Links
cURL's maintainer, Daniel Stenberg, has shut down the project's bug bounty program due to an overwhelming number of low-quality, AI-generated submissions. He hopes this will encourage more meaningful bug reports while maintaining public accountability for poor submissions.
Meta's Bug Bounty Program marked its 15th anniversary, awarding over $4 million in bounties this year alone, totaling more than $25 million since its start. The program is expanding with a new pilot for experienced researchers and highlighting significant findings, including vulnerabilities in WhatsApp and Oculus.
A security researcher has criticized Apple's macOS bug bounty program for significantly lowering payouts for certain vulnerabilities. Despite increasing rewards for high-profile exploits, many macOS categories now offer much smaller financial incentives, which could discourage researchers from reporting flaws.
Microsoft will now reward researchers for identifying critical vulnerabilities in any of its online services, regardless of the code's origin. This change aims to enhance security by incentivizing the discovery of flaws in both Microsoft's own and third-party components that impact its services.
This article outlines key security vulnerabilities in Next.js applications, including SSRF, XSS, and CSRF. It provides practical tips and techniques for penetration testers to effectively assess Next.js apps.
Researcher Jakub Ciolek reported two critical bugs in Argo CD but was left without communication or his $8,500 bug bounty for months. After inquiries and an email from The Register, HackerOne finally acknowledged the delay, citing a backlog in processing rewards. Ciolek emphasizes the need for better communication in bug bounty programs to maintain trust.
reNgine 2.2.0 introduces new features like bounty hub integration, enhanced subdomain enumeration, and customizable PDF reports. It’s a web application reconnaissance tool aimed at security professionals, offering advanced capabilities for data collection and project management. Key updates enhance user experience and streamline reconnaissance tasks.
This article discusses the challenges posed by AI-generated vulnerability reports in the bug bounty industry. It highlights the distinction between valid and invalid submissions, the strain on open-source maintainers, and the burnout resulting from sifting through low-quality reports.
Sharon Brizinov shares her experience of earning $64,350 through bug bounty hunting by automating the recovery of deleted files from public GitHub repositories. By scanning thousands of repositories for exposed API keys and credentials hidden in Git's history, she highlighted the importance of addressing security vulnerabilities from seemingly deleted information.
The article explores the critical web vulnerability known as Insecure Direct Object References (IDOR), a common issue in access control that allows unauthorized users to access or modify data by manipulating identifiers in URLs and requests. It emphasizes the importance of proper access control mechanisms, outlines various types of access control flaws, and provides practical strategies for identifying and exploiting these vulnerabilities during bug bounty hunting.
A security researcher details their experience discovering multiple vulnerabilities in the McDonald's app and internal systems, highlighting poor security practices and difficulties in reporting issues. Despite successfully prompting fixes, the researcher emphasizes the need for better security channels and practices within the company.