Kirill Firsov

285 posts

Kirill Firsov banner
Kirill Firsov

Kirill Firsov

@k_firsov

Co-founder and CTO of @FearsOff | Protecting the World’s Top Crypto Exchanges & Financial Institutions | Cybersecurity Enthusiast

Dubai, United Arab Emirates Katılım Nisan 2011
403 Takip Edilen4.9K Takipçiler
Sabitlenmiş Tweet
Kirill Firsov
Kirill Firsov@k_firsov·
Our latest research is out! If you missed a good write-up for nice vulnerabilities, I brought you one! Enjoy the reading! @FearsOff @Cloudflare
Kirill Firsov tweet media
English
10
107
503
142.3K
忘山
忘山@stam_325·
@k_firsov I got hit hard by the Fastjson vulnerabilities. I drove the fix across hundreds of applications, but new issues kept emerging shortly afterward.
English
1
0
1
91
Kirill Firsov
Kirill Firsov@k_firsov·
We found a gadget-free RCE in Fastjson 1.2.83 - the final release of the 1.x line, and still one of the most widely-deployed Java JSON libraries in production today, even with 2.x around. No classpath gadget. One payload-> RCE.
English
2
18
115
4.8K
忘山
忘山@stam_325·
@k_firsov Why are people still researching Fastjson after all these years?🤣
English
1
0
1
179
Kirill Firsov
Kirill Firsov@k_firsov·
We're doing coordinated disclosure with affected organizations first. Full technical write-up to follow once they've had time to remediate. Stay tuned.
English
0
0
4
356
Kirill Firsov
Kirill Firsov@k_firsov·
The Fastjson 1.x repo was archived on Oct 23, 2024 - read-only. There will be no patch. The only remediation is enabling SafeMode, or migrating to Fastjson 2.x (which is not affected by this).
English
1
0
5
542
Kirill Firsov
Kirill Firsov@k_firsov·
@richardvanorton @FearsOff @Hacker0x01 Hackerone(via) paid me almost a million dollars just for 2025 knowing I am an UAE resident. I haven't had any problems with any service as UAE resident. I don't think it's related. I believe there is a mistake done by their new AI features yet they don't want to communicate.
English
0
0
1
107
Richard Van Orton
Richard Van Orton@richardvanorton·
@k_firsov @FearsOff @Hacker0x01 I don't know if it's connected, but many platforms (outside cybersecurity) used to have a blanket ban on UAE residents due to the EU AML blocklist. The EU recently removed the UAE from its list, but historically, the UAE has been on and off.
English
1
0
1
95
Kirill Firsov
Kirill Firsov@k_firsov·
I got permanently banned from @Hacker0x01. Account deleted. No explanation. Years of work gone overnight. Submission history, achievements, leaderboard ranks, every contribution I made to the security and crypto ecosystems through HackerOne. Wiped, like I was never there.
Kirill Firsov tweet media
English
69
69
710
133.6K
Kirill Firsov
Kirill Firsov@k_firsov·
Maybe their ToS allow them to ban their users randomly, but not giving an explanation for the ban goes completely against the very ethos of ethical hacking/security research: trial and error, hard work, and a constant pursuit of improvement... how are we supposed to do that if we don’t even know what we did wrong?
English
1
0
1
282
Richard Van Orton
Richard Van Orton@richardvanorton·
@k_firsov @FearsOff @Hacker0x01 They are probably planning to launch a competing service against your company? I'm sure they have a clause buried somewhere in their terms of service justifying random bans.
English
1
0
1
327
GiuseppeDeLaZara
GiuseppeDeLaZara@windhustler·
bug bounty platforms prohibit white hats from providing security services to projects where they score bounties this is perhaps the biggest talent waste there is. You have someone who has spent substantial time breaking a protocol and who's unable to continue contributing to its security how do we change this?
English
6
0
66
4.5K
Chadi
Chadi@sb_chadi·
We need a serious non profit organism for security researchers You can’t depend on the goodwill of platforms and you can’t have your career achievements denied or deleted whenever it pleases them We are important actors of the ecosystem and yet most of the time we are treated like shit
English
1
0
3
564
SAFE
SAFE@0x21SAFE·
@k_firsov @Hacker0x01 Hi Kirill, it is sad how unfair is this world. I know that you are one of the best web3 hackers. If you earned that much, and you already have a team. You may start your own bug bounty platform and I will be happy to hunt there.
English
1
0
1
161
HackerOne
HackerOne@Hacker0x01·
Today, HackerOne joins Project Glasswing, Anthropic's controlled-access program for Claude Mythos 5. We'll use it to harden our own security and evaluate it across the full CTEM workflow, including discovery, validation, prioritization, and remediation. Two things up front, because researchers will ask. Your reports are not training data. Vulnerability submissions stay where they belong: with the customer and the researcher who found them. And AI is not replacing the bounty model. In the first 6 months of this year, researchers earned approximately $47M in bounties through HackerOne, up 25% year-on-year. More AI on offense and defense means more code shipped, more attack surface created, more reports filed, and more bounty work. What we learn from applying Mythos to HackerOne’s internal scope will be shared with the wider community. Read the announcement. bit.ly/3SW96lx
English
15
11
117
24.9K
uglybyte
uglybyte@uglybyte·
@k_firsov @Hacker0x01 That’s insane, hope they make it right otherwise you should prob start your own, I’d join :)
English
1
0
10
2.8K
0xYaLex
0xYaLex@Man8out181406·
@k_firsov @Hacker0x01 Maybe the vendor can't afford to pay you for finding the bug, so they choose to do this 🤔🤔
English
1
0
2
2.4K
reclu3a
reclu3a@reclu3a·
@k_firsov @Hacker0x01 The suspension caused by HackerOne’s mistake is ultimately a loss for both the vendors and HackerOne. I hope they give you a satisfactory explanation and make things right.
English
1
1
15
3.7K