This is a current list of where and when I am scheduled to speak: I’m speaking at the International Conference on Digital Trust, AI and the Future in Edinburgh, Scotland on Tuesday, June 24 at 4:00 PM. The list is maintained on this page. [...]
Node.js disclosed a bug submitted by kenballus: https://hackerone.com/reports/2054283 [...]
Video of the stubby squid (Rossia pacifica) from offshore Vancouver Island. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. [...]
Informatica disclosed a bug submitted by xbow: https://hackerone.com/reports/3096384 [...]
Rootstock Labs disclosed a bug submitted by guido: https://hackerone.com/reports/2412583 [...]
Posted by Google GenAI Security TeamWith the rapid adoption of generative AI, a new wave of threats is emerging across the industry with the aim of manipulating the AI systems themselves. One such emerging attack vector is indirect prompt injections. Unlike direct prompt injections, where an attacker directly inputs malicious commands into a prompt, indirect prompt injections involve hidden malici [...]
Rootstock Labs disclosed a bug submitted by spacewasp: https://hackerone.com/reports/2105808 - Bounty: $5000 [...]
It’s been a whirlwind two months since AI-powered features landed in Burp Suite Professional. Thousands of security testers across the world have been using Burp AI to find vulnerabilities and secure [...]
Paragon is an Israeli spyware company, increasingly in the news (now that NSO Group seems to be waning). “Graphite” is the name of its product. Citizen Lab caught it spying on multiple European journalists with a zero-click iOS exploit: On April 29, 2025, a select group of iOS users were notified by Apple that they were targeted with advanced spyware. Among the group were two journalis [...]
Lichess disclosed a bug submitted by closec4ll: https://hackerone.com/reports/3160210 [...]
Bykea disclosed a bug submitted by bugbountywithmarco: https://hackerone.com/reports/3085742 [...]
Bykea disclosed a bug submitted by bugbountywithmarco: https://hackerone.com/reports/2868164 [...]
Bykea disclosed a bug submitted by grassye: https://hackerone.com/reports/2861888 [...]
Bykea disclosed a bug submitted by back2arie: https://hackerone.com/reports/2374730 [...]
Hemi VDP disclosed a bug submitted by 1_ali_raza: https://hackerone.com/reports/3198394 [...]
Hello hackers, Welcome to the latest edition of Bug Bytes! In this month’s issue, we’ll be featuring: Becoming an Intigriti Pentester Exploiting CORS in 2025 (even when SameSite is set to ‘Strict’) A forgotten tool to quickly score new hidden endpoints (right before you close Burp Suite) 12 API hacking techniques Common ways to find RCEs in your bug bounty target And so … [...]
Late last year, security researchers made a startling discovery: Kremlin-backed disinformation campaigns were bypassing moderation on social media platforms by leveraging the same malicious advertising technology that powers a sprawling ecosystem of online hucksters and website hackers. A new report on the fallout from that investigation finds this dark ad tech industry is far more resilient and i [...]
Mars disclosed a bug submitted by morphykutay: https://hackerone.com/reports/3146996 [...]
Rootstock Labs disclosed a bug submitted by guido: https://hackerone.com/reports/2489843 [...]
Rootstock Labs disclosed a bug submitted by guido: https://hackerone.com/reports/2559404 [...]
This is news: A data broker owned by the country’s major airlines, including Delta, American Airlines, and United, collected U.S. travellers’ domestic flight records, sold access to them to Customs and Border Protection (CBP), and then as part of the contract told CBP to not reveal where the data came from, according to internal CBP documents obtained by 404 Media. The data includes pa [...]
Bykea disclosed a bug submitted by bugbountywithmarco: https://hackerone.com/reports/2894018 [...]
Nestled in a log cabin high in the Rocky Mountains, Rick Bohm starts his day the same way he’s approached his career: intentionally, with a quiet commitment to learning and action. Boasting more than three decades of cybersecurity experience, Rick has watched tech evolve from dial-up ISPs to advanced AI-driven security architectures – and through it all, he’s focused on one enduring mission: prot [...]
Microsoft today released security updates to fix at least 67 vulnerabilities in its Windows operating systems and software. Redmond warns that one of the flaws is already under active attack, and that software blueprints showing how to exploit a pervasive Windows bug patched this month are now public. The sole zero-day flaw this month is CVE-2025-33053, a remote code execution flaw in the Windows [...]
