The Day I Found an Unsecured FTP — A Responsible Disclosure Story
This responsible disclosure article documents the discovery of an unsecured FTP server during security reconnaissance.

**Vulnerability Type**: Unsecured FTP service with information disclosure and potential anonymous access.

**Reconnaissance Process**: The researcher used assetfinder for subdomain discovery, a DNS lookup to resolve target.example to 203.0.113.45, and nmap to identify open services (FTP, SMTP, SMTPS, MySQL, POP3, HTTP).

**Security Flaw**: The FTP service allowed session establishment with some directory listings visible even without valid credentials, indicating a weak configuration.

**Technical Details**: The researcher connected via an FTP client and observed that, while authentication was technically required, the service exposed directory contents and allowed informational commands (ls, dir, pwd) without full authentication: a classic misconfiguration.

**Impact**: Exposed directory structures could reveal sensitive filenames, system paths, or data files. The service combination (FTP + MySQL + other services) also indicated a poor security posture.

**Responsible Approach**: The researcher practiced ethical disclosure by stopping at observation, taking screenshots without documenting specific files, and avoiding destructive actions. They focused on identifying the vulnerability for responsible reporting rather than exploitation.

**Mitigation**: Secure FTP configurations should disable anonymous access, restrict directory visibility, implement proper authentication, and ensure least-privilege access controls. Regular security audits of exposed services are essential.

#infosec #BugBounty #Cybersecurity #ResponsibleDisclosure #FTPSecurity
https://medium.com/@H4RUK7/the-day-i-found-an-unsecured-ftp-a-responsible-disclosure-story-00caf67ec647?source=rss------bug_bounty-5
“The Day I Found an Unsecured FTP — A Responsible Disclosure Story”

On that day I decided to dig into a specific domain after brushing up on ports, enum, and exploitation. I kicked off recon with subdomain…

Medium
How Bug Bounty Programs are Improving Software Security
This article demonstrates the tangible impact of bug bounty programs on enterprise security through a real-world case study.

**Case Study**: A 19-year-old Brazilian computer science student discovered a critical payment system vulnerability allowing unlimited fund transfers between accounts, which had been missed by senior engineers for months. The student earned a $5,000 bounty and provided valuable security insights.

**The Power of Diversity**: While the internal security team consisted of 6 engineers, the bug bounty program provided access to thousands of global researchers with diverse perspectives, unique testing methodologies, and persistent curiosity that no single internal team could match.

**Cost-Effectiveness**: Traditional penetration testing costs $25,000 for a one-time assessment, while their bug bounty program spent $48,000 over two years but prevented potential losses in the millions of dollars.

**Global Army of Ethical Hackers**: Bug bounty programs create a distributed network of ethical hackers who continuously probe systems, providing ongoing security testing rather than one-time assessments.

**Business Impact**: This approach allowed the company to prevent massive financial losses while building relationships with the security research community and improving its overall security posture. The article highlights how crowdsourced security testing can outperform traditional methods in both effectiveness and cost efficiency.

#infosec #BugBounty #Cybersecurity #ResponsibleDisclosure #SecurityTesting
https://osintteam.blog/how-bug-bounty-programs-are-improving-software-security-f1b8efa64d3f?source=rss------bug_bounty-5
How Bug Bounty Programs are Improving Software Security

The Day a College Student Found What Our Team Missed

Medium
The Day I Found an Unsecured FTP — A Responsible Disclosure Story
This responsible disclosure article documents the discovery of an unsecured FTP service during security reconnaissance targeting a specific domain.

**Vulnerability Type**: Unsecured FTP service with information disclosure and improper access controls.

**Reconnaissance Process**: The researcher used assetfinder for subdomain discovery, identified the target.example domain, performed a DNS lookup resolving to 203.0.113.45, then conducted nmap service enumeration revealing FTP, SMTP(S), MySQL, POP3, and HTTP services.

**Security Flaw**: The FTP service accepted connections and exposed directory listings even without valid authentication credentials, allowing unauthorized information disclosure.

**Technical Details**: The researcher connected using basic FTP client commands and observed that, while authentication was technically required, the service leaked directory contents and allowed informational commands (ls, dir, pwd) without proper validation.

**Responsible Approach**: The researcher practiced ethical disclosure by stopping at observation, taking redacted screenshots, and avoiding destructive exploitation techniques. They focused on documenting the misconfiguration for responsible reporting rather than accessing sensitive data.

**Impact**: Exposed directory structures could reveal system architecture, file naming conventions, or sensitive data paths, potentially facilitating further attacks or reconnaissance.

**Mitigation**: Proper FTP configuration should disable anonymous access, implement strict authentication requirements, restrict directory visibility, and ensure least-privilege access controls with proper file system permissions. Regular security audits of exposed services are essential.

#infosec #BugBounty #Cybersecurity #ResponsibleDisclosure #FTPSecurity #VulnerabilityDisclosure
https://medium.com/@H4RUK7/the-day-i-found-an-unsecured-ftp-a-responsible-disclosure-story-00caf67ec647?source=rss------bug_bounty_tips-5
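The mitigation points in both summaries of this article (disable anonymous access, restrict directory visibility, require proper authentication, least privilege) can be expressed as a concrete FTP daemon configuration. The following is an added example and not configuration from the article or from the affected server; the article does not say which FTP daemon was running, so vsftpd, the certificate paths, the user-list path and the passive port range are all assumptions. The first section shows settings that would produce the kind of exposure described (anonymous logins, listings for everyone, no transport encryption); the second shows the corrected settings. vsftpd expects comments on their own lines, so the explanations are written that way.

```ini
# ===== WEAK: constructed settings consistent with the misconfiguration described =====
listen=YES
# Anyone may log in as "anonymous" / "ftp" with any password.
anonymous_enable=YES
# Anonymous sessions may read files that are not world-readable.
anon_world_readable_only=NO
# Anonymous sessions may upload and create directories.
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
# Local users are not confined to their home directory.
chroot_local_user=NO
# Real system usernames and groups appear in listings.
hide_ids=NO
# A single "ls -R" can dump the whole exported tree.
ls_recurse_enable=YES
# Credentials and data travel in cleartext.
ssl_enable=NO

# ===== HARDENED: corrected settings =====
listen=YES
# No anonymous access at all.
anonymous_enable=NO
local_enable=YES
# Only accounts explicitly listed in the user list may log in (path is assumed).
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.user_list
# Read-only by default; enable writes only for accounts that need them.
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
# Least privilege: confine each user to its own home directory.
chroot_local_user=YES
# Show "ftp" instead of real uid/gid in listings.
hide_ids=YES
# Disable recursive listings to limit bulk directory disclosure.
ls_recurse_enable=NO
# FTPS: require TLS on both the control and data channels (cert paths are assumed).
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
rsa_cert_file=/etc/ssl/certs/ftp.example.pem
rsa_private_key_file=/etc/ssl/private/ftp.example.key
# Narrow passive port range so the firewall can allow only these ports (assumed range).
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50100
# Limit concurrent sessions.
max_clients=50
max_per_ip=5
# Log transfers and every FTP command so audits can see what was listed or fetched.
xferlog_enable=YES
log_ftp_protocol=YES
```

After applying the hardened section and restarting the daemon, a useful acceptance check from your own host is that `USER anonymous` is answered with a 530 rejection, that LIST/NLST before a successful login is also rejected, and that a plain (non-TLS) login attempt fails; the protocol log produced by log_ftp_protocol gives a defender a record of any unauthenticated listing attempts that do reach the server.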
White Hat Hackers: Crypto's Unsung Digital Guardians

Discover the crucial role of ethical white hat hackers in securing the crypto world. Learn how they find vulnerabilities before criminals do.

investurns.com

#sicherheit concerns us all:
What points/rules/rewards do you expect in the #responsibledisclosure policy of a site like LinuxNews.de? I'm currently a bit clueless about it…

Hashtags so we hit the #itsecurity bubble at full blast: #cybersecurity #cybersec #opsec #security #databreach #hackerangriff #hacker #itsec #credentialtheft #digitalsafety #digitalesicherheit #threatintelligence

(post describes my experience and does not represent my employer)

LinkedIn post (see also screenshot): https://www.linkedin.com/posts/johannes-greil-189bb813b_cybersecurity-infosec-workexaminer-activity-7386384177107116032-T3ow

I was involved in the mentioned cases and can only warn every penetration tester of bug bounty platforms.

I worked in an official CVE Numbering Authority (CNA) and we were legally threatened multiple times by vendors.

While bug bounty platforms claim to be a "safe harbor" and claim to mediate in difficult situations, in every instance they told us we have to adhere to the policies of the platform and didn't help any further. So, any user of these platforms has a double liability: first, to your country's law, second to the bug bounty platform's policy.

In the case of #HackerOne, they delegate this policy to the vendors:
"Security Teams will publish a program policy [...]. You should always carefully review this program policy prior to submission as they will supersede these [H1's] guidelines in the event of a conflict."
Source: https://www.hackerone.com/terms/disclosure-guidelines

So vendors can create a policy "no one is allowed to publish if we don't agree" and defeat responsible disclosure. In fact, some vendors do exactly that. Bug bounty platforms are paid by vendors and have no incentive to protect the researchers.

➡️ If you submit your vulnerability via email or similar directly to the vendor, then you are not legally bound to the bug bounty program's policy.
➡️ If there is trouble, involve your national CERT, they truly mediate.

Stay safe and warn your pentesting friends.

#PenetrationTesting #CVE #ResponsibleDisclosure

Unfair Experience in a Bug Bounty Program
A researcher discovered a critical sensitive information disclosure vulnerability, allowing access to system files like changelog, webconfig, and other sensitive data. The issue was fixed but the report remains unaccepted after two months, causing frustration and potentially discouraging responsible disclosure. Bug bounty platforms should prioritize fairness, transparency, and proper recognition for researchers to maintain motivation in the cybersecurity community. #BugBounty #CyberSecurity #EthicalHacking #Infosec #ResponsibleDisclosure #BugBountyCommunity
https://medium.com/@junedsilavata/unfair-experience-in-a-bug-bounty-program-d00803899e3e?source=rss------bug_bounty-5
🔒 Unfair Experience in a Bug Bounty Program

🔒 Unfair Experience in a Bug Bounty Program Recently, I found a critical sensitive information disclosure in a program listed on a bug bounty platform. I was even able to access and install system …

Medium
@BMDS Hello, ever heard of #ModernSolutionGmbH and the #Hackerparagraphen? Now that the last instance, the #BVG, has also left the programmer hanging, just for your information. #ResponsibleDisclosure is over. In Moscow and Beijing they are laughing at us. A password in plaintext in an exe is not a security measure. Don't be surprised if there are soon many more vulnerabilities on the darknet. They treat their sources better. #justmy2cents
Federal Constitutional Court rejects complaint in the Modern Solution case

The Federal Constitutional Court declines to bring more clarity to the handling of the hacker paragraph, Section 202 StGB.

heise online
