Soft skills and the right mindset are even more important to success in Bug Bounty than technical skills because the latter are easier to learn, according to one of Italy’s most prolific hunters.

Having first registered on YesWeHack in 2021, ‘

’ – aka Simone Paganessi – has climbed to 8th position on YesWeHack’s 

. He has notched 656 reports at the time of writing. All this was achieved while working for an Italian company as a pentester.

In the Q&A and video below, Drak3hft7 also discusses his journey to being a hacker, his best bug find so far and his favourite hacking tools.

Drak3hft7 on the challenging road to becoming a hacker…

I had a long journey. I studied [many] hours [on] software development and networks[s]. After this, I studied [for the] OSCP certification.

I started Bug Bounty three years ago. The road for a hacker is very difficult, because today it’s one technical system; tomorrow it’s a new technical system, new firmware and other updates.

I prefer YesWeHack because it’s a very fantastic structure and very fast triage. I hacked [many] companies, big companies [through] YesWeHack – it’s always exciting.

My favourite critical find is an IDOR. I was able to change the parameter in the cookie and read and edit all user data in the web application: thousands of data [points]. I reported on YesWeHack. After two or three days, it was accepted.

On the personal attributes that most fuel his bug-hunting success…

My best skill for me is persistence – not technical skills but soft skills. Because, if you are a hacker, you are persistent. Very persistent, curious, passionate. The technical skills you can study, you can try [to learn].

I prefer the proxy to analyse the request and the response, to find vulnerabilities in parameters, cookies. And [I often use] Ghauri. Ghauri is the best tool for SQL injection. And the best for me is the Wayback Machine, for getting all the requests.And the best for me is the Wayback Machine [to hunt for bugs via archived URLs].

In Italy, I love the gym – very important for physical and mental health, and stability! I love to read books and watch films at the cinema.

On whether his family and friends understand what hacking is…

My family is a big help for my hacking, because it’s very important for my stability.

My friends don’t know about my hacking skills. My family don’t understand my work in the hacking system and Bug Bounty. Always questions: “What is Bug Bounty?” – it’s a difficult answer for this question.

On his favourite hacking-related art or entertainment…

My favourite TV series is Mr. Robot. [Elliot] Alderson is a very fantastic hacker and the hacker culture in the TV series is the best.

Learn more about hunting through YesWeHack

, or learn about the latest hacking tools and techniques 

‘My best attribute is persistence – technical skills you can learn’: drak3hft7’s Bug Bounty story so far

Vendors of digital products should of course prioritise security testing and vulnerability management for the sake of their users and their own reputation.

Now they have 36 months to do so to the standards set by the EU Cyber Resilience Act (CRA) if they want to sell their software or hardware inside the world’s largest trading bloc. 🇪🇺

The CRA has just been published in the EU’s Official Journal, kickstarting a three-year countdown to full compliance. Covering everything from laptops to smart TVs, the law was introduced primarily to address “widespread vulnerabilities and the insufficient and inconsistent provision of security updates to address them”. 📱 Following our 

vulnerability testing/management explainer for NIS 2

 after it came into force last month, we’ve now 

summarised the new vulnerability-focused CRA rules

, which advocate Bug Bounty Programs.🐞

 roundup of OffSec insights (originally published as a LinkedIn newsletter), the global Bug Bounty market is 

 to grow at a compound annual growth rate (CAGR) of nearly 16% between now and 2032 – up from $1.52 billion to $4.95 billion. 📈 Business Research Insights attributes its prediction to “growth and demand returning to pre-pandemic levels”, as well as organisations needing to “regularly test their IT infrastructure” given “constantly evolving” tech stacks and the fact “a hacker could potentially destroy a company's reputation in a matter of minutes”. It also notes that, while Bug Bounty has traditionally been dominated by the software development industry, recent growth has also been fuelled by increasing adoption by governments and large corporations. 

