Another one of my reports got disclosed 🎉. @GoogleVRP did a great job of nearly eliminating XSS-es from their core apps, but some are still to be found. A technical writeup, describing this and corresponding issues, should be published by end of month 🤞.

Still can't quite believe that one of my reports won the most creative category award at recent @GoogleVRP bugSWAT LHE! 🎉. Can't disclose the details yet but I'll surely cover the entire attack scenario in a dedicated writeup.

I'm honestly blown away by how much using tools like Gemini CLI & Claude Code, aids in vulnerability research. 🤯. It feels like having a conversation with the more technical coworker who actually went through the code 😆.

RT @terminatorLM: 👻This is GerriScary: a vulnerability I discovered in Google's Gerrit that allowed to hack several projects and affected 1….

Sharing a writeup on Bucket Traversals, which in my opinion is an under researched vulnerability class:. It's based on a case study which ended being rewarded by OSS @GoogleVRP:. I hope you'll find it interesting!

@GoogleVRP PS. I don't really like XSS as an attack vector but this one was cool.

@GoogleVRP None of the current guesses are close - it's a cloud specific scenario which was reported and written about in the past. I intend to stick with the standard 90 days post disclosure / 30 days post fix practice, so no details until then.

Well-known attack technique, still relevant. Will publish an educational writeup in a few weeks/months🤞. @GoogleVRP

Rarely do I post but this is in my book a must watch by @snyff. Great insights and for me personally a much needed recalibration of expectations & approach.

RT @S1r1u5_: Imagine opening a Discord message and suddenly your computer is hacked. We discovered a bug that made this possible and earne….

RT @gregxsunday: Story of a Cloud Architecture Diagramming Tool gone wrong by @j_domeracki.#BBRENewsletter84 https:….

Sharing a technical writeup, which goes over an almost year long responsible disclosure process:. The severity of disclosed shortcomings, resulted in getting decommissioned 🚧. Greatly appreciate the cooperation with @GoogleVRP! 🎉.

Doomsday or blessing? 🤔.

RT @shanselman:

Nice 👌.