Acknowledgements
The BBC wishes to thank the following Security Researchers who have participated in our Vulnerability Disclosure Programme
2026
| Researcher | Vulnerability | Date |
| Riski Permana | Insecure Design | Mar 2026 |
| Smaran Chand | Insecure Design | Mar 2026 |
| Shreyash Ghare | Information Disclosure | Mar 2026 |
| Tharun Avula | Insecure Design | Feb 2026 |
| Musa Hamonangan Lubis | Broken Access Control | Feb 2026 |
| Yaswanth Sai Boligarla | Vulnerable and Outdated Components | Jan 2026 |
| Sanjith Roshan U | Information Disclosure | Jan 2026 |
| Musa Hamonangan Lubis | Insecure Design | Jan 2026 |
| Aryan Chougule (COEP Cybercell) | Information Disclosure | Jan 2026 |
2025
| Researcher | Vulnerability | Date |
| Hepin Radadiya | Injection | Dec 2025 |
| Gurudatt Choudhary | Injection | Nov 2025 |
| Ghifari Azhar | Injection | Nov 2025 |
| x24_HAVOC (NEPAL) | Injection | Nov 2025 |
| Musa Hamonangan Lubis | Injection | Nov 2025 |
| Whiterose.svg | Broken Access Control | Oct 2025 |
| Gurudatt Choudhary | Broken Access Control | Oct 2025 |
| Surya Arigela | Security Misconfiguration | Oct 2025 |
| MD KIMIA SADAT | Vulnerable and Outdated Components | Oct 2025 |
| Adhithya S D | Broken Access Control | Oct 2025 |
| x24_HAVOC | Injection | Sept 2025 |
| Sakil Hasan Saikat | Broken Access Control | Sept 2025 |
| Hepin Radadiya | Broken Access Control | Sept 2025 |
| Mihir Pankhawala | Broken Access Control | August 2025 |
| Rohit Yadav (rohsec) | Server-Side Request Forgery (SSRF) | July 2025 |
| Sushil Phuyal (1337mickey) | Injection | July 2025 |
| Miguel Llamazares | Injection | June 2025 |
| Zer0 Ways | Broken Access Control | May 2025 |
| Pranav R Wattamwar | Injection | May 2025 |
| Prabin Joshi | Injection | May 2025 |
| Kanhaiya Sharma | Injection | May 2025 |
| Rajan Kshedal | Injection | May 2025 |
| Rajan Kshedal | Injection | April 2025 |
| Rajan Kshedal | Injection | April 2025 |
| Wren/Blue Wood | Broken Access Control | April 2025 |
| x24_HAVOC ( NEPAL ) | Injection | April 2025 |
| Karthikeyan C | Insecure Design | April 2025 |
| Parth Narula | Insecure Design | April 2025 |
| Ajay Anand CTG | Insecure Design | April 2025 |
| X24_CAIRO (NEPAL) | Injection | April 2025 |
| Varad P Mene | Insecure Design | April 2025 |
| Varad P Mene | Insecure Design | April 2025 |
| SURAJ BHATTARAI (Nepal) | Insecure Design | April 2025 |
| cyberritzzz | Insecure Design | March 2025 |
| cyberritzzz | Insecure Design | March 2025 |
| Gurudatt Choudhary | Insecure Design | March 2025 |
| SURAJ BHATTARAI (Nepal) | Insecure Design | March 2025 |
| Vishal Kumar | Security Misconfiguration | March 2025 |
| Sushil Phuyal (1337mickey) | Injection | March 2025 |
| Sushil Phuyal (1337mickey) | Injection | March 2025 |
| Gurudatt Choudhary | Injection | March 2025 |
| Varad P Mene | Insecure Design | March 2025 |
| Gurudatt Choudhary | Vulnerable and Outdated Components | March 2025 |
| Noor Mohammad Gagguturi | Vulnerable and Outdated Components | February 2025 |
| Atharv Rokade (Lordofheaven) | Insecure Design | February 2025 |
| Siddesh Ningappa | Insecure Design | February 2025 |
| Raman R Mohurle | Insecure Design | February 2025 |
| MPGODMATCH...! | Identification and Authentication Failure | February 2025 |
| defalt47 | Insecure Design | February 2025 |
| SARATHY D | Insecure Design | February 2025 |
