Alex Chapman

Vulnerability Researcher and Bug Bounty Hunter

2024-11-04

2024 YTD #BugBounty stats update, Week 44:

📄 74 issues Reported (51 Crit, 12 High, 10 Medium, 1 Low)
💰 50 issues Paid
🟀 7 Duplicate
⚪ 3 Informational
🔴 9 OOS

Spent a good deal of time crafting a new Chrome renderer exploit last week, which I'm hoping will pay off soon 😁

💵 average bounty change from Week 43: 🔽

💵🎯 November: Not met
💵🎯 2024: Met 🔥🔥🔥
💵🎯 2024 stretch: Met 🔥🔥🔥

πŸ§‘β€πŸ’» 38 Collabs
πŸͺ² 51 Programs
⏰ 57 Days oldest unpaid report

2024-03-04

2024 YTD #BugBounty stats update, Week 9:

📄 19 issues reported (13 crit, 3 high, 3 medium)
💰 15 issues Paid
🟀 2 Duplicate
⚪ 1 Informational
🔴 1 OOS

Big bounty week last week 💰💵🪙

x.com/ajxchapman/status/176210

2023-01-03

@nathan Hell no lol

Alex Chapman boosted:
Katie Paxton-Fear (InsiderPhD) insiderphd@infosec.exchange
2022-12-28

Things I am surprised haven’t entered the bug bounty community:
- Mixer vs Twitch like exclusivity contracts for hackers, platforms could offer better invites, a % on top of all bounties and various other perks for x hours minimum spent hacking on the platform

2022-12-27

Nothing quite says "we really value your contribution" like an automated message, on Christmas day, on a 6 month old #BugBounty report, saying "we really value your contribution"... but still haven't got around to working on your report.

Glad to be here making a difference in the world!

2022-12-07

@bayo Thanks, I was looking for something like this!

2022-12-07

Since when did Chrome start hiding the minor, build and patch version numbers? They are masked from both JavaScript and the HTTP User-Agent 🤔
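Added here as an example, not code from the original post: the reduced User-Agent that the post is asking about reports only the major version ("Chrome/108.0.0.0" in both navigator.userAgent and the UA header, after the rollout during 2022), and the real minor/build/patch numbers are only exposed through the high-entropy `fullVersionList` User-Agent Client Hint. The snippet below detects a reduced UA and shows the client-hints path; the two UA strings are constructed samples, not captured from a real session.

```javascript
// Added example (not from the original post): detect Chrome's reduced UA and
// recover the full version through UA Client Hints where available.

// Parse the Chrome version out of a UA string. Returns null for non-Chrome UAs.
function parseChromeVersion(ua) {
  const m = /\bChrome\/(\d+)\.(\d+)\.(\d+)\.(\d+)/.exec(ua || '');
  if (!m) return null;
  const [major, minor, build, patch] = m.slice(1, 5).map(Number);
  return {
    major, minor, build, patch,
    // A reduced UA always carries 0.0.0 after the major version.
    reduced: minor === 0 && build === 0 && patch === 0,
  };
}

// Pick the full version for Chrome (or another Chromium brand) out of the
// fullVersionList array that getHighEntropyValues() returns.
function fullVersionFromList(list, brands = ['Google Chrome', 'Chromium']) {
  if (!Array.isArray(list)) return null;
  for (const brand of brands) {
    const entry = list.find((b) => b && b.brand === brand);
    if (entry) return entry.version;
  }
  return null;
}

// In a browser: ask for the high-entropy hint (Chromium only). Engines and
// older Chrome builds without navigator.userAgentData fall back to the UA,
// which after reduction only yields the major version.
async function chromeFullVersion(nav = globalThis.navigator) {
  if (nav && nav.userAgentData && nav.userAgentData.getHighEntropyValues) {
    const hints = await nav.userAgentData.getHighEntropyValues(['fullVersionList']);
    const v = fullVersionFromList(hints.fullVersionList);
    if (v) return v;
  }
  const p = nav ? parseChromeVersion(nav.userAgent) : null;
  return p ? `${p.major}.${p.minor}.${p.build}.${p.patch}` : null;
}

// Constructed sample UA strings (not from a real session).
const REDUCED_UA =
  'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36';
const OLD_UA =
  'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36';

console.log(parseChromeVersion(REDUCED_UA)); // reduced: true
console.log(parseChromeVersion(OLD_UA));     // reduced: false
```

Server side the equivalent is to send `Accept-CH: Sec-CH-UA-Full-Version-List` and read the `Sec-CH-UA-Full-Version-List` request header on the next request; the UA header itself stays reduced.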

2022-12-07
Alex Chapman boosted:
Katie Paxton-Fear (InsiderPhD) insiderphd@infosec.exchange
2022-12-05

I am going to be at Black Hat EU with @Bugcrowd@twitter.com check out their booth 307 and come say hi! I’m going to be chatting about some of my favourite bug stories and how I approach hacking 👌

2022-12-05

@michenriksen I definitely don't need an LLM to question my own sanity 😆

2022-12-05

Every time I look at writing another exploit for Chrome there is a new exploit mitigation to contend with. This is excellent work from the Chrome team, but an absolute pain for the likes of me!

Last time it was WASM memory protection keys, today Sandboxed V8 pointers... whatever next???

2022-12-01

@anant yeah, this sort of auditing was part of the reason I was investigating runc.

2022-12-01

I created a container image that prints the runc version in use. Why is this useful? I have no idea, but it was pretty fun working it out.

Code at github.com/ajxchapman/runc-ver
#Docker #Kubernetes

3955e3f9cecb:/# docker run --rm runc_version | jq
{
  "runc": "1.1.4",
  "commit": "v1.1.4-0-g5fd4c4d1",
  "spec": "1.0.2-dev",
  "go": "go1.17.10",
  "libseccomp": "2.5.4",
  "__ignore": "[ PID ]"
}

2022-11-30

Managed to DoS myself playing with containers, again 🤦‍♂️ Now I'm going to have to spend the rest of the day trying to work out what on earth I managed to do...

Alex Chapman boosted:
Glenn Pegden :donor: glennpegden@infosec.exchange
2022-11-29

After almost six years doing some kick-ass Vulnerability Management work, it's time to spread both the knowledge and the workload, so come and work with, and learn from, me!

Listed as Leeds (UK), but remote in UK, Ireland, Portugal or Romania could all work.

careers.flutteruki.com/jobs/r0

Boosts are very welcome!

2022-11-25

"If the container is started with the option --pid=host, and the SYS_PTRACE and SYS_ADMIN capabilities are granted to the container... and an AppArmor profile is configured with either allow ptrace() or Unconfined... you can escape the container"

I mean... yes, but I think you have other problems if you ended up with this configuration.
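Added here as an example, not code from the original post or the source it quotes: the practical use of that quote is as an audit rule. The function below takes `docker inspect` output and flags a container that has all of the quoted preconditions at once (`--pid=host`, CAP_SYS_PTRACE and CAP_SYS_ADMIN, AppArmor unconfined), treating `--privileged` as implying all of them since it grants every capability and disables the default profile. The field names are those of `docker inspect` JSON; the two container records are constructed samples, not real containers.

```javascript
// Added example (not from the original post): audit `docker inspect` output
// for the host-PID + SYS_PTRACE + SYS_ADMIN + AppArmor-unconfined combination.

function auditPtraceEscape(ctr) {
  const hc = ctr.HostConfig || {};
  // CapAdd entries may be written as SYS_PTRACE or CAP_SYS_PTRACE; normalise.
  const caps = new Set((hc.CapAdd || []).map((c) => String(c).replace(/^CAP_/i, '').toUpperCase()));
  const privileged = hc.Privileged === true;
  const secOpts = hc.SecurityOpt || [];

  const findings = {
    hostPid: hc.PidMode === 'host',
    sysPtrace: privileged || caps.has('SYS_PTRACE') || caps.has('ALL'),
    sysAdmin: privileged || caps.has('SYS_ADMIN') || caps.has('ALL'),
    // AppArmor is off when the effective profile is 'unconfined' or it was
    // disabled through --security-opt (both spellings have been accepted).
    apparmorUnconfined:
      privileged ||
      ctr.AppArmorProfile === 'unconfined' ||
      secOpts.includes('apparmor=unconfined') ||
      secOpts.includes('apparmor:unconfined'),
  };
  // Only the full combination is the configuration the quoted text describes.
  findings.escapable =
    findings.hostPid && findings.sysPtrace && findings.sysAdmin && findings.apparmorUnconfined;
  return findings;
}

// `docker inspect` prints an array of container records; audit each one.
function auditAll(inspectOutput) {
  const list = Array.isArray(inspectOutput) ? inspectOutput : [inspectOutput];
  return list.map((c) => ({ id: String(c.Id || '').slice(0, 12), ...auditPtraceEscape(c) }));
}

// Constructed sample records (only the fields the audit reads).
const SAMPLE_BAD = {
  Id: 'deadbeefcafe0000',
  AppArmorProfile: 'unconfined',
  HostConfig: {
    PidMode: 'host',
    CapAdd: ['SYS_PTRACE', 'SYS_ADMIN'],
    Privileged: false,
    SecurityOpt: ['apparmor=unconfined'],
  },
};
const SAMPLE_OK = {
  Id: 'cafebabe00001111',
  AppArmorProfile: 'docker-default',
  HostConfig: { PidMode: '', CapAdd: null, Privileged: false, SecurityOpt: null },
};

console.log(auditAll([SAMPLE_BAD, SAMPLE_OK]));
```

In Node, parse the output of `docker inspect <container>` with `JSON.parse` and hand the array to `auditAll`. One caveat the quote itself raises: a custom AppArmor profile that merely permits ptrace is not visible in `docker inspect` beyond the profile name, so a confined-but-permissive profile needs checking on the host.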

Alex Chapman boosted:
2022-11-24

As promised: Here's the first $10,000 Intel bug (aka CVE-2022-33942) that allows to bypass the authentication of Intel's DCM by spoofing Kerberos and LDAP responses.

Exploit inside, enjoy 😎

rcesecurity.com/2022/11/from-z

#BugBounty #security

2022-11-22

One of the more difficult challenges of hunting for bugs in CI/CD environments is working out if code execution is a feature or a bug 😑
