Podcasts about bug bounties

  • 389 podcasts
  • 857 episodes
  • 42m average duration
  • 5 new episodes weekly
  • Latest: Nov 6, 2025

Popularity by year (chart, 2017 to 2024)

Latest podcast episodes about bug bounties

Critical Thinking - Bug Bounty Podcast
Episode 147: Stupid, Simple, Hacking Workflow Tips
Nov 6, 2025 (58:48)

Episode 147: In this episode of Critical Thinking - Bug Bounty Podcast we're talking tips and tricks that help us in hacking that we really should've learned sooner.
Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater, rez0 and gr3pme on X:
https://x.com/Rhynorater
https://x.com/rez0__
https://x.com/gr3pme

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!
Today's Sponsor: ThreatLocker. Check out ThreatLocker Network Control https://www.criticalthinkingpodcast.io/tl-nc

====== This Week in Bug Bounty ======
Netscaler's new program https://hackerone.com/netscaler_public_program?type=team
The ultimate Bug Bounty guide to HTTP request smuggling vulnerabilities https://www.yeswehack.com/learn-bug-bounty/http-request-smuggling-guide-vulnerabilities
Hackers now have 2 Request-a-Response https://docs.bugcrowd.com/changelog/researchers/request-a-response-researcher/
Evan Connelly Spotlight https://www.bugcrowd.com/blog/hacker-spotlight-evan-connelly/
Epic Games Jobs Openings Jobs.ctbb.show

====== Timestamps ======
(00:00:00) Introduction
(00:09:23) Command Palette, Auto-decoding, & Evenbetter
(00:17:28) Chrome Devtools Edit as html & Raycast
(00:33:23) ffuf -request flag
(00:41:33) JXScout
(00:48:55) Conditional Breakpoints in Devtools & Lightning round tips

„ANGRIFFSLUSTIG – IT-Sicherheit für DEIN Unternehmen“

How realistic are your security measures, really? In this episode Andreas and Sandro talk about simulated attacks, from targeted red team engagements to collaborative purple teaming. They explain how structured security simulations complement classic pentests and bug bounties, what roles red, blue and purple really play, and why the real insights often come only after the attack. Anyone who wants to understand how security is tested when it counts should listen in.

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
SANS Stormcast Friday, October 31st, 2025: Bug Bounty Headers; Exchange hardening; MOVEIt vulnerability
Oct 31, 2025 (6:19)

X-Request-Purpose: Identifying "research" and bug bounty related scans?
Our honeypots captured a few requests with bug bounty specific headers. These headers are meant to make it easier to identify requests related to bug bounty, and they are supposed to identify the researcher conducting the scans.
https://isc.sans.edu/diary/X-Request-Purpose%3A%20Identifying%20%22research%22%20and%20bug%20bounty%20related%20scans%3F/32436

Proton Breach Observatory
Proton opened up its breach observatory. This website will collect information about breaches affecting companies that have not yet made the breach public.
https://proton.me/blog/introducing-breach-observatory

Microsoft Exchange Server Security Best Practices
A new document published by a collaboration of national cyber security agencies summarizes steps that should be taken to harden Exchange Server.
https://www.nsa.gov/Portals/75/documents/resources/cybersecurity-professionals/CSI_Microsoft_Exchange_Server_Security_Best_Practices.pdf?ver=9mpKKyUrwfpb9b9r4drVMg%3d%3d

MOVEit Vulnerability
Progress published an advisory for its file transfer program MOVEit. This software has had heavily exploited vulnerabilities in the past.
https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-CVE-2025-10932-October-29-2025

DevSecOps Podcast
#06 - 21 - Bug Bounty in AppSec
Oct 24, 2025 (37:54)

In this episode, we explore what really makes a Bug Bounty program work, beyond the cash rewards. We talk about how to align the initiative with Application Security demands, from policy design to the triage process for incoming reports. We discuss how to prioritize vulnerabilities, avoid noise and turn community findings into real security improvements. A straight talk about maturity, culture and efficiency in Bug Bounty programs.
Become a supporter of this podcast: https://www.spreaker.com/podcast/devsecops-podcast--4179006/support
Supported by: Nova8, Snyk, Gold Security, Digitalwolk and PurpleBird Security.

Critical Thinking - Bug Bounty Podcast
Episode 145: Gr3pme's Secret: Bug Bounty Note Taking Methodology
Oct 23, 2025 (28:17)

Episode 145: In this episode of Critical Thinking - Bug Bounty Podcast Brandyn lets us in on some of his notetaking tips, including his Templates, Threat Modeling, and ways he uses notes to help with collaboration.
Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater, Rez0, & gr3pme on Twitter:
https://x.com/Rhynorater
https://x.com/rez0__
https://x.com/gr3pme

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!
Today's Sponsor: ThreatLocker. Check out ThreatLocker Network Control https://www.criticalthinkingpodcast.io/tl-nc

====== This Week in Bug Bounty ======
The minefield between syntaxes https://www.yeswehack.com/learn-bug-bounty/syntax-confusion-ambiguous-parsing-exploits

====== Resources ======
Brandyn's Notion Template https://terrific-dart-70e.notion.site/Example-Target-CTBB-294f4ca0f42481cca0b0ca6ac0a7c81d

====== Timestamps ======
(00:00:00) Introduction
(00:07:25) Templates, Target, and Tech Stack
(00:13:33) Threat Modeling and Attack Vectors

MacVoices Video
MacVoices #25266: Live! - Apple's AI Vision Acquisition, Bug Bounties, and Teens and iPhones
Oct 22, 2025 (22:25)

Apple's reported acquisition of Prompt.ai's team/IP drew thoughts from the MacVoices panel about what it could mean for computer vision across Face ID, HomeKit, a rumored HomePod with a screen, and even a home robot. Chuck Joiner, Dave Ginsburg, Brian Flanigan-Arthurs, Jim Rea, Marty Jencius, and Norbert Frassa debate Apple's new $2M bug bounty—promise vs. payout history—then note Piper Sandler data showing 87% of teens own iPhones. Finally, they discuss Apple's lawsuit against John Prosser over iOS 26 leaks and the risks of ignoring the case.

MacVoices is supported by SurfShark. Go to https://surfshark.com/macvoices or use code macvoices at checkout to get 4 extra months of Surfshark VPN!

Show Notes:

Chapters:
[0:00] Opening, topics overview
[1:36] Apple's reported Prompt.ai acquisition: team vs. IP
[2:24] Where vision could land: Face ID, HomeKit, HomePod with screen, home robot
[5:55] New $2M bug bounty: incentives, trust, and payout skepticism
[10:29] Arms race: tougher exploits, higher rewards
[11:12] Sponsor message – Surfshark
[12:49] Teens & iPhones: 87% ownership, upgrade intent
[16:48] Apple vs. John Prosser lawsuit over iOS 26 leaks
[20:14] Public interest vs. leaking: ethics and consequences
[21:31] Closing notes

Links:
Apple Close to Deal to Acquire Team and Tech from Computer Vision Startup Prompt AI
https://www.mactrast.com/2025/10/apple-close-deal-to-acquire-team-and-tech-from-computer-vision-startup-prompt-ai/
Apple Announces $2 Million Bug Bounty Reward for the Most Dangerous Exploits
https://www.wired.com/story/apple-announces-2-million-bug-bounty-reward/
Survey: Eighty-seven percent of teens report they own an iPhone
https://appleworld.today/2025/10/survey-eighty-seven-percent-of-teens-report-they-own-an-iphone/
Here's the Latest on Apple Suing Jon Prosser Over iOS 26 Leaks
https://www.macrumors.com/2025/10/11/apple-jon-prosser-lawsuit-latest-updates

Guests:
Brian Flanigan-Arthurs is an educator with a passion for providing results-driven, innovative learning strategies for all students, but particularly those who are at-risk. He is also a tech enthusiast who has a particular affinity for Apple since he first used the Apple IIGS as a student. You can contact Brian on twitter as @brian8944. He also recently opened a Mastodon account at @brian8944@mastodon.cloud.
Norbert Frassa is a technology "man about town". Follow him on Twitter and see what he's up to.
David Ginsburg is the host of the weekly podcast In Touch With iOS where he discusses all things iOS, iPhone, iPad, Apple TV, Apple Watch, and related technologies. He is an IT professional supporting Mac, iOS and Windows users. Visit his YouTube channel at https://youtube.com/daveg65 and find and follow him on Twitter @daveg65 and on Mastodon at @daveg65@mastodon.cloud.
Dr. Marty Jencius has been an Associate Professor of Counseling at Kent State University since 2000. He has over 120 publications in books, chapters, journal articles, and others, along with 200 podcasts related to counseling, counselor education, and faculty life. His technology interest led him to develop the counseling profession 'firsts,' including listservs, a web-based peer-reviewed journal, The Journal of Technology in Counseling, teaching and conferencing in virtual worlds as the founder of Counselor Education in Second Life, and podcast founder/producer of CounselorAudioSource.net and ThePodTalk.net. Currently, he produces a podcast about counseling and life questions, the Circular Firing Squad, and digital video interviews with legacies capturing the history of the counseling field. He is also co-host of The Vision ProFiles podcast. Generally, Marty is chasing the newest tech trends, which explains his interest in A.I. for teaching, research, and productivity. Marty is an active presenter and past president of the NorthEast Ohio Apple Corp (NEOAC).
Jim Rea built his own computer from scratch in 1975, started programming in 1977, and has been an independent Mac developer continuously since 1984. He is the founder of ProVUE Development, and the author of Panorama X, ProVUE's ultra fast RAM based database software for the macOS platform. He's been a speaker at MacTech, MacWorld Expo and other industry conferences. Follow Jim at provue.com and via @provuejim@techhub.social on Mastodon.

Support:
Become a MacVoices Patron on Patreon: http://patreon.com/macvoices
Enjoy this episode? Make a one-time donation with PayPal

Connect:
Web: http://macvoices.com
Twitter: http://www.twitter.com/chuckjoiner and http://www.twitter.com/macvoices
Mastodon: https://mastodon.cloud/@chuckjoiner
Facebook: http://www.facebook.com/chuck.joiner
MacVoices Page on Facebook: http://www.facebook.com/macvoices/
MacVoices Group on Facebook: http://www.facebook.com/groups/macvoice
LinkedIn: https://www.linkedin.com/in/chuckjoiner/
Instagram: https://www.instagram.com/chuckjoiner/

Subscribe:
Audio in iTunes
Video in iTunes
Subscribe manually via iTunes or any podcatcher:
Audio: http://www.macvoices.com/rss/macvoicesrss
Video: http://www.macvoices.com/rss/macvoicesvideorss

MacVoices Audio
MacVoices #25266: Live! - Apple's AI Vision Acquisition, Bug Bounties, and Teens and iPhones
Oct 22, 2025 (22:26)


The Checklist by SecureMac
Checklist 445 - Ransomware Revisited and a Bigger Bug Bounty
Oct 17, 2025 (18:55)

Apple is increasing bug bounties for good guys, in theory. We'll talk about how much white hats might be able to get outta Cupertino. First though, Japan's beer bungle was a ransomware attack. An update on that and the changing state of cyberattacks on this edition of The Checklist, brought to you by SecureMac.
Check out our show notes: SecureMac.com/Checklist
And get in touch with us: Checklist@Securemac.com

Business of Tech
F5 Security Breach Prompts CISA Action, NIST AI Risks, SMBs Must Adapt, Apple Boosts Bug Bounty
Oct 16, 2025 (14:24)

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive for federal agencies to update their F5 products following a significant breach where hackers accessed source code and undisclosed vulnerabilities. This incident, discovered in August, poses a serious risk to federal networks, as the threat actor could exploit these vulnerabilities to gain unauthorized access and exfiltrate sensitive data. Agencies are required to apply the latest updates by October 22nd and report their F5 deployments by October 29th, highlighting the urgency of addressing these security concerns.

In a related development, the National Institute of Standards and Technology (NIST) is encouraging federal agencies to take calculated risks with artificial intelligence (AI) under new federal guidance. Martin Stanley, an AI and cybersecurity researcher, emphasized the importance of risk management in AI deployment, particularly in comparison to more established sectors like financial services. As agencies adapt to this guidance, they must identify high-impact AI applications that require thorough risk management to ensure both innovation and safety.

A report from Cork Protection underscores the need for small and medium-sized businesses (SMBs) to adopt a security-first approach in light of evolving cyber threats. Many SMBs remain complacent, mistakenly believing they are not targets for cybercriminals. The report warns that this mindset, combined with the rising financial risks associated with breaches, necessitates a shift towards a security-centric operational model. The cybersecurity services market is projected to grow significantly, presenting opportunities for IT service providers that prioritize security.

Apple has announced a substantial increase in its bug bounty program, now offering up to $5 million for critical vulnerabilities. This move reflects the growing importance of addressing security challenges within its ecosystem, which includes over 2.35 billion active devices. The company has previously awarded millions to security researchers, emphasizing its commitment to user privacy and security. As the landscape of cybersecurity evolves, managed service providers (MSPs) are urged to tighten vendor monitoring, incorporate AI risk assessments, and focus on continuous assurance to meet the increasing demands for security.

Three things to know today
00:00 Cybersecurity Crossroads: F5 Breach, AI Risk, and Apple's $5M Bug Bounty Signal Security Accountability
06:44 Nearly a Third of MSPs Admit to Preventable Microsoft 365 Data Loss, Syncro Survey Finds
09:22 AI Reality Check: Workers' Overconfidence, Cheaper Models, and Microsoft's Scientific Breakthrough Signal Maturity in the Market

This is the Business of Tech.
Supported by: https://mailprotector.com/mspradio/

ApfelNerds – Apple News, Gerüchte, Technik

In episode 281 the ApfelNerds talk about Apple's silicone attachments for the MagSafe chargers in the Apple Stores, Apple inviting a few "influencers" on an ominous trip to Colorado, Jeff Williams retiring for good at the end of 2025, Apple significantly raising its bug bounty payouts, Apple buying the AI startup "Prompt AI", Apple Clips being discontinued, Apple TV+ becoming Apple TV, Apple reportedly planning a new "Health+" subscription service, the iPhone Fold hinge reportedly getting much cheaper, code references hinting at a possible Pro Display XDR with a webcam, upcoming device releases, future AirPods, and updates.

Matteo Flora
W33K Ep.26 - Sam Altman, Chat Control and Taylor Swift: AI between politics, privacy and society
Oct 14, 2025 (60:45)

✨ W33K: the Monday that makes the difference! About an hour to start the week with awareness and an extra gear.

Topics in this episode:
00:07:08 Clash between 4chan and the UK government over the Online Safety Act
00:09:18 Sam Altman's controversial statements on jobs replaced by artificial intelligence
00:11:46 Microsoft Store in California: video games become licenses, no longer purchases
00:16:34 Italy introduces the crime of deepfake in its ratification of the European AI Act
00:19:35 The CSM rules on the use of AI for court rulings, calling it a risky practice
00:24:45 The release of OpenAI's Sora 2 and its use for political disinformation
00:27:16 The new phenomenon of "chat phishing": using artificial intelligence for online dating
00:31:20 Waymo study: self-driving cars appear safer than human drivers
00:32:32 The European Chat Control proposal has been postponed thanks to Germany's opposition
00:34:36 Taylor Swift criticized by fans for using AI, at odds with body positivity
00:36:12 YouTube reinstates accounts suspended for disinformation under pressure from the US government
00:38:58 Meta and Google block political advertising, with negative impacts on activism
00:43:34 Apple doubles the rewards of its Bug Bounty program to two million
00:46:03 The AI bubble: circular investments inflating the sector's value
00:48:17 A thirteen-year-old is arrested after asking ChatGPT how to kill a friend

~~~~~ ENGAGEMENTS AND SPONSORSHIP ~~~~~
For business contacts: sales@matteoflora.com
For legal advice: info@42LawFirm.it

~~~~~ SUPPORT THE CHANNEL! ~~~~~
With the PRO Membership you can support the Channel » https://link.mgpf.it/pro
If you want my equipment » https://mgpf.it/attrezzatura

~~~~~ FOLLOW ME ONLINE WITH NOTIFICATIONS TOO! ~~~~~
» WHATSAPP CHANNEL » https://link.mgpf.it/wa
» TELEGRAM CHANNEL » https://mgpf.it/tg
» COURSE (Free) IN FUTURO » https://mgpf.it/nl
» NEWSLETTER » https://mgpf.it/nl

~~~~~ CIAO INTERNET AND MATTEO FLORA ~~~~~
This is "Ciao Internet!", the first and most followed TECH POLICY show in Italian, online on YouTube and as a podcast.
I am MATTEO FLORA and I am:
» Professor of Fundamentals of Security of AI and SuperIntelligences (ESE)
» Adjunct Professor of Corporate Reputation and Crisis Management (Pavia).
I am a serial digital entrepreneur and I founded:
» The Fool » https://thefool.it - The leading Italian Customer Insight company
» The Magician » https://themagician.agency - Atelier for Advocacy and Crisis Management
» 42 Law Firm » https://42lf.it - The Law Firm for Digital Transformation
» ...and many others here: https://matteoflora.com/#aziende
I am a Future Leader (IVLP) of the US State Department under the Obama Administration in the "Combating Cybercrime (2012)" program.
I am President of PermessoNegato, the Italian association dealing with Non-Consensual Pornography and Revenge Porn.
I host "Intelligenze Artificiali" on TV on Mediaset/TgCom.

Security Conversations
Apple Exploit-Chain Bounties, Wireless Proximity Exploits and Tactical Suitcases
Oct 11, 2025 (143:02)

Three Buddy Problem - Episode 67: We discuss the rise of automated red-teaming, Apple's $2 million exploit chain bounties aimed at outbidding spyware brokers and the iPhone maker's focus on wireless proximity attacks and “tactical suitcase” Wi-Fi exploits. We also hit the news of Paragon spyware targeting European executives and the bizarre story of NSO Group's supposed US investor buyout. Plus, an update on Oracle's zero-day ransomware fiasco, Ivanti's endless patch delays, the ethics of journalists enabling ransomware operations on leak sites, Europe's latest failed push for Chat Control, and VirusTotal's new pricing tiers. Cast: Juan Andres Guerrero-Saade (https://twitter.com/juanandres_gs), Ryan Naraine (https://twitter.com/ryanaraine) and Costin Raiu (https://twitter.com/craiu).

Engadget
Apple doubled its biggest bug bounty reward, Chinese regulators are investigating Qualcomm, and a 65-year-old computer was programmed to play Boards of Canada's 'Olson'
Oct 10, 2025 (8:33)

- Apple is updating its Security Bounty program this November to offer some of the highest rewards in the industry. It has doubled its top award from $1 million to $2 million for the discovery of "exploit chains that can achieve similar goals as sophisticated mercenary spyware attacks" and which requires no user interaction.
- China's antitrust regulator has opened an investigation into Qualcomm's acquisition of Israeli connected-vehicle chip company Autotalks. The State Administration for Market Regulation (SAMR) alleges that Qualcomm is suspected of violating China's anti-monopoly laws by not disclosing certain details of the deal.
- The Programmed Data Processor-1 is perhaps most recognizable as the home of Spacewar!, one of the world's first video games, but it also works as an enormous and very slow iPod, too. In the video, Boards of Canada's "Olson" plays off of paper tape that's carefully fed and programmed into the PDP-1 by engineer and Computer History Museum docent Peter Samson. Here's a link to the video.
Learn more about your ad choices. Visit podcastchoices.com/adchoices

Decipher Security Podcast
More Cl0p Clues and Huge Apple Bug Bounty Changes
Oct 10, 2025 (14:17)

This week brings some new insights into the origins and length of the Cl0p extortion attacks tied to the Oracle E-Business Suite vulnerability, big surges in scanning for Cisco ASA, Palo Alto, and Fortinet devices, and a huge upgrade to Apple bug bounty payouts. Plus: Does Dennis have a dog yet?
https://security.apple.com/blog/apple-security-bounty-evolved/
https://decipher.sc/2025/10/08/data-connects-scanning-surges-for-cisco-fortinet-pan-devices/
https://decipher.sc/2025/10/09/oracle-clop-data-theft-campaign-started-months-ago/

NoLimitSecu
The hidden side of Bug Bounty
Oct 5, 2025 (32:50)

Episode #515: The hidden side of Bug Bounty, with Adrien Jeanneau.

Critical Thinking - Bug Bounty Podcast
Episode 142: gr3pme's full-time hunting journey update, insane AI research, and some light news
Oct 2, 2025 (54:50)

Episode 142: In this episode of Critical Thinking - Bug Bounty Podcast Rez0 and Gr3pme join forces to discuss Websocket research, Meta's $111750 Bug, PROMISQROUTE, and the opportunities afforded by going full time in Bug Bounty.
Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater and Rez0 on Twitter:

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!
Today's Sponsor: ThreatLocker. Check out ThreatLocker DAC
Today's Guest: https://x.com/gr3pme

====== This Week in Bug Bounty ======
New Monthly Dojo challenge and Dojo UI design
The ultimate Bug Bounty guide to exploiting race condition vulnerabilities in web applications
Watch Our boy Brandyn on the TV

====== Resources ======
murtasec
WebSocket Turbo Intruder: Unearthing the WebSocket Goldmine
Chaining Path Traversal Vulnerability to RCE — Meta's 111,750$ Bug
Finding vulnerabilities in modern web apps using Claude Code and OpenAI Codex
Mind the Gap
PROMISQROUTE

====== Timestamps ======
(00:00:00) Introduction
(00:05:16) Full Time Bug Bounty and Business Startups
(00:15:50) Websockets
(00:22:17) Meta's $111750 Bug
(00:28:38) Finding vulns using Claude Code and OpenAI Codex
(00:39:32) Time-of-Check to Time-of-Use Vulns in LLM-Enabled Agents
(00:45:22) PROMISQROUTE

Cybercrime Magazine Podcast
Passwords Uncovered In 3 Minutes. Ethical Hacker's Investigation. Brandyn Murtagh, Bug Bounty Hunter
Sep 19, 2025 (11:25)

Brandyn Murtagh is a full-time bug bounty-hunter and ethical ‘White Hat' hacker who is the founder of MurtaSec. In this episode, he joins host Heather Engel to discuss his work as an ethical hacker and the security assessment he conducted in collaboration with Virgin Media O2, a British media and telecommunications company based in England, which demonstrated how easily he could find the active email passwords of consenting participants. • For more on cybersecurity, visit us at https://cybersecurityventures.com

True Crime Cyber Geeks
Bug Bounties: Getting Paid to Hack
Sep 14, 2025 (23:29)

The finale of HBO's Silicon Valley series pointed up a subtle parallel to the real-world challenges in vulnerability reporting—rather than risk going to jail, Pied Piper chose to burn the company to the ground. For decades, white hat and gray hat hackers had no place to report cybersecurity flaws without fear of legal hassles. Nowadays we have Bug Bounty programs, where hackers get paid to find and disclose security flaws, and even get some cash for their work.

Resources
Internet Scanner Finds Security Holes
CERIAS - Center for Education and Research in Information Assurance and Security
A history of bug bounty programs & incentivised vulnerability disclosure
Wearing Many Hats: The Rise of the Professional Security Hacker
Hacking the Pentagon

Join our Patreon to listen ad-free!

Critical Thinking - Bug Bounty Podcast
Episode 133: Building Hacker Communities - Bug Bounty Village, getDisclosed, and the LHE Squad
Jul 31, 2025 (76:12)

Episode 133: In this episode of Critical Thinking - Bug Bounty Podcast we're joined by Harley and Ari from H1 to talk some about community management roles within Bug Bounty, as well as discuss the evolution of Bug Bounty Village at DEFCON, and what they've got in store this year.

Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater and Rez0 on Twitter:
https://x.com/Rhynorater
https://x.com/rez0__

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!
Today's Guests:
x.com/infinitelogins
https://x.com/Arl_rose
Today's Sponsor is Adobe. Use code CTBBP0907 in your first report on Adobe Behance, Portfolio, Fonts or Acrobat Web, and earn a one-time 10% bonus reward!

====== This Week in Bug Bounty ======
BBV Platform Panel about Triage
YesWeHACK Makes Debut at Black Hat USA 2025
New Dojo challenge featuring a time-based token prediction combined with PyYAML deserialization
GMSGadget

====== Resources ======
Bug Bounty Village
Sign up for the Disclosed Newsletter
Disclosed Online
Harley's Youtube Channel

====== Timestamps ======
(00:00:00) Introduction
(00:05:51) Bug Stories and Hacking Journeys
(00:32:37) Community Management within Bug Bounty
(00:39:43) Bug Bounty Village - Origin & 2025 Plans
(01:02:39) Disclosed Online and Harley's Upcoming Ebook

Algorütm | Geenius.ee
31.07 Algorütm: Bug bounty: game or profession?

Jul 31, 2025 (56:53)


In today's episode we talk about cybersecurity, and our guest is Lyra Rebane, content developer at RangeForce and a curious freelancer in the cyber world. Lyra tells how she found her way to bug bounties and security research, why she sometimes spends four hours compiling Chrome, and what interesting vulnerabilities she has found in the Google ecosystem. We also talk about how to prevent security weaknesses as a developer and why Lyra does not trust AI.

