escrow

1.5K posts


@escrow_

0days or bust

root:*:18677:0:99999:7::: daemon:*:18677:0:99999:7::: bin:*:18677:0:99999:7::: sys:*:18677:0:99999:7:::
Joined Mar 2013
445 Following · 1.1K Followers

escrow (@escrow_)
@p6rkdoye0n But you can just ban the malicious peer that is providing falsified heights and sync w/o an issue post-ban? Plus, the attacker can't do much with this if the workaround is so easy - even if they scale. I also see an informational, and not a 0day or a 7.1 to be honest.
Doyeon Park (@ehdus829)
I’m disclosing a 0-day vulnerability in the Cosmos consensus layer (CometBFT). This is a CVSS 7.1 (High) severity issue that can cause nodes in the Cosmos ecosystem—which secures over $8B+ in assets—to stall during the block synchronization phase. However, direct asset theft is not possible using this vulnerability. I made every effort to follow Coordinated Vulnerability Disclosure (CVD) for the safety of the ecosystem; however, due to the vendor’s lack of cooperation and irresponsible decisions, I have decided to proceed with disclosure. This action is taken in accordance with the vendor’s final decision. All resulting security risks are solely the responsibility of the vendor, and I will therefore disclose both the vendor’s irresponsible handling and the detailed vulnerability information in this thread.
escrow (@escrow_)
@mSanterre @mxcl @yacineMTB FYI, Chrome does not have the biggest bounties. There are many $1m+ on @immunefi for instance, and a $3m got paid out <2 months ago. > They are absolutely not worth millions lol. They are extremely contextual, but they definitely are, if we are talking about vuln + exploit.
max (@mSanterre)
@mxcl @yacineMTB They are absolutely not worth millions lol. Most bug bounties don't pay out anything. The biggest one is Chrome's full sandbox from JS for $1M, and AFAIK mythos hasn't found anything there yet.
kache (@yacineMTB)
he's right
escrow (@escrow_)
This post does not work in your favour my friend. HTB literally state for CWES: "Successfully completing all web penetration testing activities is not enough" and "will have to prove they are market-ready and client-centric professionals" under their "Commercial-grade Report Requirement" heading. 99% of the people/companies who are your clients in the corporate world cannot understand the technicalities. They require generic / concise explanations on a report. The same logic applies to concise explanations on sections which should be deeply technical. Many different eyes see these reports. They need to be good and tailored to everybody (or whatever the relevant conditions are). Your examiner's feedback is really good too. You should definitely be mad at yourself, and not HTB. You could have 200 CVEs next to your name. That does not automatically translate into being able to construct good pentest reports, because of... language barriers which may exist, for example.
Patrickbatman (@hamidonsolo)
HackerOne accepted my Critical 9.8 vulnerability on Netlify. That's real work, real impact. Meanwhile Hack The Box won't give me the cert because my final report "doesn't meet their standard," or just didn't want to give me the cert while I achieved a 100-point passing score. Brother, a real company validated the finding as CRITICAL. But HTB's exam says I'm not good enough? Certs are a scam; I highly do not recommend buying or passing them now, as they are just useless with what AI is capable of doing right now. The real exam is the field. And also tell me in the comments if you had a similar experience in the past.
Fav_Truffle (@Fav_Truffle)
What would you answer?
escrow reposted
DARKNAVY (@DarkNavyOrg)
We triggered WhatsApp 0-click on iOS/macOS/iPadOS. CVE-2025-55177 arises from missing validation that the [Redacted] message originates from a linked device, enabling specially crafted DNG parsing that triggers CVE-2025-43300. Analysis of Samsung CVE-2025-21043 is also ongoing.
escrow reposted
vx-underground (@vxunderground)
Hello, I've received a bunch of notifications today about the "Block Blaster" ... pseudo-takedown that occurred in response to a group of individuals spearphishing and cryptodraining a cancer patient. I appreciate everyone thanking me or giving me a congratulations. I am not fully responsible for the actions which occurred. I did reverse engineer the malware and identify infrastructure, however any work done was accelerated due to a group of people. When I announced I was going to look at the video game closer to determine if it was malware (it was malware), a person contacted me and spun up a group of like-minded people interested in examining Block Blaster closer.