“Many advantages, including inexpensive pricing based on output, software testing in real-time, scalability, and device and geographic coverage, can be obtained through crowdsource testing,” writes Business Research Insights in a separate but related report that notes how crowdsourced security testing is growing particularly fast in the 

Coincidentally, Research and Markets has released its own 

forecast for the global security testing market

, anticipating 24.7% CAGR until 2029 in part due to AI development that will “make anomaly detection and vulnerability prediction more reliable”. 🤖 Application security testing is the fastest growing segment of tech, says the report, while “the healthcare vertical holds the largest market share in the security testing market due to its critical need for stringent security measures”. 🏥

distilled details of a CISA red team engagement

 where they compromised a critical national infrastructure entity through a web shell “left from a third party’s previous security assessment”. 😬 CISA (the US Cybersecurity and Infrastructure Security Agency) wrote that leadership of the entity “deprioritized the treatment of a vulnerability their own cybersecurity team identified, and in their risk-based decision-making, miscalculated the potential impact and likelihood of its exploitation.” About the previous engagement's oversight, the head of research and discovery at Google threat intelligence 

: “I've seen too many red team screw ups like this [...] Stay humble and clean up after yourselves.” An infosec consultant also 

: “CISA red teaming exercise reports have been stellar in the past, but this newly released one is a really great read.” 📚

A bill that would require US federal contractors to implement NIST-compliant vulnerability disclosure policies (VDPs) has moved a step closer to becoming law after clearing a key Senate panel, 

. Civilian federal agencies are already required by law to have VDPs, and the same will soon apply to federal contractors it seems given bipartisan support for the Federal Contractor Cybersecurity Vulnerability Reduction Act. 🏛️

We conclude our roundup of useful OffSec content beyond our own output with these three interesting articles:

 – interview with Canonical CISO Stephanie Domas on 

: With great responsibility comes little or no power

Triage chief on keeping hunters and customers happy

“Giving Bug Bounty customers clear, relevant and actionable vulnerability reports gives them confidence in the process,” says Adrien Jeanneau, who heads up YesWeHack’s in-house triage team. Speaking in an interview 

, Adrien reflects on how the triage team strives to facilitate a “virtuous circle” 🔄 by keeping both customers and bug hunters happy, as well as discussing the role of automation, prioritising vulnerability reports by severity and impact, and beating YesWeHack’s first-response SLA by a wide margin. 🔥

How does an organisation identify – let alone secure – its proliferating internet-facing assets amid tight budgets and increasing cyber-attacks? 🤔 In the first of a new series of articles about attack surface management, we explain the process of 

 and make the case for implementing Continuous Threat Exposure Management (CTEM) to achieve a unified, comprehensive and real-time overview of your exposed vectors. 🚀

“We’ve had around 20 really serious reports that we would never get from a traditional pentest,” said the subject of our 

. 🔥 Transcribed from a video interview we’ve posted previously, this interview sees Erik Täfvander, head of cybersecurity at Swedish betting company ATG, reflects on the intrinsic benefits of Bug Bounty, recalls how ATG fine-tuned its approach to crowdsourced security testing, and offers his peers in other organisations some OffSec advice. 💎

As the year draws to our close, our 2024 events calendar concludes this week with 

 (11-12 December, London). 🇬🇧 Finally, we’re also proud sponsors of the Bug Bounty Village at the upcoming 

 in Brazil (14-15 December, São Paulo). ‍

Read this monthly roundup even sooner by subscribing to 

 – our LinkedIn newsletter curating news, insights and inspiration around offensive security topics like Bug Bounty, vulnerability disclosure and management, pentest management and attack surface protection.

Are you a bug hunter or do you have an interest in ethical hacking? Check out our ethical hacking-focused sister newsletter, 

 – offering hunting advice, interviews with hunters and CTF-style challenges, among other things.

Clock ticking on Cyber Resilience Act compliance, Bug Bounty forecasts, intriguing CISA red team find – OffSec roundup for CISOs

Collaborating with ethical hackers whose skills complement his own has apparently been pivotal to the success of ‘Nagli’, one of the biggest earners in the world of 

In just a few years of bug hunting, the 26-year-old hacker has achieved more than simply racking up points and bounties from a steady stream of impressive vulnerabilities.

 – has also harnessed automation creatively to scale up vulnerability discovery, and leveraged his Bug Bounty experience in bootstrapping 

, currently also works at Wiz, the cloud security platform.

In the following interview, Nagli additionally recounts how he became a hacker, details his most memorable bug discovery, and offers several golden tips to peers with designs on emulating his success.

I was always into computers and video games – Counter-Strike, Combat Arms, MapleStory and so on… So I was always technical with computers and the field of hacking was always interesting when you play video games and see people gain advantage in an unwanted way, and do those kinds of other things.

So it was always an interesting world. When you’re a hacker you have some superpower… you can do stuff that other people can’t, and you can actually make an impact and conduct some amazing things. So that’s what I’m doing with hacking and that’s what got me to actually explore it a few years ago.

