Vulnerabilities in the MAX messenger
Since the launch of the Bug Bounty program in July 2025, the system has accumulated 454 reports, of which 288 have been recognized as valid. This is not just a "workflow" but an indicator
https://enep-home.ru/2026/04/13/%d1%83%d1%8f%d0%b7%d0%b2%d0%b8%d0%bc%d0%be%d1%81%d1%82%d0%b8-%d0%b2-%d0%bc%d0%b5%d1%81%d1%81%d0%b5%d0%bd%d0%b4%d0%b6%d0%b5%d1%80%d0%b5-max/
If you are doing legitimate security research with #Claude, #Anthropic is rolling out new guardrails. I just got stopped in the middle of a #bugbounty, and was asked to fill out this form. They approved me within an hour.
Wanted to get the word out. You might want to go ahead and fill this out before you get blocked mid-hack.
https://claude.com/form/cyber-use-case
https://youtube.com/watch?v=V6pgZKVcKpw
If you only watch one video on cyber security this year, make it this one
#infosec #informationsecurity #security #computersecurity #internetsecurity #vulnerability #bugs #bugbounty #cybersecurity #monoculture #cyber

I don't know enough about security research. For a project like Node.js does stopping bug bounties drastically impact anything?
On the face of it, no money means people may be less incentivised to help or report, which feels bad.
But Node.js is a massive concern, so is there enough goodwill and surface area that people will help and report anyway? Simply because big orgs rely on it?
https://nodejs.org/en/blog/announcements/discontinuing-security-bug-bounties
A lot of XSS testing turns into guessing payloads and hoping something works.
It doesn’t have to be that way.
I wrote a short guide on a 3-step process to identify context quickly and approach reflections more methodically.
https://medium.com/@marduk.i.am/stop-guessing-xss-payloads-881cad409624
Subdomain Takeover Vulnerabilities and Prevention
In this article, I cover:
* How subdomain takeover vulnerabilities occur
* Real-world exploitation scenarios
* Reconnaissance and detection techniques
* Practical prevention and DNS hygiene strategies
https://denizhalil.com/2026/02/16/subdomain-takeover-vulnerabilities-prevention/
#CyberSecurity #SubdomainTakeover #DNS #AttackSurface #BugBounty #RedTeam #BlueTeam #InfoSec #CloudSecurity #WebSecurity #EthicalHacking
One concrete ask:
@hackerone — please publish program-level SLA compliance rates. Researchers currently have no visibility into whether a 28-day wait is an anomaly or the norm for a given program.
Transparency builds trust. Silence erodes it.
Timeline and documentation: forthcoming on Medium.
Bug bounty SLA transparency:
A Critical-severity account takeover affecting millions of users was submitted via @hackerone on March 11, with complete attack chain and code-level evidence.
28 days: no vendor response.
Mediation requested on day 16: still pending.
Program's published SLA: 2 days.
Sharing this timeline publicly because the internal process has stalled.