| Gurudatt Choudhary | Broken Access Control | February 2025 |
| Varad P Mene | Data Integrity Failure | February 2025 |
| Varad P Mene | Data Integrity Failure | January 2025 |
| Billy Sheppard | Injection | January 2025 |
| Mohammed Nafeed (H4cker Nafeed) | Broken Access Control | January 2025 |
2024
| Researcher | Vulnerability | Date |
| Navreet | Insecure Design | Dec 2024 |
| Raman R Mohurle | Insecure Design | Dec 2024 |
| Gurudatt Choudhary | Vulnerable and Outdated Components | Dec 2024 |
| Arif Dudekula | Vulnerable and Outdated Components | Dec 2024 |
| Renganathan | Insecure Design | Dec 2024 |
| Bikram Kharal(@themarkib) | Security Misconfiguration | Nov 2024 |
| Oum V Zarkar | Insecure Design | Nov 2024 |
| Kasani ShivaTeja | Injection | Nov 2024 |
| Richard Hyunho Im (@richeeta) | Broken Access Control | Nov 2024 |
| Harsh N Navgale | Injection | Nov 2024 |
| Raman R Mohurle | Injection | Nov 2024 |
| Althaf Ashraf | Insecure Design | Oct 2024 |
| Late - Khadananda Phuyal | Injection | Oct 2024 |
| ராஜ்குமார் சண்முகம் (Rajkumar Shanmugam) | Broken Access Control | Oct 2024 |
| Rajkumar Shanmugam | Vulnerable and Outdated Components | Sept 2024 |
| Aashutosh Devkota ( Nepal ) | Insecure Design | August 2024 |
| Bruno Garcia | Injection | August 2024 |
| Chinmaya Rana | Broken Access Control | August 2024 |
| Guilherme Gonçalves | Insecure Design | August 2024 |
| Subhankar Paul | Security Misconfiguration | July 2024 |
| Aadesh Jain | Vulnerable and Outdated Components | July 2024 |
| Kartik Garg | Vulnerable and Outdated Components | July 2024 |
| Karthikeyan V (Cappricio Securities) | Security Misconfiguration | July 2024 |
| Claudio Rizzo | Injection | July 2024 |
| Hritom Bhattacharya | Insecure Design | July 2024 |
| Vaibhav Jain | Injection | June 2024 |
| Omri Inbar | Insecure Design | June 2024 |
| Ariel Rachamim | Insecure Design | June 2024 |
| Vedant Roy | Insecure Design | June 2024 |
| Abhith Damodaran | Injection | May 2024 |
| Vikas Anand (kingcoolvikas) | Security Misconfiguration | May 2024 |
| Rohit Yadav (rohsec) | Broken Access Control | May 2024 |
| Harish | Security Misconfiguration | May 2024 |
| Yash kulkarni | Security Misconfiguration | May 2024 |
| Harsh N Navgale | Sensitive Information Disclosure | May 2024 |
| Sanjith Roshan U | Sensitive Information Disclosure | May 2024 |
| Vikas Anand | Security Misconfiguration | April 2024 |
| Shivam Dhingra | Security Misconfiguration | April 2024 |
| Raman R Mohurle | Security Misconfiguration | April 2024 |
| Pruthu Raut | Sensitive Information Disclosure | April 2024 |
| @karthithehacker | Security Misconfiguration | April 2024 |
| Nikhil Rane | Injection | April 2024 |
| Kartik Garg | Information Disclosure | April 2024 |
| Abid Ahmad | Security Misconfiguration | March 2024 |
| Chinmaya Rana | Insecure Design | March 2024 |
| Anže Jenšterle (CraftByte) | Broken Access Control | March 2024 |
| Anurag Mewar | Information Disclosure | February 2024 |
| Vikas Anand | Security Misconfiguration | February 2024 |
| NITYA NAND JHA(Shunux) | Injection | February 2024 |
| Vinit Lakra | Broken Authentication | February 2024 |
| Soham Lad | Injection | January 2024 |
| Raman R Mohurle | Security Misconfiguration | January 2024 |
2023
| Researcher | Vulnerability | Date |
| Vishak V | Security misconfiguration | Dec 2023 |