Here are the cool and badass people I worked with:
- @zachxbt
- @John5725424446
- @andreee_eeeeee
- @escrow_
- @C4L38
- @downsin
- "J"
- Random nerds who provided "tips" to us

I've never really spoken with these people before, omit ZachXBT, but each of us was angry from what we had seen. Before I get off for the evening I want to note that I am uploading Block Blaster to the malware library. "./Samples/Families/Block Blaster" I have also synced all samples in Triage and VirusTotal if you want to examine them closer. I noted the SHA256 hashes in a previous post.
escrow reposted
1989 (@1989x__)
The full technical report details how we took down the C2 infrastructure of Block Blasters drainer malware that @valvesoftware allowed on their platform. We spoke to the threat actors who had no remorse for stealing from a terminally ill cancer patient docs.google.com/document/d/1vI…
escrow reposted
vx-underground (@vxunderground)
tl;dr of today
> @rastalandTV gets crypto drained
> he has stage 4 cancer
> he's targeted specifically for his cancer treatment money
> loses $32,000
> nerds band together
> @ZssBecker donates $30,000 to him
> malware nerds come together
> drainer infra found
> pull all victim data from infra
> victims will be notified
> all malware flagged
> osint nerds come together
> find drainers' info from their telegram ids
> find info from their steam ids

tl;dr tl;dr stage 4 cancer bro gets fucked over, 50+ nerds band together to undo the damage. fuck cancer
escrow (@escrow_)
@Montyly I don't even skim anymore. The minute I realise it's an LLM post, I just straight up mute. Disgusting rate of LLM usage in web3.
Josselin Feist (@Montyly)
Not sure if it's just me, but I am developing an "LLM fatigue". If something looks like it's written by an LLM, I just skim through it. Imho, if you want to write impactful content, stop delegating all the writing to LLMs. Otherwise, what you write won't have a lasting impact.
escrow (@escrow_)
@jack__sanford $1 flat is best. However, I think it should be conditional. If the report is valid under any severity, you have $0.5 returned. If the report is rejected, you lose the $1. If you get info'd, you have the $1 returned.
Jack Sanford 🛡️ (@jack__sanford)
The time has come for this conversation. What should be the fee to submit a finding in an audit contest?
escrow (@escrow_)
It's not about "protecting" the criminals. It just isn't a good perspective.

1 - You need to understand that not everybody cares about how things should be done, or what should be followed, etc. Take the ransomware industry for instance. There are actors out there who ransom private hospitals. You think they care about proper channels? You will never change their mind. Also, laundering money and keeping a tight opsec is not exactly hard if you know what you are doing. They know they have the advantage, and they know what is possible and what isn't. That in itself allows them to have an ego in whatever way is possible.

2 - True. I personally think this contributes to the problem as it is from inaccurate judging and projects intentionally lowballing whitehats etc. It opens the door to this style of thinking.

3 - Why would they return all funds when they can guarantee the 10% and be in the exact same situation of criminal liability? Whether you keep all, return 90% or return all, you have the same legal problems. The act is done. They are all equal. Which one you deem as correct or wrong is irrelevant because it is subjective. You are already in a tainted context full of wrongs.

You need to remember they have the cards in their favour almost always. No limits on scope. No limits on judging. Yet whitehats - within the same hunting context(s) - are limited by those two factors incredibly. Blackhat activity will always exist, because it is also a moral and ethical problem. Improving judging and making projects not lowball whitehats will decrease blackhat activity by quite a fair amount imho, but you won't ever remove the blackhats who simply don't care about anything and/or are reckless. It's like trying to aim for no crime globally. Good luck.
Alex Keller (@0xEV_om)
I'm getting a lot of heat for suggesting the GMX hacker should be prosecuted. I'm surprised some people feel so strongly about protecting a criminal, so I'd like to feed the flames a little here.

First I have to say though that in this case, the amount the hacker was allowed to keep was similar to what they would have gotten if they'd submitted the vulnerability through Immunefi ($5M vs $4.2M). I think this is borderline okay and no longer call for @GMX_IO to take legal action (but I think it'd be absolutely fair game if they did). It's important to understand that the victim of a hack does not have the authority to absolve the hacker, so there is always a risk that law enforcement gets involved nonetheless - as they did with Avi and Mango Markets.

But in general I think arguments such as these are appallingly shortsighted, because:

1. How about this: in the future, hackers would not be incentivised to perform hacks in the first place but to go through the proper channels. If they want a reward, they should go through the protocol's bounty program. If they think better of it after a hack, they should return the funds in full.

2. This is indeed "standard", which is exactly the problem. We should not be doing this. Hacking first + then demanding/accepting a 10% (lately trending towards 20%) "whitehat bounty" is usually more lucrative than going through a bbp, which incentivises more hacks. In this case, the Immunefi bounty was capped at 10% of funds at risk, while they got the maximum payout for a crit. It is also unclear whether the hack was fully in scope. GMX's bbp adheres to the "Primacy of Rules" policy, instead of "Primacy of Impact", which would make even a critical like this with an out-of-scope component invalid. Whitehats are routinely lowballed on such submissions and this could have played a role here. So that is the other side of the coin on what needs fixing - the incentive to do the right thing is still not good enough.
As for "he didn't negotiate": holding $42M of a protocol's funds hostage is a pretty strong negotiating position in itself.

