HackerOne Bug Bounty Disclosure: autotranslate-ddp-method-exposes-private-messages-without-authentication-or-room-access-check-deprrous - RedPacket Security

Company: Rocket.Chat

RedPacket Security

Feed: All Latest | The AI Era Is Creating a Bug Hunting Arms Race by Lily Hay Newman

AI-generated summary; read the full article for complete information.

The article explains how the rise of autonomous AI models is reshaping the bug‑hunting ecosystem, turning vulnerability discovery and exploit creation into a fast‑moving arms race. As AI tools enable both attackers and researchers to identify and weaponize software flaws at unprecedented speed, bug‑bounty programs are being inundated with high‑volume submissions, forcing companies like Google, Apple, and Curl to adjust payout structures and, in some cases, suspend programs due to low‑quality “AI‑generated” reports. This surge is compressing the traditional 90‑day disclosure timeline, pressuring organizations to release patches more quickly while also highlighting the limitations of patch‑centric defenses. Experts argue that, beyond faster fixes, the industry needs fundamentally more resilient architectures that render many bugs irrelevant, as reliance on patching alone cannot keep pace with AI‑driven vulnerability discovery.

Read more: https://www.wired.com/story/the-ai-era-is-creating-a-bug-hunting-arms-race/

#Apple #Google #HackerOne #security_cyberattacksandhacks #security_securitynews #JosephThacker

The AI Era Is Creating a Bug-Hunting Arms Race

As attackers ramp up their AI exploit development, the search for software vulnerabilities is changing rapidly.

WIRED

Back in January I reported two low-level vulnerabilities to the Internet Bug Bounty #hackerone program. At the time the reward for a low-level finding was $600.

I was just rewarded 2 x $68 bounties after 5 months.

EDIT: Removed the part where I voiced my frustration unfairly.

#bugbounty

HackerOne Bug Bounty Disclosure: memory-corruption-via-toctou-race-in-sharedarraybuffer-utf-decode-stringbytes-encode-v-ct-rv-nd-m - RedPacket Security

Company: Node.js

RedPacket Security

HackerOne Bug Bounty Disclosure: null-pointer-dereference-in-node-sqlite-databasesync-applychangeset-via-malformed-sqlite-changeset-junius - RedPacket Security

Company: Node.js

RedPacket Security

HackerOne Slashes Bug Bounty Rewards Amid AI-Driven Report Surge

HackerOne's Internet Bug Bounty program has slashed payouts, with medium-severity vulnerabilities now earning just $297, down from $1,843, and critical ones fetching $2,257, down from $9,250. The program is currently on pause as the company retools its rewards structure.

https://osintsights.com/hackerone-slashes-bug-bounty-rewards-amid-ai-driven-report-surge?utm_source=mastodon&utm_medium=social

#BugBounty #Hackerone #VulnerabilityRewards #AidrivenReports #EmergingThreats

HackerOne Slashes Bug Bounty Rewards Amid AI-Driven Report Surge

Discover how HackerOne's bug bounty payouts have decreased amid an AI-driven report surge and learn what this means for researchers - read the latest updates now.

OSINTSights

HackerOne Bug Bounty Disclosure: hmac-signature-verification-omits-endpoint-and-payload-allowing-request-forgery-on-coinmate-api-glferreira-devsecops - https://www.redpacketsecurity.com/hackerone-bugbounty-disclosure-hmac-signature-verification-omits-endpoint-and-payload-allowing-request-forgery-on-coinmate-api-glferreira-devsecops/

#HackerOne #CVE #Vulnerability #OSINT #ThreatIntel #Cyber

HackerOne Bug Bounty Disclosure: hmac-signature-verification-omits-endpoint-and-payload-allowing-request-forgery-on-coinmate-api-glferreira-devsecops - RedPacket Security

Company: CoinMate.io

RedPacket Security

HackerOne Bug Bounty Disclosure: post-api-bitcoinwithdrawalfees-returns-financial-data-without-authentication-despite-being-documented-as-a-user-operation-private-endpoint-glferreira-devsecops - https://www.redpacketsecurity.com/hackerone-bugbounty-disclosure-post-api-bitcoinwithdrawalfees-returns-financial-data-without-authentication-despite-being-documented-as-a-user-operation-private-endpoint-glferreira-devsecops/

#HackerOne #CVE #Vulnerability #OSINT #ThreatIntel #Cyber

HackerOne Bug Bounty Disclosure: post-api-bitcoinwithdrawalfees-returns-financial-data-without-authentication-despite-being-documented-as-a-user-operation-private-endpoint-glferreira-devsecops - RedPacket Security

Company: CoinMate.io

RedPacket Security

I reported this and another vuln to MetaMask over #hackerone. It was the only communication platform available. Clearly, this needed a private report.

MetaMask marked this and another report as Not Applicable.

Curl accepted a report as Informative, which is great. Glad I reported a security bug properly. But, now I have a -5 HackerOne score and am locked out of coordinated vulnerability disclosure via H1.

I put users first by emailing curl a second vuln and breaking the HackerOne ToS.

HackerOne Bug Bounty Disclosure: sql-injection-in-column-type-parameter-allows-arbitrary-sql-execution-suul - RedPacket Security

Company: Nextcloud

RedPacket Security