Attack surface discovery: mapping your exposed vectors with continuous threat exposure management (CTEM)

Mapping an organization’s attack surface is the fundamental first step towards hardening exposed attack vectors.

From web applications to APIs and cloud infrastructure, 

 involves systematically identifying all your internet-facing assets.

Gaps in your inventory of online assets – the ‘known unknowns’ and//or ‘unknown unknowns’ – can exist due to misconfigurations, shadow IT, complex architectures, rapid digital transformation, siloed acquisition of tech, and inadequate asset management processes.

Automated vulnerability scans, pentesting engagements and, in particular, 

 offer effective risk mitigation for tackling your known risks. By definition, they cannot include unknown assets.

But conducting attack surface discovery in an automated and exhaustive fashion, you can then identify, prioritise and fix vulnerabilities across all possible attack vectors, including previously hidden assets.

Yet if the mantra “you cannot secure what you cannot see” is widely understood, far too many CISOs nevertheless have only a patchy overview of their attack surface. More than two thirds of organisations have admitted to having been compromised via an unknown or poorly managed internet-facing asset (IBM report, 2021).

Without the right attack vector analysis tools, InfoSec teams can struggle to identify – let alone secure – their proliferating online assets.

According to TechTarget, 62% of organizations’ attack surfaces have increased over the past two years as organisations launch new apps and websites, store more data in the cloud, add new third-party integrations, use IoT devices and so on. Frequent software updates also heighten the risk of assets going online, or inadvertently remaining online, without security teams realising.

The merits of CTEM in attack surface discovery

So what’s the best way to perform attack surface mapping?

There are many methods and attack surface discovery tools for ascertaining your potential attack vectors: manual network architecture reviews, user access reviews, network scanners, asset management tools, Cloud Security Posture Management (CSPM) tools, attack surface domain discovery tools and Security Information and Event Management (SIEM) systems to name a few.

When it comes to achieving a unified, comprehensive and real-time overview of your internet-facing assets, an increasingly essential model is Continuous Threat Exposure Management (CTEM).

CTEM is a five-step automated process for continuously monitoring an organisation’s environment for new attack vectors, discovering the attack surface’s exposure to vulnerabilities, and remediating the most critical weaknesses first. Implemented well, this can provide a unified, comprehensive and risk-based approach to security testing.

Given your constantly evolving attack surface and the persistent probing of malicious hackers, this continuous and real-time overview of your cyber risks is preferable to periodic ‘point in time’ snapshots.

With digital transformation, accelerating release schedules and tight security budgets demanding an always-on, cost-effective and scalable approach, tech research firm Gartner cited CTEM as a top strategic technology trend for 2024. It forecasts that, by 2026, organisations implementing a CTEM program now could benefit from a two-thirds reduction in breaches.

 enables five operational phases in accordance with the CTEM model. Mapping your attack surface encompasses the first two steps: SCOPE and DISCOVER.

With YesWeHacks’ ASM, you kickstart the CTEM process by ‘scoping’ your assets: declaring your domain names and IP ranges/addresses and letting our solution inventory subdomains, accessible services and associated technologies.

Then our backend scanners can ‘discover’ related subdomains, other domains hidden from the organisation (due to shadow IT for instance), reachable services and associated technologies. Subsequently, they will continuously detect, and notify you of, any newly-surfaced online assets. A value is assigned to each discovered and classified asset according to its business criticality.

The subsequent CTEM phases, which we will cover in future articles, include PRIORITISING the most pressing suspected vulnerabilities discovered across your exposed vectors, through auto-generated priority scores; VALIDATING or rejecting a finding as exploitable in your environment; and MOBILISING by accessing, editing, sharing, assigning and tracking vulnerability reports from all sources to efficiently fix the most urgent security flaws first. In a follow-up article, we will also explore the potential synergy between Bug Bounty Programs and CTEM – with benefits including optimised testing coverage and cost-effective hardening of your exposed vectors.

How the YesWeHack ASM strengthens your security posture

YesWeHack’s ASM product can provide the missing link in your offensive security strategy by providing:

– mapping internet-facing assets and exposed dependencies

Continuous visibility of your organisation’s 

Automated prioritisation of vulnerabilities 

based on an easy-to-understand algorithm – accounting for severity (using CVSS), in-the-wild exploitability (using EPSS) and the related asset’s criticality value (assigned by the client organisation)

Strategised security testing and remediation to 

tackle the most critical vulnerabilities at scale

The turnkey-deployable ASM integrates seamlessly with the existing YesWeHack platform. Vulnerabilities from various security testing channels, including automated scanning by the ASM, Bug Bounty programs, traditional pentesting and Vulnerability Disclosure Policies (VDPs), are therefore consolidated into the same interface. This provides a one-stop-shop for all vulnerabilities – whatever their source and format.

 with YesWeHack today and discover how a risk-based approach can transform your organisation's security strategy.

