6 links tagged with all of: vulnerabilities + security + bug-bounty
Links
Meta's Bug Bounty Program marked its 15th anniversary, awarding over $4 million in bounties this year alone, totaling more than $25 million since its start. The program is expanding with a new pilot for experienced researchers and highlighting significant findings, including vulnerabilities in WhatsApp and Oculus.
A security researcher has criticized Apple's macOS bug bounty program for significantly lowering payouts for certain vulnerabilities. Despite increasing rewards for high-profile exploits, many macOS categories now offer much smaller financial incentives, which could discourage researchers from reporting flaws.
Microsoft will now reward researchers for identifying critical vulnerabilities in any of its online services, regardless of the code's origin. This change aims to enhance security by incentivizing the discovery of flaws in both Microsoft's own and third-party components that impact its services.
This article outlines key security vulnerabilities in Next.js applications, including SSRF, XSS, and CSRF. It provides practical tips and techniques for penetration testers to effectively assess Next.js apps.
The article explores the critical web vulnerability known as Insecure Direct Object References (IDOR), a common issue in access control that allows unauthorized users to access or modify data by manipulating identifiers in URLs and requests. It emphasizes the importance of proper access control mechanisms, outlines various types of access control flaws, and provides practical strategies for identifying and exploiting these vulnerabilities during bug bounty hunting.
A security researcher details their experience discovering multiple vulnerabilities in the McDonald's app and internal systems, highlighting poor security practices and difficulties in reporting issues. Despite successfully prompting fixes, the researcher emphasizes the need for better security channels and practices within the company.