BBLabs NewsBBLabs News
NewsAll articlesTopics
ES
Live·40 d ago·Shopify: email confirmation bypass → account takeover
7 articles·4 streams
TopicsCVEAIBug BountyCyberattacks

Bug bounty newsletter

If you're into bug bounty (or want to start), this newsletter curates and summarises disclosed writeups from HackerOne, Bugcrowd and Intigriti. Daily: one highlighted writeup — bug class, technique, concrete payload, program, payout, and the lesson you can apply on your next target. We cover IDOR, SSRF, auth bypass, account takeover, RCE in production, creative chains, and overlooked in-scope bugs. The idea: spend 3 minutes a day, keep levelling up as a hacker, without manually trawling every platform. Curated by Gorka (creator of 0xGorka), free, no spam.

Subscribe freeBrowse all articles

Latest Bug Bounty articles

Bug Bounty31 may 2026·2 min

Shopify: email confirmation bypass → account takeover

@ngalog bypassed Shopify's patch for a prior email-confirmation bug and verified arbitrary emails to access accounts they didn't own.

Leer artículo
Bug Bounty30 may 2026·2 min

Ruby JSON.generate leaks heap memory via null bytes

Ruby's JSON.generate leaks arbitrary heap memory when null bytes are passed via JSON::State.space.

Leer artículo
Bug Bounty28 may 2026·2 min

TaxJar: org owner could hijack any member's account

TaxJar (Stripe) let an org owner overwrite any member's email address, enabling full account takeover.

Leer artículo
Bug Bounty27 may 2026·2 min

Kimwolf DDoS-for-hire botnet operator arrested in Canada

DoJ arrests Canadian operator of Kimwolf, a DDoS-for-hire botnet built as a variant of AISURU.

Leer artículo
Bug Bounty26 may 2026·3 min

Repo jacking on bundler.io: open supply chain attack

Repo jacking on bundler.io let an attacker claim Bundler's orphaned GitHub repo and inject malicious code into any Ruby project referencing it.

Leer artículo
Bug Bounty26 may 2026·1 min

Jacob Butler arrested for running Kimwolf botnet

Canadian Jacob Butler, 23, arrested for running the Kimwolf botnet; US seeks extradition on federal hacking charges.

Leer artículo
Bug Bounty24 may 2026·2 min

KimWolf botnet admin charged: 2M devices, US-Canada joint op

US and Canadian authorities charged a Canadian national for running KimWolf, a DDoS botnet that infected nearly two million devices worldwide.

Leer artículo

Bug Bounty — frequently asked questions

What is bug bounty and how do I start?+

Bug bounty is a program where companies pay ethical hackers to find vulnerabilities in their products. To start: learn the OWASP Top 10, set up a lab (Burp + vulnerable targets like PortSwigger Academy), sign up on HackerