
🐝 Hive Five 138 - From 0 to $100k in one year of bug bounty

Hi friends,

Greetings from the hive!

A powerful earthquake struck Morocco late Friday night and killed thousands of people. My thoughts and prayers go out to all affected.

Here’s how to help victims of the earthquake (taken from the NYT):

- Moroccan Red Crescent Society rescue teams were on the ground with the International Federation of Red Cross and Red Crescent Societies to support search and rescue operations and provide medical and transportation. You can donate to their Disaster Response Emergency Fund here.
- Global Giving, which helps local nonprofit agencies, is collecting donations to help provide survivors with food, fuel, clean water, medicine and shelter. As needs evolve, the fund will then transition to focus on recovery and rebuilding efforts, the organization said.
- The United Nations Children’s Fund, better known as UNICEF, said it is ready to help the Moroccan government with immediate needs. UNICEF is accepting donations.
- Doctors Without Borders, which responds to medical emergencies around the world, said it is sending teams to Morocco to assess local needs and provide support if necessary. It is collecting donations here.
- CARE, an organization that works with impoverished communities, is accepting donations to support its teams on the ground that are helping provide emergency water, food, shelter, and medical support.
- For anyone near the quake area looking to help, the Marrakesh Regional Blood Transfusion Center has also urged people, especially those in Marrakesh, to donate blood.

Let’s take this week by swarm!

🐝 The Bee’s Knees

  1. How to go from zero to $100k in one year of bug bounty. Justin breaks it down by month, starting with web fundamentals, and ending with hardcore hacking. TWITTER

  2. Shubs on how his time in the industry shaped his mindset and perspective for what to be looking for when auditing an application, and is the reason why he became so deeply invested in server side security. TWITTER

  3. Hrishi shares everything he’s learned from using Language Models in production. Some version of this guide probably exists at every AI company, but this one is public. OLICKEL

  4. A huge curated list of free courses & certifications. GITHUB

  5. Managing the chaos of context switching. Context switching is like mental channel-flipping: every time you switch gears from one task to another, you’re not just changing tasks – you’re rewiring your brain’s focus and attention. Thanks to distractions and interruptions, the cognitive toll quietly accumulates. LEADDEV

Which Bee’s Knees was your favorite? Reply with the number (#1, #2, #3, #4, or #5)!

💪 Sponsor

Sponsor the Hive Five and reach a highly engaged community of engineers, security researchers, and ethical hackers who are at the forefront of the industry.

🔥 Buzzworthy

Changelog

  1. OWASP Juiceshop v15.1.0 added a Web3 challenge suite and more. GITHUB

  2. GAP Burp Extension v4.1 is here with bug fixes, more exclusions to reduce time and improve accuracy, and more. TWITTER

  3. RetireJS/retire.js 4.3.3 is a scanner detecting the use of JavaScript libraries with known vulnerabilities. GITHUB

  4. Noir v0.6.0 is out. Noir is an attack surface detector that works from source code. GITHUB

  5. j3ssie/osmedeus v4.6.0 is a workflow engine for offensive security. GITHUB

📅 News

  1. Check out this year’s Disobey Hacker Puzzle: What is going on in Kouvostoliitto? TWITTER

  2. Jason significantly updated his bug hunters methodology live course, adding new content and cheat sheets for IDOR, SSRF, recon techniques, and red team cred tactics. TWITTER

  3. O.G. hacker Mudge joins CISA to help advance their Secure By Design initiative. He was the most prominent member of the high-profile hacker think tank the L0pht as well as the computer and culture hacking cooperative the Cult of the Dead Cow. TWITTER

🎉 Celebrate

  1. Masonhck357 is another year older and swoller. Happy birthday! TWITTER

  2. Nathaniel continues to push his body and mind, and has now been running consistently for 4 months. Let’s go! TWITTER

  3. Leo reached 3k points on Intigriti. Congrats! TWITTER

💰 Career

  1. The Google Red Team has a position open in NYC. Join Calle (ZetaTwo) et al. GOOGLE

  2. Advice from the hive mind on landing a junior position. TWITTER

  3. 5 Small Changes to Improve Your Presentations Forever. In this video, Jeff dissects real slides from top consulting firms like McKinsey, Bain, and BCG. YOUTUBE

⚡️ Community

  1. Some answers to the question: How to balance learning and what to focus on with new research coming out? TWITTER

  2. Rana went from being nervous for public speaking to owning her own academy and YouTube channel — A reminder of the accumulation of effort. TWITTER