In October 2023, we audited Silence Laboratories’ DKLs23 threshold signature scheme (TSS) library—one of the first production implementations of this then-novel protocol that uses oblivious transfer (OT) instead of traditional Paillier cryptography. Our review uncovered serious flaws that could enable key destruction attacks, which Silence Laboratories promptly fixed. [...]
There are three key elements that, when combined, support the planning of a bug bounty program to attract the right researchers. These three components are the attack surface, security maturity, and asset complexity. In this article, we explore each of these elements, how they impact one another, and their influence on bug bounty programs. What defines an attack surface? And ho… [...]
Lichess disclosed a bug submitted by immm: https://hackerone.com/reports/3181066 [...]
Researchers have discovered a new way to covertly track Android users. Both Meta and Yandex were using it, but have suddenly stopped now that they have been caught. The details are interesting, and worth reading in detail: Tracking code that Meta and Russia-based Yandex embed into millions of websites is de-anonymizing visitors by abusing legitimate Internet protocols, causing Chrome and other bro [...]
HackerOne disclosed a bug submitted by root_geek280: https://hackerone.com/reports/2633771 [...]
Southern New England is having the best squid run in years. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. [...]
Lichess disclosed a bug submitted by oblivionsage: https://hackerone.com/reports/3175928 [...]
On Thursday I testified before the House Committee on Oversight and Government Reform at a hearing titled “The Federal Government in the Age of Artificial Intelligence.” The other speakers mostly talked about how cool AI was—and sometimes about how cool their own company was—but I was asked by the Democrats to specifically talk about DOGE and the risks of exfiltrating our d [...]
OpenAI just published its annual report on malicious uses of AI. By using AI as a force multiplier for our expert investigative teams, in the three months since our last report we’ve been able to detect, disrupt and expose abusive activity including social engineering, cyber espionage, deceptive employment schemes, covert influence operations and scams. These operations originated in many parts o [...]
hostinger disclosed a bug submitted by aziz0x48: https://hackerone.com/reports/3081691 [...]
Image: Mark Rademaker, via Shutterstock. Ukraine has seen nearly one-fifth of its Internet space come under Russian control or sold to Internet address brokers since February 2022, a new study finds. The analysis indicates large chunks of Ukrainian Internet address space are now in the hands of shadowy proxy and anonymity services that are nested at some of America’s largest Internet service [...]
According to the Wallarm Q1 2025 ThreatStats report, 70% of all application attacks target APIs. The industry can no longer treat API security as a sidenote; it’s time to treat it as the main event. NIST seems to be on board with this view, releasing the initial public draft of NIST SP 800-228, a set of recommendations for securing APIs. I recently sat down with AJ Debole, Field CISO at Oracl [...]
Shopify disclosed a bug submitted by bassem_sadaqah: https://hackerone.com/reports/1695604 - Bounty: $3800 [...]
Insightly disclosed a bug submitted by basant0x01: https://hackerone.com/reports/1544236 [...]
You can read the details of Operation Spiderweb elsewhere. What interests me are the implications for future warfare: If the Ukrainians could sneak drones so close to major air bases in a police state such as Russia, what is to prevent the Chinese from doing the same with U.S. air bases? Or the Pakistanis with Indian air bases? Or the North Koreans with South Korean air bases? Militaries that thou [...]
curl disclosed a bug submitted by z2_: https://hackerone.com/reports/3168039 [...]
Reputation – What is CREST? CREST is the gold standard for quality assurance accreditation in the cybersecurity industry. It is a globally recognised not-for-profit cybersecurity authority that rigorously assesses organisations against stringent standards for quality, technical proficiency, and operational integrity. ‘Keeping information safe in today’s digital world is a s… [...]
Lichess disclosed a bug submitted by oblivionsage: https://hackerone.com/reports/3165242 [...]
They’re interesting: Tracked as CVE-2025-5054 and CVE-2025-4598, both vulnerabilities are race condition bugs that could enable a local attacker to obtain access to access sensitive information. Tools like Apport and systemd-coredump are designed to handle crash reporting and core dumps in Linux systems. […] “This means that if a local attacker manages to induce a crash in a priv [...]
