Beautiful photo. Difficult to capture, this mysterious, squid-shaped interstellar cloud spans nearly three full moons in planet Earth’s sky. Discovered in 2011 by French astro-imager Nicolas Outters, the Squid Nebula’s bipolar shape is distinguished here by the telltale blue emission from doubly ionized oxygen atoms. Though apparently surrounded by the reddish hydrogen emission region [...]
1Password - Enterprise Password Manager disclosed a bug submitted by sudosu001: https://hackerone.com/reports/2923061 [...]
The Chinese have a new tool called Massistant. Massistant is the presumed successor to Chinese forensics tool, “MFSocket”, reported in 2019 and attributed to publicly traded cybersecurity company, Meiya Pico. The forensics tool works in tandem with a corresponding desktop software. Massistant gains access to device GPS location data, SMS messages, images, audio, contacts and phone se [...]
The release of Bitchat last week was met with a mixture of glowing praise and sharp criticism. Both extremes bear some truth, but they also miss the mark and reveal gaps in how we discuss security in emerging products. [...]
Security researchers recently revealed that the personal information of millions of people who applied for jobs at McDonald’s was exposed after they guessed the password (“123456”) for the fast food chain’s account at Paradox.ai, a company that makes artificial intelligence based hiring chatbots used by many Fortune 500 firms. Paradox.ai said the security oversight was an i [...]
HackerOne disclosed a bug submitted by boy_child_: https://hackerone.com/reports/3178999 [...]
The ICEBlock tool has vulnerabilities: The developer of ICEBlock, an iOS app for anonymously reporting sightings of US Immigration and Customs Enforcement (ICE) officials, promises that it “ensures user privacy by storing no personal data.” But that claim has come under scrutiny. ICEBlock creator Joshua Aaron has been accused of making false promises regarding user anonymity and privac [...]
Every inline deployment introduces a tradeoff: enhanced inspection versus increased risk of downtime. Inline protection is important, especially for APIs, which are now the most targeted attack surface, but so is consistent uptime and performance. This is where a fail-open architecture comes in. This Wallarm How-To blog outlines how to deploy Wallarm’s Security Edge platform on Azure usi [...]
MainWP disclosed a bug submitted by rishail01: https://hackerone.com/reports/3185205 - Bounty: $50 [...]
MainWP disclosed a bug submitted by rishail01: https://hackerone.com/reports/3181803 - Bounty: $50 [...]
MainWP disclosed a bug submitted by rishail01: https://hackerone.com/reports/3179138 - Bounty: $50 [...]
MainWP disclosed a bug submitted by rishail01: https://hackerone.com/reports/3176981 - Bounty: $50 [...]
Seems like an old system system that predates any care about security: The flaw has to do with the protocol used in a train system known as the End-of-Train and Head-of-Train. A Flashing Rear End Device (FRED), also known as an End-of-Train (EOT) device, is attached to the back of a train and sends data via radio signals to a corresponding device in the locomotive called the Head-of-Train (HOT). C [...]
Weblate disclosed a bug submitted by micael1: https://hackerone.com/reports/3179850 [...]
Backdooring Microsoft's applications is far from over. Adding service principal credentials to these apps to escalate privileges and obfuscate activities has been seen in nation-state attacks, and led to the development of new security controls. Despite these efforts, we uncovered a vulnerable, built-in SP that could have allowed escalation from Application Administrator to any hybrid tenant user, [...]
Node.js disclosed a bug submitted by sharp_edged: https://hackerone.com/reports/3131758 [...]
Node.js disclosed a bug submitted by oblivionsage: https://hackerone.com/reports/3160912 [...]
Marko Elez, a 25-year-old employee at Elon Musk’s Department of Government Efficiency (DOGE), has been granted access to sensitive databases at the U.S. Social Security Administration, the Treasury and Justice departments, and the Department of Homeland Security. So it should fill all Americans with a deep sense of confidence to learn that Mr. Elez over the weekend inadvertently published a [...]
For security leaders protecting fast-growing organizations, the pressure is on to identify vulnerabilities before threat actors do. Continuously testing environments, cost-effectively and at scale, is a significant challenge. This is where bug bounty programs are reshaping the security landscape for CISOs, IT directors, and product security leads. If you are ready to move bey… [...]
HackerOne disclosed a bug submitted by mrmax4o4: https://hackerone.com/reports/1577940 [...]
