HackerOne Bug Bounty Disclosure: security-check-up-ejejohn - https://www.redpacketsecurity.com/hackerone-bugbounty-disclosure-security-check-up-ejejohn/

HackerOne Bug Bounty Disclosure: use-after-free-or-assert-triggered-with-failed-allocations-in-openssl-catenacyber - https://www.redpacketsecurity.com/hackerone-bugbounty-disclosure-use-after-free-or-assert-triggered-with-failed-allocations-in-openssl-catenacyber/
HackerOne Bug Bounty Disclosure: mint-oauth-access-token-for-targeted-user-timothyleung - https://www.redpacketsecurity.com/hackerone-bugbounty-disclosure-mint-oauth-access-token-for-targeted-user-timothyleung/
HackerOne Bug Bounty Disclosure: gnutls-curlinfo-tls-session-curlinfo-tls-ssl-ptr-type-confusion-nyymi - https://www.redpacketsecurity.com/hackerone-bugbounty-disclosure-gnutls-curlinfo-tls-session-curlinfo-tls-ssl-ptr-type-confusion-nyymi/
Oh, also, the email #HackerOne sent out this morning contradicts itself. In the subject it says people have to enable 2FA "to Avoid Account Lockout." Then in the body it says, "Without 2FA set up, you won’t be able to access your account after July 29."
But then elsewhere in the body it says, "If you don’t make this change by July 29, 2025, you’ll be prompted to complete the setup before you are able to access the platform and submit reports."
That's not "lockout," idiots.
#infosec
All the positive #userExperience points #HackerOne earned for how they were rolling out mandatory #2FA were just erased by them sending out a reminder email to all of their users about configuring 2FA without filtering out the users who had already done it.
That's some lazy, user-hostile bullshit, is what that is.
When you know which users have already followed your instructions, you don't need to waste their time making them go back and check. #smdh
#infosec #MFA #UX
P.S. It kind of sucks that #HackerOne has apparently been in the Fediverse as @Hacker0x01 for years but has never posted anything.
On #HackerOne's rollout of mandatory 2FA: They'll soon require 2FA.
They should've done it long ago.
They don't allow SMS or email as primary 2FA.
They allow SMS for 2FA "recovery," making that the weakest link and canceling out the choice not to allow it as primary.
They require you to generate recovery codes.
They make you enter both a recovery code and a TOTP code to prove you saved everything.
They still don't support WebAuthn. Very much not OK!
#infosec #2FA #MFA
HackerOne Bug Bounty Disclosure: use-after-free-in-openssl-keylog-callback-via-ssl-get-ex-data-in-libcurl-brobagazzzx - https://www.redpacketsecurity.com/hackerone-bugbounty-disclosure-use-after-free-in-openssl-keylog-callback-via-ssl-get-ex-data-in-libcurl-brobagazzzx/
HackerOne Bug Bounty Disclosure: arbitrary-file-read-via-file-protocol-in-curl-mr-tufan - https://www.redpacketsecurity.com/hackerone-bugbounty-disclosure-arbitrary-file-read-via-file-protocol-in-curl-mr-tufan/
HackerOne Bug Bounty Disclosure: csrf-at-network-feature-psfauzi - https://www.redpacketsecurity.com/hackerone-bugbounty-disclosure-csrf-at-network-feature-psfauzi/
HackerOne Bug Bounty Disclosure: information-disclosure-identified-on-ibm-endpoint-devire - https://www.redpacketsecurity.com/hackerone-bugbounty-disclosure-information-disclosure-identified-on-ibm-endpoint-devire/
XBOW's AI pentester ranked #1 on HackerOne with 1,060 vulnerabilities found, raising $75M. The kicker? 45% of bugs are still unfixed. We've automated finding problems in hours, but fixing them still takes... time. Progress!
"A lot of #HackerOne notifications that we're getting, are #AI generated garbage" says the director of #OpenSource @mghaught from @rubygems / @rubycentral at @balticruby.
HackerOne Bug Bounty Disclosure: path-traversal-vulnerability-in-lila-project-immm - https://www.redpacketsecurity.com/hackerone-bugbounty-disclosure-path-traversal-vulnerability-in-lila-project-immm/
HackerOne Bug Bounty Disclosure: idor-vulnerability-at-addtagtoassets-operation-name-root-geek - https://www.redpacketsecurity.com/hackerone-bugbounty-disclosure-idor-vulnerability-at-addtagtoassets-operation-name-root-geek/
HackerOne Bug Bounty Disclosure: -xenoblade-chronicles-x-definitive-edition-improper-validation-of-names-allows-injecting-formatting-tags-and-bypassing-profanity-filter-roccodev - https://www.redpacketsecurity.com/hackerone-bugbounty-disclosure-xenoblade-chronicles-x-definitive-edition-improper-validation-of-names-allows-injecting-formatting-tags-and-bypassing-profanity-filter-roccodev/
HackerOne Bug Bounty Disclosure: weak-rate-limiting-controls-in-the-login-page-expose-system-to-brute-force-and-dos-attacks-hajjaj - https://www.redpacketsecurity.com/hackerone-bugbounty-disclosure-weak-rate-limiting-controls-in-the-login-page-expose-system-to-brute-force-and-dos-attacks-hajjaj/
HackerOne Bug Bounty Disclosure: bedrock-guardrails-evasion-with-prompt-formatting-nkirk-nrlabs - https://www.redpacketsecurity.com/hackerone-bugbounty-disclosure-bedrock-guardrails-evasion-with-prompt-formatting-nkirk-nrlabs/
HackerOne Bug Bounty Disclosure: open-redirect-vulnerability-in-oauth-flow-leading-to-potential-phishing-attack-delsec - https://www.redpacketsecurity.com/hackerone-bugbounty-disclosure-open-redirect-vulnerability-in-oauth-flow-leading-to-potential-phishing-attack-delsec/