AI is of course a mixed blessing for security

. ⚖️ The technology is simultaneously an accelerant for vulnerability discovery and a source of novel risks owing to its unpredictable behaviour and interactions with other components. On the positive side of the ledger, 

has publishing an outbound coordinated disclosure policy

 for disclosing vulnerabilities to third-parties because its models “have already uncovered zero-day vulnerabilities in third-party and open-source software, and we are taking this proactive step in anticipation of future discoveries”. ✅ 

15-year old ‘zombie’ path traversal vulnerability

being propagated not only by developers (inadvertently) “but also by LLMs trained on vulnerable code samples scoured from data sets derived from GitHub and Stack Overflow code”. 🧟 And while AI-powered security systems can accelerate “threat detection and response processes”, AI’s hallucination habit raises the spectre of unnecessary and expensive downtime if systems are taken offline because of fictional cyber-attacks, or AI systems recommending unwise security measures based on fabricated data – a topic 

We’re staying on AI for the next story in our latest roundup aimed at CISOs and security teams – and it still won’t be the last (for good or ill, it’s hard to avoid). Continuous security testing based on intended use cases is a must if organisations want to 

, according to Chatterbox Labs CTO Stuart Battersby, who was 

 recently alongside the AI risk company’s CEO, Danny Coleman, by 

.🔒 “So the first thing is to think about what is safe and secure for your use case," he explained. “And then what you have to do is not trust the rhetoric of either the model vendor or the guardrail vendor, because everyone will tell you it's super safe and secure.” When it comes to continuous testing of AI systems, by the way, we believe 

 (after all, Google, Meta, Microsoft, OpenAI and Anthropic all run AI Bug Bounty Programs). 🧠

Relatedly, Javier Castro, CTO of XDR and SIEM protection platform Wazuh, notes that only 42% of CISOs polled by Darktrace profess to have confidence in their AI deployment and truly understand how it fits with their security stack. 

, he warns that “many AI-powered solutions operate as 

, which goes against the grain of the open source, community-driven threat response the industry is now rightly moving toward”. He prescribes a unified, high-visibility approach, given that “fragmented tools with partial views and proprietary, closed-source alert logic only hinder cybersecurity efforts.”💡

“Gartner’s Hype Cycle emphasises the rising importance of 

continuous threat exposure management (CTEM)

, underscoring why red teaming must integrate fully into the DevSecOps lifecycle,” 

article on conducting AI red teaming and adversarial testing

. In our opinion, the increasing role of CTEM also advertises the benefits of consolidating findings from multiple testing mechanisms into a single, unified interface and 

integrating security testing with attack surface management

Two Congressional Democrats have demanded a review of the 

Common Vulnerabilities and Exposures (CVE) program

’s “efficiency and effectiveness” with the scheme limping on after an 11th hour reprieve from the Trump Administration’s swingeing cuts.💰 The pair have 

asked the Government Accountability Office

 to “conduct a study of the federal programs designed to support vulnerability management for discovered vulnerabilities and weaknesses in information technology systems.” As well as the “recent near-lapse of CISA’s contract supporting the CVE program”, they cited concerns over the fact that, “in early 2024, funding challenges at NIST resulted in a backlog of thousands of vulnerabilities” in the National Vulnerability Database (NVD). 📂 Funding challenges are a concern across the board for US cyber defences. President Trump’s nominee for National Cyber Director was recently 

Cybersecurity and Infrastructure Security Agency (CISA)

 and the risk entailed to critical infrastructure. And all this against the backdrop of a “

 in the United States” following American airstrikes against Iranian nuclear facilities.⚠️

, more evidence has emerged that the much-needed ‘

’ in software development is not running entirely smoothly. Devs are feeling overburdened by vulnerability overload, an AI-fuelled acceleration in development and challenges integrating tools, 

according to a survey by AI security firm Pynt

. The poll found that a quarter of developers felt overwhelmed by the sheer volume of vulnerabilities they were having to deal with, while more than a third considered false positives to be the biggest barrier to successfully ‘shifting left’. 🔄

Before we segue to our own recent output, here’s a few more stories that may pique your interest:

Ukraine war spurred infosec vet Mikko Hyppönen to pivot to drones

Vulnerability in Google's password-recovery page that allowed bruteforcing of users’ phone numbers nets researcher $5k bounty

