Hacking, AppSec, and Bug Bounty newsletter
2018-05-07 | The billion dollar bank heist, Iframes and harmless buttons by filedescriptor, and Michigan’s CySAFE framework
Monday, May 7
Persistent XSS in [redacted] [20 upvotes] - $400 bounty for this report to Reverb.com by @bigshaq.
Team object in GraphQL discloses team group names and permissions [52 upvotes] - $2,500 bounty for this report to HackerOne by @haxta4ok00.
You can see all the latest and greatest disclosures and bounties on www.hackerone.com/hacktivity
TWEET OF THE DAY
Let’s play a game. Assume you’ve been hired as the CISO of a 1000 employee org that has literally no security infrastructure.
What types of product-based security solutions are REQUIRED purchases to build an effective sec program within 3 years? - @chrissanders88
OTHER ARTICLES WE’RE READING
MacOS Security with Osquery and AWS Kinesis Firehose by Craig Huber
CySAFE framework distills more than 400 controls from popular frameworks into 36 cybersecurity best practices. It was developed collaboratively by 5 counties in Michigan and the state of Michigan.
All hail collaboration: Atlantic Council researcher Jason Healey thinks Cyber Incident Collaboration Organizations (CICOs) can make multi-party incident response processes streamlined and, well, better, faster, stronger.
Collection of bug bounty report templates by Gwendal Le Coguic
“Harmless” buttons and iframe fun in filedescriptor’s newest post: Google YOLO
This is entertaining: a virus scan is not incident response and more, Base64 is not encryption, a scan is not a pentest…
For a late night read check out The billion dollar Bangladesh bank heist by the New York Times Magazine
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?
Have a news tip / story to highlight? We’d love to hear about it. Email: firstname.lastname@example.org
Get this email forwarded to you? Click here to subscribe to the Zero Daily
In cybersecurity, it is time to go beyond sharing and ad hoc cooperation, to collaboration at scale across borders, stakeholders, and sectors.
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.