We begin our latest security research roundup (also published as a 

”. Building on Paulos Yibelo’s recent 

, the researcher was enamoured of the hacking technique in part because he liked “using small browser features in creative combinations to make convincing ways of breaking security boundaries”, according to a 

 documenting his adventures exploring this terrain. The PoC that emerged leverages a fake Cloudflare Captcha and iconic video game Flappy Bird. 🐤

Thomas Stacey of Assured Security Consultants meanwhile has 

detailed some overlooked HTTP request tunnelling attacks

 that affect popular servers like IIS, Azure Front Door and AWS Application Load Balancer. He also promises an “innovative detection approach combining the single-packet attack method with established HTTP desync techniques”. His conclusion: “

Well done also to the researchers who managed to 

, the open source JavaScript implementation of the OpenPGP standard for message encryption and signing, by passing a maliciously modified message to openpgp.verify or openpgp.decrypt. 🔑 In a 

, Edoardo Geraci and Thomas Rinsma from Codean Labs said the critical vulnerability “means an attacker can use any previous valid signature made by a victim, and ‘replace’ the signed data with anything while the signature remains valid”. They also explained why “for messages that are signed and encrypted, the situation is even worse.” The flaw was remediated via the 

 of the vulnerability along with related open source bug-hunting opportunities. 🐞

Before we move onto our latest bug-hunting guides, Dojo news and leaderboard update, here’s a 

final roundup of interesting security research

 we’ve spotted over the course of the past month:

Eclipse on Next.js: Conditioned exploitation of an intended race-condition

How to pull off a near undetectable DDoS attack (and how to stop it)

 – BSidesSF presentation from Simon Wijckmans

Security issues found in pre-installed apps on Android smartphones

Poison everywhere: No output from your MCP server is safe

 – writeup by Simcha Kosman of CyberArk Labs

O2 VoLTE: locating any customer with a phone call

 is an uncomplicated, passive way to uncover misconfigured subdomains and exposed credentials within minutes. Our latest Bug Bounty recon guide is a beginner-friendly explainer for 

harnessing the power of Google's search function

Potentially exposing passwords and secret tokens, source code or internal endpoints, 

path traversal or arbitrary file read vulnerabilities

 can achieve significant impacts and Bug Bounty rewards. Should your knowledge of these flaws be less than comprehensive, you may therefore be interested then to 

learn some practical path traversal or arbitrary file read attacks

 to Dojo). 💎 Well done to khimluck4, P0pR0cK5 and duplicatesucks for the three best solutions submitted for ‘Ruby Treasure’. In the 

, the eponymous Pwnii discusses the solution to this challenge, whereby regex validation issue in Ruby – exploited via IO.read's ability to spawn subprocesses with specially crafted input – can lead to remote code execution (RCE). Our current monthly challenge is 

. Submit your solution by 4 July if you wish to be in contention for being among the three best writeups and thus winning exclusive swag. 🎁

Italian hacker drak3hft7 has been proverbially ‘on fire’ in recent months and has further burnished his credentials by climbing into the top three on YesWeHack’s 

 and other attributes, the hunter leverages the power of collaboration and chaining bugs to achieve his burgeoning success on our 

We’re fast approaching one of our biggest events of the year. Taking place in Paris between 27-29 June, 

event with a mystery target unveiled on-site. The marathon live hacking event will run from 10am on 28 June in ‘Le Loft’ and run until the early hours of the following morning. You can also find our team on booth 41 to talk Bug Bounty and of course add to your haul of merch. Finally, prizes will be up for grabs in relation to the successful completion of a CTF challenge crafted by our Tech Ambassador, BitK.🏆

That’s it for this month. Happy bug-hunting!👋

Read this monthly roundup of content aimed at ethical hackers even sooner by subscribing to 

Are you a CISO, other security professional or security-conscious dev? Check out our CISO-focused sister newsletter, 

 – bringing you news, insights and inspiration around offensive security topics like Bug Bounty, vulnerability disclosure and management, pentest management and attack surface protection.

Ultimate double-clickjacking exploit, novel HTTP/2 request tunnelling techniques, when encryption makes matters worse – ethical hacker news roundup

Bug Bounty Programs are a boon for DevSecOps environments, according to the red team lead for offensive security at Gong, the revenue AI company.

