3NTIT_Y

609 posts

@entit_yy

I'm building the GitHub of vulnerability research. Pentesting will never be artisanal again

your systems Joined August 2022
538 Following 57 Followers
Pinned Tweet
3NTIT_Y @entit_yy ·
I just published ‘Contextual Hacking’: A Guide To Active Reconnaissance & Vulnerability Exploitation. Please read & give your thoughts! #BugBounty #bugbountytips medium.com/@entit_y/contextual-hacking-a-guide-to-active-reconnaissance-vulnerability-exploitation-41b266516a5a
3NTIT_Y retweeted
Kle0z @Kle0z ·
bbradar.io Pro now supports Report Count in both the UI and the API. 👉Wanna hack on a less contested program? Check how many submissions a program has received, sort by most/least submissions, across all supported platforms and pick the program that fits your needs easily. #bugbounty
3NTIT_Y @entit_yy ·
@AmirMSafari And I will be there in my best attire to read it!
3NTIT_Y @entit_yy ·
Been a while since I gave an update on this project, well... It's not dead, it's just been a bit slow, but a major milestone has been reached, so I'll start updating again very soon!
3NTIT_Y @entit_yy

Dashboard's looking good💯

3NTIT_Y retweeted
Kle0z @Kle0z ·
bbradar.io Latest targets use case:
- You've found a bug on an endpoint that's out of scope.
- You want to know when that endpoint gets into scope ASAP, so you can report it.
- With Pro you can either use the Latest Targets page, Discord Channel, or the API to keep monitoring the target updates for the program.
- Once the endpoint gets into scope you get a notification or set up an automation to report the bug immediately.
- GG
3NTIT_Y retweeted
Kle0z @Kle0z ·
🚀 bbradar[.]io Pro API is live. You can now programmatically pull:
✅ Latest public programs
✅ Full program targets + eligibility
✅ Target/scope changes (additions/updates)
Why this matters:
🔔 Build your own automations (custom notifications, workflows, and scanners)
🎯 Create personal filters (tags/platform/language and more) that match YOUR preferences
📦 Sync targets into your own tooling (Slack/Telegram/Notion/Sheets/your recon pipeline)
🧠 Build dashboards to track new surface area and scope expansions over time
🆓 Core features stay free. Pro supports hosting + continued development.
3NTIT_Y retweeted
JS0N Haddix @Jhaddix ·
Just a reminder: I give away many of my tips, tricks, research, and methodology via conference talks, podcasts, free workshops, webinars, blogs, here on Twitter, and via my newsletter Executive Offense. I’ve contributed code to many tools. I write and release tools myself, in FOSS. I have done this for 21 years. I never stopped. I just charge for classes now that are the ultimate curation of all those things. Updates? Yeah modern research and updates I charge for. I have a family, sue me I guess. Thanks to the two assholes who sent me DM dissertations on how I’m a sellout influencer and that real hackers release everything for free. Saying that all my contributions are null and void for running courses. Really makes me want to keep doing it. These aren’t bots either, there are real people in the industry at real consultancies. That’s cool I guess. To be an asshole and meme 💯 of the time is in style. Better be sure that if I see you on the signup list or anyone from your consultancy… you are not welcome at Arcanum stuff. Gl and have a wonderful life 🤗
3NTIT_Y @entit_yy ·
Bug Bounty is oversaturated with recon scanning tools
3NTIT_Y retweeted
Krigshaw @krigshaw ·
@immunefi Hi Immunefi. I am trying to submit a bug on your platform but because I don't have a passport with NFC I can't get through your ZKPassport process. I have all other United States valid identity documents though. I submitted ticket 6571. Please help.
3NTIT_Y retweeted
Krigshaw @krigshaw ·
@immunefi @Agnidex Hey @immunefi can you guys please help me? I have a bug to submit but since I don't have a passport I cannot get past your identity verification system through ZKPassport. I have all other United States valid identity documentation. I submitted ticket 6571. Please help.
3NTIT_Y retweeted
YS @YShahinzadeh ·
New triage on Google, I asked for permission to publish the previous 12k ATO on Google VRP, I'll drop a blog post once they grant it (1) On top of that, I'm going to publish an OAuth 1-click ATO that I recently uncovered in a MAIN domain of a well-known company (2), stay tuned
3NTIT_Y retweeted
YesWeHack ⠵ @yeswehack ·
At @yeswehack, we use AI to solve security problems, not to harvest human intelligence. 🤖 Our rollout of AI features is grounded in non-negotiable principles 👇 🤝 AI where it helps, humans where it matters – automating repetitive tasks while experts focus on complex challenges and customer context 🧑‍💻 Humans-in-the-loop, always – augmenting analysts, but critical decisions remain firmly in human hands 🛡️ Customers in control – empowering security teams to choose which features to use, on their terms Find out more: yeswehack.com/product/ai-vul…
3NTIT_Y @entit_yy ·
Looks like HackerOne isn't the go-to platform anymore
3NTIT_Y retweeted
H4x0r.DZ 🇰🇵 @h4x0r_dz ·
Let’s be clear: @Hacker0x01 is using researchers’ work to train their AI and profit from it without consent. That’s not “innovation” — that’s exploitation. Our reports, our research, our time — turned into their product, while we get nothing. This violates client agreements. Vulnerabilities belong to the companies and the researchers — not HackerOne. Yet they’re monetizing it anyway. Layoffs, shrinking bounties, and now this? The platform is collapsing, and instead of fixing it, they’re squeezing the community that built it. Researchers made HackerOne. Programs trusted HackerOne. And now both are being treated like disposable data sources. If you’re a company, review your contracts immediately. If you’re a researcher, stop feeding them your work. HackerOne isn’t supporting the community anymore; it’s exploiting it. And people are finally waking up. Many programs have already shifted to self-hosted, such as Salesforce. #BugBounty
BugBountyHQ @BugBountyHQ

Thread - My own opinion & this is to the Bug Hunters, What @Hacker0x01 is doing re AI, is essentially stealing “our work” “our research” for their own profitability. They are for sure breaking client agreements, wherein a client's data / vulns belong to the client. Not H1!!
