The 2026 US “Cyber Strategy for America” document is mostly the same thing we’ve seen out of the White House for over a decade, but with a more aggressive tone. But one sentence stood out: “We will unleash the private sector by creating incentives to identify and disrupt adversary networks and scale our national capabilities.” This sounds like a call for hackback: giv [...]
Code coverage is one of the most dangerous quality metrics in software testing. Many developers fail to realize that code coverage lies by omission: it measures execution, not verification. Test suites with high coverage can obfuscate the fact that critical functionality is untested as software develops over time. We saw this when mutation testing uncovered a high-severity Arkis protocol vulnerabi [...]
Last week, I listened to a fascinating talk by K. Melton on cognitive security, cognitive hacking, and reality pentesting. The slides from the talk are here, but—even better—Menton has a long essay laying out the basic concepts and ideas. The whole thing is important and well worth reading, and I hesitate to excerpt. Here’s a taste: The NeuroCompiler is where raw sensory data get [...]
In March 2026, we ran BugQuest, a 31-day campaign covering everything you need to know about finding and exploiting broken access control vulnerabilities. From understanding the basics of authentication and authorization to spotting subtle authorization bypasses in real code, we broke down one of the most critical vulnerability classes in modern web applications. Broken access controls have consis [...]
curl disclosed a bug submitted by whitehat411: https://hackerone.com/reports/3639277 [...]
curl disclosed a bug submitted by h3xb1tx: https://hackerone.com/reports/3638715 [...]
Posted by Dirk Göhmann, Tony Mendez, and the Vulnerability Rewards Program Team2025 marked a special year in the history of vulnerability rewards and bug bounty programs at Google: our 15th anniversary 🎉🎉🎉! Originally started in 2010, our vulnerability reward program (VRP) has seen constant additions and expansions over the past decade and a half, clearly indicating the value the programs under [...]
Sony disclosed a bug submitted by resurrect20: https://hackerone.com/reports/3355766 [...]
Nextcloud disclosed a bug submitted by eclipse07077: https://hackerone.com/reports/3479692 [...]
Charles Bennett and Gilles Brassard have won the 2026 Turing Award for inventing quantum cryptography. I am incredibly pleased to see them get this recognition. I have always thought the technology to be fantastic, even though I think it’s largely unnecessary. I wrote up my thoughts back in 2008, in an essay titled “Quantum Cryptography: As Awesome As It Is Pointless.” Back then, [...]
This post is adapted from a talk I gave at [un]prompted, the AI security practitioner conference. Thanks to Gadi Evron for inviting me to speak. You can watch the recorded presentation below or download the slides. Most companies hand out ChatGPT licenses and wait for the productivity numbers to move. We built a system instead. A year ago, about 5% of Trail of Bits was on board with our AI initiat [...]
curl disclosed a bug submitted by ankitsingh131225: https://hackerone.com/reports/3636244 [...]
curl disclosed a bug submitted by m42kl33: https://hackerone.com/reports/3636044 [...]
curl disclosed a bug submitted by ok3y: https://hackerone.com/reports/3632427 [...]
arkadiyt-projects disclosed a bug submitted by tipsen: https://hackerone.com/reports/3634400 [...]
arkadiyt-projects disclosed a bug submitted by tipsen: https://hackerone.com/reports/3634571 [...]
An attacker hijacked an axios maintainer's npm account to publish malicious releases that deliver a cross-platform RAT. [...]
Node.js disclosed a bug submitted by sharp_edged: https://hackerone.com/reports/3511792 [...]
Node.js disclosed a bug submitted by stif: https://hackerone.com/reports/3480841 [...]
Node.js disclosed a bug submitted by x_probe: https://hackerone.com/reports/3533945 [...]
Node.js disclosed a bug submitted by xavlimsg: https://hackerone.com/reports/3559715 [...]
Node.js disclosed a bug submitted by yushengchen: https://hackerone.com/reports/3560402 [...]
Node.js disclosed a bug submitted by wooseokdotkim: https://hackerone.com/reports/3449392 [...]
Node.js disclosed a bug submitted by galbarnahum: https://hackerone.com/reports/3531737 [...]
Dimitris Georgiou has been a self-professed computer geek since the early 80s. At university, he studied the convergence of educational technology with computer science as part of his psychology MA – finding, to his disbelief, that systems were perilously insecure. Since then, he’s always worked in and around cybersecurity. He’s had roles as a computer science teacher, a technology manager, a [...]