Report: CISO scepticism is clouding CEO’s GenAI ambitions

‘Redefining Hacking’: Review of book on red teaming and Bug Bounty hunting in an AI-driven world

10 tough cybersecurity questions every CISO must answer

‘Valuable for frequently updated platforms’

“I’m consistently impressed by the depth of expertise among the hunters,” says the red team lead for one of our US-headquartered customers.💪 Dean Dunbar from 

 why Bug Bounty is a boon for DevSecOps environments, about a “game-changer” Gong hit upon when finetuning testing conditions, and the benefits of crowdsourced testing, especially compared to time-boxed pentests.⏱️ More than 4,500 companies worldwide leverage Gong’s platform to boost productivity, increase predictability and drive revenue growth.📈

Next up on our 2025 schedule is the grandaddy of hacker cons, Black Hat USA, where we’ll be debuting as exhibitors. If you’re attending the event, which takes place between 6-7 August in Las Vegas, swing by 

 to meet the YesWeHack team. They can walk you through our Bug Bounty and vulnerability management platform and explain how crowdsourced security is helping organisations uncover vulnerabilities at scale. We’ll also be giving away some super-cool swag and running a casino-themed ‘Hide and Seek’ CTF challenge. 👀

Read this monthly roundup even sooner by subscribing to 

 – our LinkedIn newsletter curating news, insights and inspiration around offensive security topics like Bug Bounty, vulnerability disclosure and management, pentest management and attack surface protection.

Are you a bug hunter or do you have an interest in ethical hacking? Check out our ethical hacking-focused sister newsletter, 

 – offering hunting advice, interviews with hunters and CTF-style challenges, among other things.

OpenAI VDP for bugs found by AI, CVE funding fears persist, ‘shift left’ towards vulnerability overload – OffSec roundup for CISOs

The mystery organisation providing the targets will, as usual, be unmasked immediately before the competition begins – all will be revealed at 10am this Saturday (28 June) at the 

What better way to build anticipation than resurfacing 

highlights from last year’s resoundingly successful live Bug Bounty

? The YesWeHack customer that provided the scopes – L’Oréal – hardly needs an introduction. Websites, APIs and mobile apps belonging to the iconic cosmetics and personal care brand were strengthened by the remediation of 71 vulnerabilities uncovered during an 18-hour bug hunt at LeHACK 2024. More than 100 hunters took part in pursuit of bounty rewards rising to a maximum of €5,000. 

Asked how L'Oréal had benefited from the event, Guillaume Kermarrec, in charge of the company’s Bug Bounty Program and threat and vulnerability management function, cited “meeting the security researchers, meeting the triage team, and working together to find and fix some complex vulnerabilities”. They also seized the opportunity to “test some new scopes with very specific configurations that couldn’t be added to our continuous program”.

To learn more about how the action unfolded, see the final podium and read feedback from participating hunters, check out our 

. The targets for LeHACK 2023, by the way, were provided by the

 French Red Cross and retail distribution giant Les Mousquetaires Group

, also filmed at leHACK 2024, Guillaume Kermarrec and Jean-Jacques Mallet, group cybersecurity director at L’Oréal, discussed L'Oréal’s security culture, the motivations for starting a Bug Bounty Program with YesWeHack, the benefits observed so far, how the program has evolved, and their advice for maximising your return on investments in crowdsourced security.

Any LeHACK attendees can join this year’s bug hunt at any point during proceedings.

The most obvious benefit of participating is the chance to win hundreds or thousands of euros for discovering valid vulnerabilities on the scopes. However, those who take part typically also enthuse about how much they value the opportunity to connect socially with their peers in the hacking community (as well as getting their hands on some exclusive YesWeHack swag!).

The bug hunt kicks off at 10am on 28 June. You can find the hunters, YesWeHack triage team and security team of the participating organisation in Le Loft at the Cité des Sciences et de l'Industrie, where LeHACK is taking place.

YesWeHack will also be fielding questions about our 

Bug Bounty and vulnerability management platform

, as well has giving out exclusive merch with some fresh designs, from booth 41.

If you’re unable to attend the conference, then you can still follow proceedings on 

. We’re taking you backstage from today as everyone gets ready for day one of LeHACK tomorrow!

