🐝 Hive Five 138 - From 0 to $100k in one year of bug bounty
Hi friends,
Greetings from the hive!
A powerful earthquake struck Morocco late Friday night and killed thousands of people. My thoughts and prayers go out to all affected.
Here’s how to help victims of the earthquake (taken from the NYT):
- Moroccan Red Crescent Society rescue teams were on the ground with the International Federation of Red Cross and Red Crescent Societies to support search and rescue operations and provide medical care and transportation. You can donate to their Disaster Response Emergency Fund here.
- Global Giving, which helps local nonprofit agencies, is collecting donations to help provide survivors with food, fuel, clean water, medicine and shelter. As needs evolve, the fund will then transition to focus on recovery and rebuilding efforts, the organization said.
- The United Nations Children’s Fund, better known as UNICEF, said it is ready to help the Moroccan government with immediate needs. UNICEF is accepting donations.
- Doctors Without Borders, which responds to medical emergencies around the world, said it is sending teams to Morocco to assess local needs and provide support if necessary. It is collecting donations here.
- CARE, an organization that works with impoverished communities, is accepting donations to support its teams on the ground that are helping provide emergency water, food, shelter, and medical support.
- For anyone near the quake area looking to help, the Marrakesh Regional Blood Transfusion Center has also urged people, especially those in Marrakesh, to donate blood.
Let’s take this week by swarm!
🐝 The Bee’s Knees
1. How to go from zero to $100k in one year of bug bounty. Justin breaks it down by month, starting with web fundamentals and ending with hardcore hacking. TWITTER
2. Shubs on how his time in the industry shaped his mindset and what he looks for when auditing an application, and why he became so deeply invested in server-side security. TWITTER
3. Hrishi shares everything he’s learned from using Language Models in production. Some version of this guide probably exists at every AI company, but this one is public. OLICKEL
4. A huge curated list of free courses & certifications. GITHUB
5. Managing the chaos of context switching. Context switching is like mental channel-flipping. However, every time you switch gears from one task to another, you’re not just changing tasks, you’re rewiring your brain’s focus and attention. Thanks to distractions and interruptions, the cognitive toll quietly accumulates. LEADDEV
Which Bee’s Knees was your favorite? Reply with the number (#1, #2, #3, #4, or #5)!
💪 Sponsor
Sponsor the Hive Five and reach a highly engaged community of engineers, security researchers, and ethical hackers who are at the forefront of the industry.
🔥 Buzzworthy
✅ Changelog
OWASP Juice Shop v15.1.0 added a Web3 challenge suite and more. GITHUB
GAP Burp Extension v4.1 is here with bug fixes, more exclusions to reduce time and improve accuracy, and more. TWITTER
RetireJS/retire.js 4.3.3 is a scanner detecting the use of JavaScript libraries with known vulnerabilities. GITHUB
Noir v0.6.0. Noir is an attack surface detector for source code. GITHUB
j3ssie/osmedeus v4.6.0 is a workflow engine for offensive security. GITHUB
📅 News
Check out this year’s Disobey Hacker Puzzle: What is going on in Kouvostoliitto? TWITTER
Jason significantly updated his bug hunters methodology live course, adding new content and cheat sheets for IDOR, SSRF, recon techniques, and red team cred tactics. TWITTER
O.G. hacker Mudge joins CISA to help advance their Secure By Design initiative. He was the most prominent member of the high-profile hacker think tank the L0pht as well as the computer and culture hacking cooperative the Cult of the Dead Cow. TWITTER
🎉 Celebrate
💰 Career
The Google Red Team has a position open in NYC. Join Calle (ZetaTwo) et al. GOOGLE
Advice from the hive mind on landing a junior position. TWITTER
5 Small Changes to Improve Your Presentations Forever. In this video, Jeff dissects real slides from top consulting firms like McKinsey, Bain, and BCG. YOUTUBE
⚡️ Community
Some answers to the question: How to balance learning and what to focus on with new research coming out? TWITTER
