Kudos to research duo Allam Rachid and Allam Yasser for the discovery and writeup related to CVE-2025-29927, a critical vulnerability in the Next.js web development framework that potentially enables attackers to bypass authorisation checks. The potential impact means it’s a worthy intro to our latest roundup of ethical hacker news and notable security research. Next.js generates more than nine million weekly npm downloads, all versions were affected by the issue and there were “no preconditions for exploitability”. 💥
Some good news for hunters with the right skillset for finding AI-specific bugs: it’s an increasingly lucrative area, with OpenAI increasing maximum Bug Bounty rewards from $20,000 to $100,000. Comparatively generous payouts for AI-specific flaws are among the topics covered in a wide-ranging article we recently published on how probabilistic AI scopes add complexity to security testing and vulnerability management (while it’s aimed more at CISOs and security teams, hunters may nevertheless find value). Relatedly, hunting looks set to become more lucrative for hunters of the highest calibre when you consider Google’s explanation for upping its top bounties last year by the same ratio – a factor of five. The tech giant said greater financial incentives were needed because bugs were becoming so hard to find in its increasingly secure products. 🤖
The promise of generous bounties did not insulate Microsoft from the discontent of one vulnerability analyst who objected to the Microsoft Security Response Center’s (MSRC’s) request for a Proof of Concept (PoC) video to support his vulnerability report. As reported by The Register, an unimpressed Will Dormann was mystified as to why the screenshots he sent did not suffice. “To request a video that now captures (beyond my already-submitted screenshots) the act of me typing, and the Windows response being painted on the screen adds what of value now?” he said. Dormann apparently sent MSRC a 15-minute PoC video that was about 14.5 minutes too long, which was soundtracked by thumping techno and featured a fleeting still from comedy classic Zoolander of the sign: “Center for Kids Who Can't Read Good”. 😮
Reprieve for CVE database
The cybersecurity industry has breathed a collective sigh of relief after an 11th hour reprieve for the CVE database. Many industry figures expressed alarm when MITRE, the not-for-profit org, revealed that its government contract to operate the CVE program had not been renewed – sparking fears that it had fallen prey to Elon Musk’s cost-cutting drive. ✂️ Thankfully, funding for this index of known security flaws, such an invaluable resource for security teams, was reinstated by the Trump Administration once it expired on 16 April. Phew. 😌
Another heartening update, this time to a story we flagged five editions ago. The Maltese government has recommended a presidential pardon for three university students and their lecturer in relation to criminal charges over their seemingly good-faith reporting of a vulnerability in Malta’s largest student application, FreeHour. The charges had seemed particularly absurd given that the government had been seeking to encourage good-faith security research by introducing a National Coordinated Vulnerability Disclosure Policy (NCVDP). Prime minister Robert Abela has called the case “unjust” and noted that “we had laws which were not updated to reflect today’s needs and realities,” a situation the government is seeking to remedy with a regulatory overhaul. ⚖️
As always, there’s too much good stuff to summarise in any detail – so let’s conclude with a roundup of other notable infosec research we’ve spotted over the past month:
🔬 Oracle attempt to hide serious cybersecurity incident from customers in Oracle SaaS service – Kevin Beaumont
🔬 A tool that tracks AWS documentation changes and uses LLMs to analyse security implications – unkn0wn11
🔬 SAML roulette: the hacker always wins – Gareth Heyes, PortSwigger
🔬 An analysis of the NSO BLASTPASS iMessage exploit – Ian Beer, Google Project Zero
🔬 Hacking the call records of millions of Americans – Evan Connelly
Foundational hunting skills
We’ve published a few more technical articles of our own, but with a particular focus on fairly foundational skills. This quartet of deep dives should be of particular interest to newbies:
🕵🏻 Recon series #3: HTTP fingerprinting – sleuthing for a web application’s hidden vulnerabilities with active and passive techniques such as analysing HTTP headers, default pages and default file structures
🎭 The art of payload obfuscation – masking malicious scripts and bypassing defence mechanisms with encoding methods, variable expression assignment, arrays in request parameters, JavaScript obfuscation and obfuscation in shell environments
🐞 HTTP header hacks – basic and advanced techniques, ranging from abusing custom headers to leveraging cache poisoning and reverse proxy misconfigurations
🐞 Hacking GraphQL endpoints – finding vulnerabilities in this popular, versatile query language via practical techniques that include introspection, query, mutation and batching attacks
From education to inspiration, our latest hunter interview stars Argentinian hacker ‘g4mb4’, who explains in this video why his favourite bug was an IDOR “at a $1 billion company” and offers an interesting response to the question of whether developers have a head start over non-developers when learning how to hack. 💡
New public programs!
A trio of exciting fresh hunting opportunities to highlight now in the form of new public programs:
💸 Decathlon – €2,500 max rewards for valid bugs found in two web applications belonging to Europe’s largest sports goods retailer
🤑 OneDoc – The Swiss online medical appointment platform is offering bounties rising to €5,000 for vulnerabilities in an API or any of three web applications within scope
💰 FDJ UNITED – up to €7,000 on offer for valid vulnerabilities reported in more than 30 scopes belonging to this lottery, online gaming and sports betting company
Our latest Talkie Pwnii video is the first of a two-parter on Caido, exploring this increasingly popular web security tool’s core features such as HTTP interception, request inspection, parameter fuzzing and workflow automation.
The presenter, ‘Pwnii’, has also just featured in a video produced by HugoDécrypte, a French journalist with seven million followers on TikTok, about what sparked her interest in hacking, her career in Bug Bounty so far and the importance of ethical hacking for securing organisations and protecting their customers. 🎥
Dojo challenges
Very much a rising star, Pwnii has now climbed to #42 on our all-time leaderboard, having only registered on YesWeHack three years ago. Also demonstrating the frequent replenishment of our talent pool, we’d like to spotlight the achievements so far this year of xavoppa (fourth on the 2025 Q2 leaderboard so far, having registered on YesWeHack only last year and already up to a ranking of #60 overall), h0rus3c (#5 in Q2, registered in 2024, #107 overall) and goodmanhero1337 (#9 for Q2 and registered this year). Rabhi and Xel, the top two for 2025, are once again locked in a titanic struggle for top spot. 🏆
YesWeHack’s Dojo platform now supports the Ruby programming language – so you can now create your own Capture the Flag (CTF) challenges in Ruby code within a dedicated new sandbox environment! 🏁
Naturally, the latest monthly CTF challenge (merch up for grabs as usual for the winners!) takes advantage of this opportunity: Dojo #41, which is open for competition submissions until 29 May, invites hunters to hack a brand new online shop, ‘Ruby treasure’. 💎
The results are in for our previous monthly CTF challenge, ‘Hacker Profile’: congrats to owne, 7utu_x and sarju18 for producing the three best writeups. You can read the best overall solution to the challenge, which involved exploiting a prototype pollution issue to trigger a catch exception handler and execute arbitrary JavaScript code, here.
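To illustrate the class of bug behind that challenge, here is an added example that is not the Dojo challenge code or any hunter’s writeup: a deliberately naive recursive merge of untrusted JSON lands an attacker-controlled key on `Object.prototype`, while a hardened merge refuses prototype-affecting keys. The payload and function names are constructed for this illustration only.

```javascript
// Added example (not from the Dojo challenge or its writeups).
// A constructed payload of the kind a JSON body parser would hand to a merge helper.
const CONSTRUCTED_PAYLOAD = '{"__proto__": {"polluted": "yes"}, "name": "demo"}';

// Vulnerable: JSON.parse creates an own property named "__proto__", so Object.keys
// returns it; reading target["__proto__"] then yields Object.prototype, and the
// recursive call writes the attacker's key onto the shared prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!target[key] || typeof target[key] !== 'object') {
        target[key] = {};
      }
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: drop the keys that can redirect a write into the prototype chain,
// and only recurse into properties the target actually owns.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      continue; // never copy prototype-affecting keys from untrusted input
    }
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection check a test suite can run: has a key appeared on Object.prototype itself?
function isPrototypePolluted(prop) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, prop);
}

// Runs both merges against the same payload and reports what each did.
// Cleans up the pollution afterwards so the process is left in a sane state.
function runDemo() {
  const parsed = JSON.parse(CONSTRUCTED_PAYLOAD);

  const safeResult = safeMerge({}, parsed);
  const pollutedAfterSafe = isPrototypePolluted('polluted');

  unsafeMerge({}, parsed);
  const pollutedAfterUnsafe = isPrototypePolluted('polluted');
  // An unrelated, freshly created object now inherits the attacker's key.
  const leakedIntoNewObjects = ({}).polluted;

  delete Object.prototype.polluted;

  return {
    pollutedAfterSafe,          // false
    pollutedAfterUnsafe,        // true
    leakedIntoNewObjects,       // "yes"
    safeKeptLegitimateKey: safeResult.name === 'demo', // true
  };
}

console.log(runDemo());
```

The `isPrototypePolluted` check is the kind of assertion worth running after any test that feeds hostile JSON through a merge, clone or query-string parser: a key showing up as an own property of `Object.prototype` is the observable symptom, regardless of which gadget later consumes it.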
🤘 Meet the YesWeHack Team
The events are starting to come thick and fast. Here’s where you can meet the YesWeHack team, learn about bug hunting on our platform and score yourself some swag in the coming weeks:
📍 GISEC Global – Dubai, 6-8 May, booth B180
📍 SINCON – Singapore, 22-23 May, Bug Bounty Kampung (Village)
📍 Vietnam Security Summit – Ho Chi Minh, 23 May, booth 23
📍 Infosecurity Europe – London, 3-5 June, booth F130
More conferences and live hacking events will be announced in due course! 📅
And that’s it for this month – happy bug-hunting! 👋
Read this monthly roundup of content aimed at ethical hackers even sooner by subscribing to Bug Bounty Bulletin.
Are you a CISO, other security professional or security-conscious dev? Check out our CISO-focused sister newsletter, CrowdSecWisdom – bringing you news, insights and inspiration around offensive security topics like Bug Bounty, vulnerability disclosure and management, pentest management and attack surface protection.