If your appetite for in-person bug-hunting that is both competitive and collaborative is not sufficiently whetted, then you can also read about last year’s hacking event with 

 (CDC), a French public financial institution, as well as watch highlights from our live Bug Bounty with iconic fashion house Louis Vuitton (this was 

YesWeHack’s second ‘Hack Me I'm Famous’ event

As well as one later in the year with Argentinian bank Banco Galicia…

And finally, another event with Italian sweet-packaged food giant Ferrero:

Every single customer associated with the aforementioned hacking events declared themselves pleased with the outcome in terms of the vulnerabilities discovered and the security lessons learned by collaborating with our hunters. 

Find out more about how your organisation can 

benefit from holding live hacking events with YesWeHack

 to discuss how you can best leverage crowdsourced security testing to suit your testing goals and budgetary constraints.

Flashback to the L’Oréal Live Bug Bounty: Watch last year’s highlights as anticipation builds for leHACK 2025

 to hunt for vulnerabilities? Would you like to access your favourite Bug Bounty Programs from inside this popular AppSec auditing toolkit?

, a new plugin for effortlessly browsing YesWeHack hunting opportunities, monitoring your chosen programs, and adding or updating scopes as they evolve in real-time. This time-saving add-on streamlines your workflow so you can spend even more time hunting for bugs.

In this guide, we'll walk you through everything you need to know about YesWeCaido – including the benefits it brings, and how to install and use the plugin.

 tool used for web application security testing. This increasingly popular tool, which is written in Rust, intercepts HTTP traffic between your browser and target applications, allowing you to inspect, modify and replay requests in real time.

YesWeCaido is a plugin that allows Caido users to fetch 

 from YesWeHack and access their details from within a Caido instance. YesWeCaido is built on 

 server, which ensures that all program details remain up to date as policies evolve and scopes are added.

New or updated scopes, as well as (if required) User-Agents, can be added to your Caido Scopes interface with a click of your mouse.

You can install YesWeCaido from either the 

In Caido, navigate to the plugin page from the left-side panel

Locate the YesWeCaido plugin and click ‘INSTALL’

Download the latest plugin_package.zip file

Click ‘Install Package’ and select your downloaded plugin_package.zip file

YesWeCaido is easy to use and has a user-friendly interface. You can scroll through all YesWeHack Bug Bounty Programs, search for specific programs, and view program details and policies by clicking on the program card.

If you want to work on a particular scope, simple click ‘ADD’ and the scope will be automatically added to, or updated within, Caido's ‘Scopes’ interface. Adding a User-Agent is also a click away, should a given program require you to use one.

Whether you’re an experienced ethical hacker or just starting out as a bug hunter, integrating YesWeCaido with Caido is a smart, simple way to streamline your workflow and stay focused on what matters: finding vulnerabilities.

Installation is quick and easy, while the plugin’s intuitive interface makes it easy to explore hacking opportunities, track policy changes and fetch updated scopes or add new scopes that catch your eye.

 to save time and simplify your workflow!

YesWeCaido: a new Caido plugin for tracking Bug Bounty Programs 

We begin our latest security research roundup (also published as a 

”. Building on Paulos Yibelo’s recent 

, the researcher was enamoured of the hacking technique in part because he liked “using small browser features in creative combinations to make convincing ways of breaking security boundaries”, according to a 

 documenting his adventures exploring this terrain. The PoC that emerged leverages a fake Cloudflare Captcha and iconic video game Flappy Bird. 🐤

Thomas Stacey of Assured Security Consultants meanwhile has 

detailed some overlooked HTTP request tunnelling attacks

 that affect popular servers like IIS, Azure Front Door and AWS Application Load Balancer. He also promises an “innovative detection approach combining the single-packet attack method with established HTTP desync techniques”. His conclusion: “

Well done also to the researchers who managed to 

, the open source JavaScript implementation of the OpenPGP standard for message encryption and signing, by passing a maliciously modified message to openpgp.verify or openpgp.decrypt. 🔑 In a 

