Hacking, AppSec, and Bug Bounty newsletter
2017-06-02 | Hack thyself, $12K Bug, and Wikileaks' Pandemic
Friday, June 2
As always, TGIF!
Balancing security and data portability can be tricky. Discourse’s Jeff Atwood shares a new post, “Hackers, Hack Thyself”, on designing Discourse securely for the long haul, and preaches the notions of ‘designing for evil’ and ‘hacking yourself’. Well written and funny - enjoy.
Use of uninitialized memory in unserialize() [3 upvotes] - $500 bounty for this report to PHP (IBB) by @rc0r. Bug was found using afl-fuzz / afl-utils.
Reflected XSS on a DoD website [3 upvotes] - no bounty for this report to the U.S. Dept Of Defense by @korprit. A cross-site scripting vulnerability was found that an attacker may use to trick a web user into executing a malicious script.
HUGE payout of $12,000 for a bug found by @preben_ve in [redacted].
OTHER ARTICLES WE’RE READING
Hashcat wins the award for best product name (pretty cool tool as well)
Pandemic by wikileaks
Cybersecurity is a top management challenge for DHHS
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
If a programmer gives you a time estimate, you should double it and use the next biggest time unit. So five minutes become ten hours and a day job will take two weeks.