Hi friends,

Greetings from the hive!

I hope everything is going well in your life. I just finished watching this week's Sunday Recon with guest Louis Nyffenegger. I'm always fascinated and inspired by the variety of guests.

Here's what's been on my mind lately, in random order: minimalism, anti-fragility, living in the now, mindset, and gratitude.

What's been on your mind lately?

Let's take this week by swarm!

🐝 The Bee's Knees

  1. Q: How to write a BUG BOUNTY report that actually gets paid?: YES! That's one of the topics STÖK and Jason Haddix and KUGG will answer in this episode of Bounty Thursdays.

  2. NahamCon2022 - Jason Haddix (jhaddix) - The Bug Hunter’s Methodology: Application Analysis v1: I had to do another one. One of the most anticipated talks (at least for me).

  3. mitmproxy2swagger: A tool for automatically converting mitmproxy captures to OpenAPI 3.0 specifications. This means that you can automatically reverse-engineer REST APIs by just running the apps and capturing the traffic.

  4. Hunting evasive vulnerabilities: Do you ever wonder about the vulnerabilities you've missed? Why didn't they show themselves - and will they be discovered by somebody else later?

🔥 Buzzworthy

Changelog

  1. reconFTW v2.3: Terraform + Ansible deployment on AWS by Stoo0rmq, a new rate-limit flag added by Job-de-Bruijn, new default resolvers from trickest, and small fixes and improvements.

  2. DalFox v2.7.5: Improved XSS patterns, a maximum set for the headless browser, code improvements, and updated packages.

  3. DOMPurify v2.3.8: Cleaned up a minor issue with the 2.3.7 release, thanks @johnbirds.

  4. unfurl v0.4.0: Adds JSON output option. Thanks, @tracertea.

📅 Events

  1. HackTheBox "Cyber Apocalypse" CTF is BACK for 2022 - 14th - 20th May, 2022: Their global community CTF is here again with an intergalactic mission for you.

  2. LYT Conference - May 16-20, 2022: Linking your thinking is where you connect ideas to help you think critically and creatively; fluidly and flexibly; connectively and joyfully—in a way that accumulates in value for them over time.

  3. Save the bees - National day of action for bee-safe plants - May 21st 2022: One of the most important ways we can help pollinators this spring is by increasing the availability of bee-safe plants for gardeners and landscapers.

  4. Azeria Labs - OBTS Course - October 3rd - 5th, 2022: For researchers aiming to keep up with the latest technology trends, the Arm architecture has become more relevant than ever.

💰 Career Corner

  1. TomNomNom on aligning work timezones: "If you're a bit of night-owl, or just not much of a morning person: I can highly recommend working remotely for a company that's in a timezone several hours behind you :)"

  2. shenetworks network is looking for employment: Anyone hiring security related roles? Mainly blue team but feel free to post anything for others looking.

  3. Trusted Sec and Binary Defense are hiring: 100% full remote work (U.S. only).

  4. Why I left Google - work-life balance / Scott Kennedy: At the time, he had a hard time expressing why he needed to make the change, even though he knew with certainty.

⚡️ From the Community

📰 Articles

  1. Multiple bugs chained to take over Facebook accounts that use Gmail: This bug could allow a malicious actor to take over a Facebook account after stealing a Gmail OAuth id_token/code used to log in to Facebook. This happened due to multiple bugs that were chained together.

  2. A tale of a trailing dot: Trailing dots on host names in URLs are the gift that keeps on giving.

  3. Earn $200K by fuzzing for a weekend - Part 2: Below are the writeups for two vulnerabilities they discovered in Solana rBPF, a self-described “Rust virtual machine and JIT compiler for eBPF programs”.

  4. A Fun SSRF through a Headless Browser: But let's talk about the coolest one. So you can learn. Render means to "process information".

📚 Resources

  1. Jason's practice target super thread: E.g. for offensive security people that want to take their theory to live targets.

  2. Jack asks about technologies and innovations: "What's a technology or innovation that when you saw it you said hell no. But now you use it all the time?"

  3. forrest-orr/Exploits: This repository contains their personal collection of Windows CVEs they have turned into exploit source, as well as a collection of payloads they've written to be used in conjunction with these exploits.

  4. Datadog Security Labs Research and Proof of Concept Code: This repository aims at providing proof of concept exploits and technical demos to help the community respond to threats.

🎥 Videos

  1. Bug Bounty 101 #16 - Login Dialogue Bypass via Password Spray / Brute Force Attack: In this bug bounty video, Z-Wink goes over the subtle differences between brute force, dictionary attack, and password spray, and shows real examples using Burp Intruder of how these attacks are conducted to break into login dialogues (on authorized testing targets) without knowing usernames or passwords.

  2. How the FBI Investigated the First Bank Robbing Hacker - Darknet Diaries Ep. 23 Vladimir Levin: When banks started coming online, they almost immediately started being targeted by hackers.

🎵 Audio

  1. Cloudflare Pages, Hacking a Bank, and Attacking Price Oracles [Bug Bounty Podcast]: Some interesting vulnerabilities this week, from a Cloudflare Pages container escape chain, to hacking a bank's web application with some neat tricks to abuse a file write in a hardened environment, and even another dumb smart-contract bug.

  2. The Privacy, Security, & OSINT Show #261 - A Client Stops By: This week a client stops by to discuss his recent full privacy reboot, plus the latest news.

  3. Smashing Security #274 - Hands off my biometrics, and a wormhole squirmish: Clearview AI receives something of a slap in the face, and who is wrestling over an internet wormhole? All this and more.

  4. Malicious Life - How to Russia-Proof Your Democracy [ML BSide]: In 2007, Estonia - then already a technologically advanced country - suffered a large-scale DDoS attack that crippled many organizations and digital services.

Get $100 to try DigitalOcean - The go-to VPS for bug bounty hunters. I use it for all of my own recon and automation needs, plus it also doubles as a VPN. They have every cloud resource you need at an affordable price.
