BBC’s privacy policy.

Website links

Please note that we only link to security researcher social media profiles. Our trust model does not enable us to link to other websites. Currently LinkedIn, Twitter and Facebook profile links are accepted. Other social media sites will be reviewed and considered at the point of request.