Apex has found bugs that, if exploited, would have led to more than $100 billion in losses, earned nearly $1 million in bounties, and currently sits at #1 on the HackerOne Business leaderboard for 2026. A few of its wins:
| Date | Target | Finding | Tags |
|---|---|---|---|
| 09 Apr ’26 | Redacted | A one-wei rounding gift that drained $2.4M from a Solana AMM | critical, defi, solana, rust |
| 22 Mar ’26 | Tessarine | How a single missing string comparison let anyone sign as root | critical, CVE-2026-28144, auth, jose, crypto |
| 14 Feb ’26 | Buildah | The symlink race that turned a Dockerfile into a container escape | high, CVE-2026-15920, container, linux, race, toctou |
| 28 Jan ’26 | Ollama | A DNS rebinding 'almost' on a local AI inference server | medium, CVE-2026-03311, browser, rebinding, localhost |
| 03 Dec ’25 | Stripe | Two JSON parsers that disagreed on the number five | high, webhooks, parser, go |
| 11 Nov ’25 | Redacted | Prototype pollution through a payment descriptor, in 31 characters | critical, node, proto-pollution, fintech |