Hacking, AppSec, and Bug Bounty newsletter

2017-04-03 | DOMXSS, math.js vuln, and Germany’s new cyber command

Monday, April 3, 2017

Sint Maarten is beautiful this time of year. While those lucky guys and gals at Kaspersky’s SAS 2017 summit are slumming it in the Caribbean, we get to do some real work this week. Make it a good one!


  • Great blog about a vulnerability in math.js, an open source library: How we exploited a remote code execution vulnerability in math.js. The key intuition that led to the discovery: ‘Function’ can be accessed indirectly as the constructor of an existing function, so blocking the name alone is not enough. The structure of the post is great: Discover, Exploit, Report [then post blog].


  • DOMXSS in Tweetdeck [26 upvotes] - $1,120 bounty for this report to Twitter by @filedescriptor. Details, POC, Fix. Great formula. (And yes, apparently Tweetdeck still exists).
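An added example illustrating the math.js item above (my own toy model, not code from the post or from math.js): an expression sandbox that denylists the name Function is still reachable through the constructor of any ordinary function, so a guard also has to refuse the property names that lead there. The guard names, regexes and sample expressions are all assumptions for the illustration.

```javascript
// Toy sandbox guard (constructed for this example, not math.js code).
// Naive version: only refuses expressions that name the forbidden globals directly.
function naiveGuard(expr) {
  return !/\b(Function|eval)\b/.test(expr);
}

// Property names through which the Function constructor stays reachable.
const DENIED_PROPS = new Set(["constructor", "__proto__", "prototype"]);

// Hardened version: refuse the forbidden globals AND any member access to a
// denied property, whether written as obj.prop or obj["prop"].
function hardenedGuard(expr) {
  if (!naiveGuard(expr)) return false;
  const memberAccess = /\.\s*([A-Za-z_$][\w$]*)|\[\s*["']([^"']+)["']\s*\]/g;
  const props = [...expr.matchAll(memberAccess)].map((m) => m[1] ?? m[2]);
  return !props.some((p) => DENIED_PROPS.has(p));
}

// The key intuition from the post: Function is the constructor of every function,
// so any callable value the sandbox exposes is a path back to it.
function functionReachableViaConstructor() {
  const harmless = function () {};
  return harmless.constructor === Function;
}

// Constructed sample expressions: the naive guard lets the indirect reference through.
const SAMPLES = ["sqrt(16)", "cos.constructor", 'cos["constructor"]', "Function('x')"];
function classify(guard) {
  return Object.fromEntries(SAMPLES.map((e) => [e, guard(e)]));
}
```

Even the hardened guard is only a denylist; a production sandbox should instead restrict member access to an explicit allowlist of safe properties.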

As always, you can see all the latest and greatest disclosures and bounties on



Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.

Friends don’t keep good emails to themselves - forward to your friends and colleagues for maximum enjoyment. Want to see who else runs bug bounties?

Have a news tip / story to highlight? We’d love to hear about it. Email:

“Really stay away from the fear, and uncertainty and doubt on the business. Don’t go FUD. Really what you want to do is talk about making your customers love the experience while at the same time feeling good about their privacy and security can actually be a market differentiator.”

Theresa Payton, Fortalice CEO, former CIO at The White House


HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty solutions encompass vulnerability assessment, crowdsourced security testing and responsible disclosure management. Discover more about our hacker powered security testing solutions or Contact Us today.