Hive Five 148 - The OG Bug Bounty King
Hi friends,
Greetings from the hive!
I hope your weekend was relaxing, and not as eventful as in the AI world.
I'm (hopefully) getting over the tail end of my sickness.
"Move faster. Slowness anywhere justifies slowness everywhere."
Let's take this week by swarm!
The Bee's Knees
The OG Bug Bounty King: Frans Rosén. In episode 45 of Critical Thinking - Bug Bounty Podcast, they talk to Frans Rosén, an OG bug bounty hunter and co-founder of Detectify. YOUTUBE
Catching up on the weird world of LLMs, a talk by Simon Willison at North Bay Python 2023. Simon attempts to summarize everything he's learned about them over the past year: how they are built, what they can do, what they can't do and how we can best tame them and use them to solve interesting problems. YOUTUBE
Japan's Hidden Strength Culture You Didn't Know Of: Chikara Ishi 力石. World's Strongest Man, Martins, takes you on a journey to Strength Unknown. When I was younger, I watched strongman competitions, envisioning growing up big and strong. This series cultivates and showcases a thoughtful and spiritual side of strength. YOUTUBE
A Coder Considers the Waning Days of the Craft: "Coding has always felt to me like an endlessly deep and rich domain. Now I find myself wanting to write a eulogy for it." NEWYORKER
Kevin shared his research on Abusing Client-Side Desync on Werkzeug. He deep dives into an interesting case of Client-Side Desync (CVE-2022-29361). MIZU | SLIDES
Which Bee's Knees was your favorite? Reply with the number (#1, #2, #3, #4, or #5)!
Sponsor
Sponsor the Hive Five and reach a highly engaged community of engineers, security researchers, and ethical hackers who are at the forefront of the industry.
Buzzworthy
Changelog
xnl-h4ck3r released GAP-Burp-Extension v4.3, a Burp Extension to find potential endpoints and parameters, and to generate a custom target wordlist. GITHUB
Another xnl-h4ck3r release: XnlReveal v2.7, a Chrome/Firefox browser extension that shows alerts for reflected query params, shows Wayback archive links for the current path, shows hidden elements and enables disabled elements. GITHUB
xnl-h4ck3r also updated waymore to v1.29, which helps you find way more from the Wayback Machine. GITHUB
s0md3v released Arjun 2.2.2, an HTTP parameter discovery suite. GITHUB
j3ssie released osmedeus v4.6.2, a workflow engine for Offensive Security. GITHUB
News
Celebrate
bebiks is one year in the bug bounty game and has crossed 1k reputation points. Congrats! TWITTER
Mason finished their annual Friendsgiving, and thanks everyone. No, thank you! TWITTER
Sam has had a really weird last 6 months, but is really looking forward to doing more web security stuff. We miss you! TWITTER
Leo received a hacker portrait from Intigriti. Looking good! TWITTER
Michael was awarded a $30k bounty on HackerOne. Woot! TWITTER
Career
Ian says anyone can give a conference talk, and shares tips for topics. TWITTER
Emily was laid off and is looking for blue team work! TWITTER
People share why they got their certifications, such as getting a job. TWITTER
Zach shares how he quit his $600k data engineering job at Airbnb and made $600k in 7 months from content creation and teaching. It all started when in October 2022, a drunk-driving Tesla crashed into his house... DATAENGINEER
Community
Jason is beginning to outline his class on security leadership. Do you have any learnings for him? TWITTER
Zseano reminds us that it's the end of the year, so bug bounty programs will begin to slow down. Be patient. TWITTER
d0nut is back at hacking, and is having a great experience on Bugcrowd so far. TWITTER
Jswzl is asking what features and improvements you would like to see in 2024. TWITTER
Monke's pivotal point in their bug bounty journey was when they genuinely started enjoying the learning process. TWITTER
Read
Large Language Models and chatbots are quite commonly vulnerable to data exfiltration. This post describes how Google Cloud's Vertex AI - Generative AI Studio had this vulnerability. EMBRACETHERED
Derin uncovers a crazy privilege escalation from Chrome extensions. They were rewarded a total of $10,000 for the two bugs. 0X44
The photos. The copy. The gadgets. The pitch. There was so much to take in. That's the DAK Catalog from the 80's. Now, Cabel shares over 55 fully-scanned, 600 DPI DAK catalogs for us to enjoy. I wasn't aware of these, but I can't wait to check them out! CABEL
Daniel on how to remove your fear of public speaking. DANIELMIESSLER
Tips
Nathaniel recommends that web hackers stick to one target for long periods of time. TWITTER
Follow
Awesome accounts to follow. Randomly selected from my curated Twitter lists.
