Abiral 🇳🇵 (@proabiral)

691 posts

Organising @THREAT_CON

Joined September 2014
890 Following, 1.8K Followers
0xrudra (@0xrudrapratap):
Got laid off recently. Focusing more on CTFs and content now. Wish me luck!!
Abiral 🇳🇵 reposted:
The New York Times (@nytimes):
Breaking News: At least 12 people were killed in Nepal, officials said, during demonstrations against corruption and new government restrictions on social media platforms. nyti.ms/3V65jQs
Jobert Abma (@jobertabma):
Hey hackers! We're running a beta for Hai for Hackers, our AI security agent. If you're interested, please reply with your HackerOne username (we will probably limit to ~100 hackers for now). After it's been enabled, you can start using it by clicking the Hai button in the top right corner of the app. It's free to use (with a limited daily budget for now). It is like any other AI you've interacted with, with the added benefit that it has access to a whole bunch of HackerOne data, like reports and programs. We're shipping improvements to Hai almost every day. Here are some neat use cases:

- "take all the learnings from STÖK, jhaddix, and nahamsec's recon strategy and build one for me!"
- "write a python script for a typical recon process"
- "i need an XSS payload that doesn't use single or double quotes"
- "my XXE payload doesn't call back to my server, what could go wrong?"
- "write a response for report #133337"

The beta also comes with Hai Plays for you, which allows you to build your own security agents in HackerOne. You can create them at hackerone.com/settings/hai_p…. Some of the cool use cases we've seen so far are:

- write reports with minimal input from you (efficiency++!)
- convert reports into blogposts with a single prompt
- AI mentor to give feedback about your communication and increase the likelihood of a reward

In the background we've been working on agentic behavior, which we expect will soon come to Hai for Hackers as well. These AI agents can act like your hacking buddy and hack alongside you. We'll keep you in the loop on our progress.
0xrudra (@0xrudrapratap):
Hey everyone! I’m looking for someone who can help me connect with someone who can discuss AI tooling. Any pointers or suggestions would be great!
Abiral 🇳🇵 (@proabiral):
@jobertabma HackerOne is a great platform, and I've been on it since 2016. But my experience reporting bugs on H1 itself has been disappointing—my reports (2025654 and 1516945) were incorrectly marked as duplicates, and once closed, no one seemed to respond.
Ian Carroll (@iangcarroll):
Pretty crazy to look back on this as we just hit $8M ARR + 500k MAU! @SeatsAero is still fully bootstrapped, but I think we are going to have to hire soon. Have hit the limit on being "solo" where you start hampering your own progress. Even just support is quite difficult now
Quoting Ian Carroll (@iangcarroll):

About 1.5 years ago, I started Seats.aero as a fun side project to help me book better award flights with my points. To my surprise, it grew much faster than I ever expected, and ended up becoming my full-time job. As the year ends, we just hit $1.5M in ARR and now serve over a million pageviews per month. We are entirely bootstrapped, have no full-time employees besides myself, and have become very familiar with the Delaware courts. On the technical side, I've had to solve some pretty interesting challenges to keep up with the growth. We pushed traditional PostgreSQL to its breaking point and had to move to Amazon Aurora to support our workload of over several thousand queries per second. We store over a billion rows of flight availability and history, probably the largest dataset for award travel that exists today. Super excited for what's next — we are working on some really cool tools to further help everyone make better use of miles and points. Feel free to reach out if you are interested in this space!
Ananda Dhakal (@dhakal_ananda):
This is actually a team photo. You may ask where's the team. They were not able to attend due to visa issues. Perks of living in a country with a weak passport ;)
Ananda Dhakal (@dhakal_ananda):
Represented Team Nepal 🇳🇵 in Prague for the @Hacker0x01 AWC-2024 Quarter Finals.
Abiral 🇳🇵 reposted:
HackProve (@hackprove_):
🎉【Countdown 3 Days! HackProve World WhiteHat Conference 2025 Blessing Video Released!】🎉 Top white hat hackers, experts, and enthusiasts worldwide send their best wishes! 🌟 A platform for groundbreaking work, idea exchange, and unmatched inspiration—whether you're a pro or just starting! 🚀 ⏳ 3 Days to Go! 📅 January 11th, Macau 👇 Watch the video now More information: hackprove.com/events/confere…
Ali Tütüncü (@alicanact60):
Excited to win the 1st Place on AWS and AWS Most Valuable Hacker Awards at an unforgettable Live Hacking Event H1-0131 with @Hacker0x01, @awscloud, and @amazon! Also secured 2nd in the overall leaderboard!
Ali Tütüncü (@alicanact60):
Another big milestone in my career: Just hit 25,000 reputation points on @Hacker0x01.
Abiral 🇳🇵 reposted:
THREAT CON (@THREAT_CON):
Important Announcement!! THREAT CON is taking a break for 2024. After a long and solemn deliberation, our team has decided to take a hiatus for this year. This was not an easy decision to take for us and we know it might be disappointing news for many of you.
Abiral 🇳🇵 (@proabiral):
@scarybeasts @galnagli Thank you for the quick update. Does this mean the reports that were closed quoting this documentation will be reopened and forwarded to the customer?
Chris Evans (@scarybeasts):
Thanks @galnagli for the feedback. There is no new policy but there was a documentation error, which is now fixed. Keep the feedback coming!
Quoting Nagli (@galnagli):

The new @Hacker0x01 policy around CVE reports is concerning, especially for High & Critical ones, as it potentially keeps hundreds of their customers vulnerable to critical ransomware-leading risks by withholding information as they are automatically being set as "Informative." A report that could have resulted in a $3,000-$15,000 bounty, based on the customer's assessment of its helpfulness, will very likely become a 6-7 digit Incident Response bill. I hope this policy will change soon. Let's break down what happens today when you report a critical CVE to a Managed program:

Up until a few weeks ago, programs could set in their policy that they do not accept CVE reports with a public advisory up to 30 days from disclosure. This was a reasonable decision for the program to make when it was harder to exploit, detect, and take down systems. As of the latest update, a site-wide ruling was enforced for the triage teams to not forward any incoming CVE to their customers if it is less than 30 days since disclosure, even if it is a critical LFI/RCE with one simple request, completely overriding the customer's policy that welcomes them. (docs.hackerone.com/en/articles/84…)

Some serious questions arise from this policy:

Timing: What constitutes a "reasonable period of time"? For example, with the latest Checkpoint LFI, the public exploitation POC came about 5 days after disclosure. Make a drop-down for the customer to decide based on their own threat model?

Validity: The policy states, "The following issues will be closed as invalid except in rare circumstances demonstrating clear security impact." Isn't unauth RCE/LFI enough?

Rationale: Researchers will still report these issues, customers would appreciate the value from their bug bounty platform, and the platform would benefit from reporting it first to their customers rather than relying on other security tools.

Communication: This may push researchers towards off-platform communications, bypassing triage processes. As a researcher and ethical hacker, I want to ensure the programs are aware of serious risks to their infrastructure.

Obfuscation: Researchers might obfuscate their findings to bypass the policy, making it harder for clients to implement fixes.

Bug Bounty Goals: One main goal of a Bug Bounty program is to report exploitable CVEs. This policy seems to contradict that.

Double Policies: A program's own policy is not being taken seriously if site-wide restrictions are overriding it.

Yesterday I was fortunate enough to experience three different outcomes when reporting the Checkpoint VPN CVE (a simple LFI that can lead to an easy RCE):

1. HackerOne Managed Program: Report to a program with a >$10B market value on their main VPN was directly closed as informative, not passed to the team, leaving the appliance vulnerable.
2. HackerOne Managed Program: Report to a program with >$10B market value on 10 VPNs was picked up before triage after tagging the program manager, who is evaluating it and will probably pay for it as they take critical risks super seriously.
3. BugCrowd Report: Triager passed the issue to the team due to its criticality. The team acknowledged it was out of scope but decided to pay a courtesy award.

This is not just a rant. I genuinely think this policy is a mistake and want to improve processes for everyone involved. This situation appears to be a loss for the platform, customers, and hackers.

Potential Solutions:

Highway Pass for Critical & High CVEs: Forward these reports to programs as "Pending Program Review," allowing the program to decide on the reward.

Set a Reasonable Date: Accept reports "5-7 days" after publication. If a customer hasn't addressed a CVE within a week, additional delay is unlikely to help.

Opt-in Policies: Allow programs to opt in to strict rules rather than auto-enforcing them, ensuring critical information isn't hidden from customers.

Again, the goal is to improve the experience for everyone involved in the #BugBounty space. We should definitely find those vulnerabilities and notify the customers over their legacy tools, allowing them to double down and invest more in their programs. 🙏
Nagli (@galnagli):
The damage of VDP programs and their incentivization is far greater than giving some hunters "points" for farming non-bugs that they can later boast about on their CVs. I believe it might actually ruin Bug Bounty platforms in the near future. Let's explore the facts 📜

So VDPs, as most people refer to "See something, Say something" type programs, have gone out of control on most bug bounty platforms. The only one who took a significant step against the phenomenon is @Bugcrowd about ~2 years ago, completely dropping VDP points and truly making them live up to their actual purpose. @Hacker0x01 said in 2021 that they will be pushing in that direction, without anything meaningful so far. So, why is it so bad?

1. "Worsening experience for Bug Bounty Hunters and Paid Bug Bounty Programs"

IMO, this is the most concerning aspect of VDPs and when platforms double down on them: major platform resources are invested in triaging, communicating and managing VDP "Points Only" programs. In 2024 alone, there were between ~3,500 to 5,000 VALID VDP submissions on @HackerOne (had to do an estimate by looking at the top VDP programs). With the signal/noise ratio on these public programs, and by looking at top VDP programs' "last 90 days reports" statistics, we can see that there were around ~15,000 to 20,000 submissions to VDP programs in 2024. Those are being handled by the same triage teams and same queues as Bug Bounty Programs who pay money to researchers; that's probably more than, if not the same amount as, the total submissions to all paid BBP programs on the platform, which are ~x5/x6 in numbers. This leads to:

A. Significant Triage Burn-Out: triage teams go through hundreds of invalid reports, or hundreds of same-issue submissions that are being triaged individually, exhausting the triage experience on paid bug bounty programs, in which the reports usually are more complex and require a better in-depth overview.

B. Absurd triage times: critical reports to CLEAR / BBP programs are not being looked at for over a week; programs miss out on their critical bugs while they are exploitable, hunters miss out on their bugs being paid.

C. Almost non-existent communications on submissions: enormous triage queues and VDP overheads lead to the fact that it's super challenging and hard to get feedback on existing submitted reports, or to have a dialogue with triage teams. The situation today is usually leaving a comment and "praying" a triage member will respond.

D. Mediations are completely dead: the significant number of submissions, often from newcomers, could lead to mediation requests on non-issues. The same queue today exists for paid program mediations and points-only programs, again affecting the portion of researchers who actually contribute the most value to platforms, finding valid vulnerabilities on paid programs.

2. "Free Labor" / "Can only find bugs on VDPs"

The most obvious thing that comes to mind is the fact that people "work" for free helping multi-billion companies bolster their security. VDPs can be a great training ground for newcomers, but the reality today is that >90% of the people who report to VDP programs do so solely to boost their reputation and platform standings because it's easier to find bugs there; the programs don't care if you spam ~200 reports on the same XSS on the same endpoint and you fake out parameters, and so on. Think about it: if you managed to find XSS on a VDP via redirect_uri on a login page, you most certainly could have found it on a BBP, but you missed it because you were focused on the VDP while the BBP introduced the issue. Today, there are ~200 VDPs on @Hacker0x01 and 133 VDPs on @Bugcrowd (I do like that they have a completely separated view on the platform).

3. Leaderboards are not trustworthy

#BugBounty is a well-gamified space; we all push ourselves the extra mile to do well and beat our colleagues in the rankings. However, VDPs made the state of public leaderboards so unstable and untrustworthy that they are not even taken into context when determining "top hackers" for event invites, and so on. Within Q2 (Apr 1st to Apr 16th) we have 8 VDP-only hunters on HackerOne's Top 100 leaderboard, including the #1 hacker in the world. While on the actual leaderboard you do gain some advantage if you hunt on BBPs, as you get some spare change of reputation points when you are awarded a bounty, the sub-leaderboards such as "Highest Critical Reputation" do not distinguish between VDPs and BBPs at all; it's a straight 7 reputation points for any triaged High / Crit, whether a free one or one that got a $200k bounty. This means that in Q2, 3 of the Top 5 Most Critical Hackers in the world are VDP-only hackers, and ~20 out of the Top 100 on the 2024 Leaderboard. Eventually, this leads to actually debating whether we should focus on VDPs to improve our rankings on platform leaderboards.

4. "Same Scope VDP/BBP Scams"

The standardization of having a public incentivized VDP accompanying a private BBP is the worst thing you can do as a program.

A. Programs will tend to think that the "winning model" would be having the main application in scope for a private BBP, and having a public VDP for all their "wildcards". That's a huge mistake if your company is actually looking to prevent its next breach: so many critical vulnerabilities that can cause a complete incident in a matter of minutes will remain unattended for weeks; no one would bother to give you an actual time-sensitive submission on a program without monetary rewards.

B. Sometimes, it's just straight up a scam: same scopes for both programs, researchers submit to the VDP and lose out on money.

Having an unincentivized responsible disclosure policy submission form on your website and a private BBP is more than okay; that's actually a perfect use case. Have your own set of researchers and accept incoming reports as "see something, say something" from the crowd. I bet that if you find someone reporting a super critical submission, it'll probably lead to a private program invite, unlike when having a "Points Reward" program on a platform already, where you feel the "award" was given already.

Solution 💡

Well, if you made it so far, there is a solution, and it's one that will make all parties happy. The formula:

1. Remove VDP Points from platforms and Leaderboards.
2. VDP Contribution Recognition: whenever a researcher submits a valid report to a VDP, display the company logo on his profile, and auto-generate a "Thank You" letter which he could use in his CV.
3. Auto-invite researchers who discover a valid bug on private BBP scope in a public VDP.
4. No Mediations on VDPs.
5. Sales pitches should specify that companies won't be getting time-sensitive issues on VDPs, pushing them to create BBPs.
6. Kill Private VDPs.

Going through the formula: VDP hunters will still receive valuable recognition for their VDP submissions, BBP hunters will enjoy a clean leaderboard which pushes for paid program submissions, triage teams will go through way less overload, mediations will start working again, fewer VDPs => more BBPs because companies eventually want to be secured, more BBPs => more money to platforms.

Disclaimer: everything I've written here is based on my thoughts and analysis. Thoughts? Is there any advantage to any party for awarding points on VDPs? Am I hallucinating? #BugBounty
sean (@seanyeoh):
I also started today at ByteDance in appsec. The inside of this company is mind-bogglingly large and I've never felt more out of my depth and unfamiliar with how the world works.
Lupin (@0xLupin):
Today I received a $12,000 bounty using the Sandwich Attack! 🤑 The vulnerability allowed me to enumerate the API keys of other users 🤯 How did I do that?

Well, the API key was a UUIDv1. If you are not familiar with UUIDv1s, you need to know that they are constructed in 6 sections: High, Mid, Low, Clock Sequence, Node ID, and UUID version. Interestingly, the Node ID corresponds to the MAC address of the system generating the identifier. This means that if two consequent UUIDs are generated on the same device, this part remains the same, similar to the Clock Sequence.

When High, Mid, and Low are combined, they reveal a timestamp represented in hexadecimal value. Using some basic mathematics it's possible to subtract the offset between the Gregorian Calendar and the Julian Calendar and then divide by 1000 to get an Epoch timestamp.

Ok, now that we know that they are generated by a timestamp + machine ID, it means that we could generate them back if we know when the API keys were created 🧐 Luckily enough, the API key that I was using was generated in a batch, meaning I could use the Sandwich Attack in order to brute force the API keys of other users easily 🔥

If you want to know more about how I exploited the Sandwich Attack, go check my video about this on my YouTube channel 🤟
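An added example, not code from Lupin's post, showing the defender's side of the UUIDv1 layout described above: a small Python helper (function names are my own) that pulls the timestamp, clock sequence and node out of a v1 UUID, flags keys minted as a batch on one host, audits a key list for time-based UUIDs, and generates the random replacement. Per RFC 4122 the 60-bit count is in 100 ns units since 15 October 1582, so the code subtracts that epoch offset and divides by 10^7; the sample keys are constructed.

```python
import secrets
from datetime import datetime, timezone

# RFC 4122: a v1 timestamp counts 100 ns intervals since 1582-10-15 00:00 UTC.
# This is the number of such intervals between that epoch and 1970-01-01.
GREGORIAN_TO_UNIX_100NS = 122_192_928_000_000_000

def parse_uuid1(uuid_str: str) -> dict:
    """Split a version-1 UUID into the fields that make it predictable."""
    h = uuid_str.replace("-", "").lower()
    if len(h) != 32:
        raise ValueError("not a UUID")
    time_low = int(h[0:8], 16)               # the post's High/Mid/Low = 60-bit timestamp
    time_mid = int(h[8:12], 16)
    time_hi_and_version = int(h[12:16], 16)
    version = time_hi_and_version >> 12      # top nibble of the third group
    if version != 1:
        raise ValueError(f"UUID version {version}, not time-based v1")
    clock_seq = int(h[16:20], 16) & 0x3FFF   # drop the two variant bits
    node = h[20:32]                          # 48-bit node id, usually the MAC address
    ts_100ns = ((time_hi_and_version & 0x0FFF) << 48) | (time_mid << 32) | time_low
    unix_seconds = (ts_100ns - GREGORIAN_TO_UNIX_100NS) / 10_000_000
    return {
        "timestamp_100ns": ts_100ns,
        "unix_seconds": unix_seconds,
        "created_utc": datetime.fromtimestamp(unix_seconds, tz=timezone.utc),
        "clock_seq": clock_seq,
        "node": node,
    }

def same_batch(a: str, b: str, window_seconds: float = 1.0) -> bool:
    """True when two v1 UUIDs share node and clock sequence and were minted within
    the window; such keys differ only in timestamp bits, which makes them guessable."""
    pa, pb = parse_uuid1(a), parse_uuid1(b)
    return (pa["node"] == pb["node"] and pa["clock_seq"] == pb["clock_seq"]
            and abs(pa["unix_seconds"] - pb["unix_seconds"]) <= window_seconds)

def audit_api_keys(keys: list) -> list:
    """Return the keys that are time-based UUIDs and therefore should be rotated."""
    flagged = []
    for key in keys:
        try:
            parse_uuid1(key)
            flagged.append(key)
        except ValueError:
            pass
    return flagged

def generate_api_key() -> str:
    """Replacement: 256 bits from the OS CSPRNG, carrying no time or host identity."""
    return secrets.token_urlsafe(32)

# Constructed sample keys (not real): A and B minted one second apart on one host, C elsewhere.
KEY_A = "04afc000-833b-11ee-8123-001122334455"   # 2023-11-14T22:13:20Z
KEY_B = "05485680-833b-11ee-8123-001122334455"   # one second later, same node
KEY_C = "05485680-833b-11ee-8123-aabbccddeeff"   # same instant, different node

if __name__ == "__main__":
    print(audit_api_keys([KEY_A, KEY_B, KEY_C, generate_api_key()]), same_batch(KEY_A, KEY_B))
```

Any key that `audit_api_keys` flags leaks its creation time and issuing host to whoever holds one of its siblings; rotating it to the `secrets`-based form removes both.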
vortex (@vortexau):
did I just get a little frustrated with golang extension for vim? yes. did I then open vscode and wonder how it would work with golang? yes. am I now impressed with golang in vscode? yes. uh oh.
HackerOne (@Hacker0x01):
In our latest blog, Chief Legal and Policy Officer Ilona Cohen discusses the regulatory landscape around AI and how ethical hackers can help strengthen AI security through AI red teaming. Read more here 📖: bit.ly/48rM6gz