Hey everyone! Welcome to 2026.
2025 was wild for me in so many ways. From launching this newsletter, to running the 2nd annual Bug Bounty Village at DEF CON, getting promoted at HackerOne, and traveling to five different countries, including a literal around-the-world trip last fall from the US to Europe, the Middle East, Asia, and back home, all in two weeks.
I’m incredibly grateful for the opportunities I’ve had, but I won’t sugarcoat it. The last couple of months hit me hard, and the burnout was very real. I apologize for ghosting you. I genuinely needed time to disconnect and reset.
That said, I have been vibe coding some really cool private projects. One highlight has been building my own recon automation framework, which already helped me land a pretty solid crit with minimal effort. Shoutout to Tess for hooking me up with some domains. Side note, if you have any apps running Salesforce Aura, please message me 😉
As I head into 2026, I’m making a conscious effort to be less scattered and keep my energy aligned around three core goals:
Expand opportunities for hackers worldwide by connecting researchers and program teams, helping move the bug bounty industry forward, and continuing to lead HackerOne’s LHE technical delivery and researcher strategy.
Make Bug Bounty Village at DEF CON a staple at the world’s largest hacker conference, while empowering others through networking, workshops, and hands-on hacking.
Build Disclosed into the best damn bug bounty newsletter on the internet. This means sticking to a consistent publishing schedule and focusing on growth. Your assistance here would mean a lot. Even a simple reshare of my social posts goes a long way.
I have a habit of diving into too many side projects, but this year I am committing to laser focus on the above. Over the holiday break, I doubled down on improving my Disclosed automation pipeline and rebuilt a new newsletter generation framework to help ensure I can reliably get content out every week.
You will also notice some design changes in this email. While I liked the old layout, it took way too long to maintain. I was spending countless hours each month just tweaking templates. Unfortunately, my newsletter platform does not support an API or MCP for draft publishing, so I have simplified the design to keep things sustainable.
What do you think of the new look? Feedback is genuinely welcome as I continue to iterate.
All of that said, it’s great to be back, and I hope you are ready for an incredible 2026.
Now, on to the content. Let’s dive in.
SPOTLIGHT
alexandrio Named Most Valuable Hacker of H1-3120 [𝕏 Tweet]
by Hacker0x01
This announcement recognizes alexandrio as the Most Valuable Hacker for H1-3120, a HackerOne Live Hacking Event that took place in Amsterdam with Salesforce. The focus was on AI vulnerabilities.
--
New Anonymous Forum for Bug Bounty Discussions Launched [𝕏 Tweet]
by pxmme1337
This post shares the launch of an anonymous bug bounty discussion forum with an optional verification mechanism for bounty earnings. It's positioned as a new venue for trading techniques, triage experiences, and program intel without tying discussions to a public identity.
UPDATES
Bug Bounty Daily [📓 Website / Tool]
by @busf4ctor
This site functions as a link aggregator for bug bounty and AppSec content rather than publishing original technical analysis. It curates external posts across common hunting themes (OAuth, XSS, SSRF), making it useful for keeping a running reading queue.
--
Vercel paid $1M to harden WAF against React2Shell [𝕏 Tweet]
by @vercel
Vercel details a $1M payout effort focused on hardening its WAF against React2Shell-style exploitation, including a newly described runtime mitigation layer. The post provides a rare look at how a platform vendor operationalizes offensive research into layered defenses with external researcher support.
TOOLS
New Features in xnldorker v3.2 Released [𝕏 Tweet]
by xnl_h4ck3r
This update notes xnldorker v3.2 adding Google Custom Search as a source alongside configuration tweaks aimed at smoother operation. It's a practical incremental improvement for dork-driven recon workflows.
--
Google Dorks for Bug Bounty [🛠️ Website / Tool]
by @TakSec
This post compiles Google dork patterns aimed at surfacing exposed files, endpoints, and common bug bounty targets such as test environments, admin panels, and juicy parameters. It's a quick reference for building recon queries, especially when pivoting across filetypes and known vulnerability footprints.
--
Mongobleed Tool for Detecting MongoDB Vulnerabilities [🛠️ Tool]
by joe-desimone
Mongobleed is a Python scanner for CVE-2025-14847 in MongoDB, targeting unauthenticated memory disclosure behavior. It’s geared toward quickly validating exposure across fleets where MongoDB may be reachable or unintentionally internet-facing.
--
GitHub - assetnote/surf: Escalate your SSRF vulnerabilities on Modern Cloud Environments. surf allows you to filter a list of hosts, returning a list of viable SSRF candidates. [🛠️ Tool]
by AssetNote
Surf is an open-source Go utility from Assetnote that helps triage SSRF candidates by probing host lists and separating targets that resolve externally but fail HTTP access from the attacker's perspective from those in internal/private address space. By leaning on httpx output and error classification, it prioritizes endpoints that are more likely to be reachable only from the victim network, making SSRF validation faster in modern cloud environments.
--
Introducing NoMore403: Bypass 403 Restrictions with Ease [🛠️ Tool]
by Behi_Sec
NoMore403 is a bypass helper that automates common 403 evasion mutations, such as path and header variations, to map weak access controls. It can accelerate initial enumeration when front-door ACLs are inconsistently enforced across proxies, CDNs, or backend routes.
WRITE UPS
Blind trust: what is hidden behind the process of creating your PDF file? [📓 Blog]
by @ptswarm
This research dissects HTML-to-PDF conversion stacks as a high-risk trust boundary, showing how resource fetching and renderer behaviors can introduce SSRF, local file disclosure, deserialization, and DoS. It includes a threat model and PoCs across popular libraries, emphasizing why converters are frequently positioned close to sensitive internal networks and credentials.
--
Can you compromise a multi-billion dollar company via /health? [📓 Blog]
by Hacktus
This write-up shows how a publicly reachable /health endpoint exposed environment variables containing sensitive cloud credentials. It walks through safe validation steps and explains how configuration leakage from operational endpoints can translate directly into infrastructure compromise.
--
Two crits, one zip [📓 Blog]
by Bergee's Stories on Bug Hunting
This post details two critical issues in a hosting provider's ZIP upload pipeline, including abuse of symlinks to read arbitrary files and a path to RCE. It also highlights a common triage failure mode where impactful server-side primitives are mischaracterized as self-attack despite cross-tenant impact.
--
Intigriti December XSS Challenge (1225) Write-Up [📓 Blog]
by Jorian Woltjer
This solution write-up breaks down the Intigriti December XSS Challenge with a step-by-step exploration of constraint-driven XSS primitives. It demonstrates advanced browser abuse techniques (including iframe messaging and regex/property quirks) that are directly transferable to real-world filter bypass work.
--
OAuth Misconfiguration Leads to Full Account takeover [📓 Blog]
by Yasser Mohammed (@n3r0li)
This report describes an OAuth account takeover caused by state/CSRF weaknesses and a manipulable popup/init flow that allowed a crafted callback to be accepted. It includes the debugging process used to trace client-side SDK behavior and build a working HTML PoC, reinforcing why OAuth state and init endpoints must be treated as security-critical.
LEARN
How to find RCE: A list of pathways and detection methods [📓 Blog]
by Bugcrowd
This guide surveys common RCE pathways across web stacks, including command injection sinks, unsafe evaluation, and SSTI. It focuses on detection patterns and verification strategies that help researchers distinguish reachable code execution from noisy false positives.
--
Guide to 403 Forbidden Bypass [📓 Blog]
by 𝙇𝙤𝙨𝙩𝙨𝙚𝙘
This guide compiles common 403 bypass techniques rooted in proxy and routing inconsistencies, including method variations, path normalization tricks, and header-based edge cases. It's most relevant for quickly probing for split enforcement between CDN/WAF layers and origin access controls.
--
CSP Bypasses: Advanced Exploitation Guide [📓 Blog]
by Intigriti
This article catalogues real-world CSP bypass patterns, focusing on misconfigurations such as permissive source expressions, weak nonce/hash usage, and overly broad host allowlists. It explains how these failure modes translate into practical script execution or exfiltration despite a nominal CSP.
--
The Fragile Lock: Novel Bypasses For SAML Authentication [📓 Blog]
by Portswigger
PortSwigger Research presents SAML authentication bypasses driven by parser differentials in Ruby and PHP ecosystems, including attribute/namespace confusion and a Void Canonicalization technique. The impact is full auth bypass via XML signature validation defeat, with a concrete demo chain illustrating why canonicalization and strict parsing are non-negotiable in SAML implementations.