Our latest ethical hacker roundup leads with a 

new open source tool for understanding how browsers parse HTML

 and uncovering mutated XSS vulnerabilities. 🛠️ The handiwork of our resident security researcher, 

, Dom-Explorer incorporates popular HTML sanitizers Ammonia, Angular, DomPurify, JsXss and SafeValues, while supported parsers include DomParser, Parse5, srcdocParser and TemplateParser. “By using this tool, you can generate this weird behaviour where if your input is not valid, it will change to something that might indicate the potential for vulnerabilities,” says Bitk. The researcher believes Dom-Explorer can simplify, accelerate and send in fresh directions this niche area of security research. 🔥

A client-side exploit chain across various Google services has impressed the InfoSec world. Leveraging Google Slides’ YouTube embed feature to access a victim’s Google Drive file, path traversal, open redirects across YouTube subdomains and oddities in Google Docs’ sharing UI, the discovery has 

netted security researcher Lyra/’Rebane’ an oddly specific bounty of $4,133.70.

 as an exemplar of how exploits can become “easier the longer you spend targeting a single company”, and evidence of an unusual combination of hacking skills. “Most white-hats specialize a bit, website logic shenanigans like iframes or the hardcore code analysis stuff like the link I posted for example. But not this [person, she] seems to have mastered both,” 

In other hacking tool news, ‘Cfreal’, highly respected for his PHP work, has made another significant contribution to this field with the 

, which helps ethical hackers exploit blind file read primitives in PHP. The researcher says the utility transcends most limitations undermining similar tools. 🚀

Speaking of PHP, the star of our YouTube channel’s latest hunter Q&A, Blaklis, also favours PHP targets. As well as discussing his preferred scopes, the prolific hunter, who sits 21st on our all-time leaderboard, reflects on how hacking video games introduced him to bug hunting, outlines his typical working day, and tells us which non-computing-related career he thinks most closely resembles Bug Bounty (watch the video below). 🐞 Similarly, we’ve also published a new 

, complete with related video, starring HakuPiku, in which he declares a fondness for hacking Android apps and open-source code. 📱

HakuPiku’s penchant for open source means he features on our new 

, which tracks the most successful hunters in terms of valid vulnerabilities reported to our open source programs. Top spots are currently held by calehuri, mdisec and foobar0x7 (visualised on the image below). 🏆 Hunters are further incentivised by the fact that any valid bugs reported to our open source Bug Bounty Programs will score hunters some exclusive merch, as well as the usual financial rewards. 🎁 Applicable scopes for this swag include 

’s seven public programs, which offer max €10,000 rewards: Log4j, Systemd, GNOME, ntpd-rs, OpenPGP.js, Sequoia PGP and CycloneDX Rust Cargo. The swag is also available via three programs managed by Open-Xchange: 

. Incidentally, the bounty grid for PowerDNS, an open-source DNS server, was recently increased to a €8,000 maximum. 💰 🎯

As for the general leaderboard, Rabhi, Xel and pocsir currently head both the overall 

Using AFL++, afl-cov and basic custom harnesses to find a libsoup bug

Back to the research writeups: we're spotlighting research from a hunter who also stars on the aforementioned open source leaderboard. In a new blog post, 'Sigabrt' 

 in which he used AFL++, afl-cov and basic custom harnesses to find a heap overflow bug in libsoup on a YesWeHack public program, namely that of 

'Ading2210', meanwhile, has recounted how he 

 for reporting Chromium vulnerabilities that allowed for a sandbox escape from malicious browser extensions with just “a tiny bit of user interaction”.  The potential consequences were grave: “Instead of merely stealing your passwords and compromising your browser, an attacker could take control of your entire operating system,” he wrote. Eek. One redditor called it “

 I've read since The Cuckoo's Egg”. 💰

Multiple vulnerabilities in a Realtek SD card reader, meanwhile, apparently “enabled non-privileged users to leak the contents of kernel pool and kernel stack, write to arbitrary kernel memory, and, the most interesting, read and write physical memory from user mode via the DMA capability of the device”. 💻  An 

 details Realtek’s fixes for what were seemingly highly serious flaws. “If your laptop is equipped with an SD card reader, it is highly likely to be manufactured by Realtek, making it susceptible to these vulnerabilities as well,” 

