Bug bounty businesses bombarded with AI slop
https://arstechnica.com/ai/2026/05/bug-bounty-businesses-bombarded-with-ai-slop/
Wayback Machine as an IDOR archive: how temporary links stopped being temporary
In March 2026 many people were discussing the situation around access to images from private messages in the MAX messenger via links saved through WebArchive. At the time, many were also unhappy with the company's response. Unfortunately, the situation is worse than it looks, because the problem goes unrecognised not only at MAX but at other companies as well (I ran into this while notifying companies about similar issues). In this article I explain why I consider the situation a problem for everyone: users, companies, and bug hunters. And how the combination "WebArchive + IDOR" can become a time bomb for a company. Moreover, this situation is a vivid example of how a well-tuned mechanism for raising the bar on secure development (what a company's internal security people don't find, bug hunters will catch) sometimes fails.
https://habr.com/ru/articles/1035516/
#idor #bola #webarchive #wayback_machine #багбаунти #bugbounty #Standoff365
Published a new article: “Gadget Hunting in Practice”
The article focuses on practical prototype pollution hunting methodology:
• confirming pollution correctly
• identifying gadgets
• tracing execution sinks
• understanding weak vs strong sinks
• using DOM Invader and ppmap effectively
One of the biggest mistakes beginners make is trying to do pollution confirmation, gadget discovery, and exploitation all at once.
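As an added illustration of keeping those three steps separate (constructed example code, not from the article or its tooling): a small Node.js lab in which a naive recursive merge pollutes Object.prototype, a marker property proves the pollution on a fresh object, and two hypothetical "library" functions act as gadgets, one whose sink only alters a string and one that reaches new Function. The merge functions, the gadget names (renderGreeting, runHook) and the pp_marker property are all assumptions made for the demo, and the hardened merge shows the usual fix of refusing to walk into the prototype chain.

```javascript
// Added example, not code from the article: a minimal prototype-pollution lab in Node.js
// that separates the three steps (prove pollution, find a gadget, reach a sink).
// The merge functions, gadget names and the "pp_marker" property are hypothetical.

// Vulnerable: recursive merge that blindly follows keys from attacker-controlled JSON.
// JSON.parse creates an *own* property literally named "__proto__", and for a plain
// object target["__proto__"] is Object.prototype, so the recursion writes into the
// shared prototype that every {} inherits from.
function vulnerableMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && typeof target[key] === 'object') {
      vulnerableMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skip the three keys that let a merge walk into the prototype chain and
// only recurse into the target's own plain-object properties.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Step 1: prove pollution with a marker that no real code reads, checked on the
// prototype itself rather than on the object you merged into.
function isPolluted(marker) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, marker);
}

// Step 2/3: two hypothetical "library" functions that read an option the caller never set.
// Weak sink: the polluted value only changes data (an attribute inside a string).
function renderGreeting(opts = {}) {
  const cls = opts.className || 'greeting';
  return `<div class="${cls}">hello</div>`;
}
// Strong sink: the polluted value reaches a code-execution sink.
function runHook(opts = {}) {
  const hook = typeof opts.hook === 'string' ? opts.hook : 'return 0';
  return new Function(hook)();
}

// Drive the lab with a constructed attacker payload and return what each gadget saw.
function runLab(merge) {
  const payload = JSON.parse(
    '{"__proto__":{"pp_marker":true,"className":"x\\" onload=\\"alert(1)","hook":"return 42"}}'
  );
  try {
    merge({}, payload);
    return {
      polluted: isPolluted('pp_marker'),
      greeting: renderGreeting({}),
      hookResult: runHook({}),
    };
  } finally {
    // Clean up so one experiment does not taint the next (or the rest of the process).
    for (const k of ['pp_marker', 'className', 'hook']) delete Object.prototype[k];
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable merge:', runLab(vulnerableMerge));
  console.log('safe merge:     ', runLab(safeMerge));
}
```

Running it shows the point of doing the steps in order: with vulnerableMerge the marker proves pollution before any gadget is examined, renderGreeting merely reflects the attacker string into markup, and runHook executes it; with safeMerge none of the three fire, so a payload that "does nothing" tells you the merge is not the problem, not that the gadgets are safe.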
Zero Zero-Days.
https://na3niel.substack.com/p/zero-zero-days
May 12, 2026. Microsoft #PatchTuesday. Official #zeroday count: 0.
Same day. A researcher dropped two.
This is a field report on who's counting, and what they count.
Here's what others were doing.
Google pays $17.1 million a year in bug bounties — HackerOne's all-time annual record. Project Zero applies a 90-day public disclosure rule to every vendor. Including Google itself. In 2025 they added one more thing: they now publish the discovery date and the deadline before the patch even exists. The clock is public. The world knows it's running.
Apple had no public #bugbounty before 2020. The community noticed. They launched one. $35M paid, 800+ researchers credited over five years. October 2025: top reward doubled to $2M. $1,000 floor added for low-impact, first-time reports. Their stated reason: "we want researchers to have an encouraging experience."
Meta has paid a minimum of $500 per report since 2011. Not contingent on severity. Not contingent on final triage. The researcher showed up. The $500 ships.
OpenAI launched Daybreak in May 2026. An AI-powered vuln detection tool handed directly to external researchers. A tool to find problems with their own products. Given to the people looking for problems.
Anthropic's policy, as written: "We fully support researchers' right to publicly disclose vulnerabilities they discover."
xAI: March 2, 2025. A developer committed an .env file — API keys included — to a public GitHub repo. GitGuardian found it the same day. Sent an alert. No action followed.
Two months later, an independent researcher found the same key still active. GitGuardian reinvestigated. Still valid. No security.txt at xAI's domain. HackerOne contact for X: expired since January 2024, unrenewed. xAI's reply: "Please submit to HackerOne." The repo was deleted. No update sent. The fix happened silently, out of bounds of the process that found the problem.
And then there's Microsoft.
November 2, 2023 — Secure Future Initiative: "Security above all else."
April 2026 — Zero Day Quest 2026: "Zero Day Quest remains a core part of our ongoing partnership with the security research community." $2.3M awarded.
April 2 — BlueHammer published. #CVE-2026-33825 issued. Patched. Real exploitation observed by April 10.
April 16 — RedSun published. Live exploitation observed: compromised FortiGate VPN credentials, Russian IP, hands-on-keyboard operator. No #CVE issued. Patch quietly shipped. No announcement.
May 12, Patch Tuesday — Official zero-day count: 0.
May 12, same day — Chaotic Eclipse dropped YellowKey (#BitLocker bypass, Windows 11 / Server 2022/2025) and GreenPlasma (privilege escalation to SYSTEM).
The researcher's note: "Microsoft silently patched the RedSun vulnerability." "There will be a big surprise on June 9."
Microsoft's statement: "We support coordinated vulnerability disclosure — a broadly adopted industry practice that ensures issues are carefully investigated and addressed before being publicly disclosed."
The researcher didn't ask for money. Didn't ask for credit. Asked to be seen.
The mirror is there. No one has to look.
Full piece: what a silent patch does to the count — why CVE-based tooling is structurally blind to exactly this — the economics of recognition vs. money in the research community — Ballmer, 2001, and the distance between the stage and the MSRC triage queue — what to do instead of trusting the count.
All sources and related URLs are in the Substack post.
The Wonders of AI: We Are Retiring Our Bug Bounty Program
「 It became too high a reward to just point an LLM at Turso, and try to find a bug. And as you all know, if you instruct an LLM to go find a bug and collect a bounty, it will produce some output. Whether or not it makes sense, is a completely different story. I want to share some of those with you 」
HackerNewsTop5 (@hackernewstop5)
Turso has announced that it is ending its bug bounty program, citing the AI era. It is a decision to move its security response framework away from an external incentive model to a different approach, and it is worth noting from the perspective of developer-infrastructure security operations.
Vibe-chaos. A hacker reported vulnerabilities to an AI no-code app-building platform (Lovable)…
This is the incident in question. The report went through HackerOne. But the folks at HackerOne closed the reports ("yo, duplicate, no cash for you, have a nice day ;-)"). So the hacker waited 48 days, hoping they might still deal with the bug after all, and then went hacking. The hacking: "Today I created a free account at...
P2.
Then exactly one month later they opened a public bug bounty on HackerOne. Anyone who finds a vulnerability will be rewarded.
If Mythos is truly that capable, why does Anthropic still need me and you poking holes in their systems the old-fashioned way?