rahmetu

885 posts


@sshbounty

fixing printers and Learning how to code, hack :)

Joined August 2022
335 Following, 348 Followers
Pinned Tweet
rahmetu @sshbounty
Yay🥳, I was awarded $750 bounty on @Hacker0x01! #TogetherWeHitHarder It's my first ever bounty. It took me 2 years to get my first payout. Yeah, it took me that long to get a reward and I am so glad I did it. A little tip for those who are struggling with bug bounty hunting. A 🧵
rahmetu retweeted
Phillip Wylie @PhillipWylie
Overcoming public speaking fears? Toastmasters is your secret weapon. Recording yourself on video revealed you *don't* look as nervous as you feel. Practice speaking, refine your delivery, and build unshakeable confidence. #PublicSpeaking #Toastmasters
rahmetu retweeted
Truffle Security @trufflesec
🚨 Google told devs: API keys aren't secrets. Gemini changed that. 😱 We found ~3,000 public keys silently authenticating to Gemini - exposing private files, cached data & charging for LLM usage 💥Even Google's own keys were vulnerable. 🔗 trufflesecurity.com/blog/google-ap…
rahmetu retweeted
Critical Thinking - Bug Bounty Podcast
We finally had @thedawgyg on the pod to talk about his origin story, recent Chrome research and how he optimises his AI workflow, his famous 180K payout on Yahoo and a LOT more. This is an episode we know a lot of people have been looking forward to, check it out! youtu.be/kpFfde3rNFs
rahmetu retweeted
Intigriti @intigriti
Are you still searching for your first valid vulnerability? Q2 is just around the corner! It's time to lock in! 🫡 Join us in #BugQuest! Starting today, we'll share bug bounty tips, techniques, and resources that anyone can use to find Broken Access Control (BAC) vulnerabilities, no matter your experience level, background, or skill set, for 31 days. Wish to stay ahead? Be sure to:
✅ Follow @INTIGRITI
✅ Share this post with your hacker friends
✅ Tag your bounty buddies who should join
Day 1 is live now! Swipe through to see today's post on learning what Broken Access Control (BAC) vulnerabilities are. Come back daily to unlock more tips. Let's end Q1 2026 with at least a valid finding and start Q2 2026 with even more submissions! 💪 #BugBounty #HackWithIntigriti
rahmetu retweeted
payloadartist @payloadartist
I wish I knew this earlier. There is a website that shows you what CSP bypasses are possible by pasting the CSP policy in it: cspbypass.com. Basically you can look up vulnerable 3rd party JS libs and SDKs from the whitelisted CSP sources. #bugbountytips #bugbounty
rahmetu retweeted
PentesterLab @PentesterLab
Research Worth Reading - Week 8, 2026: Java x2, Go, JWT and a sprinkling of AI
🦫 CTFtime.org / justCTF [*] 2020 / Go-fs / Writeup: A cool Golang quirk via an unintended CTF solution ctftime.org/writeup/25852.
☕️ Almost Impossible: Java Deserialization Through Broken Crypto in OpenText Directory Services: What an adventure in Java Deserialisation... slcyber.io/research-cente….
😱 Vulnerability Disclosure: JWT Authentication Bypass in OpenID Connect Authenticator for Tomcat: The exact same vulnerability I found in HarbourJWT but in a much cooler target, still not fixed... insinuator.net/2026/02/jwt-au….
☕️ CVE-2026-0603: Second-Order SQL Injection in Hibernate UPDATE/DELETE (InlineIdsOrClauseBuilder): A bit of a stretch but an interesting insight into Hibernate: herodevs.com/blog-posts/cve….
🤖 Using threat modeling and prompt injection to audit Comet: The team at Trail of Bits is sharing some key learnings from their audit of Comet (AI browser) blog.trailofbits.com/2026/02/20/usi….
rahmetu retweeted
Joe Desimone @dez_
Calling it now: aided by LLMs for vuln discovery, patch diff, and weaponization, exploitation for initial access and privesc is going to majorly increase in the next 12 months. This is based on my personal success beginning with opus 4.5, and more so now with 4.6.
rahmetu retweeted
Sean McClure @sean_a_mcclure
Do not start with fundamentals. This is an awful approach to learning. Start with so-called "advanced" topics and ask questions until every term/concept is understood. This is the correct, rigorous, scientific way to learn, because the advanced topics are embedded in larger, more convoluted, more abstracted constructs. This embedding is what gives the individual pieces their *meaning*.

Foundational studies have removed this embedding, and present only the isolated, sterile pieces. They have no meaning. They have no context. The notion that students will piece together fundamentals into some eventual synthesis down the road is absolutely incorrect. It is literally information-theoretically obtuse.

Children don't learn language using pieces. They mumble *fully*. They are never not fully embracing the complexity. It is the juxtaposition between their naive attempts and the full picture that imbues their mind with learning.

Prerequisites are the dumbest approach to learning. It is utterly indefensible using any scientific argument. The basics-to-advanced directionality is diametrically opposed to how information is encoded, comprehended and used. Prerequisites are why most computer scientists and whiteboard exam-passers can't make software themselves; they can only be cogs in a company. It's why a Princeton math PhD can write the update rule for gradient descent but can't draw the actual process with circles and lines on a damn chalkboard (true story). Idiot level stuff because their learning was all basics to advanced. They never defined terms and concepts in an embedded fashion. It was all disconnected. Meaningless muscle memory with no understanding.

It does not work both ways. Only pieces that are seen inside the bigger picture are understood. Do not start with fundamentals.
rahmetu retweeted
Ben Sadeghipour @NahamSec
In case you missed it, all of the talks from both conferences last year are posted on our website for free. Watch all 20+ talks here 👉🏼 nahamcon.org
rahmetu retweeted
Behi @Behi_Sec
You can find a critical bug on any target by applying 4 simple rules:
- Use the target service as a customer
- Use every single feature they provide
- Read every single doc they have
- Test basic common bugs on all of those features
This is literally all you need to succeed.
rahmetu retweeted
spaceraccoon | Eugene Lim @spaceraccoon
I don't know who needs to hear this, but: If you're bug bounty hunting, test the main scope. There are far more bugs hiding there than you think...
rahmetu retweeted
Ben Sadeghipour @NahamSec
Instead of making a 3rd "how to bug bounty" and sharing resources and labs, I decided to reflect on my journey in the last 3 years and share some of the things that helped me earn over $1,000,000+ in bounties in these 3 years. Here's what I have learned 👉🏼 youtu.be/oFxcG7yerG4
rahmetu retweeted
Nagli @galnagli
Introducing my Bug Bounty Masterclass. 100% free. I've made $2,000,000+ finding security bugs. I spent the last year turning my methodology into a complete blueprint. 4 hours of video - foundations, reconnaissance, web proxies, hands-on challenges, and certification. Finish it in a weekend and start hacking real-world applications 🐞