A thoughtful review of Apple’s system to alert users that the camera is on. It’s really well-designed, and important in a world where malware could surreptitiously start recording. The reason it’s tempting to think that a dedicated camera indicator light is more secure than an on-display indicator is the fact that hardware is generally more secure than software, because it’ [...]
curl disclosed a bug submitted by sakthi02_sk: https://hackerone.com/reports/3633534 [...]
curl disclosed a bug submitted by xkiluar: https://hackerone.com/reports/3630310 [...]
The Hawaiian bobtail squid has bioluminescent bacteria. [...]
Tucows (VDP) disclosed a bug submitted by 2026: https://hackerone.com/reports/3523703 [...]
passhash disclosed a bug submitted by sinic: https://hackerone.com/reports/2441029 [...]
passhash disclosed a bug submitted by sinic: https://hackerone.com/reports/2439734 [...]
Hello hackers, Welcome to the latest edition of Bug Bytes! In this month’s issue, we’ll be featuring: Earning $180K via SSRFs Free Burp Suite Pro licenses for top hackers Bypassing tricky file upload restrictions Injecting malicious code into AI coding assistants And so much more! Let’s dive in! New: PortSwigger collaboration with Intigriti We've teamed up with PortSwigger to reward high-p [...]
A look at how Kubernetes CVE-2020-8561 works [...]
Node.js disclosed a bug submitted by rafaelgss: https://hackerone.com/reports/3546390 [...]
In December, the Trump administration signed an executive order that neutered states’ ability to regulate AI by ordering his administration to both sue and withhold funds from states that try to do so. This action pointedly supported industry lobbyists keen to avoid any constraints and consequences on their deployment of AI, while undermining the efforts of consumers, advocates, and industry [...]
RubyGems disclosed a bug submitted by 6b_jjj: https://hackerone.com/reports/3542546 [...]
curl disclosed a bug submitted by wizard021: https://hackerone.com/reports/3611825 [...]
curl disclosed a bug submitted by ankitsingh_76: https://hackerone.com/reports/3627638 [...]
curl disclosed a bug submitted by 3lcarry: https://hackerone.com/reports/3623064 [...]
Posted by Eric Lynch, Product Manager, Android and Dom Elliott, Group Product Manager, Google Play Modern digital security is at a turning point. We are on the threshold of using quantum computers to solve "impossible" problems in drug discovery, materials science, and energy—tasks that even the most powerful classical supercomputers cannot handle. However, the same unique ability to consider di [...]
Sen. Ron Wyden is warning us of an abuse of Section 702: Wyden took to the Senate floor to deliver a lengthy speech, ostensibly about the since approved (with support of many Democrats) nomination of Joshua Rudd to lead the NSA. Wyden was protesting that nomination, but in the context of Rudd being unwilling to agree to basic constitutional limitations on NSA surveillance. But that’s just a [...]
We’re releasing a new Claude plugin for developing and auditing code that implements dimensional analysis, a technique we explored in our most recent blog post. Most LLM-based security skills ask the model to find bugs. Our new dimensional-analysis plugin for Claude Code takes a different approach: it uses the LLM to annotate your codebase with dimensional types, then flags mismatches mechanically [...]
curl disclosed a bug submitted by tynus: https://hackerone.com/reports/3617719 [...]
At Intigriti, we host monthly web-based Capture The Flag (CTF) challenges as a way to engage with the security researcher community. This month's challenge, brought forward by Kulindu, presented us with a Secure Search Portal that, on the surface, appeared to be well protected. A strict Content Security Policy and DOMPurify sanitization gave the impression that this month's task of executing an XS [...]
IBM disclosed a bug submitted by bugmithalchemist: https://hackerone.com/reports/3592387 [...]
Japan’s election last month and the rise of the country’s newest and most innovative political party, Team Mirai, illustrates the viability of a different way to do politics. In this model, technology is used to make democratic processes stronger, instead of undermining them. It is harnessed to root out corruption, instead of serving as a cash cow for campaign donations. Imagine an election where [...]
Using dimensional analysis, you can categorically rule out a whole category of logic and arithmetic bugs that plague DeFi formulas. No code changes required, just better reasoning! One of the first lessons in physics is learning to think in terms of dimensions. Physicists can often spot a flawed formula in seconds just by checking whether the dimensions make sense. I once had a teacher who even ke [...]
