Cross-Site Scripting (XSS) is a super-common vulnerability that infects a victim’s browser with malicious JavaScript code, which is then used to hijack the victim's data or, in some cases, take full control of accounts hosted in the application.

In this comprehensive guide, we break down every variant of XSS attack from reflected and stored to DOM and blind. We reveal practical detection methods, exploitation techniques, and real-world scenarios that demonstrate why mastering XSS is essential for any bug bounty hunter. Mastering XSS techniques is essential since it transforms common flaws into high-impact opportunities in Bug Bounty engagements. It is also considered the #1 most dangerous CWE category as well as being the most frequent bug seen on YesWeHack Bug Bounty Programs.

Types of XSS attacks – detection, exploitation, workflows

Exploiting an isolated and authenticated reflected XSS

Example of an isolated and authenticated reflected XSS exploit

Exploit workflow for an isolated and authenticated reflected XSS

Cross-Site Scripting (XSS), classed as CWE-79, refers to a class of security vulnerabilities in web applications where an attacker injects malicious JavaScript code into content that is delivered to users. This vulnerability occurs when applications fail to properly validate or escape user-supplied input. A fundamental understanding of XSS is a core skill for ethical hackers because it lays the foundation for recognising and exploiting weaknesses in how web applications handle user data.

Although XSS security flaws are often categorised as ‘medium’ severity vulnerabilities, impacts and severity can vary significantly. To maximise the impact of your exploits, you should always pay attention to 

 the XSS is being executed. An ideal outcome is an account takeover (ATO) or being able to modify the sensitive data of another user. In rarer cases, an XSS can be executed directly from a local file and rendered, which could allow arbitrary file read or even remote code execution. This, however, fully depends on how the XSS is being handled by the application.

Reinforce your theoretical knowledge with our hands-on labs with realistic XSS exploitation scenarios

A deep understanding of each type of XSS attack is crucial because it allows you to choose the most effective exploitation strategy based on the target’s context and security posture.

Reflected XSS occurs when user input is not properly sanitised and is reflected by the server in its response. The user input being reflected then executes JavaScript code on the vulnerable web application’s client-side code. Reflected XSS is most often exploited by tricking a victim into clicking on a malicious link, which duly executes malicious JavaScript code in the victim’s browser. This is especially valuable for attackers because it provides a direct route to hijacking sessions and exfiltrating data.

Reflected XSS can be found literately in any user input that is controllable and reflected in the server’s response. Where this is the case, it is always worth testing for reflected XSS. These kind of bugs are often found in places such as search forms, login forms or web paths.

Because a reflected XSS is reflected by a controllable user input value that usually occurs in the URL or body parameters, exploitation usually requires user interaction.

This most typically involves some form of phishing attack that dupes the victim into clicking a link that reflects the XSS payload and executes the malicious JavaScript code. Having successfully infected the victim, the attacker can then perform the actions required to hijack sensitive data or take over the victim’s session.

An XSS detected in a search form and successfully executed in the browser can easily be used to create a URL containing the XSS payload. When the victim clicks on the link, the URL is loaded and the payload executed.

XSS can also be used to change a user’s email address or phone number, or to directly access and hijack the victim’s session – potentially leading to account takeover.

If a session is cookie-based and does not contain a HTTP-only flag, then we should be able to read our victim’s session value and send this value to the server under our control.

For instance, we could create this simple exploit code to perform a request to the attacker’s server that includes the victim’s session value:


This example underscores why a simple reflected XSS can have severe consequences, as it directly leads to unauthorised data access.

This workflow illustrates the step-by-step process for exploiting a reflected XSS, and highlights why each phase is necessary to achieve a successful exploit:

In this scenario the reflected XSS is injected and executed within an authenticated account. It is mainly found either within unique endpoints that rely on unique values related to the current logged-in user (eg: UUID) or within the user account settings. An authenticated reflected XSS can often be chained with a cross-site request forgery (CSRF) vulnerability in places such as the login form.

Imagine that a query search is vulnerable to a reflected XSS on an endpoint that is tailored to the current logged-in user, and that the query search contains a none-guessable UUID value such as:

In this scenario, exploitation is dependent on knowing the victim’s UUID, whereas you only know the UUID value for your own logged-in account. To exploit an authenticated reflected XSS in this situation, you need two elements:

A parameter that can be used to redirect to a local endpoint on the web application. In our case we need to redirect the victim to the vulnerable endpoint that reflects our XSS payload

Both of these issues, perhaps surprisingly, exist on most web applications and can be used as a chain for our exploit.

