Access to resumes applied through LinkedIn Jobs
LinkedIn disclosed a bug submitted by headhunter: https://hackerone.com/reports/560668 [Source]
Email verification bypass for manual connection setup service credentials
Nord Security disclosed a bug submitted by yozzo_: https://hackerone.com/reports/2049021 [Source]
Hashed data exposure via WebSockets to Workspace Members
Slack disclosed a bug submitted by d3f4u17: https://hackerone.com/reports/1639600 [Source]
AWS keys and user cookie leakage via uninitialized memory leak in outdated librsvg version in Basecamp
Basecamp disclosed a bug submitted by neex: https://hackerone.com/reports/2107680 - Bounty: $8868 [Source]
Top 10 Ways to Get Started with Bug Bounty Hunting
Here are 10 easy ways to get started with bug bounty hunting for free: Participate in public bug bounty programs. There are a number of public bug bounty programs that you can participate in for free. These programs are typically run by open source projects or non-profit organizations. One example...
Top 10 Bug Bounty Resources
The following is a list of the top 10 bug bounty sites in 2023, based on a combination of factors including popularity, reputation, and rewards offered: OpenBugBountyHackerOneBugcrowdIntigritiYesWeHackCobaltSynackImmunefiHackerXHackenproof These sites offer a variety of bug bounty programs from companies of all sizes, from startups to Fortune 500 companies. The rewards offered...
If rate limit is hit, IP address is leaked to anyone who tries to login
Mozilla Critical Services disclosed a bug submitted by anish_kosaraju: https://hackerone.com/reports/1989901 [Source]
NULL Pointer dereference in idn.c
curl disclosed a bug submitted by s0urc3_: https://hackerone.com/reports/2171309 [Source]
Stored Xss on bugzilla.mozilla.org via comment edit feature from non-admin to admin.
Mozilla Critical Services disclosed a bug submitted by r3dpars3c: https://hackerone.com/reports/2111291 [Source]
IDOR – send a message on behalf of other user
Mozilla Core Services disclosed a bug submitted by lamscun: https://hackerone.com/reports/1888545 [Source]
Improper santization of edit in list feature at twitter leads to delete any twitter user’s list cover photo.
X (Formerly Twitter) disclosed a bug submitted by greytesla: https://hackerone.com/reports/1437004 - Bounty: $560 [Source]
Twitter Subscriptions Information Disclosure
X (Formerly Twitter) disclosed a bug submitted by mirhat: https://hackerone.com/reports/2063636 [Source]
Circuit Breaker Authorization Issue
Cosmos disclosed a bug submitted by strikeout: https://hackerone.com/reports/2120609 - Bounty: $2500 [Source]
Permanent CASB Integration Takeover due to Improper Access Controls+Confused Deputy Problem
Cloudflare Public Bug Bounty disclosed a bug submitted by suzuka: https://hackerone.com/reports/2086301 - Bounty: $1000 [Source]
2FA BYPASS
Cloudflare Public Bug Bounty disclosed a bug submitted by imtheking: https://hackerone.com/reports/1805779 [Source]
What Is OpenBugBounty and How It Works
OpenBugBounty is a non-profit bug bounty platform established in 2014. It is a platform for coordinated, responsible, and ISO 29147 compatible vulnerability disclosure. OpenBugBounty allows security researchers to report XSS and similar security vulnerabilities on any website they discover using non-intrusive security testing techniques. The researchers may choose to make...
Coordinated Vulnerability Disclosure
Coordinated Vulnerability Disclosure (CVD) is a process for disclosing security vulnerabilities to affected organizations in a way that minimizes the risk of harm to users. It is a voluntary process that is typically agreed upon by the vulnerability reporter, the affected organization, and a third-party facilitator. The CVD process typically...
Revamped Credential Management and Webhooks Integration
We are delighted to roll out two significant updates that will redefine how you manage your program credentials and integrate your applications through webhooks. Let’s unpack the exciting details! Revamped Credential Management What is it about? We reworked our credential management to flexible and autonomous proces with a CSV structured...
XSS with Visual Language Editor tags
Invision Power Services, Inc. disclosed a bug submitted by mpiosik: https://hackerone.com/reports/2031855 [Source]
Unprotected Atlantis Server at https://132.226..
8x8 disclosed a bug submitted by imranhudaa: https://hackerone.com/reports/1895783 [Source]
Possibility to guess email address from gravatar image URL
RubyGems disclosed a bug submitted by ooooooo_q: https://hackerone.com/reports/1536013 [Source]
Apache Airflow path traversal by authenticated user
Internet Bug Bounty disclosed a bug submitted by kietna20: https://hackerone.com/reports/2070212 - Bounty: $540 [Source]
Potential NULL dereference in libssh’s sftp server
Internet Bug Bounty disclosed a bug submitted by wct: https://hackerone.com/reports/2070810 [Source]
Regular Expression Denial of Service (ReDoS) Vulnerability before 2.6.3
Internet Bug Bounty disclosed a bug submitted by hungtd: https://hackerone.com/reports/2068004 - Bounty: $540 [Source]
Able to see Bonus amount given to a report even if the bounty and Bonus is not visible to public or mentioned in {Report-Id}.json
HackerOne disclosed a bug submitted by callmed0_4: https://hackerone.com/reports/2101087 [Source]
Information Disclosure – Pvt Gitlab Issue Disclosing Through GitLab Unfiltered YouTube channel.
