
Hey there!
Writing this from the dinner table as the Super Bowl plays in the background. Thank you everyone for all of the support on my resource guide launch this past week. If you haven’t seen it yet, you can find it here.
Lots to cover this week, let’s dive in.

I’m available for 1:1 calls if you want to chat about bug bounty, career growth, community building, or anything else you think I can help with. You can book time with me here.

PortSwigger Publishes the Community’s Top 10 Web Techniques of 2025 [𝕏 Tweet]
by James Kettle (@albinowax)
PortSwigger shared the community-voted “Top 10 Web Hacks of 2025,” offering a fast read on what techniques and bug classes actually delivered this year. It’s a useful signal for prioritizing test strategy and for program teams calibrating defenses against real-world attacker workflows.
Have something you want to Spotlight? Tell me.

Bugcrowd Ships “Security Inbox” for Triage Automation [𝕏 Tweet]
by Bugcrowd
Bugcrowd announced Security Inbox, a new triage interface with AI-assisted workflows, saved views, and automation for routing/ticketing. The update is aimed at making report handling more consistent and faster for program teams operating at volume.
YesWeHack Releases Its 2026 Report (Hall of Fame + CWE Trends) [𝕏 Tweet]
by YesWeHack
YesWeHack published its 2026 report, highlighting Hall of Fame researchers and vulnerability trends broken down by CWE. It also includes a recap of 2025 Live Hacking Events, useful for tracking where impact is clustering across programs.
HackerOne Recaps Live Hacking 2025 ($4.3M Paid) [𝕏 Tweet]
by HackerOne
HackerOne posted its Live Hacking 2025 recap, reporting $4.3M paid across global events and summarizing outcomes from on-site testing against production-like systems. The recap is a quick reference for how live formats translate into validated findings and program-side remediation.
Vercel Launches an OSS Bug Bounty Covering the Next.js Ecosystem [𝕏 Tweet]
by vercel (@vercel)
Vercel announced an open-source bug bounty on HackerOne covering projects across its web stack, including Next.js, Nuxt, Turborepo, and related OSS. The move formalizes disclosure and rewards for vulnerabilities in widely deployed framework and build tooling.
Chime Offers Double P1 Bounties Through February (via Bugcrowd) [𝕏 Tweet]
by Bugcrowd
Bugcrowd shared that Chime is paying double for valid P1 reports throughout February. This kind of temporary incentive typically shifts researcher attention toward high-severity auth, access control, and exploit-chain findings that meet P1 criteria.
Bugcrowd Appoints a VP of Offensive AI [𝕏 Tweet]
by Bugcrowd
Bugcrowd amplified the announcement that Kuzushi is joining as VP of Offensive AI. The hire signals continued investment in AI-driven offensive workflows, which may surface as new platform capabilities around triage, validation, and researcher tooling.
Did I miss an important update? Tell me.

Shannon: Autonomous AI Agent for Web Exploitation Pipelines [🛠️ Tool]
by KeygraphHQ/shannon
Shannon is an autonomous web “hacker” agent that orchestrates discovery-to-exploitation workflows, including evidence collection and report generation. The repo emphasizes operational features like multi-stage pipelines, audit logging, retries/cost controls, and containerized setup, and claims strong performance on the XBOW benchmark.
Shazzer Adds Debug-Fuzz Mode for Template Testing [𝕏 Tweet]
by Gareth Heyes (@garethheyes)
Gareth Heyes announced updates to Shazzer, including a debug-fuzz mode that exercises multiple code points and prints template output for quick inspection. The workflow is aimed at tightening feedback loops when iterating on payload templates and edge cases.
VulnLLM-R-7B: Vulnerability-Focused Code Model [𝕏 Tweet]
by Hugging Models (@HuggingModels)
A tweet highlights VulnLLM-R-7B, a code-oriented model positioned for vulnerability identification and review-style reasoning. It’s most relevant as an assistive component for triage, code auditing, or candidate generation—not a substitute for exploit validation.
Massive Web App Pentest & Bug Bounty Notes (Curated Repo) [🛠️ Tool]
by Xalgord
This repository aggregates web app pentest and bug bounty notes into a structured workflow spanning recon, auth, access control, and common web bug classes. It’s a high-density reference of tools, labs, and links that’s useful for building repeatable coverage rather than hunting ad-hoc.
Have a favorite tool? Tell me.

