
Disclosed. May 6, 2025: Deep Dive into DoS, Practical Advice from Jason Haddix, and More

The bug bounty world, curated.

Welcome to Disclosed.

Hey there! Getting this one out a bit later in the week due to lots of progress on Bug Bounty Village and travel for HackerOne’s AWC event in Dubai. Lots of cool things happening.

If you have something in particular you’d like to see, please let me know by either replying directly to this email or reaching out to me on LinkedIn / Twitter.

Thanks again, now onto the content:

In This Issue

Exploring DoS Exploitation Techniques for Bug Bounty Success 
🔗 Tweet by Bug Bounty Village

Roni Carta's examination of various DoS exploitation methods that have earned over $150,000 in bounties through responsible testing.
Read the full tweet

Navigating the World of Bug Bounty Programs with Jason Haddix - Coffee & Pizza Podcast #024 
🎥 Video by Coffee&&Pizza

In this episode, Jason Haddix shares insights from his cybersecurity journey, emphasizing the significance of mentorship and continuous learning in bug bounty hunting. He offers practical advice on contributing effectively to programs and discusses the evolving landscape of security in the AI era.
Watch video

Black Hat Asia 2025 Panel Session: Wen Bin's Cut Only 
🎥 Video by kongwenbin

Wen Bin discusses essential elements for successful bug bounty programs, highlighting the importance of transparent communication and hacker engagement based on his extensive experience.
Watch video

Keynote at First Hacking APIs Conference on GraphQL 
🔗 Thread by Katie Paxton-Fear

This tweet announces the inaugural Hacking APIs Conference in NYC, focused on GraphQL vulnerabilities and fostering a learning platform for API security.
Read the full thread

Have something you want to Spotlight? Tell me.

NahamCon2025 Introduces AI-Focused Tracks for Hacking 
🔗 Tweet by Ben Sadeghipour

NahamCon2025 will feature specialized tracks on Hacking AI and more, aiming to enhance learning with notable speakers over two days.
Read the full thread

Introducing Bugcrowd Red Team as a Service (RTaaS) 
📓 Blog by Julian Brownlow Davies

Bugcrowd's Red Team as a Service provides a crowdsourced approach to red teaming, simulating real-world attacks while integrating findings into security workflows. The service aims to enhance flexibility and efficiency in vulnerability detection.
Read more

Amazon's In-Person Challenge Yields 45 Critical Bugs 
🔗 Tweet by HackerOne

Amazon's inaugural in-person challenge identified 45 critical vulnerabilities in just nine days, showcasing the effectiveness of collaborative security efforts.
Read the full thread

Did I miss an important update? Tell me.

New AI Tool for Automated Pentest Reporting Cloud Enum Tool for Bug Bounties | Full Cloud Recon Tutorial 
🎥 Video by PCPL ALEX

This tutorial introduces the Cloud Enum tool, designed for fully enumerating cloud resources across major platforms, showcasing the identification of exposed resources and potential vulnerabilities from misconfigurations.
Watch video

Have a favorite tool? Tell me.

$3750 Bounty: Account Creation with Invalid Email Addresses 
📓 Blog by Monika Sharma

This write-up reveals a vulnerability in HackerOne’s account creation process allowing users to sign up with invalid emails. It emphasizes the critical role of proper email validation in enhancing application security.
Read more

Bypassing 2FA in a Public Bug Bounty Program: A $6000 Journey 
📓 Blog by Mohsin Khan

The author shares their journey of exploiting a 2FA bypass vulnerability in a public bug bounty program, detailing techniques used and key takeaways on responsible disclosure and thorough testing.
Read more

💵 The $2500 bug: Remote Code Execution via Supply Chain Attack 
📓 Blog by Naveen Kumawat

This article details an RCE exploit discovered on a private HackerOne program, highlighting the implications of compromised GitHub accounts and the importance of securing repositories against such risks.
Read more

How I Simply Bypassed a 400 Bad Request and Escalated My Access from Member to Owner 
📓 Blog by Abu Maryam Rahmat

The author shares a privilege escalation vulnerability in a fictional application, detailing their method of manipulating user roles during the workspace invitation process for a successful bounty.
Read more

How I Hijacked OAuth Tokens Through a Parallel Auth Flow Race Condition — $8500 P1 Bug Bounty 💰 
📓 Blog by Anmol Singh Yadav

This write-up outlines the successful exploitation of an OAuth token hijacking vulnerability, emphasizing the need for meticulous reviews of authorization flow configurations and the importance of ongoing research in the bug bounty space.
Read more

Did I miss an important update? Tell me.

