zseano (@zseano)'s Twitter Profile

#1 Amazon Security Researcher. hacking team with @jonathanbouman @fransrosen @avlidienbrunn

ID: 485460245

Link: http://hackerone.com/zseano
Joined: 07-02-2012 06:58:26

7,7K Tweet

77,77K Followers

687 Following

XBOW (@xbow):

Sometimes the most illogical approach wins. XBOW discovered XSS in Salesforce Aura by testing aura.format=JSON - which counterintuitively returns text/html content type instead of JSON. The kind of discovery that comes from systematic testing without assumptions. Full hunt

zseano (@zseano):

bug bounty industry is so fucking good these days… so many programs, good payouts, wide scopes. We are truly blessed 😇 get stuck in, there are bugs out there, and lots of them ! (And no AI isn’t close to replacing us, it’s helping us more than ever)

Sam Curry (@samwcyo):

When applying for a job at McDonald's, over 90% of franchises use "Olivia," an AI-powered chatbot. We (Ian Carroll and I) discovered a vulnerability that could allow an attacker to access the over 64 million chat records using the password "123456". ian.sh/mcdonalds

Ali Tütüncü (@alicanact60):

I know many of you aren’t fans of the new HackerOne dark mode. I’ve built a small Chrome extension to bring back the old look. There are still a few bugs (some purple elements remain), but I’ll be working on it more tonight. For now, it’s already a big improvement over the

zseano (@zseano):

another successful H1 event with the legend Jonathan Bouman, great bugs and gaining lots of new insights for future hunts! :) that's me done with hacking now til september, getting married in 2 weeks so i'm going afk to chill :D happy hacking, go get them crits✌️

zseano (@zseano):

XBOW has changed the bug bounty game tbh.. shits gonna get wild over the next few years! i can see lots of people having their own AI agents (I bet people are building one right now). kudos to them for being transparent on everything :)

shubs (@infosec_au):

Today, we're releasing the new Searchlight Cyber tools website, which allows you to use several of our open-source tools for free via a web interface. You can self-register at tools.slcyber.io (+ all our wordlists will be released there from now on!)