shubs

2.2K posts

@infosec_au

Co-founder, security researcher. Building an attack surface management platform, @assetnote

halcyon Joined August 2013
1.9K Following 57.9K Followers
shubs retweeted
Patrik Grobshäuser@ITSecurityguard·
if you've ever had to decompile hundreds of JARs/DLL just to find the 38 that actually matter we built something for that 👀 Hyoketsu filters vendor dependencies out of your target before you even open your decompiler. 🪿 hash-matched against tens of millions of files. 👇
shubs@infosec_au

We got frustrated with dealing with vendor dependencies when reverse engineering large applications. @ITSecurityguard from @SLCyberSec’s Sec Research Team built Hyoketsu to solve this problem forever: github.com/assetnote/hyok… - releasing this today! Blog: slcyber.io/research-cente…

shubs@infosec_au·
@0xLupin Congrats!! Excited for you and your team
Lupin@0xLupin·
WE DID IT ! WE RAISED $5.9M PRE-SEED 🥳🎉🎉
shubs retweeted
Griffin@aussinfosec·
I have been doing bug bounty since 2011 and ran a program for a multinational bank. Put everything I've learned into bugbounty.info. Target selection, recon pipelines, chain patterns, report templates, the business side. Free, no paywall, no course upsell.
shubs@infosec_au·
IP whitelisting is fundamentally broken. At @assetnote, we've successfully bypassed network controls by routing traffic through a specific location (cloud provider, geo-location). Today, we're releasing Newtowner, to help test for this issue: github.com/assetnote/newt…
shubs retweeted
Hacktron AI@HacktronAI·
Cloudflare built a Next.js replacement in a week with vibe-coding. We vibe-hacked and found numerous vulnerabilities, multiple critical and high severity. On Cloudflare Workers, one of the bugs leaks one user's session to another by default. hacktron.ai/blog/hacking-c…
shubs retweeted
cts🌸@gf_256·
V12 is now live for open beta. It can:
- Find valuable bugs
- Generate working, runnable PoC
- Generate patch and test the PoC against it

In our testing during audits at Zellic, Zenith, and Code4rena we've been consistently impressed. Best of all: it's free. (Don't abuse it!)
pashov@pashov

@claudeai Impressive. Very nice. Now do this, but for smart contracts

shubs@infosec_au·
@steventseeley @SLCyberSec We didn’t get an RCE gadget running :( I mentioned this in my LinkedIn post as well, it may be possible but we aren’t confident about it given how long it took us to get URLDNS to work and the constraints.
shubs@infosec_au·
Sometimes you spot a sink and know it's vulnerable, but proving it is a challenge. @SLCyberSec's team broke through layers of crypto to reach a pre-auth deserialization sink in OpenText Directory Services. Breaking the encryption was a journey. slcyber.io/research-cente…
shubs retweeted
spaceraccoon | Eugene Lim@spaceraccoon·
ICYMI: I created an LLM-powered tool to detect CVEs before they're even published - and it's now powering vulnerabilityspoileralert.com. This is a simple GitHub page statically generated using vulnerability-spoiler-alert-action. Check out the backtest findings at github.com/spaceraccoon/v… and let me know what you think the hit rate is! I'm running this open-source vulnerability intelligence project using a personal API token, but maybe @AnthropicAI... or @OpenAI might want to support this? 👀
shubs@infosec_au·
@Arl_rose Will miss you, Ariel. I know how much work you did for our community, and the care you took in making sure hackers were appreciated. Wish you the best for whatever you're planning to do next!
Ariel Garcia@Arl_rose·
After almost seven years, my journey at HackerOne comes to an end today. This has been one of the most impactful experiences of my life, and I wanted to share a bit more about the ride.

It all started in 2018. I had a dream of bringing a Live Hacking Event to Argentina after seeing the magic of the community in Las Vegas. I am forever grateful for the trust placed in me back then. Someone took a chance on a random guy from Argentina and made my hire happen, and I wouldn't be where I am today without that shot.

In the years since, I have been lucky enough to build things from the ground up. I was tasked with building the pentest community from scratch when we launched the product, and seeing it grow into a home for hundreds of professional pentesters has been incredible.

My biggest passion project was always focused on a worldwide hacking competition. My early pitches for a regional tournament eventually evolved into building a global network of hackers instead. We started that program with just seven people. Today, I leave a network of 90 ambassadors across 45 countries.

That network finally allowed me to execute the Ambassador World Cup. Watching that tournament evolve into a global phenomenon that paid out 2.4 million dollars in its latest edition was a dream come true. From the finals in my hometown of Buenos Aires to the trophy presentation in Dubai, seeing hackers find their first bugs through this program has been the highlight of my career.

After 20 Live Hacking Events as an employee, traveling the world and meeting the community in person kept my passion alive for years. None of this was a solo effort. I was only able to be creative because my team was the best in the business and I was given the room to run.

Thank you to the global community of hackers and the rockstars on the community team for being such a massive part of my life. I am moving on to a new chapter to do some fun stuff. More to come on that soon. Thank you for everything and stay in touch!
shubs retweeted
spaceraccoon | Eugene Lim@spaceraccoon·
You may have read @AnthropicAI Frontier Red Team's blogpost about finding zero-day vulnerabilities at scale. I think it's more than that - LLM workflows greatly improve "negative-day" and "never-day" discovery. Here's the tool I built to do this. spaceraccoon.dev/discovering-ne…
shubs@infosec_au·
@assetnote / @SLCyberSec has two nominations this year! Novel SQL Injection Technique in PDO Prepared Statements & Novel SSRF Technique Involving HTTP Redirect Loops. Both are research pieces that come directly from our experience breaking software. Links in comments!
PortSwigger Research@PortSwiggerRes

Voting is now live for the top ten web hacking techniques of 2025! Grab a coffee, browse the 61 quality nominations and cast your vote on the most creative and ground-breaking techniques: portswigger.net/polls/top-10-w…

shubs retweeted
Luke Jahnke@lukejahnke·
New blog post: Ruby Array Pack Bleed PoC + breakdown of a simple out-of-bounds read in Ruby's Array#pack