3. Going by your logic I should likely work as a grayhat instead of a whitehat, since that appears to be an acceptable way of doing business to you. Is that how you would prefer me to conduct business with @MantisSwap or projects I hunt on? My point is it'd have been best if he'd returned ALL the funds, but extending the 10% offer completely eliminates the possibility of that happening.

Your POV is we should not make the criminals mad, because they will get even meaner. You're assuming diminishing the incentive to do crime and increasing the risks will have no effect on people's behaviour. You're scared of them and hope that by keeping quiet, they will leave us alone. I'm sorry to break it to you but that's exactly how you embolden bad actors and you're just asking for more of the same.

Quoted post from Po 🐼 (@0xMasterPo):
Can share at least 3 perspectives on why you're completely wrong but I see people have already commented that. Here's a TL;DR for you: 1. In future hackers won't return any funds 2. Hacker was offered the 10% of stolen amount as bounty by GMX which is standard. He didn't negotiate. 3. Going by your logic it would have been best if he didn't return any funds as law enforcement would still pursue him but now at least you have a better example of minimising losses. You want to close this door as well?
escrow (@escrow_)
Stay on topic [impossible challenge]. I don't need to understand your internal business affairs to tell you how absurd of a statement (for instance) "CertiK, Trail of Bits, OpenZeppelin and many other similar auditing platforms are not able to do the same so there won't be much of a competition" is. Anybody who does bug bounty (or overall red teaming or blue teaming) will understand why I'm critiquing a statement like this or the previous ones. And no, your statements don't make sense because all of your posts are generically worded for hits. You then invoke delusional cybersec takes and that's why I'm calling you out on them. You don't see them as delusional because you don't have enough experience to be able to realise what is (or sounds) bs or not. It is extreme corporate / PR talk.

"and yesterday found a half a million dollar bug for this month which I'm reporting soon this week we'll see how that goes" I wish you the best on the report, but why are you even mentioning it when the result isn't confirmed? It is irrelevant to mention. Invoking this doesn't add some guaranteed credibility to you, especially when you claim there are 30 other reports waiting. Even the best of the best can be wrong at times.

I genuinely wish you the best Ehsan. But I've been in cybersec for many years, and cybersec is full of liars and cert collectors who can't even ssh into a server or scan ports. People know this scene makes serious money. Remember that how you word things and what you say directly shows whether you are living up to the truth or not. People who do this for a living can see right through this. You have a softdev background. Your YouTube is all about AI creations and startups. Many of your X posts are wall posts which turn into hits. Your opsec is weak. You dive into solving the P=NP problem (per your LinkedIn) and you were interested in quantum field theory.