The Cambridge Cybercrime Conference was held on 23 June. Summaries of the presentations are here. [...]
Shifting security left promises faster, safer software delivery - but for many teams, that promise is undercut by painful scan performance, false positives, and pipeline friction. In our recent webina [...]
curl disclosed a bug submitted by tryhackplanet: https://hackerone.com/reports/3250490 [...]
WakaTime disclosed a bug submitted by ctrl_cipher: https://hackerone.com/reports/3248712 [...]
Innovating cyber defense by tapping global expertise With an expanding threat landscape, a surge in AI-driven products, and a commitment to innovation, NVIDIA is enhancing cybersecurity with a proactive approach by tapping into the global security researcher community. The Intigriti community includes over 125,000 ethical hackers, equipped to test mission-critical AI infrastruc… [...]
A look at how PKI configuration in Kubernetes clusters works [...]
curl disclosed a bug submitted by tryhackplanet: https://hackerone.com/reports/3250117 [...]
MainWP disclosed a bug submitted by rishail01: https://hackerone.com/reports/3181802 - Bounty: $50 [...]
curl disclosed a bug submitted by youssef111: https://hackerone.com/reports/3249936 [...]
Bug bounty hunters who spend time in content discovery and reconnaissance are always rewarded well for their efforts, as they often come across untested and hidden assets or endpoints. GitHub dorking is another way to leverage public search engines to discover hidden assets, endpoints and even secrets to increase your chances of finding vulnerabilities. This article is a guide … [...]
Khan Academy disclosed a bug submitted by a0xtrojan: https://hackerone.com/reports/3099978 [...]
New research: One reason the early years of squids has been such a mystery is because squids’ lack of hard shells made their fossils hard to come by. Undeterred, the team instead focused on finding ancient squid beaks—hard mouthparts with high fossilization potential that could help the team figure out how squids evolved. With that in mind, the team developed an advanced fossil discove [...]
Long article on the difficulty (impossibility?) of human spying in the age of ubiquitous digital surveillance. [...]
curl disclosed a bug submitted by monkey_dee: https://hackerone.com/reports/3246519 [...]
Authorities in the United Kingdom this week arrested four people aged 17 to 20 in connection with recent data theft and extortion attacks against the retailers Marks & Spencer and Harrods, and the British food retailer Co-op Group. The breaches have been linked to a prolific but loosely-affiliated cybercrime group dubbed “Scattered Spider,” whose other recent victims include multip [...]
Good tutorial by Micah Lee. It includes some nonobvious use cases. [...]
Legislative, regulatory, and advisory bodies the world over are waking up to the importance of API security. Most recently, the UK’s National Cyber Security Centre (NCSC) has published detailed guidance on best practices for building and maintaining secure APIs. In this blog, we’ll break down that guidance and explore how Wallarm’s platform can help you align with each one. Inside the NC [...]
What are duplicate submissions? Within the bug bounty industry, duplicate submissions refer to when two or more researchers report the same issue or vulnerability. When a researcher, who works with a bug bounty platform, identifies a vulnerability, they submit a report to the platform, such as Intigriti, where it is reviewed. If the issue has already been reported, then it is m… [...]
Learn more about the emerging vulnerability affecting Git. [...]
curl disclosed a bug submitted by brobagazzzx: https://hackerone.com/reports/3242005 [...]
This time it’s the Swedish prime minister’s bodyguards. (Last year, it was the US Secret Service and Emmanuel Macron’s bodyguards. in 2018, it was secret US military bases.) This is ridiculous. Why do people continue to make their data public? [...]
curl disclosed a bug submitted by mr_tufan: https://hackerone.com/reports/3242087 [...]
Microsoft today released updates to fix at least 137 security vulnerabilities in its Windows operating systems and supported software. None of the weaknesses addressed this month are known to be actively exploited, but 14 of the flaws earned Microsoft’s most-dire “critical” rating, meaning they could be exploited to seize control over vulnerable Windows PCs with little or no help [...]
TikTok disclosed a bug submitted by eneri: https://hackerone.com/reports/3027478 [...]
Ruby disclosed a bug submitted by ooooooo_q: https://hackerone.com/reports/1485717 [...]