Now we have an exploit server with a link we can send to our victim. When the victim clicks on the link, they are automatically signed into our account and redirected to the vulnerable endpoint containing our XSS payload, which will then execute.

At this point we have a proof of concept whereby we can trigger the authenticated and reflected XSS vulnerability with a single user interaction. Now, to our final step: making this XSS create an iframe or open a new window on top of the web application to trick the victim into logging into their account. When the victim enters their login details, we can hijack the credentials in plaintext and compromise the victim's account. 

This workflow shows the multi-step exploitation process and emphasises the critical points that the attack leverages to achieve its impact:

Exploring JavaScript’s exploits: A deep dive into XSS vulnerabilities

Stored XSS involves malicious scripts being saved persistently on the server, such as to a database or file. The stored XSS payload is later executed whenever users access the infected content. Stored XSS is particularly dangerous because its persistence can impact many users over time, which typically makes it a high or even critical impact bug.

Stored XSS vulnerabilities are found in contexts where user input is saved and later reused, such as comment fields, posts or chats. Since the user input containing the XSS payload is saved, it may go through multiple string rendering processes. These make payload obfuscation and encoding techniques more powerful, as filter collisions are more likely than in a traditional reflected XSS.

The exploitation of a stored XSS requires patience. An attacker obviously cannot know when the XSS payload will be executed or by what user. It’s therefore wise to incorporate user-metrics analysis into your exploitation strategy to evaluate the privilege levels of your theoretical victims.

Imagine you found a stored cross-site scripting vulnerability in a comment field below an article. This means all users who click on the article and have access to the comments are at potential risk of infection.

One exploit technique that works well in almost all stored XSS scenarios, including this XSS attack example, acts like worm malware and follows the victim within the page until he/she closes the browser tab.

Once the victim gets infected by your XSS payload, malicious JavaScript code should immediately execute that creates a listener, while another malware process creates an iframe covering the full page that isolates the victim. This allows you to follow the victim's future actions.

Inside the iframe, another malware script is launched that hijacks any action the user performs (such as key presses, mouse position, response data). Finally, all hijacked data should be sent to your attack server. To bypass cross-origin resource sharing (CORS), you can use images to send HTTP requests in which the hijacked data is embedded.

This workflow illustrates why stored XSS is considered high-impact and how it can covertly persist and continuously exfiltrate sensitive data from multiple users:

Document object model (DOM) XSS bugs happen entirely on the client side, when insecure JavaScript code dynamically modifies the DOM. DOM XSS may appear due to unexpected mutations or improper sanitization of user input when new HTML code is being created.

XSS attacks and exploitation: The ultimate guide to cross-site scripting

“The entire lifecycle of managing vulnerabilities feels off to me,” a security leader observed in a 

 by a security expert formerly employed by Google and GitHub.

The study kicks off our latest roundup of OffSec and SecOps news we think might interest CISOs, security teams and security-conscious devs. 🛡️💻 Maya Kaczorowski, who quizzed 57 security leaders about “what sucks in security?”, noted that security pros too often lacked “a reasonable process to ingest, dedupe, prioritize and assign vulns at scale, across their environment, cross-functionally”. Another participant observed: “We are at the point for vulnerability management that we were in 2010 with EDR.” Vulnerability management was pain point #2 alongside ticket-based and inconsistent access management (#1) and obtaining and using SaaS logs (#3). 😩

It’s perhaps unsurprising that the number of unique vulnerabilities discovered is growing with each passing year 📈 After all, the code in which security flaws lurk is constantly increasing. And despite rising adoption of DevSecOps practices and laudable secure-by-design initiatives like Content Security Policy (CSP) or Cross-Origin Resource Sharing (CORS), hackers simply find ever-more ingenious ways to find weaknesses. 🧐 But it’s still noteworthy that the 2024 rise in the volume of new Common Vulnerabilities and Exposures (CVE) records far outpaced previous year-on-year rises. Jerry Gamblin, maintainer of CVE.ICU, kindly offered some context for the numbers in our 

CISOs are increasingly influential at boardroom level, according to new research that reflects shifting corporate priorities. 🧐 A 