Reflecting on his experience overseeing Gong’s crowdsourced security testing, Dean Dunbar explains how 

 accommodates rapid release schedules, recounts how scoping challenges were surmounted, and marvels at bounty hunters’ skills, tools and “passion for security”.

 empowers everyone on a modern revenue team to improve productivity, increase predictability, and drive revenue growth by deeply understanding customers and business trends and driving impactful decisions and actions. The Gong Revenue AI Platform captures and contextualises customer interactions, surfaces insights and predictions, and powers actions and workflows that are essential for business success. More than 4,500 companies around the world rely on Gong to unlock their revenue potential.

How has your private Bug Bounty Program evolved so far?

 We launched our Bug Bounty Program with a focused scope, initially targeting critical areas for our clients and product.

As we saw the value hunters brought to the table, we expanded the scope and adjusted bounties to attract even more top talent. It’s been an evolving process, and each round of feedback helps us refine the program to make it more impactful.

What is the biggest challenge you have faced and how have you overcome it?

 Scoping has been a moving target. Historically, scoping for bug bounties a decade ago was working with simpler CIDR ranges, but modern ecosystems might include cloud providers and SaaS providers.

As Gong’s infrastructure grew, our Bug Bounty scope had to adapt to keep pace. YesWeHack has been instrumental in making scope management easy, helping us maximise coverage while clearly defining out-of-scope areas.

 for Bug Bounty researchers. YesWeHack has streamlined this with their credential pools, which allow researchers to access test credentials securely and efficiently.

This has been a game-changer, letting researchers dive deeper into testing our features without needing manual account setups. The credential portal is more secure than manual credential sharing.

What has most surprised you about Bug Bounty?

 I’m consistently impressed by the depth of expertise among the hunters. Over the last decade, I’ve seen submissions from specialists who notice vulnerabilities that automated tools or standard processes would miss.

It’s a powerful reminder of the unique value that fresh perspectives bring.

Browse interviews with YesWeHack customers operating in a variety of regions and industries

What are your plans or hopes for how your crowdsourced security testing operation will evolve in the coming months or years?

 Looking forward, we plan to broaden the scope to cover more features as they roll out, attracting new talent to the program.

We’re also focused on making it easier for developers to incorporate findings into their workflows, streamlining how vulnerabilities are addressed.

Why did you choose YesWeHack over other platforms?

 YesWeHack has been the right partner for us because they make Bug Bounty management, triaging and communication straightforward, which is essential as we scale.

As a fast-growing company, finding tools that grow with us and offer real value can be challenging. YesWeHack provides a comprehensive, cost-effective solution that lets us focus on getting the most out of our program.

What are the most significant benefits of Bug Bounty?

 One of the biggest benefits is that it gives us constant security coverage. Unlike periodic tests, it’s ongoing, so we’re always aware of emerging threats.

We also benefit from the diverse perspectives of security researchers around the world, many of whom specialise in unique or niche vulnerabilities.

In what ways is Bug Bounty distinct from pentesting?

Bug bounties are distinct from pentests in their scope and timing. A pentest is typically a time-boxed engagement that provides a snapshot of the application’s security at that moment.

A Bug Bounty, on the other hand, is ongoing and often involves many researchers with different skillsets. It lets us receive real-time feedback on our security as we release new features, rather than waiting for a scheduled test. This makes bug bounties especially valuable for fast-growing, frequently updated platforms like Gong.

What are the key factors for a successful Bug Bounty Program?

 Clear scopes and prompt response times are crucial. Hunters need to know exactly what’s in scope and what’s out, and they should receive quick, meaningful responses to their submissions.

Fair bounties and transparent communication build trust with hunters and motivate them to participate actively. It’s also important to have strong internal processes to handle triage and get findings to developers quickly so the vulnerabilities can be addressed efficiently.

Any advice for peers who are considering launching a Bug Bounty Program?

 I’d recommend starting with a private scope to understand the process without getting overwhelmed. Make sure you have resources dedicated to triaging and responding to submissions in a timely way, as this is key to maintaining hunter engagement.

Also, don’t rush to make it public right away – take time to refine your scope and process so it’s sustainable long-term. Finally, communicate clearly and openly with hunters to create a positive, collaborative experience for everyone involved.

