Wednesday, May 3
Hello Wednesday. Make it a great day!
TOP STORY
Uber’s Collin Greene has a message for you: Better understanding business risks make you a better security person. Key lesson: risk is relative and can be ignored, transferred, reduced (mitigated) or eliminated (remediate). The correct answer to risk is not always to eliminate it and it is our job to know the appropriate action given the many variables. Also, free tip from Scott Piper: Read Yahoo’s 2016 Form 10-K for detailed info on their multiple “Security Incidents”.
HACKTIVITY
DOM XSS on teavana.com via "pr_zip_location" parameter [4 upvotes] - $250 bounty for this report to Starbucks by @nirvana-msu. Exploitable in all major browsers. Vulnerable code was in full.js.
Existence of Folder path by guessing the path through response [8 upvotes] - $250 bounty for this report to BrickFTP by @ashish_r_padelkar. Information leak bug on multiple endpoints. Good find!
Dashlane opened their program to the public! And they be payin fast.
You can see all the latest and greatest disclosures and bounties on www.hackerone.com/hacktivity.
TWEET OF THE DAY
Epic tweetstorm for any dev’s out there…
As a senior dev, I disagree. Feedback from junior devs is critical to me. If they don't understand it, even if it's "correct", I rewrite. - @sarahmei
OTHER ARTICLES WE’RE READING
Krypt.co wants to be the new home for your SSH private key. This…. is not the dumbest idea.
Got something to say? NICE 2017 Conference proposals are open.
IoT for all looks at the past, present, and future of LPWAN.
Speaking of IoT, why are factory robot arms freaking out?
On your lunch break, you can read the Intelligence Authorization Act for Fiscal Year 2017, if you’re into that kind of thing.
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?
Have a news tip / story to highlight? We’d love to hear about it. Email: zerodaily@hackerone.com
Get this email forwarded to you? Click here to subscribe to the Zero Daily
In time my perspective broadened and I recognized that the root cause of insecurity is both technical and organizational.
Collin Greene
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty solutions encompass vulnerability assessment, crowdsourced security testing and responsible disclosure management. Discover more about our hacker powered security testing solutions or Contact Us today.