On the secrets of his bug-hunting success…

I think what helped me to become successful is a lot of collaboration, networking with other people. I got the insight that I can’t be the best hacker on every section – like hacking Salesforce products or hacking other components – so just find a lot of people who are experts in what they do and give a lot of dedication. Then, whenever you stumble on a lead, you can just pass it to them and you can explore it with them together.

But basically: just a lot of dedication, not giving up and just constantly looking, investing a lot of hours into finding bugs.

So I had a lot of interesting and pretty critical bugs. It can be code executions… but the one I most like was a few weeks ago, on my birthday actually: there was one portal that suddenly became alive and there was tons of production data of a company – like years of development, internal communications… it’s very hard to configure all your SaaS products to make sure they are always configured to have authentication, to have a login panel.

So, every time you have a bug, it allows you to see the PII of customers, of a lot of customers, so every customer of a company; or just to see a lot of internal discussions from the past. It’s a goldmine for attackers so it’s a good thing on your side to report it to the company.

On the importance of staying abreast of fast-evolving tech and techniques…

So we need to evolve and learn for every new technology, like 

, which was introduced a few years ago, APIs, nowadays AI hacking as well. So if you don’t stay on top of the latest trends, latest methodologies, you won’t make it to the top and you won’t be able to do it successfully for a lot of time. So, every time there’s a new technique or new methodology in the manual hacking space or automation, I just like to adapt it as soon as I can into my systems.

On the most productive scopes right now…

A lot of the automation bugs I saw that were very active like one year or two years ago are getting fixed. Like a lot of subdomains takeovers, like on Heroku or Route 53.

Eventually the vendors rolled them out, so you can’t only rely on vendors that have a misconfiguration and use it for your favour so… I think hacking is very valuable if you have credentials, so inside to an inner system, because then it’s constantly evolving, it’s different developers from different companies who don’t know all the security nuances, and then you can find goldmines there.

So definitely focus on manual sides, on companies, getting credentials, getting access, and then, yeah, going deep into the targets.

On founding and running his own SaaS company…

So one year and a half ago, I took my hacking side of automation, which is what I do mostly – automation and participating in live hacking events – into an actual business, a SaaS product. I saw my own vision into a product to help companies as well. It’s called Shockwave, my company.

There’s a lot of other stuff you need to learn, from being a technical hacker to being a businessman. You need to do a lot of sales calls, legal, contracts… it’s pretty challenging but it’s also fun to do and explore.

I’m very much a soccer/football fan. Arsenal is the team I’ve liked for many years. So this season we have a very good season. Watching Netflix shows, playing FIFA [football video game] with friends… so basically around soccer/football/friends is a lot of stuff that I like to do outside of hacking. Also hitting the gym and just maintaining a healthy lifestyle.

His advice for inexperienced Bug Bounty hunters…

My top tip will definitely be: follow everyone on Twitter, ask them questions – like if someone is making a Twitter thread and you don’t understand something, ask him a question.

It’s good to be curious for insights and look for products that you have extra authentication or extra privileges for – like if your bank has a Bug Bounty Program, so you have a privileged account that is not that easy to create, you have an advantage over the other hackers and you could use it to your favour.

‘Collaboration helped me become successful’: Nagli on becoming a world-renowned Bug Bounty hunter

 extension that automates the assessment and exploitation of signed web tokens. Supporting various token types, including Django, Flask, and Express, it enables you to edit, sign, verify and attack these tokens. 

The extension features automatic detection and in-line editing of tokens within HTTP requests/responses and WebSocket messages. It includes prebuilt wordlists for default secret keys and salts, plus support for JSON-encoded strings and custom dictionaries. Users can save known keys for future attacks and modify signed tokens in Proxy and Repeater message editors.

Inline editing of tokens within HTTP requests/responses and WebSocket messages.

Includes default secret keys and salts, plus support for custom dictionaries and JSON-encoded strings.

Automates brute force attacks using known keys and different derivation techniques.

Supports multiple bypass attacks, including user claims, and Flask and Express claims.

 Detects and analyses unknown signed tokens using various hashing functions.

SignSaboteur can be installed from the BApp Store. A tab within the Repeater provides easy access to various functionalities, such as "Brute force", "Attack" and "Sign". The plugin settings, such as default implemented wordlists, can be found higher up in Burp Suite itself.