 One of the best parts of managing a Bug Bounty program has been getting to know many of the 

These top performers operate at an incredibly high level. They’ve often developed their own custom asset management tools, which let them respond almost instantly when new vulnerabilities are announced.

It’s a reminder of just how dedicated and skilled this global community is – full of resourceful, creative people with a real passion for security. Working with them has been both inspiring and a great learning experience, and it’s reinforced the value that a strong Bug Bounty Program can bring to a company.

Is your security team managing a Bug Bounty Program yet? 

 to find out more about the benefits of crowdsourced security testing and how this model can be adapted to the specific needs of your organisation.

‘More efficient than a pentest and it generates trust’: TeamViewer’s Bug Bounty story so far

‘Valuable for fast-growing, frequently updated platforms’: Gong OffSec lead on the merits of continuous, crowdsourced security testing

“We still have not seen a single valid security report done with AI help,” was the unequivocal conclusion to a 

 by Daniel Stenberg, original author and lead of 

. 🤖 A clearly exasperated Stenberg said he would “now ban every reporter INSTANTLY who submits reports we deem AI slop”. 

, Stenberg said AI-generated reports were invariably “friendly phrased, perfect English, polite, with nice bullet-points” – and useless from a security point of view. Similarly, a software engineer at Open Collective, which manages its own program, recently complained that “

”, suggesting the inundation might ultimately force them to migrate to a Bug Bounty platform that can 

The second story on our monthly roundup (first published as a LinkedIn newsletter) involves a big win for human bug hunters (go, humanity!). A pair of researchers from Codean Labs discovered a significant 

vulnerability in OpenPGP.js that could have allowed attackers to spoof signature verification

😮 The flaw, which was reported to the 

 on YesWeHack, recently hit the headlines – attesting to the rarity, technical sophistication and impact of such cryptographic bypasses. It also reflected the wide deployment of OpenPGP.js and the potential impact on popular downstream applications. We invited researchers Edoardo Geraci and Thomas Rinsma from Codean Labs, plus OpenPGP.js maintainer Daniel Huigens, to

 comment on the discovery and disclosure process

. 💬 For an in-depth analysis of the discovery process and proof-of-concept, also read Thomas Rinsma’s 

 that documents his and Edoardo Geraci’s discovery.

Speaking of prioritising vulnerabilities, “defending against 

 continues to be a race of strategy and prioritisation,” according to an 

analysis of zero days exploited in the wild

 by the Google Threat Intelligence Group. The quartet of Google researchers who penned the blog post said zero-day vulnerabilities are “becoming easier to procure” and that “attackers finding use in new types of technology may strain less experienced vendors”.🚨The writers warn of a shift beyond a “historic focus on the exploitation of popular end-user technologies […] toward increased targeting of enterprise-focused products [which] will require a wider and more diverse set of vendors to increase 

 in order to reduce future zero-day exploitation attempts.”🛡️

Before we round up our own recent CISO-focused content, here’s a few other notable stories of interest we’ve spotted elsewhere:

CISOs bet big on AI tools to reduce mounting cost pressures

 examination of Wipro’s State of Cybersecurity Report 2025

How to survive as a CISO aka ‘chief scapegoat officer’

 reviews a recent RSA Conference panel on CISO whistleblowing

Will AI agent-fueled attacks force CISOs to fast-track passwordless projects?

‘Secure email’: A losing battle CISOs must give up

 opinion piece by Keith Lawson, CISO at the London Health Sciences Centre

How do you decide which vulnerabilities to fix first?

 Should CVSS scores be the overriding metric? 🤔 Instalment #2 in our series on continuous threat exposure management (CTEM) – which Gartner believes could lead to a two-thirds reduction in breaches – focuses on the model’s 

🧐 Learn how automated priority scores can facilitate risk-based remediation, and the benefits of consolidating multiple sources for vulnerability discovery into a single, unified interface.💡

Developers typically spent nearly two hours extra per week on security tasks in 2024 compared to the previous year, according to an IDC report.🧑💻They were even spending an average of more than three hours a week addressing unexpected security issues outside of normal working hours ⏰Suggestive of a reactive rather than proactive security culture, this context suggests two solutions to the 

: streamlining remediation and upskilling devs to prevent vulnerabilities from appearing in the first place without disrupting their workflows.✅ 

, taking place at Clermont-Ferrand in France, between 17-18 June. You can find our team and bag some swag on booth 125. Hope to see you there!

