2017-05-18 | PATCH Act, Mar-a-Vuln, and raspberry pi teddy bear hack

Thursday, May 18

Goedemorgen. Early posts this week as we write #zerodaily from Amsterdam. Have a great day!

TOP STORY

PATCH Act would create a vulnerability equities review board for USG held vulns. This would codify and strengthen the existing Vulnerabilities Equities Process (VEP) that was established by the Obama Administration. Oh, Washington and their acronyms.

HACKTIVITY

password reset token leaking allowed for ATO of an Uber account [35 upvotes] - $10,000 bounty for this report to Uber by @procode701. With an email address for a valid Uber account, it was possible to take over that account because the reset token was exposed in the response of a password reset HTTP request.

Inti De Ceukelaire had himself a day yesterday - $10,500 in bounties!

You can see all the latest and greatest disclosures and bounties on www.hackerone.com/hacktivity.

OTHER ARTICLES WE’RE READING

Mar-a-vuln
Scholarship competition for kids to get a free trip to Black Hat.
Cyber deals, deals, deals
This week’s Threatwire, via Hak5
11-year old hacker Reuben Paul hacked into his teddy bear with a raspberry pi.
Oracle PeopleSoft RCE
Facebook bug - determine a user from a private phone number

ABOUT ZERO DAILY

Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.

Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?

Have a news tip / story to highlight? We’d love to hear about it. Email: zerodaily@hackerone.com

Get this email forwarded to you? Click here to subscribe to the Zero Daily

If it’s facing the external web or can be easily accessed from the internal network, you should assume everyone can access it.

Naffy + Shubs

HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty solutions encompass vulnerability assessment, crowdsourced security testing and responsible disclosure management. Discover more about our hacker powered security testing solutions or Contact Us today.