Tag: bug-bounty
-
Jenkins Plugin Updates Fix Path Traversal and Stored XSS Bugs
The Jenkins project released a critical security advisory addressing seven vulnerabilities across multiple widely used plugins. The disclosed flaws include high-severity path traversal and stored cross-site scripting (XSS) vulnerabilities that could allow threat actors to execute arbitrary code or hijack user sessions. All vulnerabilities were responsibly disclosed through the Jenkins Bug Bounty Program, which the…
-
GPT-5.5 Bio Bug Bounty Program Aims to Improve AI Safety and Performance
OpenAI has officially launched the GPT-5.5 Bio Bug Bounty program to strengthen safeguards against emerging biological risks. As artificial intelligence models become more advanced, the potential for malicious actors to generate dangerous biological information increases. Advanced persistent threats (APTs) and lone attackers could potentially misuse large language models to accelerate harmful biological research. To address…
-
Next AI capitulation: Nextcloud no longer pays bounties for reported vulnerabilities
Anyone who reports security vulnerabilities to the Nextcloud developers will go away empty-handed from now on. Once again, AI is proving to be the downfall of a bug bounty program. First seen on golem.de Jump to article: www.golem.de/news/naechste-ki-kapitulation-nextcloud-zahlt-fuer-gemeldete-luecken-keine-praemien-mehr-2604-207914.html
-
Meta and PortSwigger drive offensive security further to find what others miss
Meta Bug Bounty and PortSwigger have formed a partnership to help security researchers sharpen their skills, collaborate more closely, and improve vulnerability discovery. The … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2026/04/20/meta-bug-bounty-portswigger-partnership/
-
Overloaded by AI: No more money for bug reports to open-source projects
Internet Bug Bounty is no longer paying bounties for the time being. This affects Node.js, among others. The reason: with AI, a lot gets reported but little gets fixed. First seen on golem.de Jump to article: www.golem.de/news/wichtiges-bug-bounty-programm-pausiert-ki-reports-ueberlasten-open-source-projekte-2604-207325.html
-
Important bug bounty program paused: AI reports overwhelm open-source projects
Internet Bug Bounty is no longer paying bounties for the time being. This affects Node.js, among others. The reason: with AI, a lot gets reported but little gets fixed. First seen on golem.de Jump to article: www.golem.de/news/wichtiges-bug-bounty-programm-pausiert-ki-reports-ueberlasten-open-source-projekte-2604-207325.html
-
Google’s Bug Bounty Program Hits Record $17 Million in 2025 Payouts
Google has announced a record-breaking year for its Vulnerability Reward Program (VRP). In 2025, the tech giant paid out more than $17 million to ethical hackers worldwide to help secure its platforms. This major milestone marks a massive 40% increase compared to 2024 and perfectly aligns with the program’s 15th anniversary. Over 700 security researchers…
-
Internet Bug Bounty program hits pause on payouts
This article first appeared on InfoWorld. First seen on csoonline.com Jump to article: www.csoonline.com/article/4154216/internet-bug-bounty-program-hits-pause-on-payouts-2.html
-
Adobe Data Breach Allegedly Exposes 13 Million Support Tickets
A threat actor known as "Mr. Raccoon" claims to have breached Adobe, stealing a massive amount of sensitive data. According to a report by International Cyber Digest, the stolen files include 13 million customer support tickets, 15,000 employee records, internal documents, and all of the company's HackerOne bug bounty submissions. The attacker did not hack…
-
Make OpenAI’s models misbehave and earn a reward
OpenAI’s public Safety Bug Bounty program focuses on AI abuse and safety risks across its products. The goal is to support safe and secure systems and reduce the risk of … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2026/03/27/openai-safety-bug-bounty-program/
-
OpenAI Expands Bug Bounty to Cover AI Abuse and ‘Safety’ Concerns
OpenAI’s Safety Bug Bounty program seeks to address AI safety vulnerabilities beyond traditional security flaws First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/openai-bug-bounty-ai-abuse-safety/
-
Meet Khaled Mohamed: the bug hunter who found a Microsoft flaw
We talked to Khaled Mohamed on going from script kiddie to bug bounty hunter, and the moment he uncovered a flaw in Microsoft Authenticator. First seen on securityboulevard.com Jump to article: securityboulevard.com/2026/03/meet-khaled-mohamed-the-bug-hunter-who-found-a-microsoft-flaw/
-
HackerOne Confirms Employee Data Stolen Following Linked Navia Hack
HackerOne, a leading vulnerability coordination and bug bounty platform, has officially confirmed a data breach impacting its employees. The security incident did not occur directly on HackerOne’s internal network or infrastructure. Instead, the sensitive data was exposed through a targeted cyberattack on a third-party service provider known as Navia. Employee Data Stolen: According to a…
-
HackerOne discloses employee data breach after Navia hack
Bug bounty platform HackerOne is notifying hundreds of employees that their data was stolen after attackers hacked Navia, one of its U.S. benefits administrators. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/hackerone-discloses-employee-data-breach-after-navia-hack/
-
UIDAI Introduces Bug Bounty Program to Strengthen Aadhaar Defenses
