How a top bug bounty researcher got their start in security
For this year’s Cybersecurity Awareness Month, the GitHub Bug Bounty team is excited to feature another spotlight on a talented security researcher — @xiridium!
The post How a top bug bounty researcher got their start in security appeared first on The GitHub Blog. ⌘ Read more
How a Single Signup Flaw Exposed 162,481 User Records
My $8,500 Bug Bounty Story and the Critical Lesson in Authentication
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/how-a-single-signup-flaw-exposed-162-481-user-re … ⌘ Read more
Comment on GIMP 3.0.6 Update is a Bug-Fix Backport Bonanza by CLOUD STORAGE
Rainx Drive is the Best Cloud Storage Platform ⌘ Read more
Mastering Google Dorking: Discovering Website Vulnerabilities
Deep Recon Made Simple: Powering Bug Hunting with Dorking Strategies
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/mastering-google-dorking-d … ⌘ Read more
MacOS Tahoe 26.0.1 Update Released to Fix Mac Studio Installation Bug
Apple has issued MacOS Tahoe 26.0.1 as a software update for Tahoe users. The update focuses primarily on resolving an issue for Mac Studio owners who were not able to install the initial MacOS Tahoe 26 release onto the M3 Ultra version of the Studio. Apparently other bug fixes and security improvements are included as … [Read More](https://osxdaily.com/2025/09/29/macos-tahoe-26-0-1-update-releas … ⌘ Read more
iOS 26.0.1 Update Released to Fix Various iPhone 17 Issues, & Blank Screen Icons
Apple has released iOS 26.0.1, the first update to iOS 26, which includes a handful of bug fixes specifically aimed at the new iPhone 17 lineup, as well as addressing an issue for all devices where Home Screen icons can appear blank after using various Liquid Glass customization settings, and another issue where VoiceOver might disable itself … [Read More](https://osxdaily.com/2 … ⌘ Read more
DietPi September 2025 Update Brings Faster Backups and Roon Server Early Access
The September 20th release of DietPi v9.17 introduces smaller and more efficient system images, faster backups with reduced disk usage, and a new toggle for Roon Server’s early access builds. The update also addresses SPI bootloader flashing issues on Rockchip devices, improves Raspberry Pi sound card handling, and includes multiple bug fixes across tools and […] ⌘ Read more
@lyse@lyse.isobeef.org That looks like an older bug report. Which groff version is that (groff --version)?
@movq@www.uninformativ.de I got an empty line through the table, similarly to one of the linked bug reports, just at a different location:

Okay, now that I knew what to look for, I found existing bug reports:
Most importantly:
This is resolved in the groff trunk.
🥳
Kicking off Cybersecurity Awareness Month 2025: Researcher spotlights and enhanced incentives
For this year’s Cybersecurity Awareness Month, GitHub’s Bug Bounty team is excited to offer some additional incentives to security researchers!
The post [Kicking off Cybersecurity Awareness Month 2025: Researcher spotlights and enhanced incentives](https://github.blog/security/vulnerability-research/kicking-off-cybersecurity-aware … ⌘ Read more
@kat@yarn.girlonthemoon.xyz Mine shows 1/1 of 14 Twts 😆 I think this is a bug 🤯
Ignite Realtime Blog: Openfire 5.0.2 release!
The IgniteRealtime community is happy to announce a new release of its open source, real-time communications server Openfire! Version 5.0.2 brings a number of stability improvements and bug fixes.
Notably, it addresses a recently identified security vulnerability, identified as CVE-2025-59154. The issue allows for potential identity spoofing via unsafe Common Nam … ⌘ Read more
<details> tag in HTML; it lets you write a sentence or so that someone can then click to expand to see the actual post. it's called a CW because most people use it to warn for potentially triggering/harmful subjects, but you can really use it for anything, like spoilers in a TV show or even for joke punchlines
@kat@yarn.girlonthemoon.xyz Ta. The only good use for <details> is to collapse long logs in bug analysis reports. Other than that, I find it rather annoying to expand sections manually.
As for spoilers, personally, I don’t care at all. Not the slightest bit. If there is something that I don’t wanna read, I just stop reading. ¯\_(ツ)_/¯
But I’ve got the feeling that I’ve got an unpopular opinion on that matter. ;-)
Mathieu Pasquet: slixmpp v1.11
This new version includes a few new XEP plugins as well as fixes, notably
for some leftover issues in our rust JID code, as well as one for a bug that
caused issues in Home Assistant.
Thanks to everyone who contributed with code, issues, suggestions, and reviews!
CI and build
Nicoco put in a lot of work in order to get all possible wheels built in CI. We now have manylinux and musl builds of everything doable within codeberg,
published to the codeberg pypi repo, and published on pypi. … ⌘ Read more
yarnd (what runs twtxt.net). I'd change this to something that's more supported like PNG, JPEG, etc.
@eric@itsericwoodward.com Name change is no worries! 😉 Interesting/funnily enough my client yarnd seems to have picked it up automatically which is nice (I’ve historically always had a few bugs to iron out there 🤣)
Spiders are the only web developers that enjoy finding bugs.
@lyse@lyse.isobeef.org you will have to agree, though, that Yarn has contributed to make it possible to mass adopt (with its many glitches, bugs, and all) because, still, the web is king.
@twtxt.net@twtxt.net HI KIWU YOUR PROFILE’S A BIT BUGGED ON OUR END BUT IT’S OK IT’LL FIX ITSELF
Thinking about doing “Wayland Wednesday”. Only use Wayland every Wednesday. Collect bugs, report bugs, fix bugs.
… which is probably a GTK bug.
Just realized: One of the reasons why I don’t like “flat UIs” is that they look broken to me. Like the program has a bug, missing pixmaps or whatever.
Take this for example:

I’m talking about this area specifically:

One UI element ends and the other one begins – no “transition” between them.
The style of old UIs like these two is deeply ingrained into my brain:


When all these little elements (borders, handles, even just simple lines, …) are no longer present, then the program looks buggy and broken to me. And I’m not sure if I’ll ever be able to un-learn that.
Saw this on Mastodon:
https://racingbunny.com/@mookie/114718466149264471
18 rules of Software Engineering
- You will regret complexity when on-call
- Stop falling in love with your own code
- Everything is a trade-off. There’s no “best”
- Every line of code you write is a liability
- Document your decisions and designs
- Everyone hates code they didn’t write
- Don’t use unnecessary dependencies
- Coding standards prevent arguments
- Write meaningful commit messages
- Don’t ever stop learning new things
- Code reviews spread knowledge
- Always build for maintainability
- Ask for help when you’re stuck
- Fix root causes, not symptoms
- Software is never completed
- Estimates are not promises
- Ship early, iterate often
- Keep. It. Simple.
Solid list, even though 14 is up for debate in my opinion: Software can be completed. You have a use case / problem, you solve that problem, done. Your software is completed now. There might still be bugs and they should be fixed – but this doesn’t “add” to the program. Don’t use “software is never done” as an excuse to keep adding and adding stuff to your code.
OpenBSD has the wonderful pledge() and unveil() syscalls:
https://www.youtube.com/watch?v=bXO6nelFt-E
Not only are they super useful (the program itself can drop privileges – like, it can initialize itself, read some files, whatever, and then tell the kernel that it will never do anything like that again; if it does, e.g. by being exploited through a bug, it gets killed by the kernel), but they are also extremely easy to use.
Imagine a server program with a connected socket in file descriptor 0. Before reading any data from the client, the program can do this:
unveil("/var/www/whatever", "r");
unveil(NULL, NULL);
pledge("stdio rpath", NULL);
Done. It’s now limited to reading files from that directory, communicating with the existing socket, stuff like that. But it cannot ever read any other files or exec() into something else.
I can’t wait for the day when we have something like this on Linux. There have been some attempts, but it’s not that easy. And it’s certainly not mainstream, yet.
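The pattern from the post as a complete program, added here as an example (not movq’s code): open everything you will need, then unveil()/pledge(), then do the work, and let the kernel kill the process if it steps outside the pledge. pledge() and unveil() exist only on OpenBSD, so on Linux the block falls back to seccomp strict mode, which is much coarser (no path allow-list, only read/write/exit/sigreturn on fds that are already open) but fails the same way: a sandboxed child that asks for a socket is killed. The sample file under /tmp is constructed by the example itself; the worker and helper names are the example’s own.

```c
/* Added example: "initialize first, then drop privileges".
 * pledge()/unveil() are OpenBSD-only; on Linux this falls back to seccomp
 * strict mode (no path allow-list, only read/write/_exit/sigreturn on fds
 * that are already open). In both cases a process that strays is killed. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#if defined(__linux__)
#include <linux/seccomp.h>
#include <sys/prctl.h>
#endif

/* Constructed content of the throwaway input file. */
static const char SAMPLE[] = "hello from the unveiled directory\n";

/* After this call the process may only use fds it already holds (and, on
 * OpenBSD, read files below dir). Anything else is fatal. */
static int restrict_self(const char *dir)
{
#if defined(__OpenBSD__)
    if (unveil(dir, "r") == -1 || unveil(NULL, NULL) == -1)
        return -1;
    return pledge("stdio rpath", NULL);
#elif defined(__linux__)
    (void)dir;  /* strict mode cannot express "only this directory" */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT);
#else
    (void)dir;
    errno = ENOSYS;
    return -1;
#endif
}

/* Leave via the plain exit syscall: glibc's _exit() tries exit_group()
 * first, which Linux strict mode treats as a violation. */
static void sandbox_exit(int code)
{
    syscall(SYS_exit, code);
    _exit(code);  /* not reached */
}

/* Well-behaved worker: opens its input before entering the sandbox. */
static int worker_reads_preopened(const char *path)
{
    char buf[128];
    int fd = open(path, O_RDONLY);
    if (fd == -1)
        return 1;
    if (restrict_self("/tmp") == -1)
        return 2;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    if (n < 0)
        return 3;
    buf[n] = '\0';
    return strcmp(buf, SAMPLE) == 0 ? 0 : 4;
}

/* Misbehaving worker: asks for a socket after pledging only stdio/rpath.
 * OpenBSD kills it with SIGABRT, Linux strict mode with SIGKILL. */
static int worker_violates(const char *path)
{
    (void)path;
    if (restrict_self("/tmp") == -1)
        return 2;
    return socket(AF_INET, SOCK_STREAM, 0) == -1 ? 5 : 6;  /* not reached */
}

/* Run fn(path) in a child. Returns the child's exit code, 128 + signal
 * number if the kernel killed it, or -1 if fork/wait failed. */
static int run_in_child(int (*fn)(const char *), const char *path)
{
    int status;
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0)
        sandbox_exit(fn(path));
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    return WIFSIGNALED(status) ? 128 + WTERMSIG(status) : WEXITSTATUS(status);
}

/* Create the constructed input file; returns its path or NULL. */
static const char *make_sample_file(void)
{
    static char path[32];
    strcpy(path, "/tmp/pledge-demo-XXXXXX");
    int fd = mkstemp(path);
    if (fd == -1)
        return NULL;
    ssize_t len = (ssize_t)(sizeof SAMPLE - 1);
    int ok = write(fd, SAMPLE, len) == len;
    close(fd);
    return ok ? path : NULL;
}

int main(void)
{
    const char *path = make_sample_file();
    if (path == NULL)
        return 1;
    printf("well-behaved worker: %d\n", run_in_child(worker_reads_preopened, path));
    printf("misbehaving worker:  %d (>=128 means the kernel killed it)\n",
           run_in_child(worker_violates, path));
    unlink(path);
    return 0;
}
```

The order matters: everything the worker needs (here, the open file descriptor) is acquired before restrict_self(), and the pledge is as narrow as the remaining work allows. The Linux fallback shows why the post calls the situation there unsatisfying: strict mode gives the "kill on violation" half but nothing like unveil(), which is the gap Landlock is meant to fill.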
I need to have a closer look at Linux’s Landlock soon (“soon”), but this is considerably more complicated than pledge()/unveil():
@lyse@lyse.isobeef.org Rust is so different and, at the same time, so complex – it’s not far fetched to assume that I simply don’t understand what’s going on here. The docs appear to be clear, but alas … is it a bug in the docs? Is it a lack of experience on my part? Who knows.
By the way, looks like there was a bit of a discussion regarding that name:
Hmmm 🧐 Not what I thought was going on… No bug…
time="2025-06-14T15:24:25Z" level=info msg="updating feeds for 8 users"
time="2025-06-14T15:24:25Z" level=info msg="skipping 0 inactive users"
time="2025-06-14T15:24:25Z" level=info msg="skipping 0 subscribed feeds"
time="2025-06-14T15:24:25Z" level=info msg="updating 80 sources (stale feeds)"
Cracking JWTs: A Bug Bounty Hunting Guide [Part 6] ⌘ Read more
Context cancellation chains: the bug that brought down our payment system
How a seemingly harmless Go feature triggered a cascading failure that cost us $110,000 in lost transactions. By the time the alerts went off, our payment processing system was already down. Credit card transactions were failing, subscriptions could not renew, and the customer support chat was flooded with angry messages. A routine deployment had turned into our worst production incident in two years. The culprit? A subtle misunderstanding of Go context cancellation, which set off a chain reaction I had never anticipated. Background: a “simple” optimization. Three weeks earlier I had been tasked with optimizing the payment processing pipeline. Every minute the system handles … ⌘ Read more
Cracking JWTs: A Bug Bounty Hunting Guide [Part 5] ⌘ Read more
$1,000 Bug: Firefox Account Deletion Without 2FA or Authorization
How a Missing Backend Check Let Attackers Nuke Accounts With Just a Password
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/1-000-bu … ⌘ Read more
How can one write blazing fast yet useful compilers (for lazy pure functional languages)?
I’ve decided enough is enough and I want to write my own compiler (seems I caught a bug and lobste.rs is definitely not discouraging it). The language I have in mind is a basic (lazy?) statically-typed pure functional programming language with do notation and records (i.e. mostly Haskell-lite).
I have other ideas I’d like to explore as well, but mainly, I want the compiler to be so fast (w/ optimisations) that … ⌘ Read more
$7,500 Bug: Exposing Any HackerOne User’s Email via Private Program Invite
How One GraphQL Query Turned Private Invites into Public Data Leaks
[Continue reading on InfoSec Write-ups »](https://infosecwrite … ⌘ Read more
Cracking JWTs: A Bug Bounty Hunting Guide [Part 4] ⌘ Read more
Go library of the day: GoAdmin
Have you ever set out to write a back-office system in Go and accidentally ended up writing a bug system instead? When you got to access control, did you feel like the one whose permissions were being violated? Did you just want to be a contented CRUD worker, only to be tormented by front-end UI work until you questioned your life choices? Fear not, GoAdmin is here to rescue you! What is GoAdmin? Put simply, GoAdmin is the “universal admin-panel tool” of the Go world. It can help you: take off in three minutes: quickly stand up a back-office system; without writing a single line … ⌘ Read more
Top File Read Bug POCs that made $20000
Learning & Methodology to find File Read from top 5 POCs by Elite hackers
404 to $4,000: Exposed .git, .env, and Hidden Dev Files via Predictable Paths
How Bug Bounty Hunters Can Turn Common 404s Into Critical Information Disclosure Bounties
[Continue reading on InfoSec Write-u … ⌘ Read more
**2. Setting Up the Ultimate Hacker’s Lab (Free Tools Only)**
“You don’t need a fortune to break into bug bounty. You just need the right mindset — and the right setup.”
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/2-se … ⌘ Read more
Cracking JWTs: A Bug Bounty Hunting Guide [Part 3] ⌘ Read more
GNOME OS ready for more extensive testing
While it’s still early days and it’s not recommended for non-technical audiences, GNOME OS is now ready for developers and early adopters who know how to deal with occasional bugs (and importantly, file those bugs when they occur). ↫ Tobias Bernard This is great news, and means GNOME OS is progressing nicely. I’m a proponent of this and KDE’s equivalent project, because it allows the people working on GNOME and KDE to really showcase their work in … ⌘ Read more
$540 Bounty: How a Misconfigured Warning Endpoint in Apache Airflow Exposed DAG Secrets
CVE-2023-42780: An Improper Access Control Bug That Let Low-Privileged Users View DAG Impo … ⌘ Read more
Bug Bounty from Scratch | Everything You Need to Know About Bug Bounty
📌Free Article Link
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/bug-bounty-from-scratch-everything-you-need-to-know … ⌘ Read more
Bypassing Regex Validations to Achieve RCE: A Wild Bug Story
Free Article Link
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/bypassing-regex-validations-to-achieve-rce-a-wild-bug-story-6476faccbc23?source=r … ⌘ Read more
GitHub Recon: The Underrated Technique to Discover High-Impact Leaks in Bug Bounty
Master the Art of Finding API Keys, Credentials and Sensitive Data in Public Repositories
[Continue re … ⌘ Read more