Links mentioned in the episode
KüberNaaskel - https://ecsc.ee/
Estonian Cybersecurity Community - https://discord.gg/6xCsDhkHtu
"Web security is fun" - https://www.youtube.com/watch?v=0z1My1gC5Yc
CTFtime - https://ctftime.org/
BSides Tallinn - https://tallinn.bsides.ee/
Lyra's website (blog and contact info) - https://lyra.horse/
-----
Share the thought from the episode that mattered most to you on our Discord channel: https://discord.gg/8X5JTkDxcc
The episode is hosted by Priit Liivak and Erik Jõgi
Algorütm is supported by Patchstack https://patchstack.com Nortal https://nortal.com/ Veriff https://www.veriff.com/

DOU Podcast
Salaries of managers and analysts | Starlink outage | Oksana Ferchuk's new position — DOU News #208

Jul 28, 2025 (29:07)


Adventures of Alice & Bob
Ep. 83 - The Bug Bounty That Bought a Mini Donkey // Tommy DeVoss (dawgyg)

Jul 18, 2025 (54:39)


Tommy DeVoss—aka "dawgyg"—is back for round two, and it's even wilder. A former black hat who faced prison four times, Tommy turned his life around and became a legend in the bug bounty world. From max-sec prison cells to flexing a championship belt on stage at HackerOne Live, his story is pure hacker folklore. In this episode, he shares how bug bounties bought him mini donkeys, why he still hunts old-school (no tools, no scripts), and how federal judges, rogue AIs, and childhood IRC wars shaped his chaotic path. Expect redemption arcs, sketchy bets, and a surprise detour into Icelandic youth basketball.

Critical Thinking - Bug Bounty Podcast
Episode 131: SL Cyber Writeups, Bug Bounty Metastrategy, and Orphaned Github Commits

Jul 17, 2025 (50:36)


Episode 131: In this episode of Critical Thinking - Bug Bounty Podcast we're covering Christmas in July with several banger articles from Searchlight Cyber, as well as covering things like Raycast for Windows, Third-Person prompting, and touching on the recent McDonalds Leak.

Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater and Rez0 on Twitter:
https://x.com/Rhynorater
https://x.com/rez0__

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!
Today's Sponsor is Adobe. Use code CTBBP0907 in your first report on Adobe Behance, Portfolio, Fonts or Acrobat Web, and earn a one-time 10% bonus reward!

====== Resources ======
v1 Instance Metadata Service protections bypass
Would you like an IDOR with that? Leaking 64 million McDonald's job applications
How we got persistent XSS on every AEM cloud site, thrice
Google docs now supports export as markdown
Abusing Windows, .NET quirks, and Unicode Normalization to exploit DNN (DotNetNuke)
How I Scanned all of GitHub's "Oops Commits" for Leaked Secrets
Bug bounty, feedback, strategy and alchemy

====== Timestamps ======
(00:00:00) Introduction
(00:05:39) Metadata Service protections bypass & Mcdonalds Leak
(00:12:30) Christmas in July with Searchlight Cyber Pt 1
(00:19:43) Export as Markdown, Raycast for Windows, & Third-Person prompting
(00:23:56) Christmas in July with Searchlight Cyber Pt 2
(00:27:39) GitHub's "Oops Commits" for Leaked Secrets
(00:36:53) Bug bounty, feedback, strategy and alchemy

Absolute AppSec
Episode 292 - Manual Source Code Review, AI Slop in Bug Bounties, AppSec Authorization

Jul 15, 2025


Seth and Ken are _back_ to talk through some recent experiences and news across the industry. To start the episode, Seth highlights the edge cases uncovered during manual code review that require context to understand and identify. Inspired by a recent post on AI slop in the curl bug bounty program, the duo addresses the increase of slop across bug bounty reports and why it happens. Finally, a discussion on McDonald's recent authorization flaw that potentially exposed millions of job applicants' data.

Critical Thinking - Bug Bounty Podcast
Episode 129: Is this how Bug Bounty Ends?

Jul 3, 2025 (36:14)


Episode 129: In this episode of Critical Thinking - Bug Bounty Podcast we chat about the future of hack bots and human-AI collaboration, the challenges posed by tokenization, and the need for cybersecurity professionals to adapt to the evolving landscape of hacking in the age of AI.

Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater and Rez0 on Twitter:
https://x.com/Rhynorater
https://x.com/rez0__

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!

====== This Week in Bug Bounty ======
Improper error handling in async cryptographic operations crashes process
https://hackerone.com/reports/2817648
Recon Series #6: Excavating hidden artifacts with Wayback Machine
https://www.yeswehack.com/learn-bug-bounty/recon-wayback-machine-web-archive

====== Resources ======
This is How They Tell Me Bug Bounty Ends
https://josephthacker.com/hacking/2025/06/09/this-is-how-they-tell-me-bug-bounty-ends.html
Welcome, Hackbots: How AI Is Shaping the Future of Vulnerability Discovery
https://www.hackerone.com/blog/welcome-hackbots-how-ai-shaping-future-vulnerability-discovery
Glitch Token
https://www.youtube.com/watch?v=WO2X3oZEJOA
Conducting smarter intelligences than me: new orchestras
https://southbridge-research.notion.site/conducting-smarter-intelligences-than-me

====== Timestamps ======
(00:00:00) Introduction
(00:04:05) Is this how Bug Bounty Ends?
(00:11:14) Hackbots and handling leads
(00:20:50) Hacker chain of thought & Tokenization
(00:32:54) Context Engineering

Bug Bounty Reports Discussed
Bug bounty tools that actually land bugs with Arthur Aires

Jun 10, 2025 (55:17)


In this podcast, my guest is Arthur Aires, part-time bug bounty hunter and cybersecurity pro from Brazil. He has an amazing approach that combines manual hacking with using a lot of tools for recon and fuzzing.

Some links mentioned in the video:
https://github.com/pwntester/SerialKillerBypassGadgetCollection
https://book.hacktricks.wiki/en/index.html
https://portswigger.net/bappstore/e4e0f6c4f0274754917dcb5f4937bb9e
https://portswigger.net/bappstore/594a49bb233748f2bc80a9eb18a2e08f
https://portswigger.net/bappstore/0e61c786db0c4ac787a08c4516d52ccf
https://github.com/PortSwigger/403-bypasser
https://github.com/projectdiscovery/nuclei
https://github.com/SeifElsallamy/Blind-XSS-Manager/tree/main
https://github.com/trufflesecurity/xsshunter
https://infosecwriteups.com/easy-xsshunter-discord-alerts-33fcff24a8f7
https://github.com/elkokc/reflector
https://portswigger.net/burp/documentation/desktop/tools/dom-invader
https://urlscan.io/

Timestamps:
00:00 Intro
01:30 Balancing part-time bug bounty with full-time job
02:56 Mixing manual bug bounty hunting with automation
22:04 The most useful Burp extensions
33:25 Fuzzing in bug bounty
46:34 Live Hacking Events

Critical Thinking - Bug Bounty Podcast
Episode 124: Bug Bounty Lifestyle = Less Hacking Time?

May 29, 2025 (45:26)


Episode 124: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Joseph cover some news from around the community, hitting on Joseph's Anthropic safety testing, Justin's guest appearance on For Crying Out Cloud, and several fascinating tweets. Then they have a quick Full-time Bug Bounty check-in.

Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater and Rez0 on Twitter:
https://x.com/Rhynorater
https://x.com/rez0__

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!
Today's Sponsor - ThreatLocker Web Control
https://www.criticalthinkingpodcast.io/tl-webcontrol

====== This Week in Bug Bounty ======
Louis Vuitton Public Bug Bounty Program
CVE-2025-47934 was discovered on one of our Bug Bounty programs: OpenPGP.js
Stored XSS in File Upload Leads to Privilege Escalation and Full Workspace Takeover

====== Resources ======
Jorian tweet
Clipjacking: Hacked by copying text - Clickjacking but better
Crying out Cloud Appearance
Wiz Research takes 1st place in Pwn2Own AI category
New XSS vector with image tag

====== Timestamps ======
(00:00:00) Introduction
(00:10:50) Supabase
(00:13:47) Tweet-research from Jorian and Wyatt Walls.
(00:20:24) Anthropic safety testing challenge & Wiz Podcast guest appearance
(00:27:44) New XSS vector, Google i/o, and coding agents
(00:35:48) Full Time Bug Bounty

Open Source Security Podcast
Curl vs AI with Daniel Stenberg

May 26, 2025 (34:23)


Daniel Stenberg, the maintainer of Curl, discusses the increase in AI security reports that are wasting the time of maintainers. We discuss Curl's new policy of banning the bad actors while establishing some pretty sane AI usage guidelines. We chat about how this low-effort, high-impact abuse pattern is a denial-of-service attack on the curl project (and other open source projects too). The show notes and blog post for this episode can be found at https://opensourcesecurity.io/2025/2025-05-curl_vs_ai_with_daniel_stenberg/

Storm⚡️Watch by GreyNoise Intelligence
AI Layoffs, Bug Bounty Fails & Cyber Workforce Crisis

May 13, 2025 (57:59)


Forecast = Expect scattered AI layoffs, a flurry of bogus bug bounties, and a persistent workforce drought, so keep your firewalls up and your résumés handy! On this episode of GreyNoise Storm⚡️Watch, we kick things off with our usual round of introductions before diving into the latest cyber weather and threat landscape. If you're new here, Storm⚡️Watch is where we break down what's moving the needle in cybersecurity, spotlighting the people, tools, and trends shaping the field. For today's poll, we're feeling nostalgic and asking: What do you miss most from the Slow Internet days? Whether it's the wild west of Myspace, the quirky chaos of Fark, the creative playground of Wattpad, or the endless flash animations on Albino Blacksheep, we want to know what old-school internet experience you'd revive if you could. We're also talking about the pitfalls of AI in bug bounty programs. The open-source project curl has had enough of users flooding them with AI-generated "slop" vulnerabilities that waste maintainers' time and don't actually move security forward. It's a reminder that, despite the hype, AI isn't a silver bullet for finding real bugs and can actually create more noise than signal. Speaking of AI, the conversation shifts to how major companies are reshaping their workforce in the name of artificial intelligence. CrowdStrike just announced it's cutting 5% of its jobs, citing AI-driven restructuring and the need for efficiency. It's not just CrowdStrike: Duolingo is pushing AI into every corner of its product and workflow, with leadership urging engineers to "start with AI for every task," even as they admit the tech is still error-prone and often less effective than human effort. The end result? Workers are being asked to manage and troubleshoot clumsy AI tools instead of using their expertise, and users are left with content that's sometimes flat-out wrong or just less engaging than before.
But while AI is shaking up tech jobs, the cybersecurity workforce shortage isn't going away. The PIVOTT Act has been revived in Congress to address the growing gap, offering full scholarships for two-year degrees in cyber fields in exchange for government service. It's aimed at making it easier for people to pivot into cyber careers, especially as professionals in other sectors worry about AI-driven job cuts. The Act is being administered by CISA and is designed to streamline the path into government cyber roles, including those requiring security clearances. As always, we spotlight some of the latest developments from Censys, VulnCheck, runZero, and GreyNoise; then wrap up with some quick goodbyes and reminders to check out the latest from all our partners and contributors. Thanks for tuning in to Storm⚡️Watch, where the only thing moving faster than the threats is the conversation.
Storm Watch Homepage >>
Learn more about GreyNoise >>

Crying Out Cloud
Bug Bounty Secrets, Hacker Communities, and a Hit of Volleyball with Justin Gardner

May 8, 2025 (40:24)


Risk Management Show
Bug Bounty Myths DEBUNKED: What Risk Managers Must Know

Mar 20, 2025 (20:14)


In this episode of the Risk Management Show, we debunk common bug bounty myths and explore what risk managers need to know to enhance their cyber security strategies. Joining us is Will Kapcio, Sales Engineer Manager at HackerOne, the world leader in hacker-powered security. Will shares expert insights into the realities of bug bounty programs, how private initiatives often outperform public ones, and the critical role they play in identifying vulnerabilities that evade traditional testing methods. We also discuss the findings of HackerOne's latest Hacker-Powered Security Report, including the top vulnerabilities organizations still struggle with, the impact of AI on both attackers and defenders, and practical advice for launching and scaling a successful bug bounty program. Whether you're a Chief Risk Officer, cyber security professional, or simply interested in the intersection of risk management and sustainability, this episode is packed with actionable insights. If you want to be our guest or suggest a guest, send your email to info@globalriskconsult.com with the subject line "Guest Proposal." Don't miss this invaluable di

The Agenda Podcast: Decoding Crypto
Lazarus Group's $1.4B Bybit hack is just the beginning (feat. CertiK)

Mar 19, 2025 (35:07)


CertiK chief business officer Jason Jiang shares the nitty gritty on how North Korea's Lazarus Group stole $1.4 billion in ETH-related tokens from Bybit, who is ultimately at fault, and what the crypto industry and investors can do to protect themselves against the next major hack.

(00:00) Introduction to The Agenda podcast and this week's episode
(02:17) How Lazarus Group hacked Bybit
(07:17) Are hard wallets and cold wallets safe from hacks?
(09:19) How AI and quantum computing could compromise blockchains
(12:24) Who is most at fault for the Bybit hack?
(16:05) Is THORChain facilitating crime or abiding by the rules of decentralization?
(18:46) How smart contract audits work
(23:31) Securing AI and planning for the quantum computing Cambrian explosion
(26:02) Is there a white hat hacker shortage?
(30:34) The future of onchain security

The Agenda is brought to you by Cointelegraph and hosted/produced by Ray Salmond and Jonathan DeYoung, with post-production by Elena Volkova (Hatch Up). Follow Cointelegraph on X (Twitter) at @Cointelegraph, Jonathan at @maddopemadic and Ray at @HorusHughes. Jonathan is also on Instagram at @maddopemadic, and he made the music for the podcast — hear more at madic.art. Check out Cointelegraph at cointelegraph.com. If you like what you heard, rate us and leave a review!

The views, thoughts and opinions expressed in this podcast are its participants' alone and do not necessarily reflect or represent the views and opinions of Cointelegraph. This podcast (and any related content) is for entertainment purposes only and does not constitute financial advice, nor should it be taken as such. Everyone must do their own research and make their own decisions. The podcast's participants may or may not own any of the assets mentioned.

Canaltech Podcast
Hackers for good: how Bug Bounty is revolutionizing Cybersecurity in Brazil

Mar 19, 2025 (15:20)


In today's episode of the Canaltech Podcast, the focus is on one of the biggest advances in the field of digital security: the Bug Bounty model, a strategy that is transforming the way companies deal with cyber threats. IPV7, one of the leaders in cybersecurity, recently announced the acquisition of the HuntersPay platform, bringing to Brazil a more effective and collaborative solution for identifying and fixing security flaws before they become a problem. To talk about this innovation, we invited Rudnei Carapinheiro, the company's chief of strategy, who shared his view on how the offensive security model can transform digital protection in Brazil and Latin America.

Find Canaltech on social networks by searching for @Canaltech
Contact us by e-mail: podcast@canaltech.com.br
Join Canaltech Ofertas
Subscribe to the Canaltech newsletter
See omnystudio.com/listener for privacy information.

FILL IN THE BLANK with Carlos Whittaker
Episode 58: Joseph, 33 - Bug Bounty Hunting, Artificial Intelligence, & Adoption

Mar 6, 2025 (42:19)


Joseph joins us to share about his career as an ethical hacker. First of all, I didn't know that there were good hackers out there. What a relief! You're going to love this conversation. We cover everything from hacking to faith and AI to international adoption. This stuff is all so fascinating to me, and it was so fun to get to share these thoughts with you! Class is in session. Let's get curious!

Have a secretly extraordinary life? Apply to be a guest on my podcast in 2025 here: https://forms.gle/Z13WGj63oEfgmtjJ9

Order your copy of my new book Reconnected HERE: ReconnectedBook.com
Let's keep in touch! Sign up for my newsletter to be the first to hear ALL my updates. https://app.e2ma.net/app2/audience/signup/1987227/1965424/
Interested in advertising with us? Reach out here.
Book me to speak HERE: https://www.carloswhittaker.com/events

Visit CatchingWhimsyBook.com to learn more and download a free chapter sampler today!
Learn more about your ad choices. Visit megaphone.fm/adchoices

Human Hope with Carlos Whittaker
Episode 58: Joseph, 33 - Bug Bounty Hunting, Artificial Intelligence, & Adoption

Mar 6, 2025 (42:19)


Joseph joins us to share about his career as an ethical hacker. First of all, I didn't know that there were good hackers out there. What a relief! You're going to love this conversation. We cover everything from hacking to faith and AI to international adoption. This stuff is all so fascinating to me, and it was so fun to get to share these thoughts with you! Class is in session. Let's get curious!

Have a secretly extraordinary life? Apply to be a guest on my podcast in 2025 here: https://forms.gle/Z13WGj63oEfgmtjJ9

Order your copy of my new book Reconnected HERE: ReconnectedBook.com
Let's keep in touch! Sign up for my newsletter to be the first to hear ALL my updates. https://app.e2ma.net/app2/audience/signup/1987227/1965424/
Interested in advertising with us? Reach out here.
Book me to speak HERE: https://www.carloswhittaker.com/events

Visit CatchingWhimsyBook.com to learn more and download a free chapter sampler today!
Learn more about your ad choices. Visit megaphone.fm/adchoices

Critical Thinking - Bug Bounty Podcast
Episode 112: Interview with Ciarán Cotter (MonkeHack) - Critical Lab Researcher and Full-time Hunter

Feb 27, 2025 (67:37)


Episode 112: In this episode of Critical Thinking - Bug Bounty Podcast Joseph Thacker is joined by Ciarán Cotter (Monke) to share his bug hunting journey and give us the rundown on some recent client-side and server-side bugs. Then they discuss WebSockets, SaaS security, and cover some AI news including Grok 3, Nuclei -AI Flag, and some articles by Johann Rehberger.

Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater and Rez0 on Twitter:
https://x.com/Rhynorater
https://x.com/rez0__

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!
Today's Guest - Ciarán Cotter
https://x.com/monkehack

====== Resources ======
Msty
https://msty.app/
From Day Zero to Zero Day
https://nostarch.com/zero-day
Nuclei - ai flag
https://x.com/pdiscoveryio/status/1890082913900982763
ChatGPT Operator: Prompt Injection Exploits & Defenses
https://embracethered.com/blog/posts/2025/chatgpt-operator-prompt-injection-exploits/
Hacking Gemini's Memory with Prompt Injection and Delayed Tool Invocation
https://embracethered.com/blog/posts/2025/gemini-memory-persistence-prompt-injection/

====== Timestamps ======
(00:00:00) Introduction
(00:01:04) Bug Rundowns
(00:13:05) Monke's Bug Bounty Background
(00:20:03) Websocket Research
(00:34:01) Connecting Hackers with Companies
(00:34:56) Grok 3, Msty, From Day Zero to Zero Day
(00:42:58) Full time Bug Bounty, SaaS security, and Threat Modeling while AFK
(00:54:49) Nuclei - ai flag, ChatGPT Operator, and Hacking Gemini's Memory

Critical Thinking - Bug Bounty Podcast
Episode 111: How to Bypass DOMPurify in Bug Bounty with Kevin Mizu

Feb 20, 2025 (109:15)


Episode 111: In this episode of Critical Thinking - Bug Bounty Podcast Justin interviews Kevin Mizu to showcase his knowledge regarding DOMPurify and its misconfigurations. We walk through some of Kevin's research, highlighting things like Dangerous allow-lists and URI Attributes, DOMPurify hooks, node manipulation, and DOM Clobbering.

Follow us on twitter at: https://x.com/ctbbpodcast
Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!

====== Links ======
Follow your hosts Rhynorater and Rez0 on Twitter:
https://x.com/Rhynorater
https://x.com/rez0__

====== Ways to Support CTBBPodcast ======
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
You can also find some hacker swag at https://ctbb.show/merch!

====== Resources ======
Exploring the DOMPurify library: Bypasses and Fixes (1/2)
https://mizu.re/post/exploring-the-dompurify-library-bypasses-and-fixes
Exploring the DOMPurify library: Hunting for Misconfigurations (2/2)
https://mizu.re/post/exploring-the-dompurify-library-hunting-for-misconfigurations
Dom-Explorer tool
https://yeswehack.github.io/Dom-Explorer/shared?id=772a440c-b0c2-4991-be71-3e271cf7954f
CT Episode 61: A Hacker on Wall Street - JR0ch17
https://www.criticalthinkingpodcast.io/episode-61-a-hacker-on-wall-street-jr0ch17/

====== Timestamps ======
(00:00:00) Introduction
(00:01:44) Kevin Mizu - Background and Bring-a-bug
(00:15:09) DOMPurify
(00:29:04) Misconfigurations - Dangerous allow-lists
(00:39:09) Dangerous URI attributes configuration
(00:46:08) Bad usage
(00:59:55) DOMPurify Hooks: before, after, and upon SanitizeAttribute
(01:29:15) Node manipulation, nodeName namespace case confusion, & DOM Clobbering DOS
(01:36:51) Misc concepts for future research

Ardan Labs Podcast
Iterators, Bug Bounties, and Education with Julien Cretel

Feb 19, 2025 (93:20)


In this episode of the Ardan Labs podcast, Bill Kennedy interviews Julien Cretel, exploring his journey through technology, education, and personal growth. They discuss Julien's early experiences with computers, the influence of his family on his career choices, and his reflections on high school and intensive studies. The conversation highlights the importance of perseverance and the lasting impact of foundational knowledge in software development. The conversation explores Julien's educational journey in engineering, his transition from academia to industry, and his experiences in marine engineering and renewable energy. The discussion also touches on the differences between backend and frontend development, the importance of error handling, and the balance between performance and complexity in software development.

00:00 Introduction
00:30 What is Julien Doing Today?
05:10 First Memory of a Computer
9:00 Family Influence and Early Choices
20:00 Deciding on Intense Education
31:30 Transition from Academia to Industry
42:00 First Programming Job / Code Talk
51:41 Performance vs Complexity in Software
1:05:00 Transition to Contract Work
1:12:00 Debt in the U.S
1:19:00 Security Audits / Bug Bounties
1:27:00 Open Source Projects

Connect with Julien:
Julien's Website: https://jub0bs.com/posts/
Bluesky: https://bsky.app/profile/jub0bs.com

Mentioned in this Episode:
Iterutil: https://github.com/jub0bs/iterutil
CORS: https://github.com/jub0bs/cors

Want more from Ardan Labs? You can learn Go, Kubernetes, Docker & more through our video training, live events, or through our blog!
Online Courses : https://ardanlabs.com/education/
Live Events : https://www.ardanlabs.com/live-training-events/
Blog : https://www.ardanlabs.com/blog
Github : https://github.com/ardanlabs

Adventures of Alice & Bob
Ep. 71 - From Prison to Millions: The Hacker Who Struck Yahoo Bug Bounty Gold // Tommy DeVoss

Jan 31, 2025 (71:49)


In this episode, James sits down with Tommy DeVoss (aka Doggy G), who went from a teenage hacker dodging federal prison to becoming one of the most successful ethical hackers in the world. Tommy spills raw, unfiltered stories about his wild days in IRC channels, running with the infamous World of Hell hacking group, and somehow managing to turn his life around to rake in over $4 million in bug bounties. You'll hear how a 10-year computer ban gave him enough pent-up tech energy to power a small country and how his boredom waiting for a friend led to a $180,000 Yahoo bug discovery. Yeah, some people text while waiting—Tommy casually breaks the internet.

Paul's Security Weekly
AI Red Teaming Comes to Bug Bounties - Francis Dinha, Michiel Prins - ESW #391

Jan 27, 2025 (127:23)


HackerOne's co-founder Michiel Prins walks us through the latest new offensive security service: AI red teaming. At the same time enterprises are globally trying to figure out how to QA and red team generative AI models like LLMs, early adopters are challenged to scale these tests. Crowdsourced bug bounty platforms are a natural place to turn for assistance with scaling this work, though, as we'll discuss on this episode, it is unlike anything bug hunters have ever tackled before.
Segment Resources:
https://www.hackerone.com/ai/snap-ai-red-teaming
https://www.hackerone.com/thought-leadership/ai-safety-red-teaming

This interview is a bit different from our norm. We talk to the founder and CEO of OpenVPN about what it is like to operate a business based on open source, particularly through trying times like the recent pandemic. How do you compete when your competitors are free to build products using your software and IP? It seems like an oxymoron, but an open source-based business actually has some significant advantages over the closed source commercial approach.

In this week's enterprise security news:
- the first cybersecurity IPO in 3.5 years!
- new companies
- new tools
- the fate of CISA and the cyber safety review board
- things we learned about AI in 2024
- is the humanless SOC possible?
- NGFWs have some surprising vulnerabilities
- what did generative music sound like in 1996?
All that and more, on this episode of Enterprise Security Weekly.