Case Study: Finding Secret Keys for Unknown Signed Web Tokens

Consider a scenario where you are testing an application that uses custom-signed web tokens for authentication. You need to determine the secret key used to sign these tokens to evaluate potential security flaws.

When dealing with unknown signed web tokens, SignSaboteur provides a robust method to identify and exploit potential vulnerabilities.

When you select "Unknown" in the "Enabled signers" menu, the extension looks for patterns that match the size of common hashing functions. Some message payloads might be incorrectly identified by SignSaboteur, and therefore require further manual inspection.

The extension supports various message and key derivation techniques used in brute-force attacks, eliminating the need for manual changes. To find the secret key of an unknown signed token:

Uses a combination of known key derivation techniques for a more efficient search.

 Includes slow hashing functions like Password-Based Key Derivation Function 2 (PBKDF2). Use this mode with caution, and only with small wordlists, as it can be time-consuming.

Account User Claims, Authenticated Claims, User Access Token Attacks

Some frameworks use account wrappers to store authenticated user information, which may require the use of authenticated claims for exploitation. SignSaboteur supports this by implementing 12 well-known authorisation flags.

The ‘User Access Token’ option generates a JWT OpenID Connect ID token signed with the same key and hashing algorithm without key derivation, simplifying the process of forging valid tokens.

These techniques provide multiple vectors for bypassing authentication and gaining unauthorised access to sensitive resources.

Username and Password Claims, Flask Claims, Express Claims Attacks

Applications often store user details using "username" and "password" JSON attributes. SignSaboteur can generate a placeholder token for an admin user using these attributes.

In Flask applications, client-side stored session information typically includes attributes like "

". The extension can create a session token for the first user, usually the admin.

Similarly, in Express applications the "passport" JSON attribute is used to store user details, and SignSaboteur can generate a placeholder for the admin user, facilitating privilege escalation.

SignSaboteur not only saves time by automatically detecting and editing tokens within HTTP requests and WebSocket messages, but also helps identify vulnerabilities that manual inspections might miss. Moreover, by using the extension’s pre-built wordlists to check for common weak secret keys and configurations, you can ensure a thorough security assessment while minimising the risk of server overload.

https://portswigger.net/research/introducing-signsaboteur-forge-signed-web-tokens-with-ease

 https://portswigger.net/bappstore/e62afa49e12543edbfa9df498363153c

PimpMyBurp #11 – Master Signed Token Exploits with SignSaboteur

A 36-month countdown to compliance with the EU 

Vendors of products with digital elements (PDEs) now have three years to fulfil all the law’s security requirements – which are focused heavily on eliminating vulnerabilities – if they want to sell their devices or software in the world’s largest trading bloc.

Cyber Resilience Act timeline, scope and penalties

 in the Official Journal of the EU on Wednesday (20 November). This means the act enters into force from 10 December. However, to give regulated organisations more time to prepare, most of the act’s provisions will apply from 11 December 2027.

Depending on the gravity of the offence, violations could result in fines of up to €15 million, €10 million or €5 million, or, respectively, up to 2.5 %, 2% or 1.5% of an entity’s worldwide annual turnover (whichever is higher). Offending products could also be banned from sale within the single market.

PDEs are defined as any software or hardware that connects to networks or other devices. That definition covers the vast majority of modern devices, from smartphones, laptops and tablets to smart TVs, cameras and toys. There are certain exemptions for open-source software, and products covered by existing rules, such as medical, aviation and automobile products.

EU CRA focused on tackling ‘widespread vulnerabilities’

 in 2022 to address “a low level of cybersecurity” in digital products, the European Commission set out to tackle certain deficiencies above all. As well as observing a lack of security information provided to users, it noted “widespread vulnerabilities and the insufficient and inconsistent provision of security updates to address them.”

As a result, the European Cyber Resilience Act has a big focus on identifying, disclosing and fixing vulnerabilities.

For instance, products must arrive on the market in a secure-by-default configuration (with certain exceptions) and free from “known exploitable vulnerabilities”. Identifying the presence of known vulnerabilities is facilitated by the mandatory creation of a 

 (SBOM), which must cover a product’s top-level dependencies as a minimum.

Vulnerabilities should be addressed and remediated “without delay”, the CRA instructs.

Bug Bounty backed by the Cyber Resilience Act

The CRA requires that coordinated vulnerability disclosure policies (CVD policies or VDPs) are implemented to facilitate the external reporting of vulnerabilities, both directly to the vendor “and where requested anonymously, via CSIRTs”. There should also be a single point of contact to which vulnerability information can be relayed and where the CVD policy can be found.

