2017-06-15 | Muni bond cyber risks, Vine bug, and XSS-radar

Thursday, June 15

Have a great day!

TOP STORY

Reuters digs into how the U.S. municipal bond market is slowly starting to pay heed to cyber risks. Even S&P Global has begun to quiz states, cities and towns about their cyber defenses. Some credit analysts are starting to factor cyber security when they look at bonds but Fitch Ratings still does not consider cyber security in its ratings, and many investors still are not concerned enough to ask for details - yet.

HACKTIVITY

Vine - overwrite account associated with email via android application [16 upvotes] - $280 bounty for this report to Twitter by @mishre. A logic issue in the Vine signup flow allowed a user to create a new account that would be associated with a user’s email, which could result in the user being unable to access their original account.
Open redirect / Reflected XSS payload in root that affects all your sites (store.starbucks.* / shop.starbucks.* / teavana.com) [9 upvotes] - $375 bounty for this report to Starbucks by @inhibitor181.

You can see all the latest and greatest disclosures and bounties on www.hackerone.com/hacktivity

OTHER ARTICLES WE’RE READING

XSS-radar by Bug Bounty Forum. Fuzz away.
How-To: Server Side Request Forgery (SSRF) by H1 co-founder Jobert Abma
Hunting in Memory
Detect Beaconing with Flare, Elastic Stack, and Intrusion Detection Systems

ABOUT ZERO DAILY

Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.

Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?

Have a news tip / story to highlight? We’d love to hear about it. Email: zerodaily@hackerone.com

Get this email forwarded to you? Click here to subscribe to the Zero Daily

We're trying to get sense of who has their head in the sand and who doesn't.

Geoffrey Buswick

HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty solutions encompass vulnerability assessment, crowdsourced security testing and responsible disclosure management. Discover more about our hacker powered security testing solutions or Contact Us today.