Rana went from being nervous about public speaking to owning her own academy and YouTube channel. A reminder of the accumulation of effort. TWITTER
TESS started logging into apps to hack, which he hadn’t done since he started 4-5 years ago. TWITTER
The life of a bug bounty hunter working on their automation: build, run, error, repeat. TWITTER
A day in the life of Dave Kennedy. TWITTER
📰 Read
Annoying Apple Fans: The Flipper Zero Bluetooth Prank Revealed. GITHUB
Code Vulnerabilities Leak Emails in Proton Mail. The Sonar Research team discovered critical code vulnerabilities in multiple encrypted email solutions, including Proton Mail, Skiff, and Tutanota. SONARSOURCE
4,500 of the Top 1 Million Websites Leaked Source Code, Secrets. This research was done in collaboration with Karim Rahal and Luke Stephens from haksec. TRUFFLESECURITY
It’s official: cars are the worst product category Mozilla has ever reviewed for privacy. MOZILLA
When you need search by nickname in public IP addresses search engines. One of the most common tasks in OSINT is to collect information about a person by nickname and/or last name and first name. MEDIUM
💡 Tips
A friendly reminder by Wes to read your credit card features and perks package. Many of them offer insurance on electronics and travel related expenses. TWITTER
LibreWolf is an independent fork of Firefox, with the primary goals of privacy, security and user freedom. LibreWolf is designed to increase protection against tracking and fingerprinting techniques, while also including a few security improvements. LIBREWOLF
🍯 Follow
Awesome accounts to follow. Randomly selected from my curated Twitter lists.
@yaworsk | yaworsk | Author of Web Hacking 101, Hacker Interviewer, Stripe AppSec (former Shopify AppSec).
@Shadow0pz | CONDITION.BLACK | human rights in tech | privacy | research | intelligence | not a fed | cybersecurity | investigation | public figure | american apt | blockchain whisperer.
@mr_hacker0007 | Mr.Hacker | Bug Hunter @intigriti | Ex Bugcrowd.
@tolo7010 | tololovejoi.
@simps0n | 尺Ξn4tø 尺ødɿiguΞ5
🚀 Productivity
Get $200 to try DigitalOcean. Level up your bug bounty game with the ultimate VPS solution. It’s my go-to for all recon, automation, and even VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.
🌐 Technology
A look into how LLMs actually work. For any given passage of text, the tool augments the original with highlights and annotations. VERCEL
Does Astro make heavy JS frameworks obsolete? Astro is betting on the browser over JavaScript. YOUTUBE
The highly anticipated Bun v1.0 was released. It’s an incredibly fast JavaScript runtime, bundler, test runner, and package manager – all in one. GITHUB | YOUTUBE
Microsoft’s Visual Studio Code now has built-in port forwarding — Though it sounds cool (and scary), I’m not a fan of bloated tools, and it looks like VSCode is moving in that direction. TWITTER
3D mockup images and movies in minutes. Stunning 3D mockups with your own app and web designs on the device screens. No 3D experience needed. ROTATO
🧠 Wisdom
Daniel Miessler: “Doing pentests on orgs with no security is like doing full genome analysis on morbidly obese people. […]” TWITTER
A reminder by Steph Smith that you are the only shareholder in your life: “Stop optimizing for everyone else’s opinion.” TWITTER
Alex shares his recent learnings when failing to port a Chrome sandbox escape exploit for CVE-2021-30633 to Chrome 90. TWITTER
There is nothing less vanilla than vanilla. A 1 minute read by kepano (Obsidian CEO). TWITTER
💛 Cross-pollination
An interesting concept I saw by Patricia: the 4th place. “We have homes as first place, work as second place, public spaces as third place, & communities for meaning-making, as 4th place.” she says. TWITTER
Curated links to the very best documentaries. Over 200 awe-inspiring films and series from your favourite channels. ROCUMENTARIES
ALTI Wireless Charging Desk Mat — This looks useful, I might have to get one in the near future. JOURNEYOFFICIAL
🐝 Fact
There have been reports of people suffering adverse reactions (generally stomach or gastrointestinal upsets) after eating pollen. It is therefore best to begin by eating only small amounts.
This bee fact is brought to you by The Beekeeper’s Bible: Bees, Honey, Recipes & Other Home Uses.