Saw this on Mastodon:
https://racingbunny.com/@mookie/114718466149264471
18 rules of Software Engineering
- You will regret complexity when on-call
- Stop falling in love with your own code
- Everything is a trade-off. There’s no “best” 3. Every line of code you write is a liability 4. Document your decisions and designs
- Everyone hates code they didn’t write
- Don’t use unnecessary dependencies
- Coding standards prevent arguments
- Write meaningful commit messages
- Don’t ever stop learning new things
- Code reviews spread knowledge
- Always build for maintainability
- Ask for help when you’re stuck
- Fix root causes, not symptoms
- Software is never completed
- Estimates are not promises
- Ship early, iterate often
- Keep. It. Simple.
Solid list, even though 14 is up for debate in my opinion: Software can be completed. You have a use case / problem, you solve that problem, done. Your software is completed now. There might still be bugs and they should be fixed – but this doesn’t “add” to the program. Don’t use “software is never done” as an excuse to keep adding and adding stuff to your code.
OpenBSD has the wonderful pledge() and unveil() syscalls:
https://www.youtube.com/watch?v=bXO6nelFt-E
Not only are they super useful (the program itself can drop privileges – like, it can initialize itself, read some files, whatever, and then tell the kernel that it will never do anything like that again; if it does, e.g. by being exploited through a bug, it gets killed by the kernel), but they are also extremely easy to use.
Imagine a server program with a connected socket in file descriptor 0. Before reading any data from the client, the program can do this:
unveil("/var/www/whatever", "r");
unveil(NULL, NULL);
pledge("stdio rpath", NULL);
Done. It’s now limited to reading files from that directory, communicating with the existing socket, stuff like that. But it cannot ever read any other files or exec() into something else.
I can’t wait for the day when we have something like this on Linux. There have been some attempts, but it’s not that easy. And it’s certainly not mainstream, yet.
I need to have a closer look at Linux’s Landlock soon (“soon”), but this is considerably more complicated than pledge()/unveil():
↳
In-reply-to
»
So I was using this function in Rust:
⤋ Read More
@lyse@lyse.isobeef.org Rust is so different and, at the same time, so complex – it’s not far fetched to assume that I simply don’t understand what’s going on here. The docs appear to be clear, but alas … is it a bugs in the docs? Is it a lack of experience on my part? Who knows.
By the way, looks like there was a bit of a discussion regarding that name:
Hmmm 🧐 Not what I thought was going on… No bug…
time="2025-06-14T15:24:25Z" level=info msg="updating feeds for 8 users"
time="2025-06-14T15:24:25Z" level=info msg="skipping 0 inactive users"
time="2025-06-14T15:24:25Z" level=info msg="skipping 0 subscribed feeds"
time="2025-06-14T15:24:25Z" level=info msg="updating 80 sources (stale feeds)"
Cracking JWTs: A Bug Bounty Hunting Guide [Part 6] ⌘ Read more
Cracking JWTs: A Bug Bounty Hunting Guide [Part 5] ⌘ Read more
$1,000 Bug: Firefox Account Deletion Without 2FA or Authorization
How a Missing Backend Check Let Attackers Nuke Accounts With Just a Password
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/1-000-bu … ⌘ Read more
How can one write blazing fast yet useful compilers (for lazy pure functional languages)?
I’ve decided enough is enough and I want to write my own compiler (seems I caught a bug and lobste.rs is definitely not discouraging it). The language I have in mind is a basic (lazy?) statically-typed pure functional programming language with do notation and records (i.e. mostly Haskell-lite).
I have other ideas I’d like to explore as well, but mainly, I want the compiler to be so fast (w/ optimisations) that … ⌘ Read more
$7,500 Bug: Exposing Any HackerOne User’s Email via Private Program Invite
How One GraphQL Query Turned Private Invites into Public Data Leaks
[Continue reading on InfoSec Write-ups »](https://infosecwrite … ⌘ Read more
Cracking JWTs: A Bug Bounty Hunting Guide [Part 4] ⌘ Read more
Top File Read Bug POCs that made $20000
Learning & Methodology to find File Read from top 5 POCs by Elite hackers
404 to $4,000: Exposed .git, .env, and Hidden Dev Files via Predictable Paths”
How Bug Bounty Hunters Can Turn Common 404s Into Critical Information Disclosure Bounties
[Continue reading on InfoSec Write-u … ⌘ Read more
**2. Setting Up the Ultimate Hacker’s Lab (Free Tools Only) **
“You don’t need a fortune to break into bug bounty. You just need the right mindset — and the right setup.”
