Happy New Year, Hackers! 🎆 We’re looking forward to a 2026 full of crazy exploits, instant patches, and - most importantly - YOU, the amazing human beings behind the screens.

What's the Bobby Tables equivalent in #AI era?

Join us tomorrow to learn more about this cool audit!

Want to learn more about our approach into auditing complex libraries and writing cool exploits? 🗓️: Dec 02 🕗: 20:00 CET RSVP: luma.com/ostif-meetup...

👋🏿 Hackers! Are you a Red Teaming Wizard 🧙🏿 looking for a new challenge? @shielder.com is hiring a Red Teaming Lead to join our crew! More info ⬇️ (share appreciated) #hiring #redteaming romhack.io/job-opportun...

Working with folks from @lucasfilm.bsky.social, @ilmvfx.bsky.social, and Apple to secure some of the OSS foundations the movie and entertainment industries rely on was so cool! Big shout-out 📣 to the @ostifofficial.bsky.social and ASWF for making this possible.

The TumpiCon experience will start tomorrow! Can't wait to meet y'all in Pinerolo 🏞️ Schedule is out: tumpicon.org

Woah - thanks Nestlè and @intigriti.com!

It's so cool working with the GoogleVRP team - folks over there are amazing. I love the concept of "you report something, then we work together with you to escalate it as much as possible". High bounties are also a nice addendum :) #BugBounty #bugbountytips

Romhack is coming up and the CfP is still open! Got novel research you’d love to present in front of an eager audience, with the stunning Roman landscape as your backdrop, and on the same stage where @jameskettle.com will deliver the keynote? Submit now! cfp.romhack.io/romhack-2025/

We are so excited to announce the publication of our audit of PHP core! This work was made possible through a collaboration between OSTIF, @thephpf.bsky.social, and @quarkslab.bsky.social with funding provided by @sovereign.tech. For the report and further links, check out ostif.org/php-audit-co...

Is there a way I can wipe this from my brain? Jim Carrey any recommendations? mobapc.it/prodotto/sha...

Just published some talks on tumpicon.org Wanna join us? Follow the trail 🥾

Last week Apple released MacOS 13.4 which contains a fix for a vulnerability @suidpit.bsky.social exploited to escape the Sandbox. Update now and stay tuned for the technical details! Ref: support.apple.com/en-us/122373

Woah -- more Google Chrome VRP swag in my mailbox today! Wondering how to get some yourself? Find vulnerabilities in Chrome! More info here: bughunters.google.com/about/rules/...

One of my old Google VRP reports just went public -- check it out if you want to see an example of CEF exploitation. bughunters.google.com/reports/vrp/...

Our next meetup is a presentation from our friends at X41 D-Sec GmbH. Join us next Wednesday, March 26th, at 14:00 CDT for a presentation and discussion with Markus Vervier and Eric Sesterhenn on their audit of @mullvad.bsky.social. We can't wait for this one! RSVP at lu.ma/wreregye

We recently analyzed the latest Cellebrite device support matrix published in February 2025. The reality is worrisome. It can be used to unlock most of the mobile devices we use every day. Read our report: (ENG) osservatorionessuno.org/blog/2025/03... (ITA) osservatorionessuno.org/it/blog/2025...

Swag day -- thanks ChromeVRP and @amyre.bsky.social

In Lausanne for @1ns0mn1h4ck.bsky.social? Don’t miss the chance to meet our very own @not4nhacker.bsky.social! If you're into cursed OAuth hacking techniques or breaking mobile apps, find a comfy spot -- you might be there for a while!

Hey hackers! We’ve started sending out the first invites — check your inbox! 👀 Didn’t get one? Take the fast track and submit a talk!

tmux and chill

🗣️

On my way to @fosdem.bsky.social! If you are into securing open source code then we should definitely have a chat -- looking forward to meeting y'all!

Discover blocklist bypasses via unicode overflows using the latest updates to ActiveScan++, Hackvertor & Shazzer! Thanks to Ryan Barnett and Neh Patel for sharing this technique. portswigger.net/research/byp...

