Friday, June 2
As always, TGIF!
TOP STORY
Balancing security and data portability can be tricky. Discourse’s Jeff Atwood shares a new post, Hackers, Hack Thyself, on designing Discourse securely for the long haul and preaches the notion of ‘designing for evil’ and ‘hacking yourself’. Well written and funny - enjoy.
HACKTIVITY
Use of uninitialized memory in unserialize() [3 upvotes] - $500 bounty for this report to PHP (IBB) by @rc0r. The bug was found using afl-fuzz / afl-utils.
Reflected XSS on a DoD website [3 upvotes] - no bounty for this report to the U.S. Dept Of Defense by @korprit. A cross-site scripting vulnerability was found that an attacker could use to trick a web user into executing a malicious script.
HUGE payout of $12,000 for a bug found by @preben_ve in [redacted].
You can see all the latest and greatest disclosures and bounties on www.hackerone.com/hacktivity, and see which company paid out over 25 bounties yesterday (including some big ones to this guy)!
OTHER ARTICLES WE’RE READING
This is what @meals does on a Wednesday evening: Django Privilege Escalation – Zero To Superuser
Hashcat wins the award for best product name (pretty cool tool as well)
Pandemic by wikileaks
Cybersecurity is a top management challenge for DHHS
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?
Have a news tip / story to highlight? We’d love to hear about it. Email: zerodaily@hackerone.com
Get this email forwarded to you? Click here to subscribe to the Zero Daily
If a programmer gives you a time estimate, you should double it and use the next biggest time unit. So five minutes become ten hours and a day job will take two weeks.
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty solutions encompass vulnerability assessment, crowdsourced security testing and responsible disclosure management. Discover more about our hacker powered security testing solutions or Contact Us today.