Disclosed. July 13, 2025. McDonald’s Leak, Django Crypto Heist, Rez0's take on Bug Bounty’s Future in the AI era, and more.

The bug bounty world, curated.

Welcome to Disclosed.

Each week, 3 readers will win a 1-month PentesterLab Pro license, completely free. Refer a friend to the newsletter to enter.

Shout out to this week’s winners (I will email you):

devos
pandyamayur2018
ameensec

PentesterLab is one of the best hands-on platforms for learning web security, with real-world vulnerabilities, private labs, and practical exercises trusted by professionals and bug bounty hunters worldwide.

Huge thanks to PentesterLab for sponsoring this giveaway and supporting the Disclosed. community. ❤️


Hey everyone!

Writing this post from outside a coffee shop in Seattle. DEF CON is just around the corner, and I couldn’t be more excited for everything we have planned for attendees at Bug Bounty Village.

If you hear about any bug bounty–related parties, events, or meetups happening during Hacker Summer Camp, please let me know so I can help promote them and spread the word!

This week, there have been some phenomenal write-ups from Sam Curry, Ian Carroll, and xEHLE. I don’t know about you, but every time I read about their hacking adventures, I get fired up.

Let’s dive in!

In This Issue

Vulnerability Exposed in McDonald's AI Chatbot Data Access [🔗 Blog]
by Sam Curry

A critical vulnerability in McDonald's AI-powered chatbot, Olivia, risked exposure of over 64 million chat records due to weak password security.
View the blog →

Django ORM Injection Leads to Cryptocurrency Theft in Shooter Game [🔗 Blog]
by xEHLE

A team discovered a Django ORM injection vulnerability in an online shooter game, enabling theft of cryptocurrency from the game’s wallet, as detailed in their writeup.
View the blog →

This Is How They Tell Me Bug Bounty Ends [📓 Blog]
by Joseph Thacker

This piece examines the future landscape of bug bounty programs amid advancing AI. It argues that while automation will reshape methodologies, the demand for skilled human hackers will persist, particularly to tackle complex vulnerabilities.
Read more →

Join Bug Bounty Village Mailing List
by @BugBountyDEFCON

A quick call to join the Bug Bounty Village mailing list so you can stay in the loop on all things BBV. While I post things here, that list is the best place to stay updated on all the details.
Join now →

Have something you want to Spotlight? Tell me.

Okta Launches Bonus Bounties for High-Value Vulnerabilities [🔗 Tweet]
by Bugcrowd

Okta is offering a bonus bounty program until August 31, with substantial rewards for vulnerabilities, including XSS, SSRF, MFA bypass, ATO, and RCE, with payouts ranging from $2k to $25k.
Read more →

Swiss Post's 2025 Public Intrusion Test Offers €230K in Rewards [🔗 Tweet]
by YesWeHack ⠵

Swiss Post is set to conduct a Public Intrusion Test starting July 28, 2025, with rewards up to €230K, plus a €3K bonus for the first three confirmed reports.
View the tweet →

Launch of 0DIN.ai's Threat Intelligence Feed for GenAI Security [🔗 Tweet]
by MarcoFigueroa

0DIN.ai has unveiled a Threat Intelligence Feed that continuously provides validated jailbreak techniques and misconfiguration insights to boost GenAI security.
Read more →

Bugcrowd Ingenuity Awards: Winners to Be Announced at DEFCON [🔗 Event]
by Bugcrowd

The Ingenuity Awards honor exceptional hackers and customers who drive innovation and impact in cybersecurity. With categories like Breakthrough Hacker, Top P1 Hacker, Community Leader, Top Pentester, and Global Security Impact, the awards recognize outstanding skill, dedication, and contributions to the community — with winners announced live at DEFCON in Vegas and featured across Bugcrowd’s channels.
View the event →

Did I miss an important update? Tell me.

Cloud Enum Revived [🔗 Tool]
by Harrison Richardson (rs0n)

Rs0n revived and enhanced the unmaintained Cloud Enum tool, adding service and region coverage, advanced controls, and improved S3 enumeration to deliver a more powerful reconnaissance solution for AWS, Azure, and GCP.
View the tool →

Copier: Streamlined Request/Response Copying for Burp Suite [🔗 Tool]
by Tib3rius

Tib3rius enhanced the Burp Suite extension Copier, making it easier for testers to copy requests and responses with automated modifications using custom rules — perfect for removing sensitive data, cookies, or headers before adding to reports. The latest updates include cleaner code, new features, and improved default profiles.

Collect 2500 DNS Records and Probe 600 Hosts per Second [🔗 Tweet]
by Profundis.io

Profundis is a search engine that indexes hosts and DNS records (rather than web pages) to help security professionals discover exposed assets and monitor digital infrastructure. It provides enriched data from public sources, supports advanced search and alerts, and is useful for analysts, researchers, and bug bounty hunters to identify and secure online assets.
View the tool →

New BApp Store Tool: UnUnicode for Nested Unicode Decoding [🔗 Tweet]
by BApp Store

UnUnicode, newly released on the BApp Store, automates the decoding of nested Unicode escape sequences so that obfuscated input is easier to inspect manually.
View the tool →

Have a favorite tool? Tell me.

From Image Upload to Account Takeover — Chaining Upload, Storage, and CORS Issues in a Real Pentest [📓 Blog]
by Shazilrao

This write-up walks through a critical finding from a penetration test, where chaining an image upload flaw, stored XSS, and a CORS misconfiguration led to account takeover.
Read more →

How I Escalated Simple HTML Injection to SSRF via PDF Rendering [📓 Blog]
by Ahmed Tarek

In this blog, Ahmed Tarek chronicles the escalation of a simple HTML injection vulnerability to SSRF through PDF rendering, showcasing his penetration testing insights on a private bug bounty program.
Read more →

Did I miss an important update? Tell me.

Minecraft Hacks to Google Hacking Star - Valentino (Ep 130) [🎥 Video]
by Critical Thinking - Bug Bounty Podcast

In Episode 130, Valentino discusses his evolution from hacking Minecraft to engaging in sophisticated bug bounty challenges.
Watch video →

Bug Bounty Hunters: The JWT Mistake You’re Probably Missing | Practical Demonstration [🎥 Video]
by BePractical

This video explores a vulnerability involving JSON Web Tokens (JWT), demonstrating the implications of misconfigured tokens in a pentesting context.
Watch video →

How to become smarter with NotebookLM (bug bounty in this case) [🎥 Video]
by atomiczsec

This tutorial on using NotebookLM shows bug bounty hunters how to study different vulnerability classes by generating guided study materials.
Watch video →

Hacking Blogs on Medium — Hits, Misses & WTF Moments [🎥 Video]
by Medusa

This video reviews vulnerabilities discussed in recent Medium bug bounty blogs, offering practical takeaways on exploiting security flaws.
Watch video →

JinjaCare - HackTheSystem CTF [🎥 Video]
by 0xdf

A deep dive into Server-Side Template Injection (SSTI) demonstrated through Hack The Box CTF challenges, illustrating real-world exploitation techniques.
Watch video →

Master Your Recon: The Ultimate Bug Bounty Recon Checklist [🎥 Video]
by 𝙇𝙤𝙨𝙩𝙨𝙚𝙘

This comprehensive guide covers advanced subdomain enumeration techniques that enhance vulnerability discovery for bug bounty hunters.
Watch video →

Maximize Your Bug Bounty Workflow With CaidoIO Tools [🔗 Video]
by YesWeHack ⠵

In this video, Pwnii explores advanced features and customisation, including plugin usage like QuickSSRF, AuthMatrix, YesWeCaido, Param Finder, and more.
Watch video →

Did I miss something? Tell me.

The ultimate guide to Bug Bounty recon and footprinting [📓 Blog]
by YesWeHack

This comprehensive guide compiles six articles on vital bug bounty reconnaissance techniques, focusing on methods to gather intelligence on target systems effectively.
Read more →

ZoomEye Dorking with Nuclei. Mass Dork Crafting + LLM Prompts for… [📓 Blog]
by AbhirupKonwar

This blog details leveraging ZoomEye in conjunction with Nuclei for effective dork query creation to automate vulnerability scanning, showcasing practical applications.
Read more →

GitHub - amrelsagaei/Bug-Bounty-Hunting-Methodology-2025: Bug Bounty Methodology 2025 [📁 Tool]
by amrelsagaei

This methodology guide outlines essential steps for ethical hackers in bug bounty processes, detailing tools and techniques for effective reconnaissance and vulnerability assessment.
Read more →