Bug Bounty Programs are explicitly referenced as a vehicle for fulfilling CVD obligations. “Given the fact that information about exploitable vulnerabilities in widely used products with digital elements can be sold at high prices on the black market, manufacturers of such products should be able to use programmes, as part of their coordinated vulnerability disclosure policies, to incentivise the reporting of vulnerabilities by ensuring that individuals or entities receive recognition and compensation for their efforts,” reads the act. “This refers to so-called ‘bug bounty programmes’.”

The Cyber Resilience Act 2024 also urges member states to protect vulnerability researchers from legal harms by adopting “guidelines as regards the non-prosecution of information security researchers and an exemption from civil liability for their activities”.

Specific Cyber Resilience Act requirements are detailed for “high-risk AI systems”, including accounting for “AI specific vulnerabilities such as data poisoning or adversarial attacks, as well as, as relevant, risks to fundamental rights”.

Security updates should be distributed promptly, securely and free of charge, and be accompanied by security advisories, according to the CRA. Where applicable, they should be automatic or separate from functionality updates.

Once patches have been issued, manufacturers are obliged to publicly disclose remediated vulnerabilities, providing a description and information about impact, severity and remediation/mitigation. However, disclosure can be delayed to give users more time to apply patches where “manufacturers consider the security risks of publication to outweigh the security benefits”.

Manufacturers are also expected to notify Computer Security Incident Response Teams (CSIRTs) and ENISA, the EU cyber agency, about “severe incidents” and the active exploitation of vulnerabilities. These requirements apply in 21 months, from 11 September 2026.

Recognising the complexity of the threat landscape, lawmakers have designed the CRA to increase cyber-resilience both throughout the supply chain and lifecycle of digital products.

Vendors must handle vulnerabilities for a minimum support period of five years, unless the product’s lifetime expires sooner. Longer support periods are prescribed for typically long-life components like microprocessors, network devices and operating systems.

When support periods end, “manufacturers should consider releasing the source code of such products” to the public domain or “other undertakings which commit to extending the provision of vulnerability handling services”.

Other CRA requirements cover areas such as authentication, encryption, minimising attack surfaces, reducing the impact of cyber-attacks, and the collection of personal data.

Irrespective of their place of manufacture, PDEs must be compliant if they are sold in the EU single market, encompassing 27 member states plus Norway, Iceland and Liechtenstein. Alongside safety, health and environmental protection standards, CRA compliance is now a condition of bearing a CE mark.

The CRA forms a key plank of the EU’s recent drive to upgrade its cybersecurity framework. Other notable pillars are 

 (introduced a common certification framework for ICT products), 

NIS 2 (Network and Information Security) Directive

 (wide-ranging requirements for member states and ‘essential’ or ‘important’ services) and the 

 (ICT security rules for financial services firms).

These regulations all prioritise – in common with cyber laws emerging elsewhere in the world – a risk-based approach to understanding and minimising your attack surface, and proactively finding, fixing and remediating vulnerabilities.

YesWeHack crowdsourced security testing and VDP solutions can help you fulfil your compliance obligations in a scalable and cost-effective fashion. In particular:

 that provides agile security testing adapted to your development model, results-based pricing, in-house triage, seamless integration with your security tools and more secure development practices

 of our Bug Bounty and vulnerability management platform.

Cyber Resilience Act: compliance countdown set to start for EU law focused on eliminating vulnerabilities

Attack surface discovery: mapping your exposed vectors with continuous threat exposure management (CTEM)

Mapping an organization’s attack surface is the fundamental first step towards hardening exposed attack vectors.

From web applications to APIs and cloud infrastructure, 

 involves systematically identifying all your internet-facing assets.

Gaps in your inventory of online assets – the ‘known unknowns’ and//or ‘unknown unknowns’ – can exist due to misconfigurations, shadow IT, complex architectures, rapid digital transformation, siloed acquisition of tech, and inadequate asset management processes.

Automated vulnerability scans, pentesting engagements and, in particular, 

 offer effective risk mitigation for tackling your known risks. By definition, they cannot include unknown assets.

But conducting attack surface discovery in an automated and exhaustive fashion, you can then identify, prioritise and fix vulnerabilities across all possible attack vectors, including previously hidden assets.

