Hacking, AppSec, and Bug Bounty newsletter

2017-06-06 | 3.4B Records exposed, Who is Reality Winner, and Security Fest Videos

Tuesday, June 6

RIP Jean Sammet.



  • Password Reset link hijacking via Host Header Poisoning [19 upvotes] - no bounty for this report to concrete5 by @cdl. Known issue, resolved by entering a Canonical URL. But cool to see statements like this from security teams: “It’s a different vector, but resolved by the same solution. Figured we could give you some rep since it was a nice find.”

  • Flash XSS on Buick_RotatingMasthead_JellyBeanSlider.swf [4 upvotes] - no bounty for this report to General Motors by @mystech7. The website contained a parameter that allowed XSS injection.
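The concrete5 item above is a good reminder of why a configured Canonical URL fixes an entire class of password-reset link problems. The following is an added example, not code from concrete5 or from the report: it contrasts a reset-link builder that trusts the request's Host header with one that only ever uses a configured canonical origin, plus a small check a test suite or log review can use to confirm every generated link points at the expected origin. The base URL, the constructed request headers and the token value are all assumptions for illustration.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed configuration: the application's canonical public origin.
# A real deployment would load this from settings, never from the request.
CANONICAL_BASE_URL = "https://example.com"


def reset_link_from_host_header(request_headers: dict, token: str) -> str:
    """Fragile pattern (shown for contrast): the link's origin is whatever the
    client sent in the Host header, so the application cannot vouch for it."""
    host = request_headers.get("Host", "")
    return f"https://{host}/reset-password?{urlencode({'token': token})}"


def reset_link_from_canonical(base_url: str, token: str) -> str:
    """Hardened pattern: the link's origin comes from configuration only.
    Rejects a base URL that is not an absolute https origin so a bad setting
    fails loudly instead of producing a plain-http or relative link."""
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("canonical base URL must be an absolute https URL")
    query = urlencode({"token": token})
    return urlunsplit((parts.scheme, parts.netloc, "/reset-password", query, ""))


def link_uses_canonical_origin(link: str, base_url: str) -> bool:
    """Check that a generated link's scheme and host match the canonical origin.
    Useful as a unit test on the mail template or as a one-off audit over
    links found in outbound mail logs."""
    link_parts = urlsplit(link)
    base_parts = urlsplit(base_url)
    return (link_parts.scheme, link_parts.netloc) == (base_parts.scheme, base_parts.netloc)


if __name__ == "__main__":
    # Constructed sample request whose Host header does not match our origin.
    sample_headers = {"Host": "untrusted-host.invalid"}
    sample_token = "constructed-token-value"

    fragile = reset_link_from_host_header(sample_headers, sample_token)
    hardened = reset_link_from_canonical(CANONICAL_BASE_URL, sample_token)

    print("host-header link :", fragile, "->", link_uses_canonical_origin(fragile, CANONICAL_BASE_URL))
    print("canonical link   :", hardened, "->", link_uses_canonical_origin(hardened, CANONICAL_BASE_URL))
```

The design point is that the fix is not a filter on the Host header but a refusal to consult it at all when building anything that leaves the server in email: one configured origin, validated once at startup, is the single source of truth for outbound links.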

You can see all the latest and greatest disclosures and bounties on



Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.

 Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties

Have a news tip / story to highlight? We’d love to hear about it. Email: 

Get this email forwarded to you? Click here to subscribe to the Zero Daily


I thought of a computer as some obscene piece of hardware that I wanted nothing to do with… To my utter astonishment, I loved it.

Jean Sammet