  3. TESS started logging into apps to hack, which he hasn’t done since starting 4-5 years ago. TWITTER

  4. The life of a bug bounty hunter working on their automation: build, run, error, repeat. TWITTER

  5. A day in the life of Dave Kennedy. TWITTER

📰 Read

  1. Annoying Apple Fans: The Flipper Zero Bluetooth Prank Revealed. GITHUB

  2. Code Vulnerabilities Leak Emails in Proton Mail. The Sonar Research team discovered critical code vulnerabilities in multiple encrypted email solutions, including Proton Mail, Skiff, and Tutanota. SONARSOURCE

  3. 4,500 of the Top 1 Million Websites Leaked Source Code, Secrets. This research was done in collaboration with Karim Rahal and Luke Stephens from haksec. TRUFFLESECURITY

  4. It’s official: cars are the worst product category Mozilla has ever reviewed for privacy. MOZILLA

  5. When you need search by nickname in public IP addresses search engines. One of the most common tasks in OSINT is to collect information about a person by nickname and/or last name and first name. MEDIUM

💡 Tips

  1. A friendly reminder by Wes to read your credit card features and perks package. Many of them offer insurance on electronics and travel related expenses. TWITTER

  2. LibreWolf is an independent fork of Firefox, with the primary goals of privacy, security and user freedom. LibreWolf is designed to increase protection against tracking and fingerprinting techniques, while also including a few security improvements. LIBREWOLF

🍯 Follow

Awesome accounts to follow. Randomly selected from my curated Twitter lists.

  1. @yaworsk | yaworsk | Author of Web Hacking 101, Hacker Interviewer, Stripe AppSec (former Shopify AppSec).

  2. @Shadow0pz | CONDITION.BLACK | human rights in tech | privacy | research | intelligence | not a fed | cybersecurity | investigation | public figure | american apt | blockchain whisperer.

  3. @mr_hacker0007 | Mr.Hacker | Bug Hunter @intigriti | Ex Bugcrowd.

  4. @tolo7010 | tololovejoi.

  5. @simps0n | 尺Ξn4tø 尺ødɿiguΞ5

🚀 Productivity

  1. How To Create The Ultimate Dashboard for Your Ideas (Using the ACE framework). YOUTUBE

  2. Dickie shares an alternative to building a meditation habit. Streaks are fragile, so he tracks total number of mindfulness minutes instead — I’m going to leverage this for my habit building as well. TWITTER

Get $200 to try DigitalOcean. Level up your bug bounty game with the ultimate VPS solution. It’s my go-to for all recon, automation, and even VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.

🌐 Technology

  1. A look into how LLMs actually work. For any given passage of text, it augments the original text with highlights and annotations. VERCEL

  2. Does Astro make heavy JS frameworks obsolete? Astro is betting on the browser over JavaScript. YOUTUBE

  3. The highly anticipated Bun v1.0 was released. It’s an incredibly fast JavaScript runtime, bundler, test runner, and package manager – all in one. GITHUB | YOUTUBE

  4. Microsoft’s Visual Studio Code now has built-in port forwarding — Though it sounds cool (and scary), I’m not a fan of bloated tools, and it looks like VSCode is moving in that direction. TWITTER

  5. 3D mockup images and movies in minutes. Stunning 3D mockups with your own app and web designs on the device screens. No 3D experience needed. ROTATO

🧠 Wisdom

  1. Daniel Miessler: “Doing pentests on orgs with no security is like doing full genome analysis on morbidly obese people. […]” TWITTER

  2. A reminder by Steph Smith that you are the only shareholder in your life: “Stop optimizing for everyone else’s opinion.” TWITTER

  3. Alex shares his recent learnings when failing to port a Chrome sandbox escape exploit for CVE-2021-30633 to Chrome 90. TWITTER

  4. There is nothing less vanilla than vanilla. A 1 minute read by kepano (Obsidian CEO). TWITTER

💛 Cross-pollination

  1. An interesting concept I saw by Patricia: the 4th place. “We have homes as first place, work as second place, public spaces as third place, & communities for meaning-making, as 4th place.” she says. TWITTER

  2. Curated links to the very best documentaries. Over 200 awe-inspiring films and series from your favourite channels. ROCUMENTARIES

  3. ALTI Wireless Charging Desk Mat — This looks useful, I might have to get one in the near future. JOURNEYOFFICIAL

🐝 Fact

There have been reports of people suffering adverse reactions (generally stomach or gastrointestinal upsets) after eating pollen. It is therefore best to begin by eating only small amounts.