Visit https://www.securityweekly.com/esw for all the latest episodes!
Show Notes: https://securityweekly.com/esw-391

Enterprise Security Weekly (Audio)
AI Red Teaming Comes to Bug Bounties - Francis Dinha, Michiel Prins - ESW #391

Jan 27, 2025 (127:23)


HackerOne's co-founder Michiel Prins walks us through the latest new offensive security service: AI red teaming. At the same time enterprises are globally trying to figure out how to QA and red team generative AI models like LLMs, early adopters are challenged to scale these tests. Crowdsourced bug bounty platforms are a natural place to turn for assistance with scaling this work, though, as we'll discuss on this episode, it is unlike anything bug hunters have ever tackled before.
Segment Resources:
https://www.hackerone.com/ai/snap-ai-red-teaming
https://www.hackerone.com/thought-leadership/ai-safety-red-teaming

This interview is a bit different from our norm. We talk to the founder and CEO of OpenVPN about what it is like to operate a business based on open source, particularly through trying times like the recent pandemic. How do you compete when your competitors are free to build products using your software and IP? It seems like an oxymoron, but an open source-based business actually has some significant advantages over the closed source commercial approach.

In this week's enterprise security news:
- the first cybersecurity IPO in 3.5 years!
- new companies
- new tools
- the fate of CISA and the cyber safety review board
- things we learned about AI in 2024
- is the humanless SOC possible?
- NGFWs have some surprising vulnerabilities
- what did generative music sound like in 1996?
All that and more, on this episode of Enterprise Security Weekly.

Visit https://www.securityweekly.com/esw for all the latest episodes!
Show Notes: https://securityweekly.com/esw-391

Paul's Security Weekly TV
AI Red Teaming Comes to Bug Bounties - Michiel Prins - ESW #391

Jan 26, 2025 | 33:31


HackerOne's co-founder, Michiel Prins, walks us through the latest new offensive security service: AI red teaming. At the same time that enterprises globally are trying to figure out how to QA and red team generative AI models like LLMs, early adopters are challenged to scale these tests. Crowdsourced bug bounty platforms are a natural place to turn for assistance with scaling this work, though, as we'll discuss on this episode, it is unlike anything bug hunters have ever tackled before.

Segment Resources:
https://www.hackerone.com/ai/snap-ai-red-teaming
https://www.hackerone.com/thought-leadership/ai-safety-red-teaming

Show Notes: https://securityweekly.com/esw-391

Bitcoin Takeover Podcast
S16 E3: Charlie Shrem & DG Yoda on Digital Gold (DGD)

Jan 14, 2025 | 110:50


Bitcoin OG Charlie Shrem is now the chief evangelist of a project called Digital Gold (DGD). In this episode, I ask him and his business partner Digital Gold Yoda all the important questions about the legitimacy of their new cryptocurrency.

Time stamps:
Introducing Charlie Shrem & Digital Gold Jedi (00:00:48)
Is Charlie Still Bullish on Bitcoin? (00:01:40)
From Bitcoin to Digital Gold (00:02:05)
Details of the Digital Gold Project (00:04:52)
Stability and Value Preservation? (00:05:37)
Community Engagement and User Growth (00:08:34)
Comparison with BitTorrent (00:09:01)
There Are Thousands of Digital Golds (00:14:28)
Unique Features of the Digital Gold Project (00:15:08)
Which Wallets and Exchanges Support Digital Gold? (00:17:05)
Community Engagement and Validation (00:17:55)
Initial Feedback and Expectations (00:18:50)
Purchasing Process and Coin Distribution (00:19:26)
Coin Withdrawal Mechanics (00:20:15)
Network Growth and Distribution (00:21:02)
Exchanges and Market Dynamics (00:22:57)
Stablecoin vs. Price Speculation (00:23:25)
Price Determination Mechanism (00:24:27)
Infrastructure and Value Creation (00:25:09)
Market Dynamics and Adoption (00:26:06)
Mining vs. Market Factors (00:26:21)
Coin Purchase Process Clarification (00:27:13)
Community Participation and Evangelism (00:29:20)
Address Reuse Concerns (00:31:16)
Price Validation by Community (00:32:38)
Selling Coins Among Users (00:34:31)
Community Exchange Challenges (00:34:43)
Decentralized Exchange Considerations (00:35:44)
Arbitrage Opportunities (00:36:00)
Side Shift (00:36:43)
Treasury and Bitcoin Ownership (00:37:42)
Concerns About Bitcoin Reserve Safety (00:38:00)
Community Trust and Auditing (00:39:26)
Charlie Shrem's Long-Term Vision for Digital Gold (00:40:28)
Self-Custody and User Understanding (00:41:51)
Value of DGB vs. Bitcoin (00:42:07)
Name Change Story (00:44:01)
Treasury Transparency and Auditing (00:45:24)
Future of Auditing in Crypto (00:46:29)
Bullish Prediction for Digital Gold (00:47:18)
Understanding User Risks and Backup Solutions (00:51:51)
Digital Gold Experiment (00:52:56)
Challenges of User Adoption (00:54:10)
Centralization Concerns (00:57:42)
Node Operation Incentives (00:58:16)
Concept of Proof of Participation (01:00:55)
Contribution vs. Purchase (01:06:52)
Intrinsic Value and Market Parity (01:09:07)
Discussion on Gold and Currency Value (01:10:04)
Clarifying Payment Terminology (01:10:35)
Contributions, Not Investments (01:11:57)
White Paper Availability (01:12:44)
Smart Currency Concept (01:15:20)
Comparison with Bitcoin Cash (01:15:49)
Participation in the Network (01:16:40)
Digital Gold vs Terra Luna (01:17:47)
Claiming Coins Without Purchase (01:19:16)
Distribution Model Fairness (01:21:04)
Becoming a Staker (01:23:25)
Node Connection and Validation (01:25:03)
Impact of Node Outages (01:27:25)
Core Staking Nodes Explained (01:28:09)
Government Threats to Network (01:29:10)
Initial Market Cap and Podcast Launch (01:30:25)
Security Team: How Does It Get Paid? (01:32:44)
Bug Bounty and Security Issues (01:36:00)
Distribution of Coins and Participation (01:37:29)
Peer-to-Peer Transactions (01:39:33)
Transparency of Coin Holdings (01:41:51)
Labeling The Team's Staking Wallets (01:42:23)
First Dancers (01:45:31)
Charlie Shrem's Role in Digital Gold (01:45:39)
The Litmus Test (01:46:03)
Importance of Charlie's Endorsement (01:46:31)
Highlighting Charlie's Character (01:47:31)
Addressing Potential Concerns (01:48:03)
User-Friendly Exchange Integration (01:48:42)
Future Selling of Coins (01:49:44)
Saying Goodbye (01:50:13)

Hacker Valley Studio
The Year of the Agent: AI, Bug Bounties, and Cybersecurity Insights with Marco Figueroa

Jan 10, 2025 | 41:39


How will AI redefine cybersecurity in 2025? According to Marco Figueroa, Program Manager for Gen AI at the ODIN Bug Bounty Program, this year is set to be the "Year of the Agent," where AI systems and integrations take a central role. In this special New Year bonus episode, Ron sits down with Marco to discuss the transformative role of AI in solving cybersecurity challenges. Marco breaks down AI jailbreak techniques, the impact of bug bounty programs on securing AI systems, and why 2025's fast-evolving tech landscape demands creative thinking. Learn how tools like ChatGPT and Gemini 2.0 are reshaping the industry and why staying adaptable is essential.

Impactful Moments:
00:00 - Introduction
02:14 - Speed vs. safety: AI system challenges
05:30 - Why experience matters more than information
07:45 - Legal stakes for deepfakes and AI
18:36 - Marco's creative journey in cybersecurity
28:00 - Jailbreaks: Risks and surprising AI findings
37:13 - 2025 predictions: The rise of agents
41:00 - Closing thoughts and the power of community

Links:
Connect with our guest, Marco Figueroa: https://www.linkedin.com/in/marco-figueroa-re/
Chuck Brooks' 2025 Cybersecurity Predictions article: https://www.forbes.com/sites/chuckbrooks/2024/12/24/cybersecurity-trends-and-priorities-to-watch-for-2025/
Focus Areas for the FaccT Conference News: https://facctconference.org/2025/focusareas
"Unreasonable Hospitality" by Will Guidara Book Link: https://www.amazon.com/Unreasonable-Hospitality-Remarkable-Giving-People/dp/0593418573
Check out our upcoming events: https://www.hackervalley.com/livestreams
Join our creative mastermind and stand out as a cybersecurity professional: https://www.patreon.com/hackervalleystudio
Love Hacker Valley Studio? Pick up some swag: https://store.hackervalley.com
Continue the conversation by joining our Discord: https://hackervalley.com/discord
Become a sponsor of the show to amplify your brand: https://hackervalley.com/work-with-us/

Critical Thinking - Bug Bounty Podcast
Episode 102: Building Web Hacking Micro Agents with Jason Haddix

Dec 19, 2024 | 62:49


Episode 102: In this episode of Critical Thinking - Bug Bounty Podcast Justin grabs Jason Haddix to help brainstorm the concept of AI micro-agents in hacking, particularly in terms of web fuzzing, WAF bypasses, report writing, and more. They discuss the importance of contextual knowledge, the cost implications, and the strengths of different LLM models.

Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!

------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.
Check out our new SWAG store at https://ctbb.show/swag!

Today's Guest - https://x.com/Jhaddix

Resources
Keynote: Red, Blue, and Purple AI - Jason Haddix
https://www.youtube.com/watch?v=XHeTn7uWVQM
Attention in transformers
https://www.youtube.com/watch?v=eMlx5fFNoYc
Shift
https://shiftwaitlist.com/
The Darkest Side of Bug Bounty
https://www.youtube.com/watch?v=6SNy0u6pYOc

Timestamps
(00:00:00) Introduction
(00:01:25) Micro-agents and Weird Machine Tricks
(00:11:05) Web fuzzing with AI
(00:18:15) Brainstorming Shift and micro-agents
(00:34:40) Strengths of different AI Models, and using AI to write reports
(00:54:21) The Darkest Side of Bug Bounty

Critical Thinking - Bug Bounty Podcast
Episode 99: Back to the Basics - Web Fundamental to 100k a Year in Bug Bounty

Nov 28, 2024 | 102:54


Episode 99: In this episode of Critical Thinking - Bug Bounty Podcast Justin and Roni dissect an old thread of Justin's talking about how best to start bug bounty with the goal of making $100k in the first year.

Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!

------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today's Sponsor - AssetNote: Check out their ASMR board (no not that kind!)
https://assetnote.io/asmr

Today's Guest - https://x.com/0xLupin

Resources
Justin's Twitter Thread
https://x.com/Rhynorater/status/1699395452481769867

Timestamps
(00:00:00) Introduction
(00:03:00) Web Fundamentals Education
(00:46:01) Threat Modeling and Hacking Goals
(01:18:58) Vuln Types and finding Specialization

Critical Thinking - Bug Bounty Podcast
Episode 98: Team 82 Sharon Brizinov - The Live Hacking Polymath

Nov 21, 2024 | 103:57


Episode 98: In this episode of Critical Thinking - Bug Bounty Podcast Justin Gardner sits down with Sharon, to discuss his journey from early iOS development to leading a research team at Claroty. They address the differences between HackerOne and Pwn2Own, and talk through some intricacies of IoT security, and some less common IoT attack surfaces.

Follow us on twitter at: @ctbbpodcast
We're new to this podcasting thing, so feel free to send us any feedback here: info@criticalthinkingpodcast.io
Shoutout to YTCracker for the awesome intro music!

------ Links ------
Follow your hosts Rhynorater & Teknogeek on twitter:
https://twitter.com/0xteknogeek
https://twitter.com/rhynorater

------ Ways to Support CTBBPodcast ------
Hop on the CTBB Discord at https://ctbb.show/discord!
We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

Today's Sponsor - ThreatLocker: Check out Network Control!
https://www.criticalthinkingpodcast.io/tl-nc
And AssetNote: Check out their ASMR board (no not that kind!)
https://assetnote.io/asmr

Today's Guest: https://sharonbrizinov.com/

Resources
The Claroty Research Team
https://claroty.com/team82
Pwntools
https://github.com/Gallopsled/pwntools
Scan My SMS
http://scanmysms.com
Gotta Catch 'Em All: Phishing, Smishing, and the birth of ScanMySMS
https://www.youtube.com/watch?v=EhNsXXbDp3U

Timestamps
(00:00:00) Introduction
(00:03:31) Sharon's Origin Story
(00:21:58) Transition to Bug Bounty and Pwn2Own vs HackerOne
(00:47:05) IoT/ICS Hacking Methodology
(01:10:13) Cloud to Device Communication
(01:18:15) Bug replication and uncommon attack surfaces
(01:30:58) Documentation tracker, reCaptcha bypass, and ScanMySMS

Geobreeze Travel
Hacking into TSA and Every Digital Hotel Lock in the World with Ian from seats.aero | Ep 211

Nov 12, 2024 | 32:48


(Disclaimer: Click 'more' to see ad disclosure) Geobreeze Travel is part of an affiliate sales network and receives compensation for sending traffic to partner sites, such as MileValue.com. This compensation may impact how and where links appear on this site. This site does not include all financial companies or all available financial offers. Terms apply to American Express benefits and offers. Enrollment may be required for select American Express benefits and offers. Visit americanexpress.com to learn more.

➤ Free LIVE training to maximize your points https://geobreezetravel.com/webinar
➤ Free points 101 course (includes hotel upgrade email template) https://geobreezetravel.com/freecourse
➤ Free credit card consultations https://airtable.com/apparEqFGYkas0LHl/shrYFpUr2zutt5515
➤ Seats.Aero: https://geobreezetravel.com/seatsaero
➤ Request a free personalized award search tutorial: https://go.geobreezetravel.com/ast-form

If you are interested in supporting this show when you apply for your next card, check out https://geobreezetravel.com/cards and if you're not sure what card is right for you, I offer free credit card consultations at https://geobreezetravel.com/consultations!

Timestamps:
00:00 Introduction / Get to know Ian
01:24 Ian's Cybersecurity Background
02:39 Bug Bounties and Earning Miles
05:12 Hotel Lock Security Flaws
08:44 TSA Known Crew Member Vulnerability
16:08 Building Seats.Aero
20:51 Challenges and Features of Seats.Aero
26:10 Community and Support
30:15 Final Thoughts and Tips

You can find Julia at:
➤ Website: https://geobreezetravel.com/
➤ Instagram: https://www.instagram.com/geobreezetravel/
➤ Credit card links: https://www.geobreezetravel.com/cards
➤ Patreon: https://www.patreon.com/geobreezetravel

Opinions expressed here are the author's alone, not those of any bank, credit card issuer, hotel, airline, or other entity. This content has not been reviewed, approved or otherwise endorsed by any of the entities included within the post. The content of this video is accurate as of the posting date. Some of the offers mentioned may no longer be available.

Paul's Security Weekly
Bug bounties, vulnerability disclosure, PTaaS, fractional pentesting - Grant McCracken - ASW #306

Nov 5, 2024 | 65:35


After spending a decade working for appsec vendors, Grant McCracken wanted to give something back. He saw a gap in the market for free or low-cost services for smaller organizations that have real appsec needs but not a lot of means to pay for them. He founded DarkHorse, which offers VDPs and bug bounties to organizations of all sizes for free, or for as low a cost as possible. While not a non-profit, the company's goal is to make these services as cheap as possible to increase accessibility for smaller or more budget-constrained organizations. The company has also introduced the concept of "fractional pentesting": access to cyber talent when and how you need it, based on what you can afford. This implies services beyond just offensive security, something we'll dive deeper into in the interview. We don't see DarkHorse ever competing with the larger bug bounty platforms, but rather providing services to the organizations too small for the larger platforms to sell to.

In the news: Microsoft delays Recall AGAIN, Project Zero uses an LLM to find a buffer underflow in SQLite, the scourge of infostealer malware, zero standing privileges is easy if you have unlimited time (but no one does), reverse engineering Nintendo's Alarmo and RedBox's... boxes. Bonus: the book series mentioned in this episode is The Lost Fleet by Jack Campbell.

Visit https://www.securityweekly.com/asw for all the latest episodes!
Show Notes: https://securityweekly.com/asw-306

The Lawfare Podcast
Lawfare Daily: Katie Moussouris on Bug Bounties

Aug 12, 2024 | 48:46


Lawfare Editor-in-Chief Benjamin Wittes sits down with Katie Moussouris of Luta Security to talk bug bounties. Where do they come from? What is their proper role in cybersecurity? What are they good for, and most importantly, what are they not good for? Moussouris was among the hackers who first did bug bounties at scale—for Microsoft, and then for the Pentagon. Now she helps companies set up bug bounty programs and is dismayed by how they are being used.

To receive ad-free podcasts, become a Lawfare Material Supporter at www.patreon.com/lawfare. You can also support Lawfare by making a one-time donation at https://givebutter.com/c/trumptrials.

Support this show: http://supporter.acast.com/lawfare. Hosted on Acast. See acast.com/privacy for more information.