| Rajdip Dey Sarkar | Injection | Dec 2023 |
| Brijesh (Redhet) | Insecure Design | Dec 2023 |
| Aditya Singh | Injection | Dec 2023 |
| Noor Mohammad Gagguturi | Injection | Dec 2023 |
| Usman Idris Chougule | Injection | Dec 2023 |
| Mohamed Akees (Sri Lanka) | Injection | Dec 2023 |
| K.Rajesh Sagar | Security Misconfiguration | Dec 2023 |
| Miguel Segovia Gil | Data Integrity | Dec 2023 |
| Vibhor Sharma | Insecure Design | Nov 2023 |
| Yash kulkarni | Broken Access Control | Nov 2023 |
| Yash kulkarni | Broken Access Control | Nov 2023 |
| Yash kulkarni | Insecure Design | Nov 2023 |
| Yash Kulkarni | Broken Access Control | Nov 2023 |
| Abhith Damodaran | Injection | Nov 2023 |
| Mayur Pandya (GDSCPU, Cybertalk) | Insecure Design | Nov 2023 |
| Yash Kulkarni | Broken Access Control | Nov 2023 |
| Mayur Pandya (Parul University, Cybertalk) | Injection | Oct 2023 |
| Mayur Pandya (Parul University, Cybertalk) | Data Integrity | Oct 2023 |
| Mayur Pandya (Parul University, Cybertalk) | Insecure Design | Oct 2023 |
| Yash Kulkarni | Broken Access Control | Oct 2023 |
| white_rose_0101 | Broken Access Control | Oct 2023 |
| Milan Jain | Injection | Oct 2023 |
| Yash Kulkarni | Insecure Design | Oct 2023 |
| Vinit Lakra | Security Misconfiguration | Oct 2023 |
| Shivam Sharma | Injection | Oct 2023 |
| Durvesh Kolhe | Outdated Components | Sept 2023 |
| Brijesh (Redhet) | Injection | Sept 2023 |
| Martin van Wingerden | Security Misconfiguration | Sept 2023 |
| Parag Bagul | Outdated Components | Sept 2023 |
| Nilabh Rajpoot | Outdated Components | Aug 2023 |
| Mohamed Ibrahim | Injection | Aug 2023 |
| Banavath Aravind | Insecure Design | July 2023 |
| Shivam Sharma | Injection | July 2023 |
| Banavath Aravind | Injection | July 2023 |
| Ankit Kapoor | Security Misconfiguration | June 2023 |
| Nasser Hassen Altowairqi | Injection | June 2023 |
| Ramansh Sharma | Broken Access Control | June 2023 |
| Parag Bagul | Outdated Components | June 2023 |
| Ramansh Sharma | Insecure Design | June 2023 |
| Roshan Poudel | Insecure Design | May 2023 |
| Joshua Provoste | Injection | May 2023 |
| Josef Hassan | Outdated Components | May 2023 |
| Ahmed Hassan | Outdated Components | May 2023 |
| M7arm4n | Injection | May 2023 |
| Vedant Shinde | Injection | April 2023 |
| Jose Carlos Exposito Bueno | Security Misconfiguration | April 2023 |
| Ayush Aggarwal | Injection | April 2023 |
| Mohd.Den Compton | Insecure Design | March 2023 |
| Abir Khan Hridoy | Injection | March 2023 |
| Pedro Cardoso | Injection | March 2023 |
| Prial Islam | Insecure Design | March 2023 |
| Siddharth Pasalapudi | Broken Access Control | March 2023 |
| Momen Eldawakhly (Cyber Guy) | Broken Access Control | March 2023 |
| Karthik U.J. | Injection | March 2023 |
| Abdalla Ali | Data Integrity | March 2023 |
| Łukasz Tlałka | Injection | March 2023 |
| Billy Sheppard | Injection | March 2023 |
| Akshay Ravi | Injection | Feb 2023 |
| Pratham Rajgor | Server-Side Request Forgery | Feb 2023 |
| Vijay Mahajan | Server-Side Request Forgery | Jan 2023 |
| Ayush Aggarwal | Injection | Jan 2023 |
| Vedavyasan S | Injection | Jan 2023 |
| Pratham Rajgor | Injection | Jan 2023 |
| Banavath Aravind | Injection | Jan 2023 |
| Billy Sheppard & Petter Olsen | Data Integrity | Jan 2023 |
| Vishal Vishwakarma | Injection | Jan 2023 |