🚨 New Open Source Audit Alert! 🚨 Shielder, with @ostifofficial.bsky.social & @cncf.io, audited karmada-io: 🔍 6 issues found (1 high, 1 medium, 2 low, 2 info) ✔️ Most fixed, others planned. 🗣️ to @suidpit.bsky.social and @thezero.org Full details in the blog post! www.shielder.com/blog/2025/01...

Love when we can publish the results of our effort!

The second edition of TumpiCon is here! 📅 June 27-28, 2025 📍 Somewhere near Turin, Italy 🔒 Invite-only No flashy stages. No fluff. Just raw, technical, and unfiltered hacking. More details? If you know, you know. Follow the trail: tumpicon.org

Looking for a chill, invite-only, and uncensored conference? Then you are in the right place :)

Ever wondered why you NEVER see chunked responses in Burp? 🤔 The answer is simple, default settings hide them! 🫣 Go to "Settings > Network > HTTP > Streaming responses" to make them appear 🔍

I have discount codes for *annuals plans* of Mozilla VPN, Firefox Relay Premium Email Masking and Monitor Plus (US only). Message me in private. Happy to hook you up, if we know each other :) #ad

Have you tried my december XSS challenge? The solution's public now in this writeup! It includes two vulnerabilities in CodeIgniter that abuse the cache storage format and bypass its builtin XSS filter. Merry Christmas! 🎄

⚠️Challenge time again⚠️ It is based on a real-world situation. Use the HTML injection to leak the flag to an external domain ☃️ This time, send solutions in DM; we don't want to spoil the fun. I also might want to patch any obvious blunder I made creating it joaxcar.com/xss/outer.ht...

TIL: Array.fromAsync([1],alert)

Some cool new additions on cspbypass.com for skype.[com] and x.[com]/ twitter.[com]

Imagine opening a Discord message and suddenly your computer is hacked. We discovered a bug that made this possible and earned a $5,000 bounty for it. Here's the story and a beginner-friendly deep dive into V8 exploit development. watch: youtu.be/R3SE4VKj678?...

You wake up. It’s 2013. Some language platform has chosen to use an insecure algorithm for its random() function, and HN is blaming the numerous security flaws that resulted from this decision on individual software developers. www.zellic.io/blog/proton-...

Our 2024 collaboration report with the @cncf.io is available to read at ostif.org/2024-cncf-os...! Learn about our ongoing work managing security audits for CNCF projects, dive into specifics about Notary's second OSTIF audit, and see how funding is spent to improve security.

Welcome to #curl 8.11.1 daniel.haxx.se/blog/2024/12...

This is really great research by @ryotak.net - I appreciated that he covered some of his experiments along the way, and how he landed on a finely tuned way of finding a 12-char hash collision with a command injection payload at the end. flatt.tech/research/pos...

Awesome research! It's always crazy how many vulnerabilities you can still find by just reading RFCs 🔥

Sweeet a unicode table is now in Shazzer! shazzer.co.uk/unicode-tabl...

Wow - @nastystereo.com Is on fire! Are you doing some kind of infosec advent calendar in your blog? It's amazing to see such great content each day! 🔥

My latest blog post is live 🔥 Read it to learn what SafeMarshal is and *two* very different ways to escape and get RCE! Read it to find out why Date is *not* a safe class in Ruby or how to leverage serialized strings being constructed with string concatenation! nastystereo.com/security/rub...

New blog post is up! Shiny Vulnerabilities in R's Most Popular Web Framework nastystereo.com/security/r-s... Turns out the programming language R is used for more than statistics, including web apps!

Knock knock! Anybody home? We're pumped to be on (yet another) social media platform. Follow us for #opensource security, meetups, and opportunities to get involved with the Open Source Technology Improvement Fund!

Encoding isn't magic ✨: It doesn’t bypass filters or hack systems unless something decodes it. Learn how to avoid this common security misconception: pentesterlab.com/blog/encodin... #AppSec #CyberSecurity #BugBounty