, the provider of digital resilience software, revealed that 82% of CISOs now report directly to the CEO, a marked increase on the 47% who did so in 2023. An almost identical proportion – 83% – participate in board meetings somewhat often or most of the time. Interestingly, there were significant gaps in the likelihood of CISOs versus board members deeming the following as top priorities: innovation with emerging technologies (52% of CISOs versus 33% of board members) and upskilling or reskilling security employees (51% versus 27%). 📚 “As cybersecurity becomes increasingly central to driving business success, CISOs and their boards have more opportunities to close gaps, gain greater alignment, and better understand each other in order to drive digital resilience,” said Michael Fanning, chief information security officer at Splunk. 🔐

Despite its critical role in national security, CISO has 

 not been exempted, as was expected, from the Trump administration’s offer to government employees to accept a buyout of their jobs. Meanwhile, SANS Institute cybersecurity instructor Moses Frost has 

 President Trump’s dismissal of all advisors from the Department of Homeland Security’s Cyber Safety Review Board (CSRB) to firing federal investigators in the middle of an investigation into airline disasters. ✈️ The CSRB was still conducting an inquiry into US telco breaches by Chinese state-sponsored hackers, and had previously published detailed reports into the Log4Shell vulnerability, LAPSUS$ attacks and the Microsoft Exchange Online breach. Frost’s incredulous reaction was referenced in investigative InfoSec reporter 

 on a flurry of executive orders that stymied various Biden-era cybersecurity initiatives. Trump also cancelled a Biden executive order on artificial intelligence that emphasised the importance of mitigating safety and security risks. South Dakota Governor and Senate-confirmed new DHS director Kristi Noem said that CISA needed to be “much more effective, smaller, more nimble, to really fulfill their mission” to harden federal IT systems, and criticised the agency for veering “far off mission” by fighting misinformation. 🏛️

Lessons from red-teaming 100 generative AI products

Leveraging generative AI in cybersecurity might intrinsically entail more automation, but the human element of AI red teaming is still crucial, according to Microsoft research that presents an “internal threat model ontology” on the subject. 🧑 This was one of eight 

, established by dozens of Microsoft security experts. The other seven? Understand what the system can do and where it is applied; you don’t have to compute gradients to break an AI system; AI red teaming is not safety benchmarking; automation can help cover more of the risk landscape; responsible AI harms are pervasive but difficult to measure; LLMs amplify existing security risks and introduce new ones; and the work of securing AI systems will never be complete (so no different to any other system then!). 🤖

Other articles of note we’ve spotted in the press recently:

The persistent cyber skills gap, complex supply chains and the “disharmony” between “complex or convoluted” regulations are among the greatest cyberspace issues of concern

 – World Economic Forum’s Global Cybersecurity Outlook 2025

40% of organisations have an acute shortage of cyber skills around AI and other emerging technologies

Is DeepSeek AI safe? Or is it just a data minefield waiting to blow up?

We’ve learned a few things about CISOs’ priorities and pain points based on conversations with customers and the ‘hacktivity’ on our Bug Bounty platform. 🧠 As we celebrate our 10th anniversary this year, we’ve decided to share what we’ve heard in interviews with customers and hunters, along with insights based on tens of thousands of vulnerability reports that they’ve resolved over the past 12 months. The upshot is the 

: a one-click download detailing, among other things:

✅ The drivers behind growing adoption of crowdsourced security testing worldwide 🌍

✅ What 2024’s Bug Bounty stats – such as the most common CWEs and highest payouts – tell us about vulnerability trends and the Bug Bounty model 🐞

✅ Interviews with the heads of our triage and customer success management teams 🎙️

✅ A recap of a record year for YesWeHack live hacking events 🏆

✅ And the merits and challenges of leveraging Bug Bounty to secure open source 🔓

Brands that harden their scopes during two-day live hacking events can remediate numerous vulnerabilities in a very short space of time. 🚀 We’ve recently published 

 from one such event (see the video above), which we held in Buenos Aires, with Banco Galicia, the Argentinian bank, providing the targets. 

 filmed at one of our live Bug Bounty events, meanwhile, sees two security pros from iconic sweet-packaged food brand Ferrero discuss the benefits of Bug Bounty more generally and their experiences with YesWeHack (watch the video below). The event in question made history as Italy’s first-ever live Bug Bounty in September.