| Benavath Aravind | Broken Access Control | Jan 2023 |
| Sebin Thomas | Injection | Jan 2023 |
2022
| Researcher | Vulnerability | Date |
| Narayanan M | Insecure Design | Dec 2022 |
| Ramansh Sharma | Injection | Dec 2022 |
| Banavath Aravind | Injection | Nov 2022 |
| Milan Jain (scriptkiddie) | Injection | Nov 2022 |
| Banavath Aravind | Data Integrity | Nov 2022 |
| Abdalla Ali | Injection | Oct 2022 |
| Ayush Aggarwal | Injection | Sept 2022 |
| Ahmad Henry Mansour | Injection | Aug 2022 |
| Jeyabalaji | Insecure Design | July 2022 |
| Toby Davenport | Injection | July 2022 |
| Nitesh Singh | Data Integrity | July 2022 |
| Ayush Aggarwal | Injection | July 2022 |
| James Buckley | Broken Access Control | July 2022 |
| Felipe Gabriel Renzi | Data Integrity | Jun 2022 |
| Dzmitry Smaliak | Injection | May 2022 |
| Jordan Glover | Data Integrity | Apr 2022 |
| Alana Witten | Broken Access Control | Mar 2022 |
| Kevin Yehezkiel Gurning | Injection | Mar 2022 |
| Toby Davenport | Insecure Design | Feb 2022 |
| Toby Davenport | Information Disclosure | Jan 2022 |
| Toby Davenport | Information Disclosure | Jan 2022 |
| Vikas Srivastava | Security Misconfiguration | Jan 2022 |
2021
| Researcher | Vulnerability |
Date |
| Ayush Aggarwal | Injection | Dec 2021 |
| Vikas Srivastava | Remote Code Execution | Dec 2021 |
| Crispin JeyaPrakash.A (B1ackHood) | Remote Code Execution | Dec 2021 |
| Ishan Vyas | Remote Code Execution | Nov 2021 |
| Rohit Yadav | Remote Code Execution | Nov 2021 |
| Karthik UJ | Remote Code Execution | Nov 2021 |
| Ai Ho (@j3ssiejjj) | Remote Code Execution | Nov 2021 |
| Mohd.Danish Abid | Data Integrity | Nov 2021 |
| Abhijith A | Data Integrity | Nov 2021 |
| Supras | Server-Side Request Forgery | Oct 2021 |
| Rohit Yadav | Security Misconfiguration | Oct 2021 |
| Pranav K | Security Misconfiguration | Oct 2021 |
| Roshan Poudél | Insecure Design | Oct 2021 |
| Nessim Jerbi (Tunisia) | Insecure Design | Oct 2021 |
| Ayush Aggarwal | Security Misconfiguration | Sept 2021 |
| Momen Ali Eldawakhly (Cyber Guy) | Data Integrity | Aug 2021 |
| Momen Ali Eldawakhly (Cyber Guy) | Broken Access Control | Aug 2021 |
| Momen Ali Eldawakhly (Cyber Guy) | Broken Access Control | Aug 2021 |
| Nourhan Ali Dief (Cyber Girl) | Data Integrity | Aug 2021 |
| Shubham Garg | Injection | Aug 2021 |
| Momen Ali Eldawakhly (Cyber Guy) | Injection | Aug 2021 |
| Momen Ali Eldawakhly (Cyber Guy) | Vulnerable Components | Aug 2021 |
| Nourhan Ali Ibrahim Dief | Data Integrity | Aug 2021 |
| Gourab Sadhukhan | Data Integrity | Aug 2021 |
| Abhijith A | Broken Access Control | Aug 2021 |
| Anirudh Srinivas Balaji | Data Integrity | Aug 2021 |
| Mohit Khemchandani | Data Integrity | Aug 2021 |
| Raajesh.G | Vulnerable Components | Aug 2021 |
| Michele Romano | Injection | Aug 2021 |
| Shubham Garg | Security Misconfiguration | Aug 2021 |
| Jefferson Gonzales (Gonz) | Injection | Aug 2021 |
| Kabeer Saxena | Vulnerable Components | Aug 2021 |
| Prathamesh Surekha Prakash Pawar | Injection | Aug 2021 |
| Nayanjyoti Roy | Security Misconfiguration | July 2021 |
| Abhijeet Sarkar | Insecure Design | July 2021 |
| Roshan Poudél | Insecure Design | July 2021 |
| Rishabh Shrivastava | Data Integrity | July 2021 |
| Roshan Poudél | Insecure Design | July 2021 |
| Kiran Ghimire (From Nepal) | Data Integrity | July 2021 |
| Chandan Rai | Insecure Design | July 2021 |
