ZERO DAILY

Hacking, AppSec, and Bug Bounty newsletter

2017-06-02 | Hack thyself, $12K Bug, and Wikileaks' Pandemic

Friday, June 2 

As always, TGIF! 

TOP STORY

  • Balancing security and data portability can be tricky. Discourse’s Jeff Atwood shares a new post, Hackers, Hack Thyself, on designing Discourse securely for the long haul, and preaches the notions of ‘designing for evil’ and ‘hacking yourself’. Well written and funny - enjoy.

HACKTIVITY

  • Use of uninitialized memory in unserialize() [3 upvotes] - $500 bounty for this report to PHP (IBB) by @rc0r. The bug was found using afl-fuzz / afl-utils.

  • Reflected XSS on a DoD website [3 upvotes] - no bounty for this report to the U.S. Dept Of Defense by @korprit. A cross-site scripting vulnerability was found that could be used by an attacker to trick a web user into executing a malicious script.

HUGE payout of $12,000 for a bug found by @preben_ve in [redacted].

You can see all the latest and greatest disclosures and bounties on www.hackerone.com/hacktivity, and see which company paid out over 25 bounties yesterday (including some big ones to this guy)!

OTHER ARTICLES WE’RE READING

ABOUT ZERO DAILY

Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.

Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?

Have a news tip / story to highlight? We’d love to hear about it. Email: zerodaily@hackerone.com 

Get this email forwarded to you? Click here to subscribe to the Zero Daily


If a programmer gives you a time estimate, you should double it and use the next biggest time unit. So five minutes become ten hours and a day job will take two weeks.

Professor Pottosin