--
From Self-XSS, HttpOnly Cookies and no iframes to ATO [📓 Blog]
by aretekzs
This post demonstrates how an apparent self-XSS escalated to account takeover by chaining DOM injection with workflow weaknesses around login CSRF and cookie state manipulation. It's a useful reminder that low-impact client-side bugs can become critical when they intersect with brittle auth and session handling.
--
Exploiting Logic Flaws: Exploitation Guide [📓 Blog]
by Intigriti
This guide breaks down business logic vulnerabilities by category, focusing on how broken assumptions in workflows enable abuse such as authorization bypass, price manipulation, and state desynchronization. It emphasizes impact framing and exploitability criteria, which are critical for turning weird behavior into a reportable security issue.
--
Essential Bug Bounty Roadmap for 2026 [𝕏 Tweet]
by Behi_Sec
This post shares a 2026-oriented roadmap resource that organizes foundational topics and practice areas for bug bounty. It's positioned as a structured syllabus for progressing from basics into repeatable hunting workflows.
VIDEOS
Cracking Broken Access Control (BAC) in Bug Bounty [🎥 Video]
by ZACK0X01
This video focuses on practical Broken Access Control testing strategies, emphasizing systematic role and object-mapping rather than one-off endpoint poking. It includes a purpose-built lab and demonstrations that mirror common real-world BAC/IDOR failure modes.
--
How to Learn Web & API Hacking in 2026 (Complete Roadmap) [🎥 Video]
by Medusa
This roadmap video outlines a learning sequence for web and API security, spanning core web fundamentals, common vulnerability classes, and lab-driven practice. It's aimed at building repeatable skills through consistent hands-on work rather than isolated payload memorization.
--
2025 Hacker Stats & 2026 Goals (Ep. 155) [🎥 Video]
by Critical Thinking - Bug Bounty Podcast
This podcast episode reviews 2025 bug bounty trends and community observations, including how reporting and triage dynamics shifted over the year. It then pivots to 2026 goals and expectations around workflows, tooling, and the broader market signal researchers should watch.
--
Why Learning OAuth Made Me a Better Bug Bounty Hunter [🎥 Video]
by LoganSec
This video argues that a deeper understanding of OAuth primitives (redirect handling, trust boundaries, and state management) improves bug bounty output more than collecting payloads. It frames common OAuth failure modes as logic problems and shows how modeling the flow helps spot breakpoints for ATO-class issues.
--
Monitor Bug Bounty Targets in Real Time and Catch New Assets Early [🎥 Video]
by LostSec
This video covers asset-change monitoring tactics aimed at catching newly deployed subdomains, endpoints, and infrastructure early in their lifecycle. It focuses on building a lightweight pipeline for watching target surface area expansion, which often correlates with misconfigurations and immature controls.
--
My Favorite Bug Bounty Findings In 2025 [🎥 Video]
by NahamSec
This video is a highlights reel of notable bug bounty findings from 2025, framed through the creator's personal takeaways and stories. It's more retrospective and motivational than deeply technical, but can be useful for identifying recurring bug classes that kept paying last year.
--
How I EARNED $1,000 Bounty From A Simplest Bug Ever [🎥 Video]
by DeadOverflow
This video recounts a low-complexity bug that resulted in a $1,000 payout, focusing on the reporting experience more than the exploit mechanics. It's primarily a perspective piece on finding value in simple misconfigurations and staying within authorization boundaries.
TWEETS
WAF Bypass Technique Using Double Encoding [𝕏 Tweet]
by NullSecurityX
This tweet references WAF bypass patterns using double encoding combined with atypical path constructions. It's a quick reminder that normalization differences between edge layers and origins can still create exploitable parsing gaps.
--
Always Fuzz with Multiple HTTP Methods for Better Results [𝕏 Tweet]
by lex_is1
This tweet argues that method diversity during fuzzing (POST/PUT/PATCH/DELETE, etc.) can expose discrepancies in routing, authz, and input handling. It's especially relevant for APIs where GET is well-guarded but write-method handlers are less mature.
--
Exploring Error Handling for Hidden Vulnerabilities [𝕏 Tweet]
by thedawgyg
This tweet highlights error handling paths as a frequent source of security bugs, where exceptional flows skip validation or leak internals. It's a useful prompt to test malformed inputs and boundary conditions rather than only happy-path requests.
Because Disclosure Matters: This newsletter was produced with the assistance of AI. While I strive for accuracy and quality, not all content has been independently vetted or fact-checked. Please allow for a reasonable margin of error. The views expressed are my own and do not reflect those of my employer.