Shlomie Liberow (@shlibness)'s Twitter Profile
Shlomie Liberow

@shlibness

Head of Hacker R&D @Hacker0x01. Lover of 4AM shell battles. All things hacking!

ID: 46462683

Joined: 11-06-2009 19:09:20

1.1K Tweets

2.2K Followers

1.1K Following

Shlomie Liberow (@shlibness):

Working on exploiting an SSRF where the service is using axios. Looking at GH issues shows a PR that would have been perfect, allowing for local file read github.com/axios/axios/pu…

Reviewing the profile of this "helpful" PR [that was never merged] shows some suspicious biases 😂

Lupin (@0xlupin):

We just released a new article on how we made $50,000 in #BugBounty by doing a really cool Software Supply Chain Attack 🔥

🔗 Link: landh.tech/blog/20250211-…

Lupin (@0xlupin):

For the past few months I've been talking a lot about Software Supply Chain security and Depi ...

Depi is a SaaS platform aimed at finding ways to backdoor the Software Supply Chain Security of the target we scan 🔥

Here it is! The full story on how we built Depi and its philosophy 😁

Shlomie Liberow (@shlibness):

Looks like heathrowdropoffcharge.co.uk has been operating since February, gouging an extra £4 from circa 83,000 travelers by charging £10 for Heathrow's actual £6 drop-off fee. Just casual predatory behaviour that I suppose isn't illegal...

Shlomie Liberow (@shlibness):

Such a joy talking comprehensive asset discovery! Meeting the amass creator felt full circle - that tool's power to reveal overlooked and obscure subdomains is what kicked off my asset reconnaissance obsession years back and I've never looked back.

Shlomie Liberow (@shlibness):

Just guy next to me at the gym explaining to his friend that before Hitler went for it, Jews boycotted Germany "just like we boycott Israel" and something something Rothschild controls all finances. Good work BBC News (UK) et al for the constant stream of blood libels setting the tone

Shlomie Liberow (@shlibness):

Excited to be part of #HackAIcon. Great lineup - lots to discuss with AI reshaping everything we thought we knew about security

Shlomie Liberow (@shlibness):

My 7 year journey at HackerOne recently came to a close 🏁

It's been an incredible run working with the best people and being part of something that transformed the security industry.

Working there gave me a unique vantage point: the intersection of the world's best security

Shlomie Liberow (@shlibness):

I’ve been training LLMs to recognise vulnerability chains and revisiting my favorite bug bounty reports to understand what patterns they can be taught to spot.

Let’s look at this example of a ticketing platform's booking flow that leaked millions of PII records.

This wasn’t a

Shlomie Liberow (@shlibness):

Zero surprises here. Attack vectors don't need to be sophisticated as much as just needing to be persistent and trying all variants possible.