, Edoardo Geraci and Thomas Rinsma from Codean Labs said the critical vulnerability “means an attacker can use any previous valid signature made by a victim, and ‘replace’ the signed data with anything while the signature remains valid”. They also explained why “for messages that are signed and encrypted, the situation is even worse.” The flaw was remediated via the 

 of the vulnerability along with related open source bug-hunting opportunities. 🐞

Before we move onto our latest bug-hunting guides, Dojo news and leaderboard update, here’s a 

final roundup of interesting security research

 we’ve spotted over the course of the past month:

Eclipse on Next.js: Conditioned exploitation of an intended race-condition

How to pull off a near undetectable DDoS attack (and how to stop it)

 – BSidesSF presentation from Simon Wijckmans

Security issues found in pre-installed apps on Android smartphones

Poison everywhere: No output from your MCP server is safe

 – writeup by Simcha Kosman of CyberArk Labs

O2 VoLTE: locating any customer with a phone call

 is an uncomplicated, passive way to uncover misconfigured subdomains and exposed credentials within minutes. Our latest Bug Bounty recon guide is a beginner-friendly explainer for 

harnessing the power of Google's search function

Potentially exposing passwords and secret tokens, source code or internal endpoints, 

path traversal or arbitrary file read vulnerabilities

 can achieve significant impacts and Bug Bounty rewards. Should your knowledge of these flaws be less than comprehensive, you may therefore be interested then to 

learn some practical path traversal or arbitrary file read attacks

 to Dojo). 💎 Well done to khimluck4, P0pR0cK5 and duplicatesucks for the three best solutions submitted for ‘Ruby Treasure’. In the 

, the eponymous Pwnii discusses the solution to this challenge, whereby regex validation issue in Ruby – exploited via IO.read's ability to spawn subprocesses with specially crafted input – can lead to remote code execution (RCE). Our current monthly challenge is 

. Submit your solution by 4 July if you wish to be in contention for being among the three best writeups and thus winning exclusive swag. 🎁

Italian hacker drak3hft7 has been proverbially ‘on fire’ in recent months and has further burnished his credentials by climbing into the top three on YesWeHack’s 

 and other attributes, the hunter leverages the power of collaboration and chaining bugs to achieve his burgeoning success on our 

We’re fast approaching one of our biggest events of the year. Taking place in Paris between 27-29 June, 

event with a mystery target unveiled on-site. The marathon live hacking event will run from 10am on 28 June in ‘Le Loft’ and run until the early hours of the following morning. You can also find our team on booth 41 to talk Bug Bounty and of course add to your haul of merch. Finally, prizes will be up for grabs in relation to the successful completion of a CTF challenge crafted by our Tech Ambassador, BitK.🏆

That’s it for this month. Happy bug-hunting!👋

Read this monthly roundup of content aimed at ethical hackers even sooner by subscribing to 

Are you a CISO, other security professional or security-conscious dev? Check out our CISO-focused sister newsletter, 

 – bringing you news, insights and inspiration around offensive security topics like Bug Bounty, vulnerability disclosure and management, pentest management and attack surface protection.

Ultimate double-clickjacking exploit, novel HTTP/2 request tunnelling techniques, when encryption makes matters worse – ethical hacker news roundup

Bug Bounty Programs are a boon for DevSecOps environments, according to the red team lead for offensive security at Gong, the revenue AI company.

Reflecting on his experience overseeing Gong’s crowdsourced security testing, Dean Dunbar explains how 

 accommodates rapid release schedules, recounts how scoping challenges were surmounted, and marvels at bounty hunters’ skills, tools and “passion for security”.

 empowers everyone on a modern revenue team to improve productivity, increase predictability, and drive revenue growth by deeply understanding customers and business trends and driving impactful decisions and actions. The Gong Revenue AI Platform captures and contextualises customer interactions, surfaces insights and predictions, and powers actions and workflows that are essential for business success. More than 4,500 companies around the world rely on Gong to unlock their revenue potential.

How has your private Bug Bounty Program evolved so far?

 We launched our Bug Bounty Program with a focused scope, initially targeting critical areas for our clients and product.

As we saw the value hunters brought to the table, we expanded the scope and adjusted bounties to attract even more top talent. It’s been an evolving process, and each round of feedback helps us refine the program to make it more impactful.

What is the biggest challenge you have faced and how have you overcome it?

 Scoping has been a moving target. Historically, scoping for bug bounties a decade ago was working with simpler CIDR ranges, but modern ecosystems might include cloud providers and SaaS providers.

