Hacking, AppSec, and Bug Bounty newsletter
2017-05-03 | Mr. Greene’s message, Krypt.co, and who is thedarkoverlord?
Wednesday, May 3
Hello Wednesday. Make it a great day!
Uber’s Collin Greene has a message for you: understanding business risk better makes you a better security person. Key lesson: risk is relative and can be ignored, transferred, reduced (mitigated) or eliminated (remediated). The correct response to a risk is not always to eliminate it; it is our job to know the appropriate action given the many variables involved. Also, a free tip from Scott Piper: read Yahoo’s 2016 Form 10-K for detailed info on their multiple “Security Incidents”.
DOM XSS on teavana.com via "pr_zip_location" parameter [4 upvotes] - $250 bounty for this report to Starbucks by @nirvana-msu. Exploitable in all major browsers. Vulnerable code was in full.js.
Existence of Folder path by guessing the path through response [8 upvotes] - $250 bounty for this report to BrickFTP by @ashish_r_padelkar. Information leak bug on multiple endpoints. Good find!
You can see all the latest and greatest disclosures and bounties on www.hackerone.com/hacktivity.
TWEET OF THE DAY
Epic tweetstorm for any devs out there…
As a senior dev, I disagree. Feedback from junior devs is critical to me. If they don't understand it, even if it's "correct", I rewrite. - @sarahmei
OTHER ARTICLES WE’RE READING
Got something to say? NICE 2017 Conference proposals are open.
IoT for all looks at the past, present, and future of LPWAN.
Speaking of IoT, why are factory robot arms freaking out?
On your lunch break, you can read the Intelligence Authorization Act for Fiscal Year 2017, if you’re into that kind of thing.
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?
Have a news tip / story to highlight? We’d love to hear about it. Email: email@example.com
Get this email forwarded to you? Click here to subscribe to the Zero Daily
In time my perspective broadened and I recognized that the root cause of insecurity is both technical and organizational.
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty solutions encompass vulnerability assessment, crowdsourced security testing and responsible disclosure management. Discover more about our hacker-powered security testing solutions or Contact Us today.