How I Got an AI Chatbot to Spill Its Secrets Using Just a Prompt 
🎥 Video by NahamSec

This video explores prompt injection techniques to manipulate AI chatbots, demonstrating how such methods can allow attackers to extract sensitive information.
Watch Video

Abusing iframes from a Client-side Hacker (Ep. 119) 
🎥 Video by Critical Thinking - Bug Bounty Podcast

In this episode, Justin delves into iframes, exploring their security ramifications and potential abuses from a client-side perspective.
Watch video

From Easy Wins to Epic Challenges - Blaklis
🔗 Video by Bug Bounty Village

Daniel Le Gall (@Blaklis_) shares a ride through real-world bug bounty wins — from SMS token leaks and XPath exfiltration to MIME header RCEs and logic flaws that pay on coffee breaks. $2M+ earned, 15+ years of hacking.
Watch Video

🔍 How I Found Internal Dashboards Using Google Dorks + OSINT 
📓 Blog by Abhijeet Kumawat

The author shares techniques for uncovering internal tools with Google Dorks and OSINT, offering valuable insights into ethical hacking and reporting practices.
Read more

$1000+ Passive Recon Strategy You’re Not Using (Yet) 
📓 Blog by It4chis3c

This article emphasizes advanced reconnaissance methods for bug bounty hunters and introduces tools to enhance the efficiency of vulnerability identification beyond traditional methods.
Read more

The Ultimate Guide to Email Input Field Vulnerability Testing 
📓 Blog by coffinxp

A detailed guide that provides strategies for testing email input fields against common vulnerabilities like XSS and SSRF, featuring practical test cases for improving security.
Read more

Inside the Mind of a $Million Bug Bounty Hunter | SecMeet 0x01 
🎥 Video by AmrSec

Nikhil Shrivastava shares his successful journey in bug bounty hunting, offering advice on strategic vulnerability selection and the role of learning and persistence in achieving success.
Watch video

NoSQL Injection: Advanced Exploitation Guide 
📓 Blog by Intigriti

This guide covers the nuances of identifying and exploiting NoSQL injection vulnerabilities with practical examples and hands-on exercises recommended for improving skills.
Read more

Evasion Techniques for Bypassing Spring Boot WAFs 
🔗 Thread by Shaurya Sharma

This tweet shares effective evasion techniques for manipulating path filters and WAFs in Spring Boot applications, relevant for identifying security vulnerabilities.
Read the full thread

Did I miss something? Tell me.

MonkeHacks #62: Bug Bounty Tips from NahamCon 
🔗 Tweet by Ciarán Cotter

This tweet discusses the 62nd edition of MonkeHacks, focusing on bug bounty tips shared at NahamCon without detailing specific techniques.
Read the full thread

Extracting JWTs from JavaScript Files for Bug Bounties 
🔗 Tweet by infosecresearcher

This tweet highlights a method to extract base64-encoded JWT tokens from JavaScript files, underlining related security vulnerabilities.
Read the full thread

Account Takeover via Password Reset Link Poisoning Exploited 
🔗 Tweet by Vipul 🇮🇳

The author shares an account takeover vulnerability discovered through header manipulation during a password reset process, receiving a £1500 reward for the finding.
Read the full thread

Information Disclosure Bug Found Through Local Storage Inspection 
🔗 Tweet by Archer

The author discusses their bounty earned from discovering an information disclosure bug caused by sensitive data exposure through Local Storage.
Read the full thread

Exploring SSRF Vulnerabilities in PDF Generation Tools 
🔗 Tweet by infosecresearcher

This tweet outlines potential SSRF vulnerabilities in applications that convert URLs to PDFs, demonstrating risks related to URL manipulation.
Read the full thread

Critical Info Disclosure Leads to $15k Bug Bounty Success 
🔗 Tweet by Gotcha1G

The author celebrates a $15,000 bounty earned through the exploitation of a critical information disclosure vulnerability leading to full application control.
Read the full thread

Did I miss something? Tell me.

Did you like this week's drop?

Please share feedback.


Because Disclosure Matters: This newsletter was produced with the assistance of AI. While I strive for accuracy and quality, not all content has been independently vetted or fact-checked. Please allow for a reasonable margin of error. The views expressed are my own and do not reflect those of my employer.