| Mayank Mukhi | Outdated Components | July 2021 |
| Luca Consolati | Injection | June 2021 |
| Chirag Ketan Prajapati | Injection | June 2021 |
| Ishan Vyas | Injection | June 2021 |
| Sheikh Rishad | Broken Access Control | June 2021 |
| Avdi Zumeray | Broken Access Control | June 2021 |
| Mike Ralphson | Data Integrity | June 2021 |
| Pratik Khalane | Broken Access Control | June 2021 |
| Anirudh Makkar | Broken Access Control | June 2021 |
| Mohamed Abdellatif Jaber | Injection | May 2021 |
| Bartłomiej Bergier | Injection | May 2021 |
| Diego Bernal Adelantado | Security Misconfiguration | May 2021 |
| Enes Saltik | Vulnerable Components | May 2021 |
| Divya Singh | Injection | April 2021 |
| Faiyaz Ahmad | Broken Access Control | April 2021 |
| Roshan Poudél | Vulnerable Components | March 2021 |
| Ai Ho | Data Integrity | March 2021 |
| Satrya Wira Yudha | Insecure Design | March 2021 |
| Ai Ho | Security Misconfiguration | March 2021 |
| Ahmed Elmalky | Data Integrity | March 2021 |
| Bijay Silwal | Injection | March 2021 |
| Eslam Sayed(eslamXxX) | Injection | March 2021 |
| Abhinav Sharma | Security Misconfiguration | March 2021 |
| Ganesh Bagaria | Injection | March 2021 |
| Colin Barr | Security Misconfiguration | March 2021 |
| Buğra Eskici | Security Misconfiguration | February 2021 |
| Bartłomiej Bergier | Injection | February 2021 |
| Harsh Parekh | Data Integrity | February 2021 |
| Enes Saltik | Vulnerable Components | January 2021 |
| Bartłomiej Bergier | Injection | January 2021 |
| 0xblackbird | Data Integrity | January 2021 |
| Nitesh Singh | Injection | January 2021 |
| Erdoğan Yağız Şahin | Security Misconfiguration | January 2021 |
2020
| Researcher | Vulnerability |
Date |
| Osama Khan | Injection | December 2020 |
| Alfred Nirmal | Data Integrity | December 2020 |
| Taha Bıyıklı | Injection | December 2020 |
| Tayfun AKYILDIZ | Injection | December 2020 |
| René de Sain | Injection | November 2020 |
| Tom Smith | Vulnerable Components | November 2020 |
| Alexandar Thangavel | Security Misconfiguration | November 2020 |
| Sourajeet Majumder | Insecure Design | November 2020 |
| Netanel Rubin | Data Integrity | November 2020 |
| Shaun Budding | Injection | November 2020 |
| Pratik Dabhi | Vulnerable Components | November 2020 |
| Brijesh Pandya | Injection | November 2020 |
| Pentest People | Injection | November 2020 |
| Shaikh Yaser Arafat | Vulnerable Components | November 2020 |
| Sanem Sudheendra | Vulnerable Components | November 2020 |
| Gaurav Mishra | Injection | November 2020 |
| Pritam Mukherjee | Injection | November 2020 |
| Parshwa PareshKumar Bhavsar | Injection | October 2020 |
| Azizul Hakim | Insecure Design | October 2020 |
| Kasper Karlsson | Injection | October 2020 |
| Benjamin Barnes (Magna) | Injection | October 2020 |
| Roberto Urbanus | Injection | October 2020 |
| Pritam Dash | Injection | October 2020 |
| Lucio Sá | Injection | October 2020 |
| Suraj Disoja | Injection | October 2020 |
| Bharat (Mr.NOOB) | Multiple Vulnerabilities | October 2020 |
| Nathan Jones | Data Integrity | October 2020 |
| Ed Williams | Insecure Design | October 2020 |
| Junting Zhu | Injection | September 2020 |
| Gal Nagli | Data Integrity | September 2020 |
| Jeya Seelan S | Data Integrity | September 2020 |
| George Omnet | Server side request forgery | September 2020 |
