Hacking, AppSec, and Bug Bounty newsletter

2017-06-06 | 3.4B Records exposed, Who is Reality Winner, and Security Fest Videos

Tuesday, June 6

RIP Jean Sammet.   



  • Password Reset link hijacking via Host Header Poisoning [19 upvotes] - no bounty for this report to concrete5 by @cdl. Known issue, resolved by entering a Canonical URL. But cool to see statements like this from security teams: “It’s a different vector, but resolved by the same solution. Figured we could give you some rep since it was a nice find.”

  • Flash XSS on Buick_RotatingMasthead_JellyBeanSlider.swf [4 upvotes] - no bounty for this report to General Motors by @mystech7. The website contained a parameter that allowed XSS injection.
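To show what the concrete5 fix above actually changes, here is an added example (not code from the newsletter or from concrete5) of a weak reset-link builder that copies the request's Host header next to a hardened one that uses a configured canonical URL; the canonical URL value, the `/reset` path and the host-check helper are all assumptions for illustration.

```python
from urllib.parse import quote, urlsplit, urlunsplit

# Constructed sample value; in a real deployment this comes from site configuration
# (concrete5's own setting name is not on the page, so this is a placeholder).
CANONICAL_URL = "https://shop.example.com"


def reset_link_from_host(host_header: str, token: str) -> str:
    """Weak pattern: the link's host is copied from the request's Host header.

    Whatever host name arrives in the request ends up in the e-mail, so the
    link's destination is chosen by the request rather than by the site."""
    return f"https://{host_header}/reset?token={quote(token)}"


def reset_link_from_canonical(token: str) -> str:
    """Hardened pattern: the host comes only from the configured canonical URL.

    The Host header plays no part, so a poisoned header cannot change where
    the emailed link points. Mirrors the 'enter a Canonical URL' fix."""
    parts = urlsplit(CANONICAL_URL)
    return urlunsplit((parts.scheme, parts.netloc, "/reset", f"token={quote(token)}", ""))


def host_header_is_canonical(host_header: str) -> bool:
    """Defensive check: does the incoming Host header match the canonical host?

    A mismatch is worth logging (or rejecting) because it is the signal that a
    request is probing for Host-header-dependent behaviour."""
    return host_header.lower() == urlsplit(CANONICAL_URL).netloc.lower()


if __name__ == "__main__":
    token = "constructed-sample-token"
    other_host = "other-host.example.net"   # constructed value for a poisoned Host header
    print("weak     :", reset_link_from_host(other_host, token))
    print("hardened :", reset_link_from_canonical(token))
    print("host ok? :", host_header_is_canonical(other_host))
```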

You can see all the latest and greatest disclosures and bounties on



Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.

 Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties

Have a news tip / story to highlight? We’d love to hear about it. Email: 

Get this email forwarded to you? Click here to subscribe to the Zero Daily


I thought of a computer as some obscene piece of hardware that I wanted nothing to do with… To my utter astonishment, I loved it.

Jean Sammet


HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty solutions encompass vulnerability assessment, crowdsourced security testing and responsible disclosure management. Discover more about our hacker-powered security testing solutions or Contact Us today.