As Gong’s infrastructure grew, our Bug Bounty scope had to adapt to keep pace. YesWeHack has been instrumental in making scope management easy, helping us maximise coverage while clearly defining out-of-scope areas.

 for Bug Bounty researchers. YesWeHack has streamlined this with their credential pools, which allow researchers to access test credentials securely and efficiently.

This has been a game-changer, letting researchers dive deeper into testing our features without needing manual account setups. The credential portal is more secure than manual credential sharing.

What has most surprised you about Bug Bounty?

 I’m consistently impressed by the depth of expertise among the hunters. Over the last decade, I’ve seen submissions from specialists who notice vulnerabilities that automated tools or standard processes would miss.

It’s a powerful reminder of the unique value that fresh perspectives bring.

Browse interviews with YesWeHack customers operating in a variety of regions and industries

What are your plans or hopes for how your crowdsourced security testing operation will evolve in the coming months or years?

 Looking forward, we plan to broaden the scope to cover more features as they roll out, attracting new talent to the program.

We’re also focused on making it easier for developers to incorporate findings into their workflows, streamlining how vulnerabilities are addressed.

Why did you choose YesWeHack over other platforms?

 YesWeHack has been the right partner for us because they make Bug Bounty management, triaging and communication straightforward, which is essential as we scale.

As a fast-growing company, finding tools that grow with us and offer real value can be challenging. YesWeHack provides a comprehensive, cost-effective solution that lets us focus on getting the most out of our program.

What are the most significant benefits of Bug Bounty?

 One of the biggest benefits is that it gives us constant security coverage. Unlike periodic tests, it’s ongoing, so we’re always aware of emerging threats.

We also benefit from the diverse perspectives of security researchers around the world, many of whom specialise in unique or niche vulnerabilities.

In what ways is Bug Bounty distinct from pentesting?

Bug bounties are distinct from pentests in their scope and timing. A pentest is typically a time-boxed engagement that provides a snapshot of the application’s security at that moment.

A Bug Bounty, on the other hand, is ongoing and often involves many researchers with different skillsets. It lets us receive real-time feedback on our security as we release new features, rather than waiting for a scheduled test. This makes bug bounties especially valuable for fast-growing, frequently updated platforms like Gong.

What are the key factors for a successful Bug Bounty Program?

 Clear scopes and prompt response times are crucial. Hunters need to know exactly what’s in scope and what’s out, and they should receive quick, meaningful responses to their submissions.

Fair bounties and transparent communication build trust with hunters and motivate them to participate actively. It’s also important to have strong internal processes to handle triage and get findings to developers quickly so the vulnerabilities can be addressed efficiently.

Any advice for peers who are considering launching a Bug Bounty Program?

 I’d recommend starting with a private scope to understand the process without getting overwhelmed. Make sure you have resources dedicated to triaging and responding to submissions in a timely way, as this is key to maintaining hunter engagement.

Also, don’t rush to make it public right away – take time to refine your scope and process so it’s sustainable long-term. Finally, communicate clearly and openly with hunters to create a positive, collaborative experience for everyone involved.

 One of the best parts of managing a Bug Bounty program has been getting to know many of the 

These top performers operate at an incredibly high level. They’ve often developed their own custom asset management tools, which let them respond almost instantly when new vulnerabilities are announced.

It’s a reminder of just how dedicated and skilled this global community is – full of resourceful, creative people with a real passion for security. Working with them has been both inspiring and a great learning experience, and it’s reinforced the value that a strong Bug Bounty Program can bring to a company.

Is your security team managing a Bug Bounty Program yet? 

 to find out more about the benefits of crowdsourced security testing and how this model can be adapted to the specific needs of your organisation.

‘More efficient than a pentest and it generates trust’: TeamViewer’s Bug Bounty story so far

‘Valuable for fast-growing, frequently updated platforms’: Gong OffSec lead on the merits of continuous, crowdsourced security testing

“We still have not seen a single valid security report done with AI help,” was the unequivocal conclusion to a 

 by Daniel Stenberg, original author and lead of 

. 🤖 A clearly exasperated Stenberg said he would “now ban every reporter INSTANTLY who submits reports we deem AI slop”. 

