Disclosed. April 27 2025: Welcome to the Future of Bug Bounty News
The bug bounty world, curated.

Welcome to Disclosed.
Hello. Thank you for being an early reader of the Disclosed. Newsletter. My name is Harley and I’m a hacker community cultivator, creator, and co-founder of the Bug Bounty Village at DEF CON. I spend nearly all of my time talking with hackers, pentesters, and bug bounty hunters. My goal is to provide you with valuable content each week that is actionable and helpful, but I’m new to this. I’d greatly appreciate all of the feedback as I get started and I promise to iterate and improve week over week.
If you have something in particular you’d like to see, please let me know by either replying directly to this email or reaching out to me on LinkedIn / Twitter.
Thanks again, now onto the content:
In This Issue

Ambassador World Cup Finals Kick Off
🔗 Tweet by @Hacker0x01
The AWC is kicking off soon in Dubai. The finals will contain Spain vs Egypt and Greece vs Netherlands.
🏆 The stage is set for the #AmbassadorWorldCup championship Finals! 🏆
🇪🇸 Spain vs 🇪🇬 Egypt – Who will take the crown in DUBAI this May?
🇬🇷 Greece and 🇳🇱 Netherlands battle it out for 3rd place! The world is watching. Who will rise as the HackerOne Ambassador World Cup
— HackerOne (@Hacker0x01)
9:53 PM • Apr 15, 2025
Recent Critical Bug Reports Earned Big Bounties
🔗 Tweet by @h0rus3c
Shout-out to h0rus3c for reporting six critical vulnerabilities, including a 0-click mass account takeover and multiple instances of blind SQL injection across various programs on YesWeHack.
Over the past 30 days, I’ve received rewards for reporting 6 Critical vulnerabilities across 3 different programs on @yeswehack
• Another Blind SQLi is currently Under Review
Types of bugs found:
🔸 0-Click Mass ATO
🔸[x3] Manual Blind SQLi
🔸 [x3] IDOR with C:H & I:H
— h0rus3c (@h0rus3c)
12:41 PM • Apr 18, 2025
New Burp Repeater Features for Power Users
🔗 Tweet by James Kettle
The latest release of Burp Repeater introduces 'Custom actions' that empower users to create personalized features, complete with sample actions provided.
View the tool →
Are you a Burp Repeater power user? The latest release introduces a new feature called 'Custom actions'. With these you can quickly build your own repeater features. Here's a few samples I made for you:
— James Kettle (@albinowax)
12:47 PM • Apr 17, 2025
Have something you want to Spotlight? Tell me.

The Bug Bounty Radar - The Latest Public Bug Bounty Programs
📓 Platform by bbradar.io
This website showcases the latest public bug bounty programs, featuring a dynamic list that refreshes every seven minutes. It highlights opportunities across platforms like HackerOne and Immunefi, categorized by type for easy access. This includes web programs and blockchain initiatives, promoting a diverse range of targets for researchers.
Read more →
Did I miss an important update? Tell me.

New AI Tool for Automated Pentest Reporting
🔗 Tweet by @garethheyes
The announcement introduces 'Document My Pentest', an AI extension that automates pentest reporting by documenting testing activities and integrating with existing workflows.
View the tool →
Enhance JavaScript Analysis with JXScout Plugin
🔗 Tweet by Caido
The JXScout plugin is launched for improved JavaScript analysis, enabling users to integrate requests from Caido for enhanced results.
View the tool →
GitHub - kevin-mizu/domloggerpp: A browser extension for monitoring JavaScript sinks
📁 Tool by kevin-mizu
The article introduces 'DOMLogger++', a browser extension that allows users to monitor, intercept, and debug JavaScript sinks using customizable configurations. It features dynamic debugging, extensive theme customization, and remote logging via webhooks.
View the tool →
GitHub - aliasrobotics/cai: Open Bug Bounty-ready AI
📁 Tool by Alias Robotics
The post highlights Cybersecurity AI (CAI), an open-source framework designed for bug bounty hunters. It emphasizes an agent-based architecture, modular design, and tools that streamline the vulnerability validation process for researchers.
View the tool →
Have a favorite tool? Tell me.


Escalating Impact: Full Account Takeover in Microsoft via XSS in Login Flow
📓 Blog by Asem Eleraky
This article explores a Cross-Site Scripting (XSS) vulnerability in Microsoft's login flow that facilitates full account takeover. It covers the complexities of Azure Active Directory authentication and presents the testing and exploitation methods, emphasizing the implications of both initial and escalated impacts.
Read more →
How I Hijacked OAuth Tokens Through a Parallel Auth Flow Race Condition — $8500 P1 Bug Bounty 💰
📓 Blog by Anmol Singh Yadav
The author details how they exploited a race condition in a popular cloud-based business management platform, allowing the hijacking of OAuth tokens. The write-up underscores the critical nature of reviewing OAuth implementations and discusses the steps of exploitation along with the $8500 bounty awarded.
Read more →
How I got a Zero-Click Account Takeover Bounty — Using Nothing But Logic
📓 Blog by Ahmed Atef
This article by Ahmed Atef describes discovering a zero-click account takeover vulnerability through logical reasoning rather than tooling. It walks through bypassing the validation checks in an OTP verification flow, detailing the code flaws involved and the mitigations needed to prevent similar issues.
Read more →
Did I miss an important update? Tell me.