LinkedIn disclosed a bug submitted by riadalrashed: https://hackerone.com/reports/3604288 [...]
What you will learn How vulnerability disclosure applies specifically to AI safeguards and systems. The pros and cons of making AI disclosure programs more open/restricted. The kinds of incentives that motivate researchers. Which disclosure program structures can help organizations improve their AI security. In a recent NCSC blog post on adapting vulnerability disclosure for AI safeguards, [...]
On March 24 and 27, 2026, malicious PyPI releases of LiteLLM and Telnyx were published as part of the TeamPCP supply chain campaign. We trace the full campaign from Trivy through npm, Checkmarx, and into PyPI. [...]
A financially motivated data theft and extortion group is attempting to inject itself into the Iran war, unleashing a worm that spreads through poorly secured cloud services and wipes data on infected systems that use Iran’s time zone or have Farsi set as the default language. Experts say the wiper campaign against Iran materialized this past weekend and came from a relatively new cybercrime [...]
It’s an impressive feat, over a decade after the box was released: Since reset glitching wasn’t possible, Gaasedelen thought some voltage glitching could do the trick. So, instead of tinkering with the system rest pin(s) the hacker targeted the momentary collapse of the CPU voltage rail. This was quite a feat, as Gaasedelen couldn’t ‘see’ into the Xbox One, so had to [...]
The population needs better conservation. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy. [...]
Python Cryptographic Authority disclosed a bug submitted by uv3doble: https://hackerone.com/reports/3558277 [...]
Mozilla disclosed a bug submitted by adilnbabras: https://hackerone.com/reports/3025797 [...]
curl disclosed a bug submitted by zoroo2: https://hackerone.com/reports/3612891 [...]
The U.S. Justice Department joined authorities in Canada and Germany in dismantling the online infrastructure behind four highly disruptive botnets that compromised more than three million Internet of Things (IoT) devices, such as routers and web cameras. The feds say the four botnets — named Aisuru, Kimwolf, JackSkid and Mossad — are responsible for a series of recent record-smashing [...]
Broken access control vulnerabilities have consistently remained at the top of the OWASP Top 10, and for a good reason. As web applications continue to grow in complexity, with the introduction of role-based access controls, multi-tenant support, and granular permission models, the likelihood of access control flaws increases significantly. Unlike other vulnerability classes that often rely on ins [...]
GitHub disclosed a bug submitted by ahacker1: https://hackerone.com/reports/3527771 [...]
GitHub disclosed a bug submitted by s3rdz0: https://hackerone.com/reports/3522254 [...]
HackerOne disclosed a bug submitted by theokeen: https://hackerone.com/reports/3378540 [...]
curl disclosed a bug submitted by lg_oled77c5pua: https://hackerone.com/reports/3609505 [...]
curl disclosed a bug submitted by am-perip: https://hackerone.com/reports/3608522 [...]
LinkedIn disclosed a bug submitted by dphoeniixx: https://hackerone.com/reports/3475626 [...]
Lovable VDP disclosed a bug submitted by ziadmomen: https://hackerone.com/reports/3591764 [...]
curl disclosed a bug submitted by tavro: https://hackerone.com/reports/3603300 [...]
Basecamp disclosed a bug submitted by perxibes: https://hackerone.com/reports/3467641 - Bounty: $100 [...]
Note: This is a guest post by pentester Julen Garrido Estévez (@b3xal). 1. Acknowledgements 2. Intro 3. Required tools 4. Strategy to solve/exploit the lab 5. Detecting 0.CL 5.1. Practical confirmatio [...]
Consensys disclosed a bug submitted by aszx87410: https://hackerone.com/reports/3507241 [...]
IBM disclosed a bug submitted by cr3ckerxploit: https://hackerone.com/reports/3578842 [...]
curl disclosed a bug submitted by henriqueg: https://hackerone.com/reports/3598444 [...]
curl disclosed a bug submitted by otiscui: https://hackerone.com/reports/3598358 [...]
Register for the webinar: Burp Suite DAST x Burp Suite Professional: Better Together (Thursday, March 19 2026 16:00 UTC) I'm a firm believer that if you want to understand how secure an application re [...]
Your board wants AI. Your developers are building with it. Your budget committee is asking for an ROI timeline. But as CISO, you're the one who has to answer when the inevitable question comes up: "How do we know this is secure?" If you're like most security leaders, you're caught between two impossible positions. Say yes to AI initiatives without proper security controls, and you're responsib [...]