The Unique Identification Authority of India (UIDAI) has officially launched its first structured bug bounty program to fortify the Aadhaar system. As the foundation of a massive national identity database, securing Aadhaar requires continuous innovation and rigorous testing. This new initiative invites top cybersecurity experts to proactively identify and responsibly disclose potential vulnerabilities within UIDAI’s…
-
AWS Bedrock’s ‘isolated’ sandbox comes with a DNS escape hatch
AWS allegedly rolled back a fix: BeyondTrust said it discovered and reported the vulnerability to AWS on September 1, 2025, via the bug bounty platform HackerOne. AWS reportedly acknowledged receipt of the report and deployed an initial fix to production in November. However, BeyondTrust was informed a few days later that the initial fix was rolled…
-
USENIX Security ’25 (Enigma Track) Everything Old Is New Again: Legal Restrictions On Vulnerability Disclosure On Bug Bounty Platforms
Author, Creator & Presenter: Kendra Albert, Albert Sellars LLP. Our thanks to USENIX Security ’25 (Enigma Track) for publishing their Creators, Authors and Presenters’ tremendous USENIX Security ’25 (Enigma Track) content on the Organizations’ YouTube Channel. First seen on securityboulevard.com Jump to article: securityboulevard.com/2026/03/usenix-security-25-enigma-track-everything-old-is-new-again-legal-restrictions-on-vulnerability-disclosure-on-bug-bounty-platforms/
-
14 old software bugs that took way too long to squash
Age: 30 years. Date introduced: 1995. Date fixed: February 2026. Researchers unearthed a legacy flaw in the widely used libpng open-source library that had existed since the technology was first released more than 30 years ago. The heap buffer overflow vulnerability (CVE-2026-25646) meant that applications using the flawed software would crash when presented with a maliciously constructed PNG raster…
-
Psychological strain: cURL stops its bug bounty program because of AI-generated false reports
First seen on security-insider.de Jump to article: www.security-insider.de/ende-bug-bounty-programm-curl-ki-falschmeldungen-a-7918a628a41352e4cc170987f1788dee/
-
Open-source benchmark EVMbench tests how well AI agents handle smart contract exploits
Smart contract exploits continue to drain funds from blockchain projects, even as auditing tools and bug bounty programs grow. The problem is tied to how Ethereum Virtual … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2026/02/19/evmbench-open-source-benchmark-ai-agents/
-
Disclosure: SupportCandy Ticket Attachment IDOR (CVE-2026-1251)
During independent security research conducted as part of the Wordfence Bug Bounty Program, we identified a broken access control vulnerability in the SupportCandy plugin for WordPress. SupportCandy is a helpdesk and customer support ticketing plugin that enables organisations to manage user-submitted support requests directly within their WordPress environment, including the ability to upload files and…
-
When responsible disclosure becomes unpaid labor
…supposed to function and how it increasingly does in practice. Enter the gray zone of ethical disclosure: the result is a growing gray zone between ethical research and adversarial pressure. Based on years of reporting on disclosure disputes, that gray zone tends to emerge through a small set of recurring failure modes. Silent treatment and severity…
-
NDSS 2025 PropertyGPT
Session 11A: Blockchain Security 2. Authors, Creators & Presenters: Ye Liu (Singapore Management University), Yue Xue (MetaTrust Labs), Daoyuan Wu (The Hong Kong University of Science and Technology), Yuqiang Sun (Nanyang Technological University), Yi Li (Nanyang Technological University), Miaolei Shi (MetaTrust Labs), Yang Liu (Nanyang Technological University). PAPER: PropertyGPT: LLM-driven Formal Verification of Smart Contracts…
-
Because of AI spam: curl discontinues its bug bounty
After years and thousands of dollars paid to security researchers, the curl project has to discontinue its bug bounty program. The reason: LLMs. First seen on tarnkappe.info Jump to article: tarnkappe.info/kommentar/wegen-ki-spam-curl-stellt-bug-bounty-ein-325472.html
-
Unplugged holes in the npm and yarn package managers could let attackers bypass defenses against Shai-Hulud
…disabling the ability to run lifecycle scripts (commands that run automatically during package installation), and saving lockfile integrity checks (package-lock.json, pnpm-lock.yaml, and others) to version control (git). The lockfile records the exact version and integrity hash of every package in a dependency tree. On subsequent installs, the package manager checks incoming packages against these hashes, and if…
-
Node.js Sets New Standard for HackerOne Reports, Demands Signal of 1.0 or Higher
Node.js has implemented a new quality control measure on its HackerOne bug bounty program, requiring researchers to maintain a minimum Signal reputation score of 1.0 before submitting vulnerability reports. This policy change, announced by the OpenJS Foundation, aims to reduce the growing volume of low-quality submissions that have overwhelmed the security team’s triage capacity. The…
-
Curl ending bug bounty program after flood of AI slop reports
The developer of the popular curl command-line utility and library announced that the project will end its HackerOne security bug bounty program at the end of this month, after being overwhelmed by low-quality AI-generated vulnerability reports. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/curl-ending-bug-bounty-program-after-flood-of-ai-slop-reports/

