If you’ve ever taken a computer security class, you’ve probably learned about the three legs of computer security—confidentiality, integrity, and availability—known as the CIA triad. When we talk about a system being secure, that’s what we’re referring to. All are important, but to different degrees in different contexts. In a world populated by artificial intel [...]
PortSwigger's Vision In March, PortSwigger hosted its biggest webinar to date and the turnout spoke volumes. With over 7,500 registrants, it’s clear that the future of application security is top of m [...]
John Kelsey and I wrote a short paper for the Rossfest Festschrift: “Rational Astrologies and Security“: There is another non-security way that designers can spend their security budget: on making their own lives easier. Many of these fall into the category of what has been called rational astrology. First identified by Randy Steve Waldman [Wal12], the term refers to something people t [...]
HackerOne disclosed a bug submitted by avinash_: https://hackerone.com/reports/3000510 - Bounty: $25000 [...]
I have heard stories of more aggressive interrogation of electronic devices at US border crossings. I know a lot about securing computers, but very little about securing phones. Are there easy ways to delete data—files, photos, etc.—on phones so it can’t be recovered? Does resetting a phone to factory defaults erase data, or is it still recoverable? That is, does the reset erase [...]
At PortSwigger, we believe AI has the power to transform penetration testing - not by replacing human testers, but by augmenting them. With the release of Burp Suite Professional 2025.2, we’re introdu [...]
Despite advancements in API security, access control vulnerabilities, such as broken object-level authentication (BOLA) and broken function-level authentication (BFLA), remain almost impossible to detect. This blog will explore why these vulnerabilities are so difficult to detect, the limitations of current security tools, and the implications for businesses relying on API-driven applications [...]
US National Security Advisor Mike Waltz, who started the now-infamous group chat coordinating a US attack against the Yemen-based Houthis on March 15, is seemingly now suggesting that the secure messaging service Signal has security vulnerabilities. "I didn’t see this loser in the group," Waltz told Fox News about Atlantic editor in chief Jeffrey Goldberg, whom Waltz invited to the [...]
“Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.” -U.S. Constitution, First Amendment. Image: Shutterstock, zimmytws. In an address to Congress this month, Preside [...]
In another rare squid/cybersecurity intersection, APT37 is also known as “Squid Werewolf.” As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. [...]
Informatica disclosed a bug submitted by growler09: https://hackerone.com/reports/2583500 [...]
This is a truly fascinating paper: “Trusted Machine Learning Models Unlock Private Inference for Problems Currently Infeasible with Cryptography.” The basic idea is that AIs can act as trusted third parties: Abstract: We often interact with untrusted parties. Prioritization of privacy can limit the effectiveness of these interactions, as achieving certain goals necessitates sharing pr [...]
Learn how the Next.js middleware authorization bypass vulnerability works, and how to detect and remediate it. [...]
Posted by Chrome Root Program, Chrome Security Team The Chrome Root Program launched in 2022 as part of Google’s ongoing commitment to upholding secure and reliable network connections in Chrome. We previously described how the Chrome Root Program keeps users safe, and described how the program is focused on promoting technologies and practices that strengthen the underlying security assurances [...]
Hemi VDP disclosed a bug submitted by aaravhex: https://hackerone.com/reports/2991326 [...]
Many successful phishing attacks result in a financial loss or malware infection. But falling for some phishing scams, like those currently targeting Russians searching online for organizations that are fighting the Kremlin war machine, can cost you your freedom or your life. The real website of the Ukrainian paramilitary group “Freedom of Russia” legion. The text has been machine-tran [...]
Shopify disclosed a bug submitted by ooooooo_q: https://hackerone.com/reports/2279572 - Bounty: $800 [...]
NIST just released a comprehensive taxonomy of adversarial machine learning attacks and countermeasures. [...]
Posted by Christiaan Brand, Group Product ManagerWe’re excited to announce that starting today, Titan Security Keys are available for purchase in more than 10 new countries:IrelandPortugalThe NetherlandsDenmarkNorwaySwedenFinlandAustraliaNew ZealandSingaporePuerto RicoThis expansion means Titan Security Keys are now available in 22 markets, including previously announced countries like Austria, Be [...]
Modern organizations are becoming increasingly reliant on agentic AI, and for good reason: AI agents can dramatically improve efficiency and automate mission-critical functions like customer support, sales, operations, and even security. However, this deep integration into business processes introduces risks that, without proper API security, can compromise sensitive data and decision-making. [...]
Cloudflare has a new feature—available to free users as well—that uses AI to generate random pages to feed to AI web crawlers: Instead of simply blocking bots, Cloudflare’s new system lures them into a “maze” of realistic-looking but irrelevant pages, wasting the crawler’s computing resources. The approach is a notable shift from the standard block-and-defend st [...]
Brave Software disclosed a bug submitted by canalun: https://hackerone.com/reports/2958097 - Bounty: $100 [...]
Citizen Lab has a new report on Paragon’s spyware: Key Findings: Introducing Paragon Solutions. Paragon Solutions was founded in Israel in 2019 and sells spyware called Graphite. The company differentiates itself by claiming it has safeguards to prevent the kinds of spyware abuses that NSO Group and other vendors are notorious for. Infrastructure Analysis of Paragon Spyware. Based on a tip [...]
