Jon Bottarini

1.5K posts

@jon_bottarini

Product Manager @ Google. I post about bug bounties, infosec, and everything in between. This is a personal account. Formerly: @Hacker0x01

Austin, TX · Joined September 2012
756 Following · 12.6K Followers

Pinned Tweet
Jon Bottarini (@jon_bottarini)
Just fully disclosed ~30 reports encompassing over two years of hacking on New Relic - hackerone.com/jon_bottarini - most of the reports are PrivEsc/IDOR but there are some business logic bugs in here as well. No recon here! Just getting really familiar with the application itself :)

Jon Bottarini (@jon_bottarini)
@0xLupin Congratulations!! Remember the early demo, great to see the success so far :)

Lupin (@0xLupin)
WE DID IT ! WE RAISED $5.9M PRE-SEED 🥳🎉🎉

Roy Davis (@Hack_All_Things)
Peace out world. Best wishes to all. ALS has won this battle, but hopefully not the war!

Jon Bottarini retweeted
Dirk-jan (@_dirkjan)
I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-glob…

zseano (@zseano)
Unexpectedly lost my dad early hours this morning… completely out of the blue. He was fit & healthy and now he’s gone 😭 lost for words on how I feel. RIP Dad ❤️❤️ love & miss you forever

Jon Bottarini retweeted
James Kettle (@albinowax)
The whitepaper is live! Learn how to win the HTTP desync endgame... and why HTTP/1.1 needs to die: http1mustdie.com

Jon Bottarini retweeted
xEHLE (@xEHLE_)
New writeup: Early last month, @samwcyo, @sshell_, and I found a Django ORM injection in an online shooter game that let us steal cryptocurrency from the game's wallet. Read the blog post here: blog.p1.gs/writeup/2025/0…

Carl Vellotti 🥞 (@carlvellotti)
an epic battle between the Growth PM and Legal

Jon Bottarini (@jon_bottarini)
Entire confession is absolutely wild. Talk about an insider threat risk...
Parker Conrad (@parkerconrad)

Deel CEO and company founder @Bouazizalex personally orchestrated his company’s alleged spy scheme, the spy said in a full confession. Alex allegedly recruited the spy, received the stolen info, and arranged payment via a person known only by their pseudonym: “The Watchman”

Jon Bottarini (@jon_bottarini)
@infosec_au @mgianarakis I remember you telling me at a LHE years ago you were working on an ASM product. Amazing where you've taken it and how it's grown. Huge congratulations to you and the team 🎉

shubs (@infosec_au)
In 2018, @mgianarakis and I set off to build a platform that would provide enterprises with a realistic attacker perspective of their entire network. At the time, we had just begun to try the phrase "attack surface management" in peer conversations. But the vision was always clear. Find and monitor *every* asset and operationalize leading vulnerability research to provide customers with verifiable exposures before attackers even get a chance to exploit them. Over the past 7 years of bootstrapping Assetnote, I am proud to say we were able to build something that has made a significant positive impact for customers like Checkpoint, Canva, LinkTree, and more. I am also proud of the hard work and dedication of the Assetnote Security Research Team, who over the years, have discovered significant vulnerabilities in Citrix, Fortinet, Zoom, and many more. Being able to quickly operationalize these findings and protect our customers before the CVE is even assigned has always been a highlight of the work we do here. Today, I’m excited to share that Assetnote has been acquired by Searchlight Cyber as the next step in our journey. Not only will we continue to improve our market-leading Attack Surface Management solution, it will include the power of Searchlight’s dark web intelligence capabilities to provide our customers with even more high-signal and actionable information. You can check out the full press release here: assetnote.io/acquisition

Jon Bottarini retweeted
Sam Curry (@samwcyo)
New blog post with @infosec_au: We found a vulnerability in Subaru where an attacker, with just a license plate, could retrieve the full location history, unlock, and start vehicles remotely. The issue was reported and patched. Full post here: samcurry.net/hacking-subaru

Ben Sadeghipour (@NahamSec)
I'm honestly still in disbelief... grateful to receive a $100k bounty from @meta. Feels surreal. Sharing this to show that with time and dedication, it's possible. This was my first and only submission to Facebook - something I've been chasing for a decade! 🙏 Big thank you to @metabugbounty!

Jon Bottarini (@jon_bottarini)
@dukrov_ This is awesome, congratulations! 👏 Really good for your first year

Dukrov 🍏 (@dukrov_)
2024 was my first year in bug bounty, and what a year it’s been. Had set a $1K goal🥲 and got $1100 as my first bounty. Raised the bar to $3k😅 and well here i am at $7k, all while hacking on weekends only.😌 #BugBounty #bugbountytips

Deev Pal (@techycodec08)
0-100 in Bug Bounty with a 9-5 job Finally, after 125 Hours of Rigorous testing in 56 days of starting bug bounty from scratch, I received my first bounty that too in 4 digits, in the main domain of one of the largest Public Bug Bounty Programs Way more to go!!!!! @Rhynorater

Ben Sadeghipour (@NahamSec)
I have some time in November. Someone give me a good hacking challenge 🤔