inzo (@inzo____)'s Twitter Profile
inzo

@inzo____

always hunting for the unseen;

ID: 1589317905853849602

https://hackerone.com/inzo_ · 06-11-2022 18:05:00

181 Tweets

2.2K Followers

147 Following

inzo (@inzo____)

Bug bounty is a dopamine rush, it's true. But it's also a discipline, a constant grind, an obsession with understanding and exploiting what others have overlooked
What a nice payment coming
Next.js (@nextjs)

Next.js 15.2.3 includes a security vulnerability patch. We recommend updating to 15.2.3 or backported patches. If you cannot update, we have included guidance for how to protect your application. Apps on Vercel, Netlify, and Cloudflare are not affected. nextjs.org/blog/cve-2025-…

zhero; (@zhero___)

the research paper is out:

Next.js and the corrupt middleware: the authorizing artifact

result of a collaboration with inzo that led to CVE-2025-29927 (9.1-critical)

zhero-web-sec.github.io/research-and-t…

enjoy the read!
John Hammond (@_johnhammond)

The 9.1 CVSS CVE-2025-29927 authentication bypass vulnerability in Next.js middleware -- covered in a rambling video and teeny tiny demo showcase,
✨ V I B E C O D I N G✨ a vulnerable proof-of-concept app. youtu.be/dL1a0KcAW3Y
zhero; (@zhero___)

> valid reports frantically closed by the same analyst who doesn't understand the vuln (nor tries/ask)
> mediation disabled for these reports(?)
> reports resent hoping to find a different analyst
> same analyst, reports closed

listen, here, what I don't understand doesn't exist
zhero; (@zhero___)

new paper on a vulnerability discovered in React Router, resulting from a collaboration with inzo that led to CVE-2025-31137;

React Router and the Remix'ed path

zhero-web-sec.github.io/research-and-t…

good reading
zhero; (@zhero___)

another research effort with inzo led to the discovery of two new vulnerabilities in React Router (14M+ downloads/week), resulting in:

- CVE-2025-43865 (High-8.2)
- CVE-2025-43864 (High-7.5)
Vercel Changelog (@vercel_changes)

Vercel customers are protected from two high-severity vulnerabilities (CVE-2025-43864 and CVE-2025-43865) in Remix and React Router. Read our advisory to understand impact and next steps. vercel.com/changelog/prot…

inzo (@inzo____)

The real key is to focus on maximizing your bug hunting income, making smart investments, and ultimately transitioning to full-time zero-day research once your investments cover all your living expenses.

zhero; (@zhero___)

Bug bounty, feedback, strategy, and alchemy

frequently asked for advice, roadmaps, and more, I finally took the time, after 2–3 years of bug bounty, to write down my vision, thoughts and perspective on the subject

non-technical, no research this time!

zhero-web-sec.github.io/thoughts/bugbo…
zhero; (@zhero___)

new discovery: cache poisoning on next.js - CVE-2025-49826

indefinite caching of a 204 response, rendering the affected pages inaccessible

affected versions: >15.0.4 and <15.2.0

there will be no research paper for this one