Hacking, AppSec, and Bug Bounty newsletter

2017-04-14 | The Internet of Broken Things, Google Play banking trojan, and inmates building computers in the ceiling

Friday, April 14

Have a good Friday!



  • Remote Code Execution (RCE) in a DoD website [15 upvotes] - no bounty for this report to Department of Defense by @joaomatosf. This was the hackers first report on HackerOne! You have a bright future, friend. DoD quote in summary “This was a very clever demonstration.”

  • Unfiltered `class` attribute in markdown code [ 8 upvotes] - no bounty for this report to GitLab by @skovorodan. Very cool to see the amount of work a researcher puts into the report, for the good of the internet. No monetary compensation, but credit for the hard work. Well done to all.

You can see all the latest and greatest disclosures and bounties on



Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.

Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?

Have a news tip / story to highlight? We’d love to hear about it. Email:

“Whenever you find yourself on the side of the majority, it is time to pause and reflect.”
Mark Twain

HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty solutions encompass vulnerability assessment, crowdsourced security testing and responsible disclosure management. Discover more about our hacker powered security testing solutions or Contact Us today.