🔥The 9th Round of Easy Loan, Earn $40 Reward is in progress❗️ ⏰ Promotion Period: January 15th - Feburary 15th, 2025 👉 Register now and check more details at gate.io/campaigns/358

Haven’t found any great bugs this week, but I got a mention in this Gareth Heyes \u2028 post and that just as great! Give it a read

Life doing deep dive: Monday->Thursday nothing->Friday a nice finding->Next week report->in 2 weeks triage->Sometime around 3 months from now payout No need to rush report as there is 0% chance of duplicate. Lets just leave the bug there and take a weekend with family

I was really surprised to see that the Cache API is exposed on window, allowing a simple XSS to hijack a service worker and achieve persistent XSS on most pages of a vulnerable website! It might not be a new, but I feel like it is an incredible XSS leveraging gadget :D

Ben Sadeghipour The most valuable thing iv learned that reaches way beyond bounties is expectations management! its never personal. If a report gets valued in a different way than you wanted, or the triager dont understand the impact. work on your soft skills. i know it sounds off, but being

javascript coke

must watch!

This is going to be interesting! I will be there for sure, others should take the opportunity as well

One of the best blog posts of 2024. Just go read this now!

Posted a tiny XSS challenge/question on Bluesky, lets see if it can fly over there joaxcar.bsky.social

An interesting take on the behavior of SAAS companies to put security features in paid plans by Rasmus Holm. With an accompanying "name and shame" list

Was a blast hanging out with Bug Bounty Reports Explained a few hours in gray and cold Gothenburg! Glad that we finally got to meet in real life

I have been doing some JS challenges over on Bluesky. Traction is a bit harder to achieve, but I will stay true to only posting new stuff there for now. If you are in to JS quirks it could be worth jumping over to have a look, also a small writeup bsky.app/profile/joaxca…

End of year review of the GitLab bug bounty program! 🦊🏆 about.gitlab.com/blog/2025/01/0…

SSRFs can be tough to make critical without metadata, especially against a target like GitLab that strengthens its infra with every SSRF. Yet Johan Carlsson broke through with the first critical SSRF on GitLab since 2020. Enjoy our explanation from Sweden🇸🇪🔥 youtu.be/YQ5ixykKnyY

How hard can it be to give me my data... I am on a slow move to remove my account from here. I just need Twitter to give me my zip file, and then I am off Feel free to follow me on joaxcar.bsky.social if you want to keep in touch! 👋