After that comes one of our most important events of the year. Taking place in Paris between 27-29 June, 

 sees us, as usual, host a live Bug Bounty event with a mystery target unveiled on-site. The marathon live hacking event will run from 10am on 28 June in ‘Le Loft’ and run until the early hours of the following morning. You can also find our team on booth 41 to talk Bug Bounty and vulnerability management. Finally, prizes will be up for grabs in relation to the successful completion of a CTF challenge crafted by our Tech Ambassador, BitK. 🏆

More conferences and live hacking events will be announced soon! 📅

Read this monthly roundup even sooner by subscribing to 

 – our LinkedIn newsletter curating news, insights and inspiration around offensive security topics like Bug Bounty, vulnerability disclosure and management, pentest management and attack surface protection.

Are you a bug hunter or do you have an interest in ethical hacking? Check out our ethical hacking-focused sister newsletter, 

 – offering hunting advice, interviews with hunters and CTF-style challenges, among other things.

‘AI slop’ bug reports and outsourcing triage, OpenPGP.js signature-spoofing bug, race to combat zero-day exploits – OffSec roundup for CISOs

Mining web archives and analysing logs is a powerful reconnaissance technique every Bug Bounty hunter should master.

Ever missed a six-figure bounty because a forgotten debug endpoint slipped through the cracks? Archive-based recon reveals the hidden treasures developers thought were buried forever. This passive approach generates zero ‘noise’ on the target’s systems, so you can scout vulnerabilities entirely undetected.

In this article, you’ll learn more about the value of archive-based recon, how to wield logs and snapshots, and a few handy commands and tools for uncovering intel that might reveal hidden security flaws.

Popular web archive recon tools
- Wayback Machine and waymore
- GetAllURLs (Gau)

Deep-dive web archive recon techniques
- Parsing archived JavaScript with LinkFinder
- Analysing logs for forgotten endpoints with TruffleHog

Putting it all together: A concise recon workflow

Expanding your toolkit: more passive recon techniques

Best practices for mitigating web archive recon

Web archive reconnaissance involves capturing and analysing historical snapshots and crawled data of a website to unearth information that is no longer visible on the live domain. Ethical hackers can then potentially leverage this info to find and exploit vulnerabilities that still exist on live systems.

This historical data can be gathered from public archives, such as Wayback Machine, CommonCrawl, Archive.today and URLScan, passively – so your traffic stays away from live servers.

So passive recon reliably evades detection and invariably steers ethical hackers away from legal risks and grey areas.

The uninitiated might surmise that a technique that eschews live, up-to-date systems in favour of months’ or years’ old data would have dubious utility.

Each archived screen capture freezes a moment in development time, preserving the so-called “nightmare leftovers”: debug panels, test APIs and credentials that developers forgot to remove.

These remnants often point directly to serious vulnerabilities, so their discovery cuts your reconnaissance time and puts you on a path to potentially high-severity and critical findings.

Web archive recon can reveal invaluable intel about:

 URLs or APIs disabled in production but still accessible, offering hidden attack surfaces

 Hardcoded tokens, credentials or configuration values in old JavaScript or config files

 Admin panels, debug consoles or staging pages that still linger in archives despite having been removed by developers

 Changelogs, README files and developer notes revealing logic or business workflows

The following are the most popular web archive recon tools – and for good reason. They are user-friendly and effective at yielding actionable insights about your targets.