Respectfully, I have 0 info to believe you have good cyber security skills to the point you can write tweets like that.
Ehsan (@Ehsan1579)
I made a lot of money and yesterday found a half a million dollar bug for this month which I'm reporting soon this week, we'll see how that goes, and have around 30 more reports I haven't sent out yet because of some technical details I can't disclose with you for security reasons. I can't explain all the stuff I do to you for you to understand if what I say makes or doesn't make sense; there's a ton of things in the background and you only see the front and judge based on the front. @thoughtfault bet 10k I was bullshitting and I already showed I'm not and he sent me 10k Vietnamese dong instead and I was promised an apology. My statements don't make sense because I work 12h a day 7 days a week non stop like no one else. We are patenting things, working with lawyers, testing and writing a research paper on the results which will be published in a couple of months. You don't see all that, so it's normal to not understand and only see the outcome like this magically happened. I don't come out of nowhere; I've worked and learned so much to build sophisticated systems for years, done a lot, failed a lot and learned a lot. Don't get distracted by others, I never look or compare myself even when I was broke. Believe in yourself and work very hard; shitting on me won't stop the insane progress and hard work I'll be putting in, nor will it help you progress. I post every 2 weeks there and then disappear for another 2 weeks and then share about what I've done so far with people; they either get encouraged to work harder or just decide to hate on me. Which one do you want to be? Peace out.
Ehsan (@Ehsan1579)
A lot of people probably wonder what my company, Pantheon Labs, actually is and what the goal is. Basically, in a couple months, once I build more of a name in the cybersecurity space, we'll be offering full audits to blockchain companies directly. Each audit will guarantee that every bug in the codebase is found. Doesn't matter if it's critical or low severity, when we're done, there won't be a single bug or security flaw left in the protocol. Zero. It doesn't matter how many aspects of attack there could be. It's something that simply doesn't exist right now and nobody else can guarantee such results. CertiK, Trail of Bits, OpenZeppelin and many other similar auditing platforms are not able to do the same so there won't be much of a competition. Each audit will cost between $500K to $1M. Now I know that sounds insane. But these companies would easily spend more than that running bug bounties just to find the same issues. Paying $500K–$1M to eliminate all bugs at once is actually cheap; might have to increase the price or make it proportional to their protocol total funds, we shall see as the company shapes. Excited to see what the future holds. I'm not very active on X these days as I get busier and busier by the day; I'll write on the progress once a week or more often if I can.
escrow (@escrow_)
You randomly pull up into web3sec with insane hopium claiming to outperform the big players from the get go. Some of your statements don't even make sense. This post is something I'd see on LinkedIn. Nobody on this planet is going to claim they will find some new non-existing revolutionary bugs that others will not. What are you? A fake web2 cyber security CISSP holder? You just entered the space, and you are posting like you have been here for many years. I don't even want to flame you but this smells like BS and you keep making fake hit posts and it's getting a bit annoying. I don't care about your Porsche 911 either LOL. How is this relevant to what I'm saying to you?
Ehsan (@Ehsan1579)
And he regretted it, still waiting on the apology he promised me @thoughtfault. This time I want to bet 10k USD and not Vietnamese dong. Focus on yourself instead of shitting on people who made something out of themselves. At the end of the day, I'm buying a Porsche 911 because I worked hard to get where I am ;)
escrow (@escrow_)
@0xSorryNotSorry I think they simply knew it wouldn't have been accepted - or expected it to be a rocky road at least - because it contained (technically) out of scope logic.
sorryNotsorry (@0xSorryNotSorry)
Why didn’t the attacker go through Immunefi’s bug bounty and instead exploit GMX directly? Could it be a frustrated whitehat who finally passed to the dark side after getting fed up with the sponsors?
escrow (@escrow_)
Projects just need to enable full scopes. It really is that simple. It has happened in web2 for many years as you know, and still nothing has changed. WHs have a permanent disadvantage in finding bugs versus BHs. Until that is fixed, all projects and companies will continue getting smoked unfortunately.
escrow (@escrow_)
@huntoor I agree. But, I mean, can you blame them for abusing this when the majority of platforms are not doing much to combat it? No harsh penalties exist, so it indirectly supports this behaviour.
escrow (@escrow_)
One thing that I would like to see is the response time metric applied to all projects publicly. For instance, out of all the 311 bbp on Immunefi, only 56 have a public average resolution time. That is ~18% of all programs. I think so far only a few opt in for that to be revealed, but it should be fundamental. After all, SRs check a project's code for free *until* they find something. Then, they might have to be in an n-month conversation / dispute / whatever about the bug. If I see a program for $100k per crit, yet the average resolution time is 6 months or something, then I will probably skip it.

With the current implementation, nobody knows what they are really in for and have to gamble with not only finding something, but also at it being handled in a timely manner. Clearly, if there are no fast responses, then you also kind of know that you might be entering a heaven of duplicates due to such slow resolutions. It really says a lot. If a project is on Immunefi and that is their response time, then someone may wonder whether it is fair to skip it. I think you can answer that with the opposite question: is it fair for you (the researcher) to be in those conditions for the service you provide?

Also, the same response time change logic can be applied to payouts. Hackenproof publish program payouts and it is nice to see. I think there was a program with like 40 reports and only $2k paid out, with $2k for meds or lows - I can't remember exactly. That in itself says something though. A project is not harmed (at least from the way I see it) from revealing these metrics. Low payouts could signal a protocol attempting to always invalidate findings, or simply have had poor reports from low quality SRs. Average resolution however, is entirely on them. These are all relatively small metrics which make a big difference for SRs.
Mitchell Amador (@MitchellAmador)
@WhiteHatMage @0xpessimist @_SEAL_Org Hmm, I have tried to operate @immunefi as the schelling point of whitehat interests, balanced with projects, with the hypothesis that the balance will drive the best outcomes (balanced for $scale and quality). Could I be doing more? What am I missing?
pessimist (@0xpessimist)
We need to recognize that things like arbitration, a vault program, and an active support channel are not just features; they represent a stance. And I don’t know a single security researcher who doesn’t support that stance. We can debate how well these features are implemented and how effective they are, but I wish this was what we were discussing regarding all bounty platforms.
escrow (@escrow_)
@0xpessimist @WhiteHatMage Oh I definitely agree! But Immunefi is unfortunately -- or fortunately -- an anomaly here. My post was more so directed at the other platforms who have a somewhat equal or higher dominance and do not perform changes on the concerns raised by the community.