Yet if the mantra “you cannot secure what you cannot see” is widely understood, far too many CISOs nevertheless have only a patchy overview of their attack surface. More than two thirds of organisations have admitted to having been compromised via an unknown or poorly managed internet-facing asset (IBM report, 2021).

Without the right attack vector analysis tools, InfoSec teams can struggle to identify – let alone secure – their proliferating online assets.

According to TechTarget, 62% of organizations’ attack surfaces have increased over the past two years as organisations launch new apps and websites, store more data in the cloud, add new third-party integrations, use IoT devices and so on. Frequent software updates also heighten the risk of assets going online, or inadvertently remaining online, without security teams realising.

The merits of CTEM in attack surface discovery

So what’s the best way to perform attack surface mapping?

There are many methods and attack surface discovery tools for ascertaining your potential attack vectors: manual network architecture reviews, user access reviews, network scanners, asset management tools, Cloud Security Posture Management (CSPM) tools, attack surface domain discovery tools and Security Information and Event Management (SIEM) systems to name a few.

When it comes to achieving a unified, comprehensive and real-time overview of your internet-facing assets, an increasingly essential model is Continuous Threat Exposure Management (CTEM).

CTEM is a five-step automated process for continuously monitoring an organisation’s environment for new attack vectors, discovering the attack surface’s exposure to vulnerabilities, and remediating the most critical weaknesses first. Implemented well, this can provide a unified, comprehensive and risk-based approach to security testing.

Given your constantly evolving attack surface and the persistent probing of malicious hackers, this continuous and real-time overview of your cyber risks is preferable to periodic ‘point in time’ snapshots.

With digital transformation, accelerating release schedules and tight security budgets demanding an always-on, cost-effective and scalable approach, tech research firm Gartner cited CTEM as a top strategic technology trend for 2024. It forecasts that, by 2026, organisations implementing a CTEM program now could benefit from a two-thirds reduction in breaches.

 enables five operational phases in accordance with the CTEM model. Mapping your attack surface encompasses the first two steps: SCOPE and DISCOVER.

With YesWeHacks’ ASM, you kickstart the CTEM process by ‘scoping’ your assets: declaring your domain names and IP ranges/addresses and letting our solution inventory subdomains, accessible services and associated technologies.

Then our backend scanners can ‘discover’ related subdomains, other domains hidden from the organisation (due to shadow IT for instance), reachable services and associated technologies. Subsequently, they will continuously detect, and notify you of, any newly-surfaced online assets. A value is assigned to each discovered and classified asset according to its business criticality.

The subsequent CTEM phases, which we will cover in future articles, include PRIORITISING the most pressing suspected vulnerabilities discovered across your exposed vectors, through auto-generated priority scores; VALIDATING or rejecting a finding as exploitable in your environment; and MOBILISING by accessing, editing, sharing, assigning and tracking vulnerability reports from all sources to efficiently fix the most urgent security flaws first. In a follow-up article, we will also explore the potential synergy between Bug Bounty Programs and CTEM – with benefits including optimised testing coverage and cost-effective hardening of your exposed vectors.

How the YesWeHack ASM strengthens your security posture

YesWeHack’s ASM product can provide the missing link in your offensive security strategy by providing:

– mapping internet-facing assets and exposed dependencies

Continuous visibility of your organisation’s 

Automated prioritisation of vulnerabilities 

based on an easy-to-understand algorithm – accounting for severity (using CVSS), in-the-wild exploitability (using EPSS) and the related asset’s criticality value (assigned by the client organisation)

Strategised security testing and remediation to 

tackle the most critical vulnerabilities at scale

The turnkey-deployable ASM integrates seamlessly with the existing YesWeHack platform. Vulnerabilities from various security testing channels, including automated scanning by the ASM, Bug Bounty programs, traditional pentesting and Vulnerability Disclosure Policies (VDPs), are therefore consolidated into the same interface. This provides a one-stop-shop for all vulnerabilities – whatever their source and format.

 with YesWeHack today and discover how a risk-based approach can transform your organisation's security strategy.

