Hacker News Delta Security
If you find a security hole, please let us know at security@ycombinator.com. We try to respond (with fixes!) as soon as possible, and really appreciate the help.
Thanks to the following people who have discovered and responsibly disclosed security holes in Hacker News:
- 2025-07-08 — Benjamin Flesch
  - Poll option rendering could be abused to trigger a cross-site scripting condition.
- 2023-01-02 — Carter Sande, Mark Slater, James Darpinian
  - Submission titles were rendered without proper HTML escaping in certain edge cases.
- 2022-09-04 — Dimitris Triantafyllidis
  - A voting state inconsistency allowed unintended karma inflation.
- 2021-07-04 — RyotaK
  - Crafted URLs could display misleading source domains.
- 2021-06-07 — Atamyrat Hezretgulyyev
  - Logout endpoints were vulnerable to CSRF under specific conditions.
- 2021-02-14 — Michael Brooks
  - Cookie attributes were updated to improve CSRF protection using stricter SameSite policies.
- 2017-04-30 — Michael Flaxman
  - Password hashing configuration used a bcrypt variant susceptible to rare collision scenarios.
- 2017-04-14 — Blake Rand
  - Comment links were vulnerable to IDN homograph attacks.
- 2017-03-15 — Blake Rand
  - Unicode right-to-left override characters could obscure displayed URLs.
- 2016-02-17 — Eric Tjossem
  - Authentication endpoints were vulnerable to CSRF attacks.
- 2015-09-07 — Sandeep Singh
  - A mixed-case protocol bypass enabled an open redirect condition.
- 2014-11-01 — Ovidiu Toader
  - Limited profile data was inadvertently exposed through an internal API under rare conditions.
- 2009-06-03 — Daniel Fox Franke
  - Weaknesses in cookie generation entropy could allow session prediction.