Lovable VDP disclosed a bug submitted by marioniangi: https://hackerone.com/reports/3599248 [...]
Ethical hacking, often via Bug Bounty Programs or VDPs, operates within defined frameworks. These include a community Code of Conduct (CoC), setting program Rules of Engagement (RoE), and clarifying platform Terms of Service (ToS). Companies that invest in proactive security need to understand what these terms mean and the function they play in maintaining a secure and compliant program. The chall [...]
curl disclosed a bug submitted by m777m0: https://hackerone.com/reports/3597359 [...]
A hacktivist group with links to Iran’s intelligence agencies is claiming responsibility for a data-wiping attack against Stryker, a global medical technology company based in Michigan. News reports out of Ireland, Stryker’s largest hub outside of the United States, said the company sent home more than 5,000 workers there today. Meanwhile, a voicemail message at Stryker’s main U. [...]
AI systems are no longer just isolated models responding to human prompts. In modern production environments, they are increasingly chained together – delegating tasks, calling tools, and coordinating decisions with limited or no human oversight. Almost all that communication happens through APIs. This shift offers enormous productivity benefits. But it has also complicated secu [...]
Account abstraction transforms fixed “private key can do anything” models into programmable systems that enable batching, recovery and spending limits, and flexible gas payment. But that programmability introduces risks: a single bug can be as catastrophic as leaking a private key. After auditing dozens of ERC‑4337 smart accounts, we’ve identified six vulnerability patterns that frequently appear. [...]
At PortSwigger, we’re always looking for ways to enable the world to secure the web, and today we’re excited to take that mission a step further. We’re pleased to announce a new collaboration bringing [...]
curl disclosed a bug submitted by rat5ak: https://hackerone.com/reports/3591944 [...]
curl disclosed a bug submitted by nobcoder: https://hackerone.com/reports/3584903 [...]
curl disclosed a bug submitted by spectreglobalsec: https://hackerone.com/reports/3583983 [...]
Microsoft Corp. today pushed security updates to fix at least 77 vulnerabilities in its Windows operating systems and other software. There are no pressing “zero-day” flaws this month (compared to February’s five zero-day treat), but as usual some patches may deserve more rapid attention from organizations using Windows. Here are a few highlights from this month’s Patch Tue [...]
Intigriti and PortSwigger collaborate to reward hard-working hackers Best known as the creator of Burp Suite, the industry-standard toolkit for manual web application security testing, PortSwigger is a UK-based cybersecurity company on a mission to help the world secure the web. Today, their tools are trusted by over 20,000 organizations worldwide to detect and prevent cyber threats. To further su [...]
curl disclosed a bug submitted by sabari_n: https://hackerone.com/reports/3595753 [...]
curl disclosed a bug submitted by sabari_n: https://hackerone.com/reports/3595764 [...]
During research, we sometimes encounter scenarios that remind us that it's a good idea to trust but verify. In September 2025, we noticed that certain Microsoft Copilot Studio agent settings did not log certain administrative actions related to sharing, authentication, logging, and publication of Copilot Studio agents. [...]
AWS VDP disclosed a bug submitted by locus-x64: https://hackerone.com/reports/3557138 [...]
Lovable VDP disclosed a bug submitted by hossam25: https://hackerone.com/reports/3370430 [...]
curl disclosed a bug submitted by brewm4ster: https://hackerone.com/reports/3584491 [...]
Datadog Security Research identified an active adversary-in-the-middle (AiTM) phishing campaign targeting AWS Console credentials via typosquatted domains that mimic AWS infrastructure. [...]
AI-based assistants or “agents” — autonomous programs that have access to the user’s computer, files, online services and can automate virtually any task — are growing in popularity with developers and IT workers. But as so many eyebrow-raising headlines over the past few weeks have shown, these powerful and assertive new tools are rapidly shifting the security priori [...]
curl disclosed a bug submitted by y_security: https://hackerone.com/reports/3584865 [...]
Kubernetes disclosed a bug submitted by fisjkars: https://hackerone.com/reports/2701701 [...]
LinkedIn disclosed a bug submitted by safehacker_2715: https://hackerone.com/reports/1734639 [...]
LinkedIn disclosed a bug submitted by riadalrashed: https://hackerone.com/reports/2339192 [...]
Lovable VDP disclosed a bug submitted by jdc94: https://hackerone.com/reports/3581815 [...]