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/2-se … ⌘ Read more
Cracking JWTs: A Bug Bounty Hunting Guide [Part 3] ⌘ Read more
GNOME OS ready for more extensive testing
While it’s still early days and it’s not recommended for non-technical audiences, GNOME OS is now ready for developers and early adopters who know how to deal with occasional bugs (and importantly, file those bugs when they occur). ↫ Tobias Bernard This is great news, and means GNOME OS is progressing nicely. I’m a proponent of this and KDE’s equivalent project, because it allows the people working on GNOME and KDE to really showcase their work in … ⌘ Read more
$540 Bounty: How a Misconfigured Warning Endpoint in Apache Airflow Exposed DAG Secrets
CVE-2023–42780: An Improper Access Control Bug That Let Low-Privileged Users View DAG Impo … ⌘ Read more
Bug Bounty from Scratch | Everything You Need to Know About Bug Bounty
📌Free Article Link
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/bug-bounty-from-scratch-everything-you-need-to-know … ⌘ Read more
Bypassing Regex Validations to Achieve RCE: A Wild Bug Story
Free Article Lin
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/bypassing-regex-validations-to-achieve-rce-a-wild-bug-story-6476faccbc23?source=r … ⌘ Read more
GitHub Recon: The Underrated Technique to Discover High-Impact Leaks in Bug Bounty
Master the Art of Finding API Keys, Credentials and Sensitive Data in Public Repositories
[Continue re … ⌘ Read more
Cracking JWTs: A Bug Bounty Hunting Guide [Part 1] ⌘ Read more
I Tried 10 Recon Tools for 7 Days — Here’s What Actually Found Bugs
Free Article Link
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/i-tried-10-recon-tools-for-7-days-heres-what-actually-found-bug … ⌘ Read more
↳
In-reply-to
»
@prologic Mosaic (2.7) works fine, I maintain that package in the AUR and test my website regularly. 😅
⤋ Read More
@bender@twtxt.net Not sure if you’re serious or joking, but: IE3 introduced support for CSS, Mosaic completely ignores it. 😅 Besides, it looks fine in IE3 now as well, after I fixed my CSS bug. 🤪
↳
In-reply-to
»
My website is compatible with many old browsers, but Internet Explorer 3, uhm, not so much.
⤋ Read More
… but as it turned out, this was a bug in my CSS. It works now. 🥳
**One Endpoint to Rule Them All: How I Chained 3 Bugs into Full Account Takeover **
Hey there!😁
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/one-endpoint-to-rule-them-all-h … ⌘ Read more
Demystifying Cookies : The Complete Guide for Bug Bounty Hunters — Part 1
Everything you need to know about cookies to expand your attack surface and find real bugs.
[Continue reading on InfoSec Write-ups »](h … ⌘ Read more
The Ultimate Roadmap to Becoming a Bug Bounty Hunter ⌘ Read more
I Gave Myself 60 Minutes to Find a Bug — This Is What Happened
Free Article Link
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/i-gave-myself-60-minutes-to-find-a-bug-this-is-what-happened-e5fa76563a33?so … ⌘ Read more
From Zero to $1000/Month | Bug Bounty Automation Blueprint
Proven Tactics, Tools, and Code to Automate Your Way to Consistent Bounties
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/from-zero-to-1000-month-bug-boun … ⌘ Read more
️My Top 7 Mistakes as a New Bug Hunter (And How to Avoid Them)
Free Article Link only for you
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/%EF%B8%8Fmy-top-7-mistakes-as-a-new-bug-hunter- … ⌘ Read more
Google’s “AI” is convinced Solaris uses systemd
Who doesn’t love a bug bounty program? Fix some bugs, get some money – you scratch my back, I pay you for it. The CycloneDX Rust (Cargo) Plugin decided to run one, funded by the Bug Resilience Program run by the Sovereign Tech Fund. That is, until “AI” killed it. We received almost entirely AI slop reports that are irrelevant to our tool. It’s a library and most reporters didn’t even bother to read the rules or even look at what the intend … ⌘ Read more
$1 Million Tax Payer Grant for “Gender Inclusive Open Source”
A cancelled grant, worth a million bucks, for Oregon State University to create “best practices for fixing gender-bias bugs”. ⌘ Read more
Mastering SQL Injection Recon: Step-by-Step Guide for Bug Bounty Hunters
A practical guide to uncovering SQL injection flaws using automation, payloads and deep reconnaissance techniques.
[Continue reading … ⌘ Read more
$20,000 Bounty: How a Leaked Session Cookie Led to Account Takeover on HackerOne
How one accidental copy-paste exposed sensitive data and what you can learn to find similar bugs
[Continue rea … ⌘ Read more
The Most Dangerous Bug I’ve Ever Found (And No One Was Looking)
👉Free Article Link
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/the-most-dangerous-bug-ive-ever-found-and-no-one-was-looking-2e96e5079a01? … ⌘ Read more
0 to First Bug: What I’d Do Differently If I Started Bug Bounty Today
Free Article Link
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/0-to-first-bug-what-id-do-differently-if-i-started-bug … ⌘ Read more
Part-2️♂️Bug Bounty Secrets They Don’t Tell You: Tricks From 100+ Reported Bugs
✨Free Article Link
[Continue reading on InfoSec Write-ups »](https://infosecwri … ⌘ Read more
Secret to find bugs in five minutes. Juicy reality. ⌘ Read more
Microsoft blinks, extends Office support for Windows 10 by three years
At the start of this year, Microsoft announced that, alongside the end of support for Windows 10, it would also end support for Office 365 (it’s called Microsoft 365 now but that makes no sense to me) on Windows 10 around the same time. The various Office applications would continue to work on Windows 10, of course, but would no longer receive bug fixes, security plugs, and so on. Well, it se … ⌘ Read more
Cracking the Dave & Buster’s anomaly
Let’s dive into a peculiar bug in iOS. And by that I mean, let’s follow along as Guilherme Rambo dives into a peculiar bug in iOS. The bug is that, if you try to send an audio message using the Messages app to someone who’s also using the Messages app, and that message happens to include the name “Dave and Buster’s”, the message will never be received. ↫ Guilherme Rambo As I read this first description of the bug, I had no idea what could possibly be causing th … ⌘ Read more
Bug Chain: pre-auth takeover to permanent access. ⌘ Read more