The Intigriti team have recently observed an abuse scenario, trending across the industry, where malicious actors are posing as legitimate white-hat hackers, deceiving targeted companies into believing their actions are carried out in good faith. Bad actors will always try to exploit the system, in any industry, for personal gain. At Intigriti, we help customers navigate this l… [...]
So, you've found a valid security vulnerability in one of your bug bounty programs, now it's time to write the report. Finding the vulnerability was half the story. Writing effective reports is also an essential phase in bug bounty. Clear, well-written, and to-the-point bug bounty reports often get triaged faster and have more chance of getting well received by companies. In th… [...]
Imagine trying to disable a malicious user in your Azure environment, only to find it can't be modified! We recently identified a timing-based bug in Entra ID's restricted administrative units (AUs) that could have allowed just this scenario to occur. [...]
Learn how the Kubernetes Ingress NGINX Controller vulnerabilities work, how to detect and remediate them. [...]
AWS VDP disclosed a bug submitted by nick_frichette_dd: https://hackerone.com/reports/3022516 [...]
Autodesk disclosed a bug submitted by yunxohang: https://hackerone.com/reports/3035275 [...]
Last month, I wrote about the UK forcing Apple to break its Advanced Data Protection encryption in iCloud. More recently, both Sweden and France are contemplating mandating backdoors. Both initiatives are attempting to scare people into supporting backdoors, which are—of course—are terrible idea. Also: “A Feminist Argument Against Weakening Encryption.” [...]
Trendyol disclosed a bug submitted by samark19: https://hackerone.com/reports/2917062 [...]
Authorities in at least two U.S. states last week independently announced arrests of Chinese nationals accused of perpetrating a novel form of tap-to-pay fraud using mobile devices. Details released by authorities so far indicate the mobile wallets being used by the scammers were created through online phishing scams, and that the accused were relying on a custom Android app to relay tap-to-pay tr [...]
Shopify disclosed a bug submitted by samux: https://hackerone.com/reports/1457471 [...]
A message posted on Monday to the homepage of the U.S. Cybersecurity & Infrastructure Security Agency (CISA) is the latest exhibit in the Trump administration’s continued disregard for basic cybersecurity protections. The message instructed recently-fired CISA employees to get in touch so they can be rehired and then immediately placed on leave, asking employees to send their Social Secu [...]
Most organizations are using AI in some way today, whether they know it or not. Some are merely beginning to experiment with it, using tools like chatbots. Others, however, have integrated agentic AI directly into their business procedures and APIs. While both types of organizations are undoubtedly realizing remarkable productivity and efficiency benefits, they may not know they are putting thems [...]
Autodesk disclosed a bug submitted by metereorpreter: https://hackerone.com/reports/3024673 [...]
Autodesk disclosed a bug submitted by khoof: https://hackerone.com/reports/2965143 [...]
Posted by Rex Pan and Xueqin Cui, Google Open Source Security TeamIn December 2022, we released the open source OSV-Scanner tool, and earlier this year, we open sourced OSV-SCALIBR. OSV-Scanner and OSV-SCALIBR, together with OSV.dev are components of an open platform for managing vulnerability metadata and enabling simple and accurate matching and remediation of known vulnerabilities. Our goal is [...]
Nextcloud disclosed a bug submitted by vulnerability_is_here: https://hackerone.com/reports/2946927 [...]
A clever malware deployment scheme first spotted in targeted attacks last year has now gone mainstream. In this scam, dubbed “ClickFix,” the visitor to a hacked or malicious website is asked to distinguish themselves from bots by pressing a combination of keyboard keys that causes Microsoft Windows to download password-stealing malware. ClickFix attacks mimic the “Verify You are [...]
Drugs.com disclosed a bug submitted by dedoxd2: https://hackerone.com/reports/2885636 [...]
Autodesk disclosed a bug submitted by the-white-evil: https://hackerone.com/reports/2971572 [...]
A devastating new remote code execution (RCE) vulnerability, CVE-2025-24813, is now actively exploited in the wild. Attackers need just one PUT API request to take over vulnerable Apache Tomcat servers. The exploit, originally published by a Chinese forum user iSee857, is already available online: CVE-2025-24813 PoC by iSee857. Exploit Breakdown: How a Simple PUT Request Leads to Full RCE This att [...]
Hey hackers, Each month, we team up with bug bounty experts to bring you insights, platform updates, new programs, and upcoming community events—all to help you find more bugs! Product updates New Feature: Gain Deeper Insights into Researcher Activity We're excited to introduce a new way for researchers to gain valuable insights into their time allocation across different domai… [...]
MercadoLibre disclosed a bug submitted by elmago: https://hackerone.com/reports/1955485 [...]
HackerOne disclosed a bug submitted by sarthakbhingare015: https://hackerone.com/reports/2553026 [...]
PortSwigger Web Security disclosed a bug submitted by floyd: https://hackerone.com/reports/2733994 - Bounty: $200 [...]
Security is a team sport. Whether you're a pentester, bug bounty hunter, student, or just love breaking (and fixing) things, our field thrives on shared knowledge, collaboration, and support. We want [...]
Why is the retail industry being targeted? Large-scale operations and the extensive attack surface of the retail industry render it particularly susceptible to cybercrime, on a global scale. Websites, mobile apps, and company programs create numerous entry points for malicious actors. The high volume of payment transactions and financial incentives of successful attacks present… [...]
Why now? Artificial intelligence is rapidly transforming industries, and security testing is no exception. At PortSwigger, we’ve always been driven by innovation, but we don’t chase trends for the sak [...]