@samengmg | samuel eng.
@InfosecChlobo | I N F O S E C C H L ร B O | Infosec Zennial | Likes hacks, cooking and doggos! Security Consultant | Co-founder and organiser of @BSidesLeeds (2018-Present).
@KurenoLola | CyberLola | Cyber security engineer @INE | Compliance | AWS Security | @hacknotcrime Advocate | cat lover (=^ェ^=) | mizrahi Jewish lady living in Tokyo.
@AseemShrey | Aseem Shrey | Security Engineer @Rippling | ex-@gojektech | CTF player NULLKrypt3rs | Web App Exploitation & Reverse Eng.
Productivity
Effective Neovim setup for web development towards 2024. YOUTUBE
pashashocky worked on an Obsidian plugin that allows you to display notes in a gallery style. GITHUB
Taylin gives actionable tips and frameworks on how to escape overthinking and underacting. TWITTER
Jason shares a peek behind the scenes of the HEY calendar project, which involves weekly summaries and hill charts. I dig it! TWITTER
Thomas on how to get things done: write down the top 3 most important tasks, log out of social media, and set a 25-minute timer to work on the first one. TWITTER
Get $200 to try DigitalOcean. Level up your bug bounty game with the ultimate VPS solution. It's my go-to for all recon, automation, and even VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.
Technology
Must-have macOS apps, including my favs. TWITTER
AI Engineering 101 and 201 Workshops, covering Agents and Cognitive Architectures, Function Calling, and more. LATENT
rkk3 came up with a new solution for YouTube's adblocker crackdown. This extension automatically mutes and fast-forwards or skips through video advertisements. GITHUB
4 Web Devs, 1 App Idea. A fun new show where Salma Alam-Naylor, Scott Tolinski, and Eve Porcello build a productivity app that is NOT a todo list. YOUTUBE
Authorization is the number one security risk in the OWASP Top 10. But does it have to be? Nathanial Lattimer presents Rust, but Verify - Compile-Time Authorization. YOUTUBE
Wisdom
Jack on how to differentiate yourself by skilling up on things that can be learned but not taught. TWITTER
David on a misconception of reading: "Writing is how you discover what you think." TWITTER
Alex on the importance of sleep, crucial for focus when finding vulnerabilities. TWITTER
T.H.I.N.K before you speak: T - is it True? H - is it Helpful? I - is it Inspiring? N - is it Necessary? K - is it Kind? SUBSTACK
Jason and Daniel share their successful business strategy: "Take care of the downside, and let the upside take care of itself." TWITTER
Cross-pollination
Find out what work/office purchases transformed people's life. YCOMBINATOR
Tim Ferriss's 2023 Holiday Gift Guide: 12 Gifts to Make Your Holidays Extra Fun, Relaxing, and Delicious. TIM
Eva shared this one: Breaking up is hard to do. Digitally disentangling yourself from your former partner is harder. Avast and Refuge have written a handy guide. REFUGETECHSAFETY
Tarah shares a process for large meal cooking. TARAH
Fact
Most local beekeeping associations operate a swarm collection service. If you see a hanging swarm and are unable to collect it yourself, notify them to come and remove it before it finds a new home in an inaccessible place.
This bee fact is brought to you by The Beekeeper's Bible: Bees, Honey, Recipes & Other Home Uses.