Hacking, AppSec, and Bug Bounty newsletter

2017-06-02 | Hack thyself, $12K Bug, and Wikileaks' Pandemic

Friday, June 2 

As always, TGIF! 


  • Balancing security and data portability can be tricky. Discourse’s Jeff Atwood shares a new post, Hackers, Hack Thyself on designing Discourse securely for the long haul and preaches the notion of ‘designing for evil’ and ‘hacking yourself’. Well written and funny - enjoy.


  • Use of uninitialized memory in unserialize() [3 upvotes] - $500 bounty for this report to PHP (IBB) by @rc0r. Bug was found using afl-fuzz / afl-utils.

  • Reflected XSS on a DoD website [3 upvotes] - no bounty for this report to the U.S. Dept Of Defense by @korprit. A cross-site scripting vulnerability was found that may be used by an attacker to trick a web user into executing a malicious script.

HUGE payout of $12,000 for a bug found by @preben_ve in [redacted].

You can see all the latest and greatest disclosures and bounties on, and see which company paid out over 25 bounties yesterday (including some big ones to this guy)!



Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.

Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?

Have a news tip / story to highlight? We’d love to hear about it. Email: 

Get this email forwarded to you? Click here to subscribe to the Zero Daily


If a programmer gives you a time estimate, you should double it and use the next biggest time unit. So five minutes become ten hours and a day job will take two weeks.

Professor Pottosin


HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty solutions encompass vulnerability assessment, crowdsourced security testing and responsible disclosure management. Discover more about our hacker-powered security testing solutions or Contact Us today.