Monday, April 24
Happy Monday!
TOP STORY
BBC Today interviewed former Anonymous hacker Jake Davis and quoted a recent report by the National Cyber Crime Agency. The Guardian wrote a good article about it - read that for the TL;DR version. The gist: hacking the government is a good thing if done through a bug bounty program (as Hack the Pentagon and Hack the Army showed us). The head of the U.S. Defense for Energy, Installations and Environment wants a bug bounty for military bases: “The best and brightest could help us get through that.” The future of hacker-powered security is bright.
HACKTIVITY
[GitHub Extension] Unsanitised HTML leading to XSS on GitHub.com [10 upvotes] - $200 bounty for this report to Algolia by @ysx. The Awesome Autocomplete extension (pretty cool name) had a broken <img> element that led to XSS.
Bypass to postMessage origin validation via FTP [8 upvotes] for this report to Slack by @a1kmm-. FTP could be used to bypass validation and view XOXS tokens of victims on the local network.
You can see all the latest and greatest disclosures and bounties on www.hackerone.com/hacktivity.
OTHER ARTICLES WE’RE READING
27 is a big number
In case you didn’t know - Companies are paying millions to get hacked — on purpose
Even the best of us are susceptible. Krebs can’t get no beats
Doh! DoublePulsar malware à la Shadow Brokers is leading to pwnage thanks to script kiddies everywhere
Laugh along with @sushihack and watch his #bountycraft talk at Nullcon.
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?
Have a news tip / story to highlight? We’d love to hear about it. Email: zerodaily@hackerone.com
"I hacked because I wanted to get online, and then I was online because I was hacking,"