These tools automate large-scale retrieval of historical data, eliminating manual effort and enabling systematic analysis.

 is an archive of snapshots that reveal how websites, and their attack surfaces, have evolved over time.

 collects archived URLs and downloads historical responses from Wayback Machine, 

Some useful information about the capabilities of various API keys, which can be stored in 

 Fetches full HTTP headers, screenshots and inline scripts

 Tags URLs with malware or suspicious content verdicts

 Uncovers shadowed references or removed assets missed by standard archives

Example 1: List all archived URLs (mode U)

This command harvests every archived endpoint in order to build your attack surface list:

Example 2: Download pages and extract JS (mode R)

This command retrieves all JavaScript responses for deep offline analysis:

Example 3: Collect archived URLs within a specific time frame (mode U + date filters)

The following command fetches only archived URLs captured between 1 January 2022 and 1 January 2023. Focusing on a specific development window, such commands can make otherwise lengthy results more manageable:

 aggregates URL lists from multiple archives in seconds, eliminating manual merging. Pulling from Wayback Machine, CommonCrawl, 

 and URLScan, it offers broad coverage. Users can filter results by extension, status code and subdomain. API keys can be stored in 

This command focuses on dynamic pages and scripts where secrets and logic hide: 

 files can expose hidden endpoints or tokens.

Now you know the basics, here are some methods for digging deeper:

Parsing archived JavaScript with LinkFinder

 extracts endpoints from offline JS files. For instance:

LinkFinder is useful because endpoints often reveal hidden API routes.LinkFinder is useful because endpoints often reveal hidden API routes.

Analysing logs for forgotten endpoints with TruffleHog

Archived logs often conceal hidden API routes, panels or tokens. 

 can scan those files and spit out any URLs or high-entropy strings directly to your console.

 to collect every path – including HTML, scripts, APIs and images.

 Test endpoints on the live site to see if they still expose data.

 to verify which assets are still active.

 CLI to reveal new subdomains without touching the target

 for historical DNS records to map past infrastructure

 to gather past registrant information and related domains

 Remove sensitive files, debug consoles and test APIs before deployment – thereby preventing archives from immortalising secrets

 and strict robots.txt rules to deter most crawlers

 Enforce authentication on log storage, rotate keys and sanitise entries to strip IPs, tokens or stack traces – thus minimising leakage

Mastering web archive and log-based reconnaissance gives you a unique window into a target’s forgotten past – unearthing endpoints, secrets and interfaces that live on in historical records.

Combine tools like waymore, gau and trufflehog with techniques such as LinkFinder parsing and methodical offline analysis and you can turn snapshots with nostalgic appeal into fuel for actionable attack paths. Following a structured workflow – harvesting every URL, analysing content offline, extracting hidden parameters and validating findings on live sites – can ensure you leave no stone unturned without running the risks entailed by implementing active recon techniques.

As for security teams, always remember to purge artefacts, steer crawlers away from sensitive sections and lock down your logs.

Whether you’re chasing your next bug or fortifying your own applications, archive-based recon is an indispensable recon method. Sometimes the past really does hold the key to your next high-impact finding in the present.

Recon Series #6: Excavating hidden artifacts with Wayback Machine and other web-archive tools

Headlines generated by a critical signature-spoofing flaw reported to the 

 attest to the rarity, technical sophistication and impact of such cryptographic bypasses.

 likely also covered the story because of the wide deployment of OpenPGP.js and the potential impact on popular downstream applications.

OpenPGP.js is an open source JavaScript implementation of the OpenPGP standard for message encryption and signing. OpenPGP is typically used for end-to-end encrypted email, signing of git commits and software releases, and encrypted file storage, among other things.

Now addressed, the OpenPGP.js vulnerability (CVE-2025-47934) could have enabled attackers to spoof signature verification and therefore dupe victims into trusting malicious messages or software commits. Credit for the discovery goes to Edoardo Geraci and Thomas Rinsma from Codean Labs, who have together netted a €7,500 bounty.

The discovery demonstrates how patience and thoroughness are the highest of virtues when it comes to finding vulnerabilities.

“We could only find this issue by taking the time to properly understand both the software's architecture and the relevant data formats,” Thomas Rinsma told YesWeHack. “It shows that when you search thoroughly, even in such a widely-used (and, presumably, widely reviewed) open source component, critical bugs may be found.”

Bug Bounty Programs allow security researchers to invest as much time as they need in performing reconnaissance and probing targets – whether their efforts take hours, weeks or even months to reach fruition. The fact that Bug Bounty rewards scale up with severity helps to incentivise and reward hunters for the time they invest (albeit high or critical severity issues aren’t necessarily 

 more time-consuming to find than lower severity flaws).