Abusing iframes from a Client-side Hacker (Ep. 119)
🎥 Video by Critical Thinking - Bug Bounty Podcast
In this episode, Justin delves into iframes, exploring their security ramifications and potential abuses from a client-side perspective.
Watch video →
The No BS Bug Bounty & Web Hacking Roadmap
🎥 Video by NahamSec
This video outlines a pragmatic roadmap for aspiring bug bounty hunters, stressing the importance of foundational skills like Linux and networking over certifications. Key tools and hands-on practice approaches are highlighted as essential for success.
Watch video →
Bug Bounty Tip: How I Hunt For GraphQL IDORs
🎥 Video by ChillingAndTalking
This video shares valuable techniques for identifying Insecure Direct Object References (IDORs) in GraphQL APIs through practical testing examples, using Yelp as a case study.
Watch video →
The Ultimate Guide to WAF Bypass Using SQLMap, Proxychains & Tamper Scripts
📓 Blog by coffinxp
This comprehensive guide provides strategies for bypassing Web Application Firewalls (WAFs) using SQLMap and associated tools against platforms like Cloudflare and ModSecurity, with a strong emphasis on ethical testing practices.
Read more →
Automating GraphQL Bug Bounty Hunting with GrapeQL
📓 Blog by Aleksa Zatezalo
The blog introduces GrapeQL, a tool designed to automate GraphQL security assessments, detailing its functionality for detecting vulnerabilities and generating comprehensive reports.
Read more →
Did I miss something? Tell me.

Earned P1 Bug Bounty for Full PII Access Vulnerability
🔗 Tweet by Walid Hossain
This tweet recounts earning a critical bug bounty for a vulnerability that exposed sensitive user information, with potential widespread implications.
View the tweet →
I earned $xxx for my submission on @Bugcrowd
#ItTakesACrowd
/partner/ - 403
/partner/dynamic/ - 403
/partner/dynamic/trace.axd - 200 - P1 - Full read trace.axd live log access lead to leakage of many users PII
— Walid Hossain (@walidhossain_)
1:30 PM • Apr 18, 2025
Effective LFI Hunting Tips for Ethical Hackers
🔗 Tweet by MahMoud Elkot
This tweet shares Local File Inclusion (LFI) hunting tips drawn from real findings, covering path injection in GET and POST parameters, hidden parameter discovery, and common filter-bypass encodings.
View the tweet →
🔍 LFI Hunting Tips from Real Finds:
1️⃣ GET path injection: Try ///../../../../etc/passwd. Fuzz w/ Burp!
2️⃣ POST LFIs: Test endpoints like /router.jsp?../etc/passwd.
3️⃣ Hidden params: Brute-force w/ ParamSpider or check JS files.
💡 Bypass filters w/ %2e%2f or %00. Stay ethical!
— MahMoud Elkot (@0xElkot)
6:47 PM • Apr 16, 2025
Evasion Techniques for Bypassing Spring Boot WAFs
🔗 Tweet by Shaurya Sharma
The tweet outlines evasion techniques to manipulate path filters and WAFs in Spring Boot applications, useful for identifying vulnerabilities in these frameworks.
View the resource →
Don't stop at /actuator — WAFs and path filters are easy to trick
Here's some spicy evasion sauce:
/actuator%252fenv
/actuator/..;/env
/actuator%00/metrics
//actuator///heapdump
/actuator;/env
/actuator%2e%2e/
#springboot #cybersecurity #bugbounty
— Shaurya Sharma (@ShauryaSharma05)
3:43 PM • Apr 19, 2025
Top Bug Bounty Blogs for New Hackers to Follow
🔗 Thread by Het Mehta
This tweet compiles essential blogs for new bug bounty hunters, focusing on techniques like XSS exploitation and tool recommendations to enhance their skills.
View the resource →
FROM INTERNET | List of Bug Bounty Blogs
1) $12,900 in Bounties in My First Month of Bug Hunting with Ax Framework
medium.com/@EthicalOffsec…
2) How I Made $4,500 in My First Month Bug Hunting
3) Exploiting Blind XSS in a Signup Page: Admin Panel Takeover and
— Het Mehta (@hetmehtaa)
5:22 AM • Apr 22, 2025
Did I miss something? Tell me.
Did you like this week's drop? Please share feedback.
Because Disclosure Matters: This newsletter was produced with the assistance of AI. While I strive for accuracy and quality, not all content has been independently vetted or fact-checked. Please allow for a reasonable margin of error. The views expressed are my own and do not reflect those of my employer.