The 24-month implementation window for the Digital Operational Resilience Act (DORA) closed recently. As of 17 January, financial institutions operating within the EU were supposed to be compliant with these exacting new cyber rules. Mindful that compliance is an ongoing journey of improvement not just a destination, we’ve outlined 

 the YesWeHack platform can help financial service entities cost-effectively strengthen their alignment with the DORA framework.💡

We’d like to flag some coverage of YesWeHack outside of our own channels, starting with an 

 (written in French) with our distinguished co-founder and CEO Guillaume Vassault-Houlière. And, writing in 

, our APAC CEO Kevin Gallerin answered the question: “

Are Bug Bounty Programs the solution to rising cybersecurity threats in Southeast Asia?

Read this monthly roundup even sooner by subscribing to 

 – our LinkedIn newsletter curating news, insights and inspiration around offensive security topics like Bug Bounty, vulnerability disclosure and management, pentest management and attack surface protection.

Are you a bug hunter or do you have an interest in ethical hacking? Check out our ethical hacking-focused sister newsletter, 

 – offering hunting advice, interviews with hunters and CTF-style challenges, among other things.

Vulnerability management reboot sought, CISOs more influential in boardroom, Trump’s cyber overhaul – OffSec roundup for CISOs

The number of new vulnerabilities discovered in 2024 jumped 38% year-on-year, reaching an all-time record of 40,009 new CVEs (Common Vulnerabilities and Exposures).

This compared to 28,818 CVE records published during 2023. To put this in perspective, this growth far outpaced even the rapid rate of increase since 2016, before which numbers had 

 for many years (see the chart below). Most remarkably, the total number of CVEs published last year accounted for 15.32% of all CVEs that have ever been published.

Since 2016, we’ve now seen a 520% rise in the annual volume of new CVE records, which catalogue publicly known vulnerabilities in software or hardware.

These trends are helpfully documented on 

, an open-source project managed by security researcher Jerry Gamblin.

So what changed around 2016-2017? And what drove the even sharper rise last year?

The most obvious factor driving the increase in vulnerabilities is the inexorable growth in the volume of code where vulnerabilities might lurk. Attack surfaces are ballooning amid growing adoption of cloud computing, IoT devices and edge computing, the persistence of legacy systems, and the ongoing digitisation of modern life generally. Software is also becoming more complex, broadening opportunities for finding security weaknesses.

And for all the praiseworthy efforts to make applications more secure-by-design (including security features such as 

 and wider adoption of DevSecOps development practices), hackers, both malicious and ethical, are getting more sophisticated at finding vulnerabilities. AI, specifically large-language models, has been a game-changing accelerant for innovations in vulnerability discovery and exploitation.

As well as more numerous, vulnerabilities are also potentially more impactful on account of the increased integration of third-party components. 

 are just three of many examples where upstream bugs have caused havoc downstream by affecting hundreds or thousands of applications or organisations.

In this context it’s understandable that organisations and regulators have woken up to the importance of vulnerability and discovery and management. Within the EU, 

 are three notable recent examples of legislation that mandates vulnerability disclosure and/or puts offensive security best practices front and centre. 

, from automated scans to pentests, red team exercises and 

Finally, vulnerability disclosure practices have become more standardised, streamlined and widely ingrained as best practice.

But do any of these trends account for the record CVE rise witnessed last year? Not according to Jerry Gamblin, who documents CVE trends on 

“This year's growth originated almost entirely from the top five CNAs [CVE Numbering Authorities],” he told YesWeHack. “These CNAs were specifically created to report CVEs for open-source projects like VulDB, Kernel.org, and GitHub, as well as for WordPress plugins such as Patchstack and Wordfence.

“Collectively, these five CNAs published 17,473 CVEs, making up 43.67% of all CVEs last year. Notably, the Kernel CNA is entirely new, having been founded in mid-February last year and publishing 4,325 CVEs, which is 10.81% of last year’s total CVEs.”

 revealed that 84% of analyzed codebases contained at least one known open-source vulnerability, with 74% harboring high-risk vulnerabilities – up from 48% in the previous year. Similarly, Patchstack has discussed the rise in WordPress flaws on its 

Hacking for €10k rewards and a secure open source ecosystem: Bug Bounty opportunities from the Sovereign Tech Fund


Whatever weighting you assign to the variables driving the multiyear increase in CVE numbers, one thing seems pretty clear: it seems unlikely we’ll see anything other than further rises for the foreseeable future. Indeed, FIRST (Forum of Incident Response and Security Teams) has 

 “another record-breaking year of CVE production” in 2025.

For CISOs navigating complex regulatory and threat landscapes, it only heightens the importance of increasing the effectiveness of their security testing and vulnerability management regime within the constraints of stagnating or only modestly increasing budgets.

Other notable stats about 2024 CVE trends to emerge from CVE.ICU:

, peaking in May, which accounted for 5,010 or 12.5% of the total, with 3 May the busiest single day with 824 new records

average CVSS (Common Vulnerability Scoring System) score was 6.67

, with 231 vulnerabilities achieving the highest-possible score of 10.0, and 

, a high severity buffer overflow issue in the Resource Reservation Protocol (RSVP) feature of Cisco IOS accounted for the 

highest number of unique vulnerable configurations 

, with 6,227 assignments (15.56%) (incidentally, this was also the most common CWE among bugs reported on YesWeHack, as the chart below shows)

most prolific five of all 433 CVE Numbering Authorities (CNAs) 

were: Patchstack (4,566 CWEs) Kernel.org (4,325), Wordfence (3,525), Vuldb (2,936) and Github (2,121) – all established to log CVEs for open-source projects or (in the case of Patchstack and Wordfence) focused on WordPress plugins

, which is inherently agile, continuous and scalable, is cost-effectively adding depth and breadth to the testing regimes of growing numbers of organisations. Combine a YesWeHack Bug Bounty Program with our 

 (ASM) product and you can continuously track your proliferating online assets, strategise your testing initiatives and prioritise vulnerability remediation based on vulnerabilities from various security testing channels – also including ASM auto-scans, traditional pentesting and Vulnerability Disclosure Policy (VDP). 

CVE surge: Why the record rise in new vulnerabilities?

, asked participants to perform a format string injection, read the system environment variables and reveal the flag.

Want to create your own monthly Dojo challenge? Send us a message on Twitter!

 feeds to be notified of upcoming challenges.

Read on to find out how one of the winners managed to solve the challenge.

TALKIE PWNII #3: VIDEO CHALLENGE WRITE-UP

We want to thank everyone who participated and reported to the Dojo challenge. Below is the best write-up overall:

The use of Externally-Controlled Format String vulnerability occurs when an attacker can control the format string used in functions like printf(), str.format(), or similar mechanisms. This can lead to unintended behavior, such as information disclosure, code execution, or crashes, depending on how the format string is handled.

When attempting to identify and exploit security flaws in an application, one of the most crucial steps is conducting a thorough analysis of the source code. A solid understanding of how the application works provides insight into potential attack vectors that might be vulnerable.

By carefully examining the code, you can identify areas where input from untrusted sources (such as user input or external systems) is processed. These inputs often serve as entry points for malicious actors to manipulate the application’s behavior.

The first lines of the code of the application (check below) give some information about the libraries that are used. It also shows that Jinja2 is used. Jinja2 is a template engine for the Python language used to render templates. In this case, it is used to render a template with the main HTML code of the application, but this part of the code is not really important in this case.

The next we can find in the code is the definition of the class 

, which contains a property and some methods that handles the 

Going step by step in the definitions of the 

, which is a python dictionary that contains 

. Data in python dictionaries are stored in 

 method, which is a constructor that will be automatically called when an object of the class is created.

. This method doesn't have much functionality, it just returns a value of a given product name but is not even used in the code of the application.

. This method handle the main functionality of the application.

The method expects a given argument called: 

First the application will check if this argument is empty, and if it is, it will return an empty string, otherwise, it will load the argument with the 

 library. This library is used for parsing TOML (Tom's Obvious, Minimal Language) configuration files. It provides a way to read and interpret 

 files directly into Python objects such as dictionaries. TOML is a 

 that is easy to read and write for humans. It is commonly used for configuration purposes in software projects.

 argument, it is also trying to access the key called 

 inside the given data and storing the content inside the 

With the given data stored in the variable 

, the application will check if there is a key called 

 inside the data and will verify if the value associated with this key is different from 

, the application will raise an error through the method 

 that we will analyze later in this post.

On the other hand, the application also validates if a 

 key exists on the given data and if its value is valid. This is done by checking if the value is inside the defined values at the 

 property previously analyzed. If both conditions are met, the application will return a string saying 

Your have selected: {item}. The gift is on its way!

program flow will go through the except definition

. This definition will save the program error in a variable called: 

 variable, the application will send this error to the 

 method and return the result of this call.

Finally, if none of the earlier conditions or exception handling blocks are met, the program flow will go through the last 

 in the below code. For example, one practical case could be: a valid wishlist is given, but expected keys are missing. This last flow will return the output of the 

The gift was lost among all the Christmas presents!

 previously mentioned. This method is used to create and return a 

, however, this creates a risk, as in Python is possible to 

access object properties through placeholders

. A placeholder in programming refers to a part of a string (or other data structure) that is temporarily used to represent a value that will be provided later. These placeholders are represented in Python as curly braces 

a="test"; mystring = "Hello {}".format(a)

 in this example, the variable mystring will have the value: 

 as the curly braces will be replaced with the 

 is included, it will refer to the current object instance, so if an attacker is able to inject curly braces with properties inside , it will be possible to format the message with internal data of the object. For example, 

 will be formatted with the value of the 

 property. This creates an attack vector that will be exploited later.

 class, few lines of code are left. This remaining code is used to load the user input in the application logic.

 method is called, giving as an argument the 

 POST parameter, and the returned value is saved at the 

 is compared to render the message returned in different ways; this is used to show the message with green colors when the request is successful and with red colors when some issue happens.

Having understood the application logic, we know that in order to use the application we need to send valid 

 standards and the application validations, a valid payload could be something like 

.This payload gives a successful response.

Now that we know how to send valid data to the application, we know there is a vulnerable function, the 

 one, so we need to find a way to give that function a malicious payload to exploit it.

 flow we analyzed previously, as it is sending the error to the 

 method. If we find a way to control what error is coming to this 

 flow we will be able to inject our payload there.

 flow, we will need some of the below lines of code to fail.

A good way to make the application crash will be with the 

 function, this function is used to convert a value into an integer number, so if we give it a random string with characters different that numbers it will crash, as it is supposed to work with numeric values. The best part of this crash is that python will include on the error our value given to the 

 function. With the following testing payload we can verify that: 

wishlist={"item"="hoodie","price"="test"}

As shown in the above image, we find a way to control the error sent to 

 method. Now we could access object properties and more by sending curly braces that will be formatted.

With the following payload it was possible to retrieve the 

wishlist={"item"="hoodie","price"="{.gifts}"}

With this injection it is possible to access internal data of the python code. As 

 library was imported, it was possible to access to the 

 property. The following payload was used: 

wishlist={"item"="hoodie","price"="{.__init__.__globals__[os].environ}"}

Internal environment variables were exposed and the FLAG was found: 

An attacker could exploit this vulnerability to disclose internal information like environment variables, object properties, code variables and more, creating a high impact on the confidentiality.

To fix this vulnerability several measures can be taken:

Implement a regex validation to price parameter to allow only numbers, so it will not crash.

Avoid direct user input in format strings

Sanitize user input to avoid curly braces be interpreted at the 

Dojo challenge #38 - Xmas wishlist, winners and writeup

The 24-month implementation window for the 

As of Friday (17 January), financial institutions operating within the EU had to be compliant with DORA, which obliges them to strengthen their cyber resilience across multiple domains.

There will inevitably be compliance stragglers, and regulators will likely be more forgiving of implementation gaps during the law’s early phase. And of course, compliance is an ongoing process rather than a milestone reached and then ignored. Even if regulators are satisfied, risks can always be further mitigated – and done so more cost-effectively.

The YesWeHack Blog

XSS attacks and exploitation: The ultimate guide to cross-site scripting

Vulnerability management reboot sought, CISOs more influential in boardroom, Trump’s cyber overhaul – OffSec roundup for CISOs

CVE surge: Why the record rise in new vulnerabilities?

XSS attacks and exploitation: The ultimate guide to cross-site scripting

Dojo challenge #38 - Xmas wishlist, winners and writeup

DORA now in force: 5 ways YesWeHack’s offensive security platform can bolster your Digital Operational Resilience Act compliance

The YesWeHack Bug Bounty Report 2025

Dojo challenge #38 - Xmas wishlist, winners and writeup

Recon Series #1: Discover and Map Hidden Endpoints and Parameters

‘There are a lot of vulnerabilities on public programs’: pwnii’s Bug Bounty journey so far

‘Hacking is essentially about curiosity’: Blaklis on the art and science of Bug Bounty hunting

Recon Series #1: Discover and Map Hidden Endpoints and Parameters

Don't wait for threats to strike

Products

Researchers

Resources

Company

Follow us