Interestingly, the Codean Labs researchers experimented on this occasion with a time-boxed approach. This “helped us stay focused on the most impactful threats,” said Thomas. “There is an optimal balance somewhere between having enough time to dig deep enough, but also having someone tell you to move on after a while.”

The vulnerability in question was uncovered when the researchers managed to validate a signature that hadn’t actually been signed by passing a maliciously modified message to either the openpgp.verify or openpgp.decrypt functions.

“In order to spoof a message, the attacker needs a single valid message signature (inline or detached) as well as the plaintext data that was legitimately signed, and can then construct an inline-signed message or signed-and-encrypted message with any data of the attacker's choice, which will appear as legitimately signed by affected versions of OpenPGP.js,” reads the relevant 

“In other words, any inline-signed message can be modified to return any other data (while still indicating that the signature was valid), and the same is true for signed+encrypted messages if the attacker can obtain a valid signature and encrypt a new message (of the attacker's choice) together with that signature.”

Discussing the discovery process, Rinsma said: “We followed our standard asset-based methodology, where we take into account the relevant assets and attack surfaces, and analysed the flows between them. This led us to the signature verification logic where we found this flaw. Besides relying on code review, we wrote some one-off scripts to generate PGP payloads to test various edge cases in flows like this.”

For an in-depth analysis of the discovery process and proof-of-concept, read Thomas Rinsma’s 

The OpenPGP.js team released a fix and advisory just 13 days after receiving the initial vulnerability report (on 6 May), once YesWeHack’s triage team and they themselves had swiftly evaluated the issue.

“The disclosure process through YesWeHack has gone very smoothly,” said Rinsma. “The OpenPGP.js team have been nice to work with. They understood the impact and quickly coordinated with their users.”

In particular, Rinsma singled out Daniel Huigens, a maintainer of OpenPGP.js who oversaw validation and remediation, for praise.

Daniel, who also co-authored the latest version of the OpenPGP standard, told YesWeHack: “I would like to thank Edoardo Geraci and Thomas Rinsma for finding and responsibly disclosing this vulnerability, YesWeHack for hosting the Bug Bounty Program and triaging the report, and (last but not least) the Sovereign Tech Agency for sponsoring the Bug Bounty Program.”

A patch is available for users of affected versions (5.0.1 to 5.11.2 and 6.0.0-alpha.0 to 6.1.0). Should users be unable to upgrade to the patched versions, then they can alternatively follow mitigation advice contained within the advisory.

Again, for more details about this vulnerability, including mitigation advice, please check out Thomas Rinsma’s 

Open source Bug Bounty opportunities from the Sovereign Tech Resilience Program

Offering up to €10,000 for critical issues and €5,000 for high severity bugs, the bounty grid for the 

 is highly competitive. In scope at present are three assets: the high-level API of OpenPGP.js, interoperability issues in OpenPGP.js and the OpenPGP standard.

The YesWeHack Blog

Ultimate double-clickjacking exploit, novel HTTP/2 request tunnelling techniques, when encryption makes matters worse – ethical hacker news roundup

Ultimate double-clickjacking exploit, novel HTTP/2 request tunnelling techniques, when encryption makes matters worse – ethical hacker news roundup

‘Valuable for fast-growing, frequently updated platforms’: Gong OffSec lead on the merits of continuous, crowdsourced security testing

‘AI slop’ bug reports and outsourcing triage, OpenPGP.js signature-spoofing bug, race to combat zero-day exploits – OffSec roundup for CISOs

Ultimate double-clickjacking exploit, novel HTTP/2 request tunnelling techniques, when encryption makes matters worse – ethical hacker news roundup

Recon Series #6: Excavating hidden artifacts with Wayback Machine and other web-archive tools

Critical signature-spoofing vulnerability in OpenPGP.js hits the headlines

Dojo challenge #41 - Ruby treasure winners & writeup

Recon Series #6: Excavating hidden artifacts with Wayback Machine and other web-archive tools

Recon series #5: A hacker’s guide to Google dorking

Vulnerability prioritisation and validation: continuous threat exposure management (CTEM) series #2

‘Airborne’ AirPlay attacks, netting $64k from deleted files, triaging AI slop – ethical hacker news roundup

Recon series #5: A hacker’s guide to Google dorking

Don't wait for threats to strike

Products

Researchers

Resources

Company

Follow us