jarom
1.4K posts

jarom
@_jarom_
Bug bounty hunter | Software engineer in security | Building & breaking with automation + AI | DEFCON fan | Sharing tips & weird bugs
Texas, USA Katılım Şubat 2009
628 Takip Edilen356 Takipçiler

Just completed a CTF challenge in #TheUltimateCloudSecurityChampionship by @Wiz_io 🥊 Put your cloud security skills to the test in this monthly series and join the competition cloudsecuritychampionship.com/certificate/cl…
English

As of this week, this is officially my best year on the @Hacker0x01 platform...and it's only August 😎

English

If you’re going to DEFCON this year, would love to meet up and connect, I’ll be spending time at the @BugBountyDEFCON village. Come say hi!
English

Hey hackers! We're running a beta for Hai for Hackers, our AI security agent. If you're interested, please reply with your HackerOne username (we will probably limit to ~100 hackers for now). After it's been enabled, you can start using it by clicking the Hai button in the top right corner of the app. It’s free to use (with a limited daily budget for now). It is like any other AI you’ve interacted with, with the added benefit that it has access to a whole bunch of HackerOne data, like reports and programs. We’re shipping improvements to Hai almost every day. Here are some neat use cases:
- “take all the learnings from STÖK, jhaddix, and nahamsec's recon strategy and build one for me!”
- “write a python script for a typical recon process”
- “i need an XSS payload that doesn’t use single or double quotes”
- “my XXE payload doesn't call back to my server, what could go wrong?”
- “write a response for report #133337”
The beta also comes with Hai Plays for you, which allows you to build your own security agents in HackerOne. You can create them at hackerone.com/settings/hai_p…. Some of the cool use cases we’ve seen so far are:
- write reports with minimal input from you (efficiency++!)
- convert reports into blogposts with a single prompt
- AI mentor to give feedback about your communication and increase the likelihood of a reward
In the background we’ve been working on agentic behavior, which we expect will soon come to Hai for Hackers as well. These AI agents can act like your hacking buddy and hack alongside you. We’ll keep you in the loop on our progress.

English

Don't always have time to hack and the reports don't always turn out in my favor, but it's fun when they do!
Just got a reward for a critical vulnerability submitted on @yeswehack -- Insecure Storage of Sensitive Information (CWE-922). #YesWeRHackers

English


Cheeky buggers at AWS casually returning "NoSuchBucket" to every request after a few hundreds tests from a single IP.
testbucket.s3.amazonaws.com did exist a few mins ago :O

English

@HackingDave Awesome man, looks great! I was half expecting to see a stash of airsoft equipment in there as it was opening.
English

Just got a reward for a vulnerability submitted on @yeswehack -- Unrestricted Upload of File with Dangerous Type (CWE-434). #YesWeRHackers
English

I recently had the opportunity to speak @fwdcloudsec in Arlington, VA alongside some amazing people. My talk leveraged research published by Sam Cox and Ben Bridts that allows anyone to discover the AWS account ID of any S3 bucket. I go into detail of what I did (and any attacker could do 😉) with this information.
I've even been able to send in a few #BugBounty reports with some of the data I've collected.
youtu.be/iMYbne-tD20?si…

YouTube
English

After almost 6 years in #bugbounty, I am VERY excited to announce that starting tomorrow, I will be doing Bug Bounty / Consulting FULL TIME! That's right, today is my last day at Elastic.
I am super grateful for everything I accomplished while working at Elastic, but being entirely self-employed has been my dream for years. After a very successful LHE in Miami earlier this year, and reading the incredible Courage is Calling by Ryan Holiday, I knew 2024 was the year to make the jump.
Bug Bounty has been an incredible blessing in my life, drastically altering my life trajectory and giving me the opportunity to create a life for my kids/family that may not have been possible otherwise. It bought my house, my car, and my wife’s van. It let me secure some of the biggest companies in the world, and make some of the best friends I have. This was all possible with just 10-15 hrs/week over the last 6 years. How much more bountiful will it be when I'm able to devote 3x the time? Only time will tell 😎.
Of course, there is the fear of uncertainty, the fear of failure, and the fear of financial instability. But I figure those pale in comparison to the pain of never actually getting off my butt and trying.
Thanks @rez0__, @triviatroy, @luhkoh, @hacker_, @ajxchapman, @nahamsec, and @rhynorater for the encouragement to give it a shot.
Thanks @hacker0x01 & @bugcrowd for giving us hackers a platform to change our lives.
Thanks @noahkagan for your interviews with Cal Newport and @artofmanliness. Both of which gave me hope that I’d do alright.
Thanks @ryanholiday for Courage is Calling. It made me certain I was making the right decision.
And thank YOU all for being part of this journey with me. Let’s Hack the Planet together.
Gloria Deo
#bugbounty #togetherwehitharder #ittakesacrowd
English

Had an absolutely stellar time at @Hacker0x01 's #h1305 ! The @CapitalOne team was a real joy to work with, and Miami felt like just the perfect location.
As this was my 16th LHE, I was beginning to think I would never make MVH, but having a positive attitude, grit, and stick-to-itiveness really goes a long way.
Some things that I learned were:
- It really truly does make a difference to go for impact. As someone who normally farms IDORs/PrivEscs, this was an experiment, but getting a single High bounty felt wayyyy better than getting 10 Mediums.
- I spent nearly the entire LHE on a single application. By the end of the event, no one at the event new that API better than I did. This meant that I had _very_ few duplicates. I didn't split a single one of my big bounties. Go deep.
- Have patience. One of my best bugs took me _literally_ 15 hours to complete. A bug that takes you 15 hours will almost NEVER be a dupe.
- Working very closely with the customer made success possible. My Slack conversation with one of the CapOne security engineers could nearly fill a novel. We were able to work together to escalate my findings and find maximum impact. The customer is _not_ your adversary.
- Despite hacking solo and despite LHE's being a competition, other hackers _really do_ want to see you succeed. The best thing about winning MVH wasn't the belt, but seeing dozens of other hackers LEGITIMATELY excited for me. The hacker community is AWESOME!
I loved this event. I love the #bugbounty community. And I love both the H1 & C1 team's.
Here's to a great start to 2024 - let's hack the world!
#gloriaDeo

English

@naglinagli @hacker_ @m0chan98 @Hacker0x01 @CapitalOne Great job to all involved! Very impressive work!
English

Super Stoked to win the Eradicator award and scoop $24,170 together with @hacker_ @m0chan98 by finding a critical vulnerability on-site at @Hacker0x01's Miami Beach Live Hacking Event targeting @CapitalOne 🌴
A Perfect way to wrap up a Fantastic event!
#BugBounty #H1305

Miami Beach, FL 🇺🇸 English

I am so happy and thankful to take home my first LHE trophy on @Hacker0x01. Executioner of #H1305 - most impactful report. I cannot disclose details but the bug is a cool one!
Shout-out to all the friends I talked to and the new faces as well 💪😎 keep up the good work.
#hackforgood #bugbounty
English