| Devang Karelia | Injection | September 2020 |
| Ashley King | Injection | September 2020 |
| Sumit Grover | Injection | September 2020 |
| Daniel Lidén | Injection | September 2020 |
| Alessandro Christo Rumampuk | Injection | September 2020 |
| Vikas Srivastava, India | Insecure Design | August 2020 |
| d3vpoo1 | Server-Side Request Forgery | August 2020 |
| Keshav Malik | Insecure Design | August 2020 |
| Abhinav P | Data Integrity | August 2020 |
| Gamer7112 | Injection | August 2020 |
| Shivang Trivedi | Data Integrity | August 2020 |
| Tommaso De Ponti | Insecure Design | July 2020 |
| Gourab Sadhukhan | Broken Access Control | July 2020 |
| Prakhar Mittal | Broken Access Control | July 2020 |
| Florian Kunushevci | Data Integrity | July 2020 |
| Parag Dave | Security Misconfiguration | July 2020 |
| Hassan Cypher | Data Integrity | July 2020 |
| Pankaj Kumar Thakur (Nepal) | Injection | July 2020 |
| Prasoon Gupta | Security Misconfiguration | June 2020 |
| Utkarsh Agrawal | Data Integrity | June 2020 |
| Joseph Buta | Data Integrity | June 2020 |
| Sumit Grover | Security Misconfiguration | June 2020 |
| Pethuraj M | Data Integrity | May 2020 |
| Subhamoy Guha | Insecure Design | May 2020 |
| Akash Basnet | Insecure Design | May 2020 |
| Ahmad Halabi | Vulnerable Components | May 2020 |
| Vivek Singh | Security Misconfiguration | April 2020 |
| Anurag Muley | Insecure Design | April 2020 |
| Diego Bernal Adelantado | Injection | April 2020 |
| Lütfü Mert Ceylan | Injection | April 2020 |
| Syed Muhammad Asim | Injection | February 2020 |
| Govind palakkal | Security Misconfiguration | January 2020 |
| Abhaychandra Chede- Tarun Mahour | Data Integrity | January 2020 |
| Noman Shaikh | Injection | January 2020 |
| Mike Ralphson | Data Integrity | January 2020 |
| Conny Dahlgren | Injection | January 2020 |
| Mohamad Mohsin Shekh | Data Integrity | January 2020 |
| Raphael Karger | Injection | January 2020 |
| Robbie Wiggins | Vulnerable Components | January 2020 |
| Nathan Hrncirik | Injection | January 2020 |
| Shivam Pandey | Insecure Design | January 2020 |
2019
| Researcher | Vulnerability |
Date |
| Onkar Sonawane | Data Integrity | December 2019 |
| Darkprincesri | Injection | December 2019 |
| Chippa Vijay Kumar | Injection | December 2019 |
| Alessandro Christo Rumampuk | Injection | November 2019 |
| Sourajeet Majumder | Insecure Design | October 2019 |
| Safak Aslan | Injection | October 2019 |
| Diego Bernal Adelantado | Injection | September 2019 |
| Akhil George | Security Misconfiguration | August 2019 |
| Amey Takekar | Injection | July 2019 |
| Parker Daudt | Injection | May 2019 |
| Tinu Tomy | Injection | May 2019 |
| Wasim Shaikh | Injection | May 2019 |
| Acelakshit verma | Injection | May 2019 |
| Angel Tsvetkov | Injection | April 2019 |
| Pethuraj M | Injection | April 2019 |
| Jayateertha G | Injection | April 2019 |
| Dhrudeep Patel | Injection | March 2019 |
| Wai Yan Aung | Injection | March 2019 |
| Vineet Kumar | Security Misconfiguration | March 2019 |
| Anjali Patil | Injection | March 2019 |
| Ashish Kunwar | Data Integrity | March 2019 |
| EdOverflow | Injection | March 2019 |
| Nathan Mahdavi | Broken Access Control | February 2019 |
| B. Franklin | Security Misconfiguration | February 2019 |
| Nicholas Dine | Injection | February 2019 |
