Jomar (@j0_mart) 's Twitter Profile
Jomar

@j0_mart

Sharing is knowledge

ID: 790164858

Link: https://github.com/JoshuaMart | 29-08-2012 21:16:52

788 Tweet

1,1K Followers

116 Following

Olivier Beg (@smiegles) 's Twitter Profile Photo

🚀 Introducing SanicDNS 🚀 Looking for lightning-fast domain resolutions? SanicDNS resolves up to 5M domains per second! 🏎️💨 github.com/hadriansecurit…

Ian Carroll (@iangcarroll) 's Twitter Profile Photo

In April, Sam Curry and I discovered a way to bypass airport security via SQL injection in a database of crewmembers. Unfortunately, DHS ghosted us after we disclosed the issue, and the TSA attempted to cover up what we found. Here is our writeup: ian.sh/tsa

_leon_jacobs(💥) (@leonjza) 's Twitter Profile Photo

gowitness v3 is out! A huge task, but I refactored basically _everything_ for version 3 in just over a week, followed by also writing the longest release notes of my life! Hopefully it's the best version yet. A lot has changed, so feel free to dig in. 🤖 🧵👇

daniel (@hackermondev) 's Twitter Profile Photo

1 Bug, $50K+ in bounties: how Zendesk left a backdoor in hundreds of companies #bugbountytips gist.github.com/hackermondev/6…

DreyAnd (@dreyand_) 's Twitter Profile Photo

#CyberPanel (n)day pre-auth root RCE drop 🎁 I also intended to note down my mental process while auditing code since the bug is relatively easy, definitely recommended for upcomers. Left a challenge at the end if you want to find your own n-day bug :) dreyand.rs/code/review/20…

Assetnote (@assetnote) 's Twitter Profile Photo

Last month, our Security Research team discovered and disclosed a critical pre-authentication RCE in CraftCMS (CVE-2024-56145). You can read our blog post on the issue here: assetnote.io/resources/rese…

Rémy Marot (@r_marot) 's Twitter Profile Photo

🚀 We wrapped up our first First Flight event on Cyfrin CodeHawks with my teammate Jomar! 🔥 An amazing first experience with quite good results: 5 high / 1 medium / 1 low vulnerabilities reported. Time to keep sharpening our skills and leveling up our audits!

Jomar (@j0_mart) 's Twitter Profile Photo

It's been a long time since I posted a blog post! Today I posted "Extract and monitor bugbounty scopes" blog.jomar.fr/posts/2025/ext… With new projects in the pipeline, I've already lined up a number of upcoming articles 😁

Jomar (@j0_mart) 's Twitter Profile Photo

Bad timing, a few hours after my tweet, Bugcrowd announces that MFA is mandatory and pushes a change that breaks the authentication system in ScopesExtractor. I've just pushed the fix!

N$ (@nav1n0x) 's Twitter Profile Photo

Recently found unauthenticated file upload on a public bug bounty program's SOAP service! Managed to upload a PHP webshell via SOAP documentRequest feature and almost gained code execution. Full #writeup coming soon! #BugBounty

Jomar (@j0_mart) 's Twitter Profile Photo

Just published a new blog post on the collaborative environment we use with Rémy Marot for smart contract auditing blog.jomar.fr/posts/2025/col… This can easily be replicated for web2 code audits and it makes teamwork much easier

Rémy Marot (@r_marot) 's Twitter Profile Photo

I just started a blog to share my experiences in Web2 and Web3! My first post is live: blog.rmsec.io/posts/leveragi… I hope it will be helpful, especially for those getting started!

Louis Nyffenegger (@snyff) 's Twitter Profile Photo

One of the hardest parts of a security code review? Figuring out how the project is structured. deepwiki.com just changed the game: 🧠 Repo overview 🧩 Component relationships 🧭 Architecture map 💬 Ask: “Any secrets?” “SQLi here?” Try it. It's 🔥 for AppSec.

D Day (@archangeldday) 's Twitter Profile Photo

Big news: Joseph Thacker and I just launched a new LLM evaluation designed to test for one of the most dangerous model failure modes—sycophancy. We call it: The Glazing Score 👇