Our latest white-box penetration testing guide explores 

how to debug for JavaScript vulnerabilities

. In testing a web application vulnerable to prototype pollution within a Docker container, Brumens’, another of our resident hackers, demonstrates how to debug JavaScript inside Visual Studio Code in order to track payloads throughout the code process and learn how security filters can hide vulnerabilities. Relatedly, we’ve also detailed our 

top 5 hacking tools for white-box pen testing

Exploiting trust: Weaponizing permissive CORS configurations

’, Outpost24’s Thomas Stacey reveals the results of a project initiated to answer the question: “Are we underestimating CORS vulnerabilities?”. 🤔 Possibly, it seems, given the application security auditor uncovered multiple CORS (Cross-Origin Resource Sharing) flaws affecting customers, including critical issues including user sessions. He observes that both the detection and exploitation of permissive CORS can be tricky, the latter “due to modern security controls like the “SameSite” cookie attribute, or even modern application architectures like single-page applications”. Mindful of these challenges, he sets out some tooling and methodology advice for finding vulnerabilities in CORS implementations.

Other recent writeups and InfoSec news of interest include “

 of an AI agent finding a previously unknown exploitable memory-safety issue in widely used real-world software”; Sonar showing how to turn a file write vulnerability in a Node.js application into RCE 

when the target’s file system is mounted as read-only

data breach involving France’s second largest internet service provider (ISP) and telephone operator

, affecting more than 19 million customers and 5.11 million IBAN numbers. 😮

Next up, Dojo news. Trick or treating might be over for another year, but our platform’s new dark mode 🖤 – 

 to coincide with the celebration – is here to stay, while our Halloween-themed monthly CTF challenge – ‘

’ – has concluded (congrats to the winners: Atlas_py, qu35t3190 and Fravoi). 👻 The current active challenge is ‘

’, open for submissions until 12 December. Elsewhere on Dojo, another new training module has dropped: 

. And finally, check out our new feature, Talkie Pwnii, a series of videos from one of our researcher enablement analysts, pwnwithlove aka pwnii! In the first video, below, pwnii shows you two alternative solutions to our latest Dojo challenge, '

', and a few technical tips and tricks. 🚀

Over the weekend, we ran a successful live Bug Bounty in Buenos Aires, Argentina.

 across two days, the live hacking event involved targets from Galicia Bank. This was the final top 3:

💉 First Blood: Damián Gambacorta aka g4mb4

💥 Best Impact: 🎩 Alan L. aka soyelmago

A huge thank you to Galicia Bank for their trust and involvement. We also want to extend our gratitude to Ekoparty and Bug Bounty Argentina for their support in making this event a resounding success. 🙏

Highlights from the Ferrero live Bug Bounty

And here is the final podium for another live Bug Bounty that took place at the end of September, with legendary sweet-packaged food brand Ferrero providing the targets:

Watch highlights from this competition, which was Italy’s 

Read this monthly roundup of content aimed at ethical hackers even sooner by subscribing to 

Are you a CISO, other security professional or security-conscious dev? Check out our CISO-focused sister newsletter, 

 – bringing you news, insights and inspiration around offensive security topics like Bug Bounty, vulnerability disclosure and management, pentest management and attack surface protection.

New tool for finding mutated XSS, $20k Chromium sandbox escape, Live bug bounty results from Ekoparty – ethical hacker news roundup

There’s always vulnerabilities,” said Erik Täfvander, head of cybersecurity at ATG: those you know about, those you don’t know about, and those yet to be created.

When it comes to finding them, he told YesWeHack in the interview below, Swedish betting brand 

 to be more productive than pentesting in multiple ways.

In the video and writeup below, Erik also explains how ATG has optimised its approach to crowdsourced security testing, praises YesWeHack’s customer support and triage team, and assures his peers that they “have very little to lose” by road-testing their own program.

Erik Täfvander on ATG's mission and why security is paramount…

ATG is short for Swedish words – AB Trav och Galopp – and we’re a unique betting company. We’re based in Sweden, and we’re owned by the horseracing industry. We try to offer our customers the world’s best betting experience. And it provides about 30,000 daily jobs in Sweden.

Security is important for us. We need to keep our customers’ trust, and one thing is to make sure that if you bet at ATG, your money is safe and your bet is fair.

On what prompted ATG to launch a Bug Bounty Program…

It was good timing actually. We had been looking into it for a bit. It didn’t really tip over at first, but we did struggle with traditional pentesting. We needed something to keep up [with our needs] – to not only [test assets at] a point in time but continuously get reports.

And what kind of tipped the scale was also the business model: that we reward hunters for providing us with valuable information, and we only reward them when we get the information.

On the program’s evolution since launch…

If I’m not mistaken, we launched in 2021. And we started with a private program with a small, limited scope to see if this was something for us. And frankly, in the beginning, I was a little bit bored, because we had for a couple of weeks not a single report. It was that quiet. And then, something happened – we got an instant 20 reports.

After that, we tried to evolve the program to include new scopes, new assets, improve on our reward levels to keep it attractive. And since, I think it’s two years now, we have been running a public program, which has a wildcard scope – so you’re allowed to basically try anything out that is [one of our digital assets].

On the biggest challenge they’ve overcome so far…

Oh… good question. The first challenge we met was: who will help us to patch these bugs? That wasn’t that clear in the beginning, so we kind of developed our own documentation and developed techniques to find out who’s responsible for what line of code, and it’s been running much smoother after that.

On the value of YesWeHack’s customer support and triage service…

I appreciate that you make me feel like a partner more than a client. I really, really, really want to send some kudos to the triage team. They are on the ball 24/7 almost, really rapidly giving us their insights on reports that we receive, and helping us during the process.

I think it gives you great insights into what’s going on, because you use basically the same techniques for malicious hacking, and we learn a lot from that. Also that we pay a reward to someone who is trying to help us.

And you get fast return on investment. If we get serious vulnerabilities reported to us, it’s worth it all day long to reward the hunter for those vulnerabilities.

On the merits of Bug Bounty versus pentesting…

I would say the political answer is it’s 

 pentesting. But with that said, we have had, I would say, 20 really serious reports that we would never get from a traditional pentest. The collective knowledge that we get from a Bug Bounty Program is huge, compared to a pentest where you hire a couple of researchers or consultants to help you.

On keeping hunters engaged after three years and counting…

We’ve done a lot to keep it attractive but that’s a challenge that we need to work on. It was easier in the beginning – when you started to ramp up scopes, you started to ramp up rewards.

But now we’re in a wildcard situation, we can’t add many scopes because they are already there. Now we work with how we interact with hunters – that we are really keen to keep them in the loop, appreciate their work, collaborate and try to be as rapid as we can when we pay out the rewards.

It’s a collective effort because you need colleagues within development, operations and other parts of the business to remediate the bugs reported, because knowing that you have a bug is one thing, but when you actually solve it and patch it, then you have completed the loop.

On whether running a Bug Bounty Program is time-consuming…

From my point of view, there’s not a lot to do. I try to keep my fingers out of the ‘cookie jar’, in terms of looking at the reports! My team manages it beautifully. That’s one [great] thing about this kind of service: the main focus is on remediating vulnerabilities.

Advice for organisations that haven’t yet launched a Bug Bounty Program…

I would suggest trying it out. You actually have very little to lose, because it’s easy to start, easy to quit if you want – but I don’t think you will. You learn about your security posture in a way that you probably didn’t know before.

If you try and you don’t get any reports, I would probably have to buy you a drink or something like that! Because I was afraid in the beginning for us, but now we receive reports continuously. And now, it’s like a self-playing piano in some way.

With the knowledge that we have about ourselves, we know that there’s always vulnerabilities. There’s those that you know of, those that you don’t know of yet, and those that you haven’t deployed yet. So there’s continuous work to be done in terms of keeping your application secure.

 for further details on rules, rewards and scopes.

Want to learn more about the YesWeHack Bug Bounty & Vulnerability Management platform? 

 to schedule a demo with one of our experts.

‘The collective knowledge ATG gets is huge’: cyber chief on Betting brand’s Bug Bounty story

Security teams should note two fresh milestones in the EU’s regulatory framework, begins our latest 

 roundup of OffSec insights (originally published as a LinkedIn newsletter). 

 by the European Commission. With market access to the world’s largest trading bloc contingent on compliance and multimillion-euro fines the potential penalties for violations, CISOs from around the world will certainly be paying attention. 🚨

In light of this, we have published a new guide to the 

security testing and vulnerability management dimensions of NIS 2

, which introduces wide-ranging requirements for member states and ‘essential’ or ‘important’ services. We’re publishing a guide to the CRA, which applies to vendors of products with digital elements (PDEs), soon. 📱 These laws form key planks of the 

EU’s recent drive to upgrade its cybersecurity framework

. The emerging framework, in common with cyber laws emerging elsewhere in the world, has many prescriptions and recommendations for undertaking activities we happen to be experts in: understanding and minimising your attack surface, proactively and continuously finding vulnerabilities, and adopting a risk-based approach to their remediation. 😉

(Image credit: CC-BY-4.0 © European Union 2024 – Source EP)

 suggests the ongoing global shortage of cybersecurity skills helps to explain how 

spending growth on security software and services

 is outstripping that of recruitment and staffing. 📈 The article points out that Gartner expects security service spending to increase 15.8% next year, while IDC forecasts a global CAGR of 12.2% between 2023-2028 for managed security services. As CSO senior writer John Leyden writes, “CISOs are turning to managed security services to take advantage of seasoned practitioners that they would struggle to hire and retain internally.”👨🏼‍💻

With security teams growing more slowly than attack surfaces, we believe growing demand for crowdsourced security testing is partly fuelled by the same dynamics. And even if the skills shortage were magically addressed tomorrow, no organisation will ever have the kind of internal OffSec resources they can access when they launch a Bug Bounty Program – namely the diverse skills of tens of thousands of ethical hackers. Relatedly, 

Foundry’s 2024 Security Priorities Study

22% of new vulnerability assessment roles are outsourced

US Cybersecurity and Infrastructure Security Agency (CISA)

 about the performance of its Vulnerability Disclosure Policy (VDP) platform. “Since launching in 2021, the VDP Platform has triaged over 12,000 submissions (over 7,000 in 2023) on behalf of 51 onboarded agency programs, saving agencies a significant amount of time and resources,” the annual report disclosed. “Over 2,400 unique, valid vulnerability disclosures have been identified, of which nearly 2,000 have been remediated by agencies. Since launch, over 3,200 security researchers have participated.” VDPs, as we’re rather fond of reminding our readers, offer 

 and are increasingly a compliance must-have not just nice-to-have. 🛡️

is confirmed as the president elect for a second time, there’s a lot of uncertainty about his agenda for funding CISA and policies related to cybersecurity. 

, cyber reporter David DiMolfetta gives a decent summary of the fears (notably about budget cuts) and more positive takes (for instance, cyber has recently been one of vanishingly few bipartisan issues) expressed by current and former government officials. 🤔

, about the need to defend their organisations against the 

 in creating and distributing malware, phishing lures and deepfake videos. 🤖

Back to our own output, and Bug Bounty beating pentesting in terms of both the breadth of skills available and the depth of their deployment, as per the views of TeamViewer’s senior project manager for security, Michael Gillig, expressed in our 

. In this interview Michael marvels at the 

Bug Bounty discoveries missed by pentesting

, lauds YesWeHack’s triage team and recounts how TeamViewer, whose remote access/control software is installed on more than 2.5 billion devices worldwide, has grown and fine-tuned its program since launch. 🛡️

We recently collaborated with another instantly recognisable brand, the makers of Ferrero Rocher and Kinder Surprise no less, in the successful delivery of 

Read what Ferrero, one of the world's largest sweet-packaged food companies, made of the event

, and watch highlights from this live Bug Bounty below. 🍫 

Our next live Bug Bounty is imminent, taking place in Buenos Aires, Argentina at 

 this week. The two-day competition, running between 14-15 November, will help an as-yet-unnamed brand (unmasked when the event kicks off) significantly harden their digital assets thanks to the dozens of vulnerabilities routinely reported during these events. Our team will discuss our platform on booth 10 throughout the three-day Ekoparty event. Learn about the 

 to the organisations providing the targets. 🚀 

Read this monthly roundup even sooner by subscribing to 

 – our LinkedIn newsletter curating news, insights and inspiration around offensive security topics like Bug Bounty, vulnerability disclosure and management, pentest management and attack surface protection.

Are you a bug hunter or do you have an interest in ethical hacking? Check out our ethical hacking-focused sister newsletter, 

 – offering hunting advice, interviews with hunters and CTF-style challenges, among other things.

NIS 2 in force, Cyber Resilience Act adopted, CISA hails VDP impact – OffSec roundup for CISOs

, asked participants to exploit a broken access control in a SQL statement combined with a command injection vulnerability to achieve a remote code execution (RCE) to capture the flag.

Want to create your own monthly Dojo challenge? Send us a message on Twitter! 

 feeds to be notified of upcoming challenges.

Read on to find out how one of the winners managed to solve the challenge.

TALKIE PWNII #1: VIDEO CHALLENGE WRITE-UP 

We want to thank everyone who participated and reported to the Dojo challenge. Below is the best write-up overall:

OS Command Injection is a security vulnerability that occurs when an attacker is able to execute arbitrary operating system commands on a server. This typically occurs when an application improperly sanitizes user input, allowing malicious commands to be injected into dangerous function or bad functionality implementation. This vulnerability can lead to unauthorized access, data theft, or full system compromise if exploited.

In this challenge we are presented with a web application that allow us to check for the availability of our local hosted services. The application waits for the user to send a token along with a command argument. The 

 argument is used to perform a sort of authorization access and the 

 argument allows the user to specify the IP of the host he wants to check the availability of.

If we inspect the source code and the different components on the network processing our input, we have the following things :

) --> This one is classic and we do not really need to think about it here

WAF Blacklist --> This will blacklist the 

 keyword, but as we will see, we do not need to worry about this blacklist either.

Finally the python code handling our input :

This simply do the reverse of the URL encoding --> URL decoding.

Nothing very special for now. But things will get more complex in the following parts

When examining the source code, the interesting class is the 

 class. This class mainly gives the functionality to execute the 

 variable. Our goal is to see if we can inject arbitrary shell commands within it in order to exploit an OS command injection vulnerability. However, as we will see, this parameter is protected (or should I say : almost...)

This variable is coming directly from the 

 argument the user is able to supply. However, before getting into the 

 command, it is sanitized by "one" function that has two different implementations depending on the user we are executing the code with :

 is a custom filter implemented by the developer who made the app. But before analyzing this, we must determine how to get to this function. In other words, we must find a way to fill the 

Code analysis - PART 3: Let me be the 'dev' I just want to 'test'...

In order to be able to reach the (hypothetical) vulnerable function 

, we need to supply the correct value to the 

 class. The code that is doing all of this is the following :

Okay, we have quite a few things here. First, we have a request to a database, which is selecting all the 

 function to get the first row of the database. Then it gets the index 

 to get the first element of the set returned (basically first column) and use this value to fill the 

 variable. However, if nothing is returned by the database, the 

With all of this, we may already infer something. The only way to get the 

 value, is to get it from the database. But can we do that ?

an unknown string of 0 or more characters

And if we combine the two examples above :

This means that we can match an arbitrary string, as long as the "middle" character is within it.

With this in mind, and based on the name of the variable on which is made the SQL "filter" (

 for the user will look like a long string composed of random alpha-numerical characters such as

Now that we know all of this, we can try the following idea :

 user is very likely to be in it. Furthermore, since it is the developer, it is likely to be in the first entry of the database since it must have been created first. What we will try then, is to supply the payload 

 parameter in order to make the SQL request return the 

If we put the following standard values, we execute the command as the 

The YesWeHack Blog

Attack surface discovery: mapping your exposed vectors with continuous threat exposure management (CTEM)

New tool for finding mutated XSS, $20k Chromium sandbox escape, Live bug bounty results from Ekoparty – ethical hacker news roundup

‘The collective knowledge ATG gets is huge’: cyber chief on Betting brand’s Bug Bounty story

Attack surface discovery: mapping your exposed vectors with continuous threat exposure management (CTEM)

NIS 2 in force, Cyber Resilience Act adopted, CISA hails VDP impact – OffSec roundup for CISOs

Dojo challenge #36 - Shell Escape winners and writeup

‘Happy hunters equal happy customers and vice versa’: YesWeHack vulnerability triage chief Adrien Jeanneau on creating a virtuous Bug Bounty circle

NIS 2 in force, Cyber Resilience Act adopted, CISA hails VDP impact – OffSec roundup for CISOs

Dom-Explorer tool launched to reveal how browsers parse HTML and find mutated XSS vulnerabilities

‘I like Android apps and open-source code’: HakuPiku on Bug Bounty, CTFs and his favourite targets

‘More efficient than a pentest and it generates trust’: TeamViewer’s Bug Bounty story so far

Dom-Explorer tool launched to reveal how browsers parse HTML and find mutated XSS vulnerabilities

Don't wait for threats to strike

Products

Researchers

Resources

Company

Follow us