Jomar
@J0_mart
Followers
2K
Following
114
Media
62
Statuses
790
Sharing is knowledge
Joined August 2012
Big news: @rez0__ and I just launched a new LLM evaluation designed to test for one of the most dangerous model failure modes—sycophancy. We call it: The Glazing Score 👇
One of the hardest parts of a security code review? Figuring out how the project is structured. https://t.co/TxPtEGUyuM just changed the game: 🧠 Repo overview 🧩 Component relationships 🧭 Architecture map 💬 Ask: “Any secrets?” “SQLi here?” Try it. It's 🔥 for AppSec.
deepwiki.com
DeepWiki provides up-to-date documentation you can talk to, for every repo in the world. Think Deep Research for GitHub - powered by Devin.
I just started a blog to share my experiences in Web2 and Web3! My first post is live: https://t.co/l3AkSEjKCB I hope it will be helpful, especially for those getting started!
blog.rmsec.io
How a simple OAuth client-credentials leak led to a full PII exposure—and what every bug hunter must learn from it.
Recently found an unauthenticated file upload on a public bug bounty program's SOAP service! Managed to upload a PHP webshell via the SOAP documentRequest feature and almost gained code execution. Full #writeup coming soon! #BugBounty
Just published a new blog post on the collaborative environment we use with @R_Marot for smart contract auditing https://t.co/pOwNCsLmU9 This can easily be replicated for web2 code audits and it makes teamwork much easier
blog.jomar.fr
In cybersecurity, collaboration is essential; this ensures that multiple perspectives and expertise converge to uncover vulnerabilities more effectively, where overlooking even small issues can lead...
Bad timing: a few hours after my tweet, Bugcrowd announced that MFA is mandatory and pushed a change that broke the authentication system in ScopesExtractor. I've just pushed the fix!
It's been a long time since I posted a blog post! Today I posted "Extract and monitor bugbounty scopes" https://t.co/vitfIMFbwe With new projects in the pipeline, I've already lined up a number of upcoming articles 😁
blog.jomar.fr
Extract and monitor bugbounty scopes
🚀 We wrapped up our first First Flight event on @CodeHawks with my teammate @J0_mart! 🔥 An amazing first experience with quite good results: 5 high / 1 medium / 1 low vulnerabilities reported. Time to keep sharpening our skills and leveling up our audits!
Last month, our Security Research team discovered and disclosed a critical pre-authentication RCE in CraftCMS (CVE-2024-56145). You can read our blog post on the issue here: https://t.co/5XKTpW5SNq
After H1-0131 and H1-702, we wanted to share our experience as LHE hackers for aspiring hackers and newcomers.
#CyberPanel (n)day pre-auth root RCE drop 🎁 I also intended to note down my mental process while auditing the code since the bug is relatively easy; definitely recommended for upcomers. Left a challenge at the end if you want to find your own n-day bug :) https://t.co/jAtQG9zQFV
1 Bug, $50K+ in bounties: how Zendesk left a backdoor in hundreds of companies #bugbountytips
https://t.co/8pkfFsXRWR
gist.github.com
1 bug, $50,000+ in bounties, how Zendesk intentionally left a backdoor in hundreds of Fortune 500 companies - zendesk.md
gowitness v3 is out! A huge task, but I refactored basically _everything_ for version 3 in just over a week, followed by also writing the longest release notes of my life! Hopefully it's the best version yet. A lot has changed, so feel free to dig in. 🤖 🧵👇
🔥 White-Box Penetration Testing: Debugging For Python Vulnerabilities 🔗 https://t.co/cS3vAfgs3c
#BugBounty
Someone just exploited https://t.co/hSm8iKVvZs with a Pwn Request and added their payloads to the main branch… @stripe
github.com
Learn how to accept a payment from customers around the world with a variety of payment methods. - stripe-samples/accept-a-payment
In April, @samwcyo and I discovered a way to bypass airport security via SQL injection in a database of crewmembers. Unfortunately, DHS ghosted us after we disclosed the issue, and the TSA attempted to cover up what we found. Here is our writeup: https://t.co/g9orwwgoxt
🚀 Introducing SanicDNS 🚀 Looking for lightning-fast domain resolutions? SanicDNS resolves up to 5M domains per second! 🏎️💨 https://t.co/aE01QGeAq8
github.com
Gotta go fast. Contribute to hadriansecurity/sanicdns development by creating an account on GitHub.