
Hi friends,
Greetings from the hive!
I hope you were able to do something you looked forward to this weekend.
I finished last week's investigative podcast. I highly recommend it if you're into that sort of thing! Something quirky I did the past week was running in the rain. I've done it before, but this time it was intentional. It turns out it feels like any other run.
I also discovered a great new podcast to feed my nerdy productivity needs called Automaters. I'll link it in the audio section.
Let's take this week by swarm!
🐝 The Bee's Knees
$50,000 Shopify access to source code via leaking GitHub token - HackerOne bug bounty: This video is an explanation of a $50,000 vulnerability in the Shopify bug bounty program that allowed push and pull access to all Shopify repositories on GitHub. It was achieved by leaking a GitHub API Personal Access Token belonging to one of Shopify's employees. The bug was reported on HackerOne by Augusto Zanellato.
FAV/E - Find A Vulnerability/Exposure: To be a successful bug bounty hunter, you must be on a continuous search for new vulnerabilities and exploits. Aside from staying glued to infosec Twitter feeds, one of the best ways of introducing yourself to new vulnerabilities and exploitation methods is to stay up to date with the latest CVEs.
5 RCEs in npm for $15,000: In this post, they will discuss the root cause of these vulnerabilities, as well as briefly walk through the exploitation process. They’ll also include some thoughts about bug bounty in general at the end. CVE-2021-39134 affects @npmcli/arborist. The others affect node-tar.
Disclosure of three 0-day iOS vulnerabilities and critique of Apple Security Bounty program: Sharing their frustrating experience participating in the Apple Security Bounty program.
Apache Dubbo: All roads lead to RCE: During an audit of Apache Dubbo v2.7.8 source code, Alvaro found multiple vulnerabilities enabling attackers to compromise and run arbitrary system commands on both Dubbo consumers and providers.
🙏🏻 Enjoy This Newsletter?
Get $100 to try DigitalOcean. The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.
TCM Security Academy - courses, bundles, gift certs, and access passes. Cybersecurity Training That Doesn't Break the Bank. Don't overspend on your education!
🔥 Buzzworthy
✅ Changelog
reconFTW v2.1.0: New minor version with some cool changes, fixes, and a useful new "-c" (custom) mode that runs a chosen standalone function on an already scanned target.
BeeSecSan teases the next version of PyWhat: The next version of PyWhat is going to be absolutely amazing for bug bounty hunters....
📅 Events
BSidesSF 2022 Call For Participation: BSidesSF is a non-profit organization designed to advance the body of Information Security knowledge, by providing an annual, open forum for discussion and debate for security practitioners.
🎉 Celebrate
Zseano and family welcomed their son: I wish you nothing but the best!
💰 Career Corner
GitHub is hiring an engineering manager: They're super excited to be expanding GitHub's Product Security Engineering team.
Offensive security junior looking for a job via Jason Haddix: A strong woman looking for a break. No past experience, but has done almost everything extracurricular (CTF, Hack The Box, PentesterLab, certs, ++).
📰 Articles
He Escaped the Dark Web's Biggest Bust. Now He's Back: Just over four years ago, the US Department of Justice announced the takedown of AlphaBay, the biggest dark web market bust in history.
Nothing will change until you start building.: This past week, I was in a Lyft. My driver was telling me about all of her ideas for side projects. The problem was she was frozen by indecision.
IntelTechniques Apple iOS 15 Privacy Guide: There are some changes within the latest version of iOS (15) released in September of 2021.
Meet a Hacker Hero - Eva Galperin: When we asked the security community who is their hacker hero, it was unsurprising to see that Eva Galperin, Director of Cybersecurity at EFF and co-founder of the Coalition Against Stalkerware was a finalist on the list.
Note taking in 2021: A list of (digital) solutions (besides the preferred ones).
📚 Resources
MasterSEC shares htmlq examples: It's like a JSON parser but for HTML. Basically, you now have an option to have a zero false-positive HTML Injection finder from bash.
ffuf notes by Darshan: Wrote some notes on ffuf while watching codingo's ffuf videos.
grimm-co's NotQuite0DayFriday: This repository documents real bugs in real software.
chorankates/h4ck: A collection of writeups and tools related to ~embedded device ~hacking.
🎥 Videos
HTTP Smuggling with ippsec: Ever curious about HTTP Smuggling? Check out HTB's Sink video; it abuses a bug between HAProxy and Gunicorn to trick the server into writing someone else's HTTP headers into your POST request.
CSRF - Lab #4 CSRF where token is not tied to user session | Long Version: This lab's email change functionality is vulnerable to CSRF.
Did you really find a vulnerability in Google? - ft. PwnFunction: This video was created in collaboration with PwnFunction and was commissioned by Google VRP.
Absolute AppSec Ep. #147 - James Kettle (albinowax), Security Research: The one and only James Kettle (@albinowax) of Portswigger joins Seth and Ken to talk about his path into security, HTTP request smuggling, and how to perform security research.
🎵 Audio
Automators: A podcast about automation, how it makes your life easier, and how everyone can do it.
Mac Power Users - The Obsidian Deep Dive: Learn about getting the most from your Apple technology with focused topics and workflow guests.