GitLab disclosed a bug submitted by mrrajputhacker2: https://hackerone.com/reports/2097377 - Bounty: $100 [Source]
CVE-2023-38039: HTTP header allocation DOS
curl disclosed a bug submitted by selmelc: https://hackerone.com/reports/2072338 [Source]
Multiple cross-site scripting (XSS) vulnerabilities in Revive Adserver
Revive Adserver disclosed a bug submitted by l4stb1t: https://hackerone.com/reports/1694171 [Source]
‘Request English versions of web pages for enhanced privacy’ keeps previous (grayed out) settings
Tor disclosed a bug submitted by andreien: https://hackerone.com/reports/2123957 - Bounty: $200 [Source]
IDOR: Authorization Bypass in LockReport Mutation for public reports
HackerOne disclosed a bug submitted by 0verw4tch: https://hackerone.com/reports/2139190 [Source]
Bug Bytes #211 – Hacking Casinos, Microsoft’s Key Mishap, Read the Docs and ImageMagick Strikes Again
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The second series is curated by InsiderPhD. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources. This issue covers the week from September 5th to September 10th...
Stored XSS Via Ads Account Name
TikTok disclosed a bug submitted by rioncool22: https://hackerone.com/reports/1647248 - Bounty: $1000 [Source]
SSRF Vulnerability through Connection test feature
Internet Bug Bounty disclosed a bug submitted by sayoojbkumar: https://hackerone.com/reports/2123113 - Bounty: $2550 [Source]
Admin account/panel takeOver and Doing actions in admin panel via DOM-based XSS
Radancy disclosed a bug submitted by mouhannadlrx: https://hackerone.com/reports/1619445 [Source]
Mozilla Mastodon Staging Instance Admin API Key Disclosure Through Slack
Mozilla Core Services disclosed a bug submitted by griffinf: https://hackerone.com/reports/2137154 [Source]
Response Manipulation to enable Account recovery key with out current password
Mozilla Critical Services disclosed a bug submitted by saiteja1231323: https://hackerone.com/reports/1995595 [Source]
No Rate Limit On Forgot Password Page
Tennessee Valley Authority disclosed a bug submitted by sailesh01nik: https://hackerone.com/reports/1438213 [Source]
xss reflected – pq.tva.com
Tennessee Valley Authority disclosed a bug submitted by tvmbug: https://hackerone.com/reports/1362995 [Source]
the domain is truck-admin.eu-east-1.indriverapp.com and Enter the management system of the blasting mobile phone verification code
inDrive disclosed a bug submitted by trustworthy: https://hackerone.com/reports/1991376 [Source]
process.binding() can bypass the permission model through path traversal
Node.js disclosed a bug submitted by rafaelgss: https://hackerone.com/reports/2051257 [Source]
fs.statfs bypasses Permission Model
Node.js disclosed a bug submitted by rafaelgss: https://hackerone.com/reports/2051224 [Source]
CVE-2023-24488 xss on https:///
U.S. Dept Of Defense disclosed a bug submitted by 0xmaruf: https://hackerone.com/reports/2045549 [Source]
stored cross site scripting in https://.edu
U.S. Dept Of Defense disclosed a bug submitted by maskedpersian: https://hackerone.com/reports/1665648 [Source]
XSS Reflected
U.S. Dept Of Defense disclosed a bug submitted by fklet: https://hackerone.com/reports/1892317 [Source]
Blind Sql Injection in https:///qsSearch.aspx
U.S. Dept Of Defense disclosed a bug submitted by hackdog0ne: https://hackerone.com/reports/2081316 [Source]
Blind Sql Injection in https:///
U.S. Dept Of Defense disclosed a bug submitted by hackdog0ne: https://hackerone.com/reports/2072306 [Source]
LDAP Anonymous Login enabled in
U.S. Dept Of Defense disclosed a bug submitted by shuvam321: https://hackerone.com/reports/2081332 [Source]
SqlInject at
U.S. Dept Of Defense disclosed a bug submitted by kirs112: https://hackerone.com/reports/2073717 [Source]
Adobe ColdFusion – Access Control Bypass [CVE-2023-38205] at
U.S. Dept Of Defense disclosed a bug submitted by mega7: https://hackerone.com/reports/2082528 [Source]
CVE-2023-40195: Apache Airflow Spark Provider Deserialization Vulnerability RCE
Internet Bug Bounty disclosed a bug submitted by happyhacking123: https://hackerone.com/reports/2127968 [Source]