Alex Chapman
@ajxchapman.bsky.social
Full Time #BugBounty Vulnerability Researcher
https://blog.ajxchapman.com
pinned post!
My bug hunting methodology
11 months ago
reposted by
Alex Chapman
Rhianna Pratchett
1 day ago
Dad’s books are full of empathy, common sense, and a healthy suspicion of the powerful. But at its heart his work is also about how systems keep people poor while pretending it’s their own fault. So I hope Kemi’s taking notes as well as reading the jokes.
reposted by
Alex Chapman
An in-depth summary of the consequence of Google VRP increasing bounties in 2024. "We observe statistically significant increases in the reporting of high-value bugs, especially in the highest impact tiers and high merit submissions." 🔥
arxiv.org/abs/2509.16655
Incentives and Outcomes in Bug Bounties
Bug bounty programs have contributed significantly to security in technology firms in the last decade, but little is known about the role of reward incentives in producing useful outcomes. We analyze ...
https://arxiv.org/abs/2509.16655
10 days ago
The new favourite fidget toy on my desk is the Zippo lighter I've had since I was a teenager. There is something about the noise of the cap flipping open and flint sparking. This has replaced the ever popular poker chips. Needless to say, I am not a great example for my kids 😬
21 days ago
Hackers tops the list of films that have influenced my life. Without seeing this film as a young teen I may not have misspent my youth in front of a computer trying to understand how it all worked. Which, despite what my parents suggested at the time, seems to have worked out well for me 😆
23 days ago
That feeling when you finally read that blog post you've had open in a browser tab for 3 months, and it's complete garbage 😑
27 days ago
It's been another year since my wife and I lost our first daughter Chloë. She would have been 7 today. With each passing year I can't help but think about what her life would have been like, what our life would have been like, had she been given a chance. I love her so much, but don't even know her.
about 2 months ago
This jaw dropping write-up of an LLM solving a DEF CON CTF challenge(!) with minimal human interaction 🤯 It seems like "vibe-reversing" is becoming a viable option now...
All You Need Is MCP - LLMs Solving a DEF CON CTF Finals Challenge
DEF CON CTF Every year world-class teams play difficult CTFs such as Plaid CTF and HITCON CTF in an attempt to qualify for DEF CON CTF by getting first place. There are usually only 3-4 CTFs a year de...
https://wilgibbs.com/blog/defcon-finals-mcp/
about 2 months ago
There is something quite depressing about many of the advertised agentic AI use cases being posting "viral" content to social media. It stinks of one person assuming their time is inherently worth more than everyone else.
2 months ago
I've said it before and I'll say it again, Windows 11 is _such_ a hostile user experience, it's like they've actively tried to make it unpleasant to use 😑
2 months ago
reposted by
Alex Chapman
avi bagla
2 months ago
Can Bluesky say every word in the dictionary? I dunno but I plan to find out! I made a website that tracks every single word said on bluesky (as of yesterday).
reposted by
Alex Chapman
James Kettle
2 months ago
The whitepaper is live! Learn how to win the HTTP desync endgame... and why HTTP/1.1 needs to die:
http1mustdie.com
HTTP/1.1 Must Die
Upstream HTTP/1.1 is inherently insecure, and routinely exposes millions of websites to hostile takeover. Join the mission to kill HTTP/1.1 now
https://http1mustdie.com/
reposted by
Alex Chapman
Samuel Groß
2 months ago
We released our Fuzzilli-based V8 Sandbox fuzzer:
github.com/googleprojec...
It explores the heap to find interesting objects and corrupts them in a deterministic way using V8's memory corruption API. Happy fuzzing!
Add V8SandboxFuzzer · googleprojectzero/fuzzilli@675eccd
This is a basic fuzzer for the V8 Sandbox. It uses the memory corruption API to implement a random-but-deterministic (given a seed) traversal through the V8 heap object graph and corrupts some obje...
https://github.com/googleprojectzero/fuzzilli/commit/675eccd6b6d0c35ea6c7df24a0a1e513cce45bb3
reposted by
Alex Chapman
I presented my magnum opus in 2014 and have been in steady decline ever since.
3 months ago
reposted by
Alex Chapman
There are bad security takes, and then there is @daniel.haxx.se attempting to shame @jameskettle.com for not "responsibly disclosing" a vulnerability to the curl project that doesn't affect the curl project... and _then_ complaining the details are being kept "secret" :facepalm:
daniel:// stenberg://
the website, the naming, the scare, the secrecy
https://mastodon.social/@bagder/114890176383466057
3 months ago
After the intense focus of Live Hacking Events, I often find myself at quite a deep emotional low point. The highs of the event fade, focus needs to completely shift to other, usually less valuable, targets. I find these events hugely rewarding, but need to remember to be kind to myself after them.
3 months ago
reposted by
Alex Chapman
Samuel Groß
3 months ago
If you have a machine with PKEY support and somewhat recent Linux kernel you can now play around with hardware support for the V8 sandbox. When active, JS + Wasm code has no write permissions outside the sandbox address space. To enable, simply set `v8_enable_sandbox_hardware_support = true`.
Famous last words: > This just leads to weird behavior, not a vulnerability
3 months ago
reposted by
Alex Chapman
Geluchat
3 months ago
Today was my last day as a pentester at Bsecure. After a three-year journey of hunting on the side, I’m ready to go all-in as a full-time bug bounty hunter. You can read about my journey from pentester to full-time hunter here:
gelu.chat/posts/from-p...
Finding Freedom, One Bug at a Time: My Journey from Pentester to Full-Time Hunter
After seven years in pentesting, I transitioned full-time into bug bounty hunting, leveraging deep experience and continuous learning. This article shares key moments and insights from that journey.
https://gelu.chat/posts/from-pentester-to-fulltime-hunter
Yesterday I discovered it's theoretically possible to create an ASCII Jar file, one where each byte of the file is a valid ASCII character. Today I'm trying to create one. Sometimes I regret my impulses.
3 months ago
I often find when explaining complex exploits that it can appear like such an unlikely event that the exploitable steps exist. In reality it's just _this_ is the particular set of unlikely steps I found. I'm sure there are others, but I stopped looking after these steps were successful 🤔
3 months ago
I love it when I answer my own questions
3 months ago
I've recently reported a bug that was _caused_ by patching. If the old version of the library was left unpatched it wouldn't have been vulnerable 🫣 Remember folks, don't patch your dependencies... or do... or you are damned either way 🤷♂️
4 months ago
At 33,500,000,000 hashes / second, it'll only take *checks calculator* 17.5 years and $115,000 for an exhaustive search... I might need to rethink this 🤔
4 months ago
I'm currently at the "Is it worth it to rent some cloud GPUs in order to attempt to bruteforce a hash" stage of bug hunting 😬
4 months ago
CVE-2025-5419 ITW Chrome exploit mitigated in 1(!) day after report to all users without requiring a browser update 🤯 I hadn't read up on the Finch Kill Switch before, such a powerful exploit mitigation feature from the Chrome team!
developer.chrome.com/docs/web-pla...
What is a Chrome Finch experiment? | Web Platform | Chrome for Developers
Learn about how Chrome safely ships new features.
https://developer.chrome.com/docs/web-platform/chrome-finch
4 months ago
reposted by
Alex Chapman
James Kettle
4 months ago
The recording of my recent AMA with the Burp Suite Discord community has just landed on YouTube! 40 minutes of unscripted Q&A on security research, AI, and Burp Suite:
youtu.be/mgmUZ9odkvU
AMA: James Kettle on Burp Suite, AI & Security Research
YouTube video by PortSwigger
https://youtu.be/mgmUZ9odkvU
reposted by
Alex Chapman
renniepak
5 months ago
For those who missed it, check out my talk, “Widgets Gone Wild: Exploiting XSS through Flawed postMessage Origin Checks.” 📺 Watch here:
www.youtube.com/watch?v=qgB0...