| Anurag Jain | Broken Access Control | January 2019 |
| Damian Schwyrz | Injection | January 2019 |
2018
| Researcher | Vulnerability | Date |
| Dan Kelley | Injection | December 2018 |
| Varun Thorat | Injection | December 2018 |
| Eric Head | Injection | November 2018 |
| Cyberanteater | Injection | November 2018 |
| Avinash Jain | Injection | November 2018 |
| Pranshu Tiwari | Injection | November 2018 |
| Aldo Moreno | Injection | October 2018 |
| Diego Moicano | Injection | October 2018 |
| Trung Nguyen | Security Misconfiguration | October 2018 |
| Hrishikesh Panse | Injection | October 2018 |
| Sébastien Kaul | Security Misconfiguration | October 2018 |
| Richard Strnad | Security Misconfiguration | September 2018 |
| Puneet Kumar Maurya | Security Misconfiguration | September 2018 |
| JubaBaghdad | Injection | September 2018 |
| Dhiraj Mishra | Insecure Design | September 2018 |
| Efkan Gökbas | Data Integrity | September 2018 |
| Kunal Bahl | Insecure Design | September 2018 |
| Saubhagya Srivastava | Insecure Design | September 2018 |
| Kenan GUMUS | Injection | September 2018 |
| B.Dhiyaneshwaran | Data Integrity | September 2018 |
| Alfie Njeru | Broken Access Control | August 2018 |
| Michael Skelton | Security Misconfiguration | August 2018 |
| Robbie Wiggins | Security Misconfiguration | August 2018 |
| Thijs Baart | Injection | August 2018 |
| Sean Roesner | Injection | August 2018 |
| Sam Gilder | Insecure Design | August 2018 |
| Nicolas Francois | Injection | August 2018 |
| Zeeshan Khalid | Injection | August 2018 |
| Joby John | Data Integrity | August 2018 |
| Christoph Kisfeld | Injection | August 2018 |
| Pedro Cardoso | Injection | August 2018 |
| Naveen.v | Data Integrity | August 2018 |
| Deepak R Pandey | Broken Access Control | August 2018 |
| Ashutosh Barot | Data Integrity | July 2018 |
2017
| Researcher | Vulnerability |
Date |
| Shwetabh Suman | Injection | February 2017 |
Information for reporters
Please note that we are currently backfilling this page with reporter information. If you have reported a vulnerability which has been accepted and your details are not here already but you would like them to be, please contact security@bbc.co.uk and include the reference number you were provided with along with the name/handle and a link to a social media account if you wish that to appear here.
The BBC relies on consent to publish the personal information of researchers online. We will include a link to the researchers’ social media profiles, but only if the researcher asks us to do so. The researcher can withdraw their consent at any time by contacting security@bbc.co.uk. For further information about how the BBC processes your personal information including your rights under data protection law, please see the BBC’s privacy policy.
Info: Website links
Website links
Please note that we only link to security researcher social media profiles. Our trust model does not enable us to link to other websites. Currently LinkedIn, Twitter(X), Instagram, Facebook and HackerOne profile links are accepted. Other social media sites will be reviewed and considered at point of request. Mastodon is a de-centralised system and therefore we will reference handles (please ensure you include the @server element), but will not include hyperlinks as we cannot guarantee the safety of the profile being linked to.