Essential Recon Techniques for Bug Bounty Hunters [🔗 Tweet]
by YesWeHack ⠵

This tweet provides a recap of a six-part series focused on critical recon techniques, suitable for both new and aspiring bug bounty hunters.
Read more →

Common OAuth 2.1 Mistakes in Remote MCP Security [🔗 Tweet]
by Ron Chan

This tweet directs developers to a resource identifying frequent mistakes in OAuth 2.1 related to Remote MCP Server security, aiding in better security practices.
Read more →

Hacking Web: Account Takeover (ATO) Attacks [📓 Blog]
by Israel Aráoz Severiche

Drawing attention to Account Takeover vulnerabilities, this article discusses exploit techniques that can aid researchers in identifying weaknesses in web applications.
Read more →

Web Application Firewall (WAF) Bypass Techniques that Work in 2025 [📓 Blog]
by Karthikeyan Nagaraj

The article presents practical techniques for bypassing WAF protections in 2025, highlighting the need for ongoing updates and layered security approaches.
Read more →

Overcoming Procrastination in Bug Bounty Programs [🔗 Blog]
by trieulieuf9

This post promotes an article aimed at beginners who struggle with procrastination in bug bounty work, stressing the importance of getting started and participating proactively.
Read more →

Did I miss something? Tell me.

Comprehensive SSTI and CSTI Payloads for Bug Bounty [🔗 Tweet]
by thereceman

A tweet sharing a cheat sheet of test payloads for server-side and client-side template injection, beneficial for researchers.
Read more →

Using Reverse CNAME Lookups for Subdomain Takeover Hunting [🔗 Tweet]
by Abdullah

A strategy shared for using reverse CNAME lookups to hunt for potential subdomain takeovers on vulnerable services.
Read more →

Exploiting Booking Deletion via IDOR Manipulation [🔗 Tweet]
by VIEH Group

This tweet outlines how manipulating request structures via an IDOR vulnerability allowed unauthorized booking deletions.
Read more →

Google Docs Adds Markdown Export for Simpler HTML Conversion [🔗 Tweet]
by James Kettle

Google Docs now offers Markdown export, which makes converting documents to HTML simpler and improves formatting options.
Read more →

Optimism in Bug Bounty: Thriving Opportunities Ahead [🔗 Tweet]
by zseano

Highlighting the current growth in the bug bounty industry, this tweet underscores the positive impacts of AI on research efforts.
Read more →

Exploring Android Apps with Drozer Tool [🔗 Tweet]
by YesWeHack ⠵

The tweet introduces Drozer, a tool that aids security researchers in discovering vulnerabilities in Android applications.
Read more →

Five Steps to Writing Effective Semgrep Rules [🔗 Tweet]
by spaceraccoon | Eugene Lim

A succinct outline of five key steps for crafting more accurate Semgrep rules, aimed at reducing false positives during code analysis.
Read more →

Chrome's New Framebusting Intervention Aims to Thwart Exploits [🔗 Tweet]
by Critical Thinking - Bug Bounty Podcast

Recent announcements from the Chrome/Blink team on the Framebusting Intervention highlight efforts to counter an exploit primitive involving cross-origin iframes.
Read more →

New Cache Poisoning Vulnerability Discovered in Next.js [🔗 Tweet]
by zhero

A newly identified cache poisoning vulnerability in Next.js (CVE-2025-49826) results in indefinite caching of 204 responses, impacting specific versions.
Read more →

Exploring Cursor's Automated Hackbot for SQL Injection [🔗 Tweet]
by sw33tLie

A look at how Cursor's built-in hackbot features can automatically solve a SQL injection lab, as demonstrated in a PortSwigger lab video.
Read more →

Effective Techniques for Discovering SSRF Vulnerabilities [🔗 Tweet]
by Pratik Dabhi

This tweet shares essential strategies for uncovering SSRF vulnerabilities, leveraging parameter testing and Burp Collaborator for blind SSRF.
Read more →

Did I miss something? Tell me.


Because Disclosure Matters: This newsletter was produced with the assistance of AI. While I strive for accuracy and quality, not all content has been independently vetted or fact-checked. Please allow for a reasonable margin of error. The views expressed are my own and do not reflect those of my employer.