dang dude I'm gonna be out of a job real quick. I wish it had occurred to me to advise people to implement authentication.

RT @vxunderground: those mfers did WHAT?

if you actually cared about command injection you'd just patch it yourself.

If you landed in red check out this website:

Just taking the opportunity to repost this classic

RT @lonelysloth_sec: @Ehsan1579 I usually take the opposite approach. Whenever I audit a codebase I can give a 100% guarantee that I’ll mis….

Friendly reminder to devs to create a SECURITY[.]md file.

Bug bounty programs won't survive if they continue to be DDoS'd by LLM slop. It stops being worth the effort to triage. If you make money from bounties, or believe they're good for security, then you should refrain from and discourage slop submissions.

RT @zack_overflow: Prior to coding agents, I used to think bike-shedding like this about code/file structure and naming was a massive waste….

RT @osec_io: NEW: Building on Cosmos?. We uncovered hidden bugs commonly overseen by developers, backed by real-world examples. Our latest….

My guess is that it's a misapplication of the EVM security model to Solana:.- the bug classes aren't one-to-one.- Anchor's internals change a ton.- Solidity is a silly language that's easy to learn by pattern matching, but Rust demands a lot more understanding to get right.

PSA: Pretty much every "Solana/Anchor top vulnerabilities" checklist I've seen has numerous entries that are wrong. Either the remediations are wrong or entire bug classes are made up (perhaps hallucinated?).

👀👀👀 .Alternate title: retroactively justifying all of my Informational findings.

👀👀

👀

RT @Montyly: Might be a hot take but “More audits, contests, or bigger bounties” is not always the best advice. What protocols often need t….

"gibberish".

I feel the opposite way for the most part. I really wish that Go actually was "boring" but instead there are a million hidden ways for your code panic at runtime.

RT @_FelixsIntern: GitHub is my TikTok.