How I Tricked an AI Into Thinking I Owned Your Data [📓 Blog]
by Hazem (@H4cktus)
This write-up describes an AI authorization failure where contextual “proof” (a notification referencing a restricted report ID) caused an assistant to disclose sensitive order data despite initial access denials. It’s a concrete example of why AI agents need explicit, query-level authorization checks instead of inference-driven access decisions.
Full Moltbook DB Access and API Keys Exposed in Minutes [𝕏 Tweet]
by Gal Nagli (@galnagli)
A thread claims full database access to Moltbook, including API keys, user emails, private messages, and write capabilities. The screenshots suggest a critical exposure/auth failure with immediate account and data integrity impact.
DeclarativeNetRequest Permission Abuse as an Extension Side-Channel [𝕏 Tweet]
by lbherrera_ (@lbherrera_)
A proof-of-concept shows how Chrome’s DeclarativeNetRequest permission—often perceived as “safe” because it’s meant for blocking—can be abused as a side-channel. The demo is a useful reminder that permission granularity and observable network effects can still leak signal across origins.
Claimed Kubernetes Issue Enabling Command Execution Across Pods [𝕏 Tweet]
by Graham Helton (@GrahamHelton3)
A thread amplifies a disclosure claim describing a Kubernetes vulnerability that enables remote command execution across pods in a cluster. The thread is a pointer rather than a full technical breakdown, so the primary write-up is needed for root cause, PoC, and mitigations.
Ticket Tricking OpenSSL.org with Google Groups [📓 Blog]
by Eugene Lim (@spaceraccoonsec)
This post revisits the “Ticket Trick” pattern—abusing public Google Groups as an email sink for verification links/OTPs—and demonstrates it against OpenSSL.org. It focuses on a modern, composable workflow for enumerating groups and validating mailbox control, with notes defenders can use to harden email-based verification flows.
IDORs Are Usually Broken Authorization, Not “Guessable IDs” [𝕏 Tweet]
by XBOW
A retweet underscores that high-impact IDORs typically come from flawed authorization logic, not merely predictable identifiers. It points to XBOW’s “Tales from the Trace” as a source of real-world examples and debugging patterns.
Anthropic Frontier Red Team on Scalable Zero-Day Discovery [𝕏 Tweet]
by Eugene Lim (@spaceraccoonsec)
A tweet points to Anthropic’s Frontier Red Team post on methods for discovering zero-days at scale. It’s a good reference for process and systems-level thinking around vulnerability research pipelines rather than a single exploit write-up.
AI-Assisted Cloud Intrusion to Admin in 8 Minutes (Sysdig) [📓 Blog]
by sysdig (@sysdig)
This link is presented as a Sysdig post about an AI-assisted cloud attack reaching admin in eight minutes, but the landing content is not accessible in the provided view. The item is best treated as a pointer pending access to the full article for the actual attack path, detections, and mitigations.
Did I miss something? Tell me.

HackerNotes Ep. 160: Cloudflare Zero-Days + List-Unsubscribe Abuse [📓 Blog]
by Critical Thinking Podcast
This HackerNotes roundup aggregates recent research including a Cloudflare ACME-path/WAF bypass, List-Unsubscribe abuse leading to XSS/SSRF, and a multi-tenant Postgres escalation pattern where tenant-controlled functions later execute under elevated context. It also flags parser discrepancies (JSON validation vs HTML rendering) and other exploitation primitives, with links out to primary sources.
Intigriti: Using DevTools Console to Surface More Bugs [𝕏 Tweet]
by Intigriti
This thread shares practical DevTools console techniques for validating assumptions and probing client-side behavior during testing. The tips focus on turning browser instrumentation into actionable signal for bug discovery.
YesWeHack Dojo Adds a Hands-On XXE Module [𝕏 Tweet]
by YesWeHack
YesWeHack announced a new Dojo module focused on XML External Entity (XXE) exploitation and the misconfigurations that enable it. The lab-style format is aimed at giving researchers repeatable setups for parser behavior and impact validation.
Intigriti: Break on postMessage in DevTools Event Listener Breakpoints [𝕏 Tweet]
by Intigriti
This tip shows how to use DevTools event listener breakpoints to intercept and inspect inbound postMessage traffic. It’s a quick way to trace message origins, payload handling, and trust decisions in cross-window messaging flows.
Crash Triage and Vulnerability Validation (Part 3 Preview) [𝕏 Tweet]
by DawgyG (@thedawgyg)
A tweet previews Part 3 of a series focused on crash triage and turning a crash into a validated vulnerability. It’s positioned as an announcement rather than a complete standalone walkthrough.
Did I miss something? Tell me.

Cloudflare Zero-Days + List-Unsubscribe Abuse (Episode 160) [🎥 Video]
by Critical Thinking Podcast
This episode reviews recent research including a Cloudflare ACME-path/WAF bypass, List-Unsubscribe header abuse leading to XSS/SSRF, and multi-tenant Postgres isolation failures. It functions as a curated briefing with pointers to primary write-ups and hunting angles rather than new exploit material.
NahamSec Walkthrough + Lab: Hacking a Windows Web App Bug [𝕏 Tweet]
by Ben Sadeghipour (@NahamSec)
NahamSec shared a walkthrough of a Windows web application bug with an accompanying lab for reproduction. The post is a pointer to the longer video and environment for hands-on practice.
Client-Side Path Traversal Walkthrough (Live Hacking Event Bug) [🎥 Video]
by Magn4 (@Magn4_)
Magn4 walks through a client-side path traversal (CSPT) issue found during a live hacking event, including a lab recreation and a working proof-of-concept. The demo shows how a crafted link can drive a destructive action, underscoring the impact of client-side routing + weak server-side authorization.
How One Line of Code Becomes RCE [🎥 Video]
by DeadOverflow (deadoverflow)
DeadOverflow breaks down how a small code change can introduce remote code execution, from root cause to a live proof-of-concept and verification. The walkthrough focuses on recognizing dangerous primitives, building a minimal exploit, and the defensive patterns that prevent similar regressions.
Chaining a Login Flaw into Full Web App Compromise (Kryptsec Part 5) [🎥 Video]
by Medusa (@medusa_0xf)
This lab-style video shows how an authentication weakness can be chained with additional issues to reach full compromise, focusing on practical request manipulation and validation. The emphasis is on how minor auth bugs become critical when combined with insecure state handling and weak server-side controls.
Splitting the Email Atom: Exploiting Parsers to Bypass Access Controls [🎥 Video]
by Gareth Heyes (@garethheyes)
Gareth Heyes presents an in-depth talk on exploiting email parsing discrepancies to bypass domain-based access controls. It covers legacy addressing quirks, Unicode/encoding tricks, and fuzzer-driven methodology, with practical guidance on where validation breaks between application, library, and MTA layers.
Did I miss something? Tell me.

SSO + Local Session Interruptions Can Trigger Auth State Confusion [𝕏 Tweet]
by Critical Thinking Podcast
This tip flags session confusion cases where apps mix local session state with external SSO redirects, and interruptions leave the app in an inconsistent auth state. The suggested testing surface is redirect/callback handling, logout behavior, and whether session binding is re-validated after switching flows.
AI-Assisted Nuclei Template Drafting [𝕏 Tweet]
by Bugcrowd
Bugcrowd highlighted a workflow that generates Nuclei templates from vulnerability descriptions to reduce iteration time on detections. The value is in speeding initial template scaffolding while keeping validation and tuning in human hands.
Port Scanner Picks: Nmap vs Naabu vs RustScan (Plus a Combo Tip) [𝕏 Tweet]
by Jason Haddix (@Jhaddix)
Jason Haddix compares port scanners based on long-term use: Nmap for depth, Naabu for simplicity, and RustScan for speed. He also calls out pairing Naabu with Nmap output via naabu -nmap-cli to get faster discovery without giving up Nmap’s follow-up fidelity.
Recon Mindmap: A Visual Bug Bounty Checklist [𝕏 Tweet]
by pwn4arn
A recon mindmap lays out a visual checklist of common bug bounty recon steps and tooling. It’s most useful as a coverage aid to keep enumeration systematic across large scopes.
Recon One-Liner for Surfacing Hidden Endpoints [𝕏 Tweet]
by Bugcrowd
Bugcrowd shared a compact one-liner intended to automate discovery of additional URLs/endpoints during recon. It’s a lightweight pattern for scaling enumeration before deeper manual validation.
Intercept postMessage Flows with DevTools Breakpoints [𝕏 Tweet]
by Intigriti
Intigriti highlights using DevTools breakpoints to pause on postMessage handling and inspect payloads in-flight. It’s a practical way to map trust boundaries and catch unsafe origin checks or message deserialization behavior.
PHP Filter Evasion via Alternate Execution Primitives [𝕏 Tweet]
by NullSecurityX
A tweet suggests that WAF rules blocking eval() can sometimes be bypassed by reaching other execution primitives (for example via call_user_func or assert()) when attacker-controlled input is passed through. The broader takeaway is to treat “blocked eval” as insufficient if any dynamic execution path remains reachable.
Recon Tip: Pair xnLinkFinder with PathBuster [𝕏 Tweet]
by z0idsec (@z0idsec)
z0idsec recommends xnLinkFinder for extracting endpoints and suggests pairing it with PathBuster to expand coverage. It’s a simple workflow hint for turning discovered links into deeper path enumeration.
GitHub PAT Reports Pay More When Impact Is Proven [𝕏 Tweet]
by Adnan Khan (@adnanthekhan)
This tweet notes that finding a GitHub Personal Access Token is rarely enough on its own; higher payouts usually require demonstrating concrete, in-scope impact. It’s a reminder to focus on permission scope, reachable assets, and reproducible compromise paths within program rules.
Burp Suite Reminder: Set a Default Intercept State [𝕏 Tweet]
by Burp Suite (@burp_suite)
A quick operational reminder to set Burp’s default interception behavior in Proxy settings to avoid unintentionally capturing traffic. It’s a small tweak that prevents accidental workflow disruption during testing.
Consistency Beats Randomness: Maintain a Personal Methodology [𝕏 Tweet]
by 4osp3l
This tweet argues that consistent methodology tends to outperform random chasing of targets and techniques. The underlying point is to standardize coverage and iteration so missed classes and blind spots become visible over time.
Did I miss something? Tell me.
Because Disclosure Matters: This newsletter was produced with the assistance of AI. While I strive for accuracy and quality, not all content has been independently vetted or fact-checked. Please allow for a reasonable margin of error. The views expressed are my own and do not reflect those of my employer.