🖥️ Follow along with the slides:
0-a.nl/nahamcon/
Widgets Gone Wild: Exploiting XSS Through Flawed postMessage Origin Checks
YouTube video by renniepak
https://www.youtube.com/watch?v=qgB0ygRW2Ug
reposted by
Alex Chapman
renniepak
5 months ago
The slides and examples for my talk "Widgets Gone Wild: Exploiting XSS Through Flawed postMessage Origin Checks" at NahamCon can be found here:
0-a.nl/nahamcon/
reposted by
Alex Chapman
renniepak
5 months ago
If you’re into bug bounty hunting and like finding weird XSS bugs (like me 😊) in places most people overlook, come check out my talk at NahamCon 2025 this Friday, May 23. "Widgets Gone Wild: Exploiting XSS Through Flawed postMessage Checks"
A skill I would have expected to develop as a #BugBounty hunter is video editing 🤔 The number of PoC videos I've had to produce over the years. I really wish I could share some of them... especially the ones with explosions in 😆
5 months ago
To whoever got a hold of one of my old (private) WebKit exploits, you should probably change the logging URL to point to something other than my web server :facepalm: Also, if you are having problems with it, check your ROP addresses 🤷♂️
5 months ago
reposted by
Alex Chapman
Russ Jones
5 months ago
Shameful bullish. What's done incalculable damage is a decade of pernicious falsehoods about immigration, while people who should know better refuse to counter the lies of the increasingly normalised far right. Let's tackle those lies:
Just got paid a critical bounty for a report submitted over 18 months ago 🤯 I'd long ago given up hope on that report, a very happy Monday indeed. I wonder what the longest time on any program from report to bounty is 🤔
5 months ago
With the rise in AI slop bug reporting, us remaining human bug hunters are going to need to stand out. From now on I'm going to title all my bug reports "hand made" and "artisanal" 😆
5 months ago
reposted by
Alex Chapman
6 months ago
My writeup for CVE-2024-7971. Just a POC. Let me know if u have any questions.
github.com/mistymntncop...
https://github.com/mistymntncop/CVE-2024-7971/blob/main/poc.js
The number of incredibly talented Vulnerability Researchers who are incredibly bad at Exploit Development is mind boggling
6 months ago
reposted by
Alex Chapman
cje
6 months ago
"Push harder than you think you should when something is very close to being exploitable. There is often a way." PREACH IT @rhynorater!!!
www.bugcrowd.com/blog/hacker-...
reposted by
Alex Chapman
Wiz io
7 months ago
#IngressNightmare: Wiz Research uncovers a critical vulnerability in Ingress-NGINX 🚨 Wiz Research found a novel attack vector in one of Kubernetes's most fundamental projects, Ingress-NGINX, which is rated CVSS 9.8.
I have "thoughts" on the Triage Efficiency topic raised by @monke.ie here, but broadly agree. There is very limited triage time; it makes little sense to spend that time triaging reports from program-established hackers. Also, triage metrics are bad, and I believe the reason behind many NMI responses.
7 months ago
There is nothing more humbling, as an industry veteran of nearly 18 years, than to read up on a complex topic you don't yet understand and have the blog post which explains it all start: "As part of my internship". There are some truly talented people out there, both 'experienced' and new to the industry.
7 months ago
Writing exploits for V8 with DCHECKs enabled is a whole different game. So many more hoops you have to jump through and things that'll trip you up. Lot of fun though!
7 months ago
I've received 4 unique solutions to this challenge so far. Who knew securing against XSS could be so difficult??!? 😆 I'll publish all solutions next Monday, but will be keeping the challenge online indefinitely.
7 months ago
Following others' lead, I put together an XSS challenge to solve a somewhat tricky injection I'd come across. In producing the challenge I came up with my solution (so in that way I guess it served its purpose) but interested in how others would approach it 🤔
blog.ajxchapman.com/xss/challeng...
7 months ago
If you haven't seen elburritomonster on YouTube yet this is a sign you definitely should!
7 months ago
It would help if I actually served an exploit payload to this crawler instead of a 404 page :facepalm: Let's try again on 1st April 🤞
7 months ago
It's really a testament to the Chrome / V8 dev team's skill that Chrome renderer & v8 sandbox escape exploits can work without modification across operating systems (Linux, Windows and macOS) and architectures (x86, x64 and aarch64) 🤯
7 months ago