Our latest ethical hacker roundup leads with a 

new open source tool for understanding how browsers parse HTML

 and uncovering mutated XSS vulnerabilities. 🛠️ The handiwork of our resident security researcher, 

, Dom-Explorer incorporates popular HTML sanitizers Ammonia, Angular, DomPurify, JsXss and SafeValues, while supported parsers include DomParser, Parse5, srcdocParser and TemplateParser. “By using this tool, you can generate this weird behaviour where if your input is not valid, it will change to something that might indicate the potential for vulnerabilities,” says Bitk. The researcher believes Dom-Explorer can simplify, accelerate and send in fresh directions this niche area of security research. 🔥

A client-side exploit chain across various Google services has impressed the InfoSec world. Leveraging Google Slides’ YouTube embed feature to access a victim’s Google Drive file, path traversal, open redirects across YouTube subdomains and oddities in Google Docs’ sharing UI, the discovery has 

netted security researcher Lyra/’Rebane’ an oddly specific bounty of $4,133.70.

 as an exemplar of how exploits can become “easier the longer you spend targeting a single company”, and evidence of an unusual combination of hacking skills. “Most white-hats specialize a bit, website logic shenanigans like iframes or the hardcore code analysis stuff like the link I posted for example. But not this [person, she] seems to have mastered both,” 

In other hacking tool news, ‘Cfreal’, highly respected for his PHP work, has made another significant contribution to this field with the 

, which helps ethical hackers exploit blind file read primitives in PHP. The researcher says the utility transcends most limitations undermining similar tools. 🚀

Speaking of PHP, the star of our YouTube channel’s latest hunter Q&A, Blaklis, also favours PHP targets. As well as discussing his preferred scopes, the prolific hunter, who sits 21st on our all-time leaderboard, reflects on how hacking video games introduced him to bug hunting, outlines his typical working day, and tells us which non-computing-related career he thinks most closely resembles Bug Bounty (watch the video below). 🐞 Similarly, we’ve also published a new 

, complete with related video, starring HakuPiku, in which he declares a fondness for hacking Android apps and open-source code. 📱

HakuPiku’s penchant for open source means he features on our new 

, which tracks the most successful hunters in terms of valid vulnerabilities reported to our open source programs. Top spots are currently held by calehuri, mdisec and foobar0x7 (visualised on the image below). 🏆 Hunters are further incentivised by the fact that any valid bugs reported to our open source Bug Bounty Programs will score hunters some exclusive merch, as well as the usual financial rewards. 🎁 Applicable scopes for this swag include 

’s seven public programs, which offer max €10,000 rewards: Log4j, Systemd, GNOME, ntpd-rs, OpenPGP.js, Sequoia PGP and CycloneDX Rust Cargo. The swag is also available via three programs managed by Open-Xchange: 

. Incidentally, the bounty grid for PowerDNS, an open-source DNS server, was recently increased to a €8,000 maximum. 💰 🎯

As for the general leaderboard, Rabhi, Xel and pocsir currently head both the overall 

Using AFL++, afl-cov and basic custom harnesses to find a libsoup bug

Back to the research writeups: we're spotlighting research from a hunter who also stars on the aforementioned open source leaderboard. In a new blog post, 'Sigabrt' 

 in which he used AFL++, afl-cov and basic custom harnesses to find a heap overflow bug in libsoup on a YesWeHack public program, namely that of 

'Ading2210', meanwhile, has recounted how he 

The YesWeHack Blog

‘My best attribute is persistence – technical skills you can learn’: drak3hft7’s Bug Bounty story so far

Clock ticking on Cyber Resilience Act compliance, Bug Bounty forecasts, intriguing CISA red team find – OffSec roundup for CISOs

‘Collaboration helped me become successful’: Nagli on becoming a world-renowned Bug Bounty hunter

‘My best attribute is persistence – technical skills you can learn’: drak3hft7’s Bug Bounty story so far

PimpMyBurp #11 – Master Signed Token Exploits with SignSaboteur

Cyber Resilience Act: compliance countdown set to start for EU law focused on eliminating vulnerabilities

Attack surface discovery: mapping your exposed vectors with continuous threat exposure management (CTEM)

PimpMyBurp #11 – Master Signed Token Exploits with SignSaboteur

New tool for finding mutated XSS, $20k Chromium sandbox escape, Live bug bounty results from Ekoparty – ethical hacker news roundup

‘The collective knowledge ATG gets is huge’: cyber chief on Betting brand’s Bug Bounty story

NIS 2 in force, Cyber Resilience Act adopted, CISA hails VDP impact – OffSec roundup for CISOs

New tool for finding mutated XSS, $20k Chromium sandbox escape, Live bug bounty results from Ekoparty – ethical hacker news roundup

Don't wait for threats to strike

Products

Researchers

Resources

Company

Follow us