Mozilla disclosed a bug submitted by z3phyrus: https://hackerone.com/reports/3154983 - Bounty: $6000 [...]
Reconnaissance plays an integral part in bug bounty hunting, with hidden parameter discovery an even more crucial role as they are often left with inadequate validation. Making these types of parameters usually more susceptible to common injection vulnerabilities such as SQLs, XSS, IDORs and even command injections. In this article, we will cover 5 various ways to detect possi… [...]
HackerOne disclosed a bug submitted by w2w: https://hackerone.com/reports/2937622 - Bounty: $1200 [...]
Posted by Chrome Root Program, Chrome Security Team Note: Google Chrome communicated its removal of default trust of Chunghwa Telecom and Netlock in the public forum on May 30, 2025. The Chrome Root Program Policy states that Certification Authority (CA) certificates included in the Chrome Root Store must provide value to Chrome end users that exceeds the risk of their continued inclusion. It [...]
Over two audits in 2023, we reviewed a blockchain system developed by Axiom that allows computing over the entire history of Ethereum, all verified by zero-knowledge proofs (ZKPs) on-chain using ZK-verified elliptic curve and SNARK recursion operations. This system is built using the Halo2 framework—a complex, emerging technology that presents many challenges when building a secure application, in [...]
We’re proud to announce that PortSwigger has been awarded the prestigious King’s Award for Enterprise in the category of International Trade - a recognition that reflects our sustained international s [...]
8x8 Bounty disclosed a bug submitted by kauenavarro: https://hackerone.com/reports/1365076 [...]
Omise disclosed a bug submitted by vulnerability_is_here: https://hackerone.com/reports/3119034 [...]
Image: Shutterstock, ArtHead. The U.S. government today imposed economic sanctions on Funnull Technology Inc., a Philippines-based company that provides computer infrastructure for hundreds of thousands of websites involved in virtual currency investment scams known as “pig butchering.” In January 2025, KrebsOnSecurity detailed how Funnull was being used as a content delivery network that ca [...]
Internet Bug Bounty disclosed a bug submitted by saurabhb: https://hackerone.com/reports/3073507 [...]
We recently hosted a webinar to introduce Burp Suite DAST, the new name for Burp Suite Enterprise Edition, the best-in-class, automated web application and API security scanning solution for modern Ap [...]
Mike Wilkes has had a career many cybersecurity professionals could only dream of. An adjunct professor, former CISO of Marvel and MLS, member of the World Economic Forum, drummer, and board member at the National Jazz Museum in Harlem, his interests and achievements are as eclectic as they are impressive. In the first edition of CISO Spotlight, we sat down with Mike to explore the skill [...]
Introducing the Custodial Stablecoin Rekt Test; a new spin on the classic Rekt Test for evaluating the security maturity of stablecoin issuers. [...]
Authorities in Pakistan have arrested 21 individuals accused of operating “Heartsender,” a once popular spam and malware dissemination service that operated for more than a decade. The main clientele for HeartSender were organized crime groups that tried to trick victim companies into making payments to a third party, and its alleged proprietors were publicly identified by KrebsOnSecur [...]
Fastify disclosed a bug submitted by oblivionsage: https://hackerone.com/reports/3122019 [...]
curl disclosed a bug submitted by kurohiro: https://hackerone.com/reports/3153497 [...]
curl disclosed a bug submitted by kurohiro: https://hackerone.com/reports/3150884 [...]
AWS VDP disclosed a bug submitted by nick_frichette_dd: https://hackerone.com/reports/2800091 [...]
AWS VDP disclosed a bug submitted by nick_frichette_dd: https://hackerone.com/reports/2951803 [...]
AWS VDP disclosed a bug submitted by nick_frichette_dd: https://hackerone.com/reports/3021618 [...]
AWS VDP disclosed a bug submitted by nick_frichette_dd: https://hackerone.com/reports/3029552 [...]
AWS VDP disclosed a bug submitted by nick_frichette_dd: https://hackerone.com/reports/3042588 [...]
AWS VDP disclosed a bug submitted by nick_frichette_dd: https://hackerone.com/reports/3072841 [...]
AWS VDP disclosed a bug submitted by nick_frichette_dd: https://hackerone.com/reports/3044471 [...]