2024 Annual WordPress Security Report by Wordfence
The 2024 WordPress security landscape saw significant changes, with new Bug Bounty Programs such as Wordfence’s creating opportunities for numerous researchers to earn a sustainable income by examining WordPress software. Despite another record year for disclosed vulnerabilities in 2025, the risi...
How MSRC coordinates vulnerability research and disclosure while building community
In an era where discovering and rapidly mitigating security vulnerabilities is more important than ever before, the Microsoft Security Response Center (MSRC) is at the center of this work. MSRC focuses on investigating vulnerabilities, coordinating their disclosure, and releasing security updates t...
HackerOne: Public GitHub repositories for multiple HackerOne managed triage team profiles contain private HackerOne reports information
Publicly available GitHub repositories for HackerOne-managed triage team profiles were found to contain private HackerOne vulnerability reports. Several repositories were identified that reproduced exploits for private bug bounty programs. The disclosed information included details such as access...
Denial of Service
This report is not public...
How AI hallucinations are making bug hunting harder
Bug bounty programs that pay people for finding bugs are a very useful tool for improving the security of software. But with the availability of artificial intelligence (AI), as seen in the popular large language models (LLMs) like ChatGPT, Bard, and others, it looks like there is a new problem on the...
Nodesub - Command-Line Tool For Finding Subdomains In Bug Bounty Programs
Nodesub is a command-line tool for finding subdomains in bug bounty programs. It supports various subdomain enumeration techniques and provides flexible options for customization. Features: perform subdomain enumeration using CIDR notation; support for an input list; perform subdomain enumeration using AS...
Probable_Subdomains - Subdomains Analysis And Generation Tool. Reveal The Hidden!
Online tool: https://weakpass.com/generate/domains TL;DR During bug bounties, penetration tests, red team exercises, and other great activities, there is always a moment when you need to launch amass, subfinder, sublister, or any other tool to find subdomains you can use to break through - like...
Web-Hacking-Playground - Web Application With Vulnerabilities Found In Real Cases, Both In Pentests And In Bug Bounty Programs
Web Hacking Playground is a controlled web hacking environment. It consists of vulnerabilities found in real cases, both in pentests and in Bug Bounty programs. The objective is that users can practice with them, and learn to detect and exploit them. Other topics of interest will also be addresse...
6 of the Best Crypto Bug Bounty Programs
By Waqas. Crypto bug bounty programs have become essential as the number of blockchain platforms grows exponentially, making it increasingly difficult for developers to keep up with all the necessary security protocols on their own. This is a post from HackRead.com. Read the original post: 6 of the...
The right ASM tools include understanding where the real risk lies
While companies are just scratching the surface of understanding their Internet-facing architecture, hackers have been monitoring growing attack surfaces to find vulnerabilities where companies aren't looking, or maybe aren't prioritizing, and reaping the reward through bug bounty programs...
U.S. Ban on Sales of Cyberattack Tools Is Anemic, Experts Warn
The launch of a standing offer to pay for Windows virtual private network (VPN) software zero-day exploits came to light this week, even as the U.S. mulls new regulations on the export of tools that could be used in cyberattacks against the U.S. or its interests. The developments signal that the U....
Where Bug Bounty Programs Fall Flat
Eavesdropping on the chatter of 600+ cybercriminal forums shows that cybercriminals have specific preferences, shown by the flavors of exploits they requisition, and that the bug bounty programs either are too slow, don’t pay enough or are just the start of profit-making. A year-long study into t...
How to Get into the Bug-Bounty Biz: The Good, Bad and Ugly
Zero-day disclosures, those known bugs without a fix, can have potentially catastrophic results. One of the best ways to combat them is by discovering them before the bad guys do. Some of the biggest tech brands on the planet have been pummeled by a rash of high-profile zero-day exploits. In the...
Bug-Bounty Awards Spike 26% in 2020
Cross-site scripting (XSS) remained the most impactful vulnerability, and thus the one reaping the highest rewards for ethical hackers in 2020 for a second year running, according to a list of top 10 vulnerabilities released on Thursday by HackerOne. The vulnerability — which enables attackers to...
Verizon Media, PayPal, Twitter Top Bug-Bounty Rankings
Bug-bounty programs have become a popular way for vendors to root out security flaws in their platforms, attracting talented white-hats with the promise of big rewards. According to HackerOne’s 2020 List of the Top 10 Bug Bounty Programs on its platform, Verizon Media, PayPal and Uber are in the...
OX App Suite / OX Documents 7.10.3 XSS / SSRF / Improper Validation Vulnerabilities
OX App Suite and OX Documents versions 7.10.3 and below suffer from server-side request forgery, cross-site scripting, improper parameter validation, and XML injection vulnerabilities. Dear subscribers, we're sharing our latest advisory with you and would like to thank everyone who contributed in findi...
OX App Suite / OX Documents 7.10.3 XSS / SSRF / Improper Validation
Dear subscribers, we're sharing our latest advisory with you and would like to thank everyone who contributed in finding and solving those vulnerabilities. Feel free to join our bug bounty programs for OX AppSuite, Dovecot and PowerDNS at HackerOne. Yours sincerely, Martin Heiland, Open-Xchange GmbH...
Mail.ru: User session access due to OAuth whitelist host bypass and postMessage
A destination for postMessage was not properly restricted on connect.mail.ru, allowing cross-site access to the session, as was shown for the 3k.mail.ru application session. Both connect.mail.ru and 3k.mail.ru belong to the Ext.B scope; this scope does not offer a bounty for attacks with client-side vectors on t...
Katie Moussouris: The Bug Bounty Conflict of Interest
Since the launch of the Hack the Pentagon program in 2016, bug bounty programs continue to increase in popularity – however, as more programs are created, some companies are forgetting the real reason behind bug bounties. Instead of aiming to make their systems more secure, companies are viewing...
CISA Pushing U.S. Agencies to Adopt Vulnerability Disclosure Policies
The U.S. government’s cybersecurity agency has issued a draft directive mandating all agencies to develop vulnerability disclosure policies, which would give ethical hackers clear guidelines for submitting bugs found in government systems. Security experts hope that the directive will light a fir...