, Stenberg said AI-generated reports were invariably “friendly phrased, perfect English, polite, with nice bullet-points” – and useless from a security point of view. Similarly, a software engineer at Open Collective, which manages its own program, recently complained that “

”, suggesting the inundation might ultimately force them to migrate to a Bug Bounty platform that can 

The second story on our monthly roundup (first published as a LinkedIn newsletter) involves a big win for human bug hunters (go, humanity!). A pair of researchers from Codean Labs discovered a significant 

vulnerability in OpenPGP.js that could have allowed attackers to spoof signature verification

😮 The flaw, which was reported to the 

 on YesWeHack, recently hit the headlines – attesting to the rarity, technical sophistication and impact of such cryptographic bypasses. It also reflected the wide deployment of OpenPGP.js and the potential impact on popular downstream applications. We invited researchers Edoardo Geraci and Thomas Rinsma from Codean Labs, plus OpenPGP.js maintainer Daniel Huigens, to

 comment on the discovery and disclosure process

. 💬 For an in-depth analysis of the discovery process and proof-of-concept, also read Thomas Rinsma’s 

 that documents his and Edoardo Geraci’s discovery.

Speaking of prioritising vulnerabilities, “defending against 

 continues to be a race of strategy and prioritisation,” according to an 

analysis of zero days exploited in the wild

 by the Google Threat Intelligence Group. The quartet of Google researchers who penned the blog post said zero-day vulnerabilities are “becoming easier to procure” and that “attackers finding use in new types of technology may strain less experienced vendors”.🚨The writers warn of a shift beyond a “historic focus on the exploitation of popular end-user technologies […] toward increased targeting of enterprise-focused products [which] will require a wider and more diverse set of vendors to increase 

 in order to reduce future zero-day exploitation attempts.”🛡️

Before we round up our own recent CISO-focused content, here’s a few other notable stories of interest we’ve spotted elsewhere:

CISOs bet big on AI tools to reduce mounting cost pressures

 examination of Wipro’s State of Cybersecurity Report 2025

How to survive as a CISO aka ‘chief scapegoat officer’

 reviews a recent RSA Conference panel on CISO whistleblowing

Will AI agent-fueled attacks force CISOs to fast-track passwordless projects?

‘Secure email’: A losing battle CISOs must give up

 opinion piece by Keith Lawson, CISO at the London Health Sciences Centre

How do you decide which vulnerabilities to fix first?

 Should CVSS scores be the overriding metric? 🤔 Instalment #2 in our series on continuous threat exposure management (CTEM) – which Gartner believes could lead to a two-thirds reduction in breaches – focuses on the model’s 

The YesWeHack Blog

Flashback to the L’Oréal Live Bug Bounty: Watch last year’s highlights as anticipation builds for leHACK 2025

OpenAI VDP for bugs found by AI, CVE funding fears persist, ‘shift left’ towards vulnerability overload – OffSec roundup for CISOs

Flashback to the L’Oréal Live Bug Bounty: Watch last year’s highlights as anticipation builds for leHACK 2025

YesWeCaido: a new Caido plugin for tracking Bug Bounty Programs

OpenAI VDP for bugs found by AI, CVE funding fears persist, ‘shift left’ towards vulnerability overload – OffSec roundup for CISOs

Ultimate double-clickjacking exploit, novel HTTP/2 request tunnelling techniques, when encryption makes matters worse – ethical hacker news roundup

‘Valuable for fast-growing, frequently updated platforms’: Gong OffSec lead on the merits of continuous, crowdsourced security testing

‘AI slop’ bug reports and outsourcing triage, OpenPGP.js signature-spoofing bug, race to combat zero-day exploits – OffSec roundup for CISOs

Ultimate double-clickjacking exploit, novel HTTP/2 request tunnelling techniques, when encryption makes matters worse – ethical hacker news roundup

Recon Series #6: Excavating hidden artifacts with Wayback Machine and other web-archive tools

Critical signature-spoofing vulnerability in OpenPGP.js hits the headlines

Dojo challenge #41 - Ruby treasure winners & writeup

Recon Series #6: Excavating hidden artifacts with Wayback Machine and other web-archive tools

Don't wait for threats to strike

Produits

Chercheurs

Ressources

A propos

Suivez-nous