Ruby disclosed a bug submitted by ooooooo_q: https://hackerone.com/reports/1487889 [...]
curl disclosed a bug submitted by haydradz: https://hackerone.com/reports/3241304 [...]
curl disclosed a bug submitted by haydradz: https://hackerone.com/reports/3241308 [...]
Sony disclosed a bug submitted by trapedev: https://hackerone.com/reports/2642615 [...]
Posted by David Adrian, Javier Castro & Peter Kotwicz, Chrome Security Team Android recently announced Advanced Protection, which extends Google’s Advanced Protection Program to a device-level security setting for Android users that need heightened security—such as journalists, elected officials, and public figures. Advanced Protection gives you the ability to activate Google’s strongest sec [...]
IBM disclosed a bug submitted by devire: https://hackerone.com/reports/2402842 [...]
Lichess disclosed a bug submitted by psfauzi: https://hackerone.com/reports/3230359 [...]
AI has officially moved out of the novelty phase. What began with people messing around with LLM-powered GenAI tools for content creation has rapidly evolved into a complex web of agentic AI systems that form a critical part of the modern corporate landscape. However, this transformation has given new life to old threats, transforming the API security landscape all over again. I recently sat [...]
Deptective, our new open-source tool, automatically finds the packages needed to install software dependencies. It does so not based on the software’s self-reported requirements, but by observing what the software needs at runtime. [...]
Las Vegas. August. Protocols are getting torn apart. This summer, PortSwigger returns to Black Hat USA and DEF CON 33 with a host of new talks, events and ways to meet PortSwigger and the the teams be [...]
Academic papers were found to contain hidden instructions to LLMs: It discovered such prompts in 17 articles, whose lead authors are affiliated with 14 institutions including Japan’s Waseda University, South Korea’s KAIST, China’s Peking University and the National University of Singapore, as well as the University of Washington and Columbia University in the U.S. Most of the pap [...]
curl disclosed a bug submitted by nyymi: https://hackerone.com/reports/2859735 [...]
curl disclosed a bug submitted by haithamzakaria: https://hackerone.com/reports/2853023 [...]
curl disclosed a bug submitted by rono_07: https://hackerone.com/reports/2841436 [...]
curl disclosed a bug submitted by nyymi: https://hackerone.com/reports/2831558 [...]
curl disclosed a bug submitted by mdakh404: https://hackerone.com/reports/2861797 [...]
curl disclosed a bug submitted by aadityaathehacker: https://hackerone.com/reports/2864414 [...]
curl disclosed a bug submitted by spongebhav: https://hackerone.com/reports/2864859 [...]
curl disclosed a bug submitted by bulter: https://hackerone.com/reports/2904921 [...]
curl disclosed a bug submitted by tefa_: https://hackerone.com/reports/2915426 [...]
curl disclosed a bug submitted by extramayoextracheeseextrafries: https://hackerone.com/reports/3238249 [...]
Nintendo disclosed a bug submitted by crazy_man123: https://hackerone.com/reports/1813453 [...]
curl disclosed a bug submitted by zzq1015: https://hackerone.com/reports/2981303 [...]
curl disclosed a bug submitted by skrcprst: https://hackerone.com/reports/3235428 [...]
In May 2025, the U.S. government sanctioned a Chinese national for operating a cloud provider linked to the majority of virtual currency investment scam websites reported to the FBI. But a new report finds the accused continues to operate a slew of established accounts at American tech companies — including Facebook, Github, PayPal and Twitter/X. On May 29, the U.S. Department of the Treasur [...]
Mozilla disclosed a bug submitted by northsea: https://hackerone.com/reports/2686750 [...]
Mozilla disclosed a bug submitted by northsea: https://hackerone.com/reports/2261577 [...]
Mozilla disclosed a bug submitted by martinvw: https://hackerone.com/reports/2899858 - Bounty: $500 [...]
The US government has taken another significant step towards strengthening cloud security with the release of CISA’s Binding Operational Directive (BOD) 25-01. Aimed at improving the security posture of federal cloud environments, BOD 25-01 mandates robust configuration, visibility, and control across cloud-based services. While the directive doesn’t explicitly name API security, securing mo [...]
curl disclosed a bug submitted by stogusho: https://hackerone.com/reports/3000639 [...]
curl disclosed a bug submitted by justlikebono_official: https://hackerone.com/reports/2941920 [...]
curl disclosed a bug submitted by voggerloops: https://hackerone.com/reports/2946924 [...]