
10 matches found

Hacker One
added 2025/05/30 9:25 a.m. | 5 views

HackerOne: Residual Malicious Payloads on HackerOne after Vulnerability Fixes

A vulnerability was previously discovered on the HackerOne platform that allowed users to add malicious payloads to their profile pages. Despite remediation efforts, some of these malicious payloads were not fully removed from user profiles. This situation meant that the malicious content could...

AI score: 5.8
Exploits: 0

Hacker One
added 2021/04/15 5:11 p.m. | 69 views

Kryptor: Kryptor/SECURITY.md missing HACKERONE program update.

Hi Team, I was going through code and found that in this https://github.com/samuel-lucas6/Kryptor/blob/master/SECURITY.md, "Security Policy" is missing update regarding Hackerone platform that "Security Bug now be submitted @ https://hackerone.com/kryptor/ this. Please update the policy...

AI score: 7.3
Exploits: 0

The Hacker News
added 2021/02/08 10:10 a.m. | 0 views

Top 5 Bug Bounty Platforms to Watch in 2021

While Gartner does not have a dedicated Magic Quadrant for Bug Bounties or Crowd Security Testing yet, Gartner Peer Insights already lists 24 vendors in the "Application Crowdtesting Services" category. We have compiled the top 5 most promising bug bounty platforms for those of you who are lookin...

AI score: 5.9
Exploits: 0

ThreatPost
added 2020/04/15 4:17 p.m. | 43 views

Tencent Ups Top Bug-Bounty Award to $15K

The Tencent Security Response Center (TSRC) is launching an expanded bug-bounty program, via the HackerOne white-hat platform – and the company has increased its top reward to $15,000. Tencent, a China-based global internet service provider, is opening up its existing bug-bounty program to...

AI score: 8.4
Exploits: 0
References: 7

Hacker One
added 2018/11/16 5:55 p.m. | 32 views

HackerOne: Notifications sent due to "Transfer report" functionality may be sent to users who are no longer authorized to see the report

Hi Hackerone team, I am still able to access other program details etc. when I'm authenticated to HackerOne through SAML. I'm not sure if it's the same bug I reported earlier or there is some weak authorization check in place. PFA for more info I can access related to ██████████ etc. See the dat...

AI score: 0.4
Exploits: 0

Hacker One
added 2018/05/11 12:42 p.m. | 60 views

HackerOne: Information disclosure

Summary: Chaining few simple informative issues on HackerOne platform and applying new method of timing attack, exploiting interesting feature in HTML5 https://developer.mozilla.org/en-US/docs/Web/API/ResourceTimingAPI/UsingtheResourceTimingAPI more precise Copy with CORS we can perform low cost,...

AI score: 7
Exploits: 0

Hacker One
added 2018/01/30 11:37 p.m. | 24 views

Node.js third-party modules: [file-static-server] Path Traversal allows to read content of arbitrary file on the server

Hi Guys, There is Path Traversal vulnerability in file-static-server module, which allows to read arbitrary file from the remote server. Module file-static-server no description provided https://www.npmjs.com/package/file-static-server version: 1.0.2 Stats 0 downloads in the last day 3 downloads ...

AI score: 0.3
Exploits: 0

ThreatPost
added 2016/08/02 9:0 a.m. | 11 views

Kaspersky Lab Bug Bounty Program Launches

LAS VEGAS – Kaspersky Lab today at Black Hat USA 2016 announced the launch of a public bug bounty, one of the few offered by a software vendor in the computer security industry. The bounty begins tomorrow on the HackerOne platform, and the first phase will run for six months. The company said tha...

AI score: 8.3
Exploits: 0
References: 2

ThreatPost
added 2016/06/21 3:15 p.m. | 15 views

Meet the 18-Year-Old Who Hacked the Pentagon

Ask David Dworken when he was in tenth grade what a cross-site scripting vulnerability is and you might get a strange look from the Alexandria, Va., teen. Fast forward two years and pose the same question to Dworken and you’ll get a well-versed answer from the now white hat hacker and recent high...

AI score: 7.3
Exploits: 0
References: 4

ThreatPost
added 2014/05/01 9:36 a.m. | 9 views

Bug Bounties Expanding to Individual Developers

Bug bounties once were restricted mainly to large software companies such as Mozilla and Google. But the success of these programs has led many other infrastructure and product companies, including Yahoo, Facebook, Barracuda, PayPal and even Microsoft, to launch their own reward systems. Now, the...

AI score: 7.7
Exploits: 0
References: 2