"AntiCheat-Testing-Framework" is all the code developed during my research for @reconmtl I hope it will help people understand how Anti-Cheats work, and let them dive into this amazing topic. Feel free to collaborate. https://t.co/sh2qr3Kuj1 #security #reversing

This week, Disclosed. #BugBounty H1-65 Singapore & H1-468 Stockholm winners, new H1-Elites, Google’s AI VRP, YesWeHack wins EU tender, new programs, tools, write-ups & videos — and more. Full issue → https://t.co/P2Zjyh57Bs Highlights below 👇 @tiktok_us & @okx H1-65

🚨 Critical SQL injection in Chef Automate (CVE-2025-8868) If you're running Chef for infrastructure automation, patch immediately to version 4.13.295 or later. Full technical breakdown: https://t.co/BtOAk40tVn What XBOW found 🧵

Unfortunately only one of them was in person to receive the poster. But we will ship them a framed version, fear not. Congrats @niemand_sec! Well deserved.

Polymarket is coming back to the US. 🇺🇸 Get on the waiting list to get early access to Polymarket's fully regulated U.S. trading platform:

Congratulations to the new @Hacker0x01 H1-Elite members, @niemand_sec, @ArchAngelDDay and @mallocsys. Well deserved. Some More to come soon! Stay tuned!

200+ real vulns. 0 false positives. XBOW agents ran autonomous exploits across Docker Hub webapps, and uncovered vulnerabilities traditional tools miss. Systematic. Validated. No assumptions. 🗓️ This Thurs — @moyix + @pwntester lead a live breakdown https://t.co/Wztoo32YGs

Our talk is available on YouTube now!! 🔥🔥 Hope you enjoy it!

Tomorrow we will be releasing the recording of our talk at the @BugBountyDEFCON Stay tuned!!

XBOW is moving on from Bug Bounties. As I’ve always said, BBs are a great playground, not just for learning, but also for testing your tech and tooling. We learned a lot. We leveled up a lot.

Wandering through DEFCON someone yelled at me “hey it’s Mr False Positives!!”. Sadly, I was slightly too slow on the uptake to reply “That’s right, first name ‘Zero’”

Are you hyped? Because I am! 🤩 At 10 AM, @defcon 33 kicks off, and three talks/workshop are happening at the same time in the @BugBountyDEFCON : ✅ @Rhynorater and his masterclass in Caido (my initial plan was to attend this one, a bit sad to miss it, but also happy at the

If you want to know more about how we got into the top leaderboard of @Hacker0x01 , we wait for you tomorrow at the creator stage!

Tomorrow, 10:00 AM @ #defcon33 @djurado9 & @niemand_sec break down how we built XBOW. Hear about the journey, the challenges, and the most impressive bugs we've found, straight from our top researchers.

First vulnerability of the day! We’re at Black Hat, come meet the team. 📍 Booth 3257

The new episode of @ctbbpodcast is out! Huge thanks to @Rhynorater and @rez0__ for having me. I had a great time chatting with you about XBOW and HackerOne’s Ambassador World Cup. It was a blast! 🫶🏼

Found by @Xbow, Blogpost written by @pwntester, thread written by @moyix What a combo!

⚡️XBOW found LFI where most tools would have given up. Photo download endpoint blocked all path traversal attempts. But JavaScript analysis revealed /photo/proxy?url= - vulnerable to file:// scheme access. Successfully read a password file via proxy endpoint. Technical

What if two AI models could collaborate without knowing it? Our Head of AI, Albert Ziegler developed "model alloys" - alternating between different LLMs in a single conversation. Sonnet handles some steps, Gemini others, but neither knows about the switch. Result: 55% solve

Super excited to share our results once again at @BugBountyDEFCON Especially in the company of a great colleague and friend, @djurado9 :)

New 0-day from XBOW: Arbitrary File Read in a well known WordPress Plugin

Salesforce Aura is an app that we all have to deal with at least once in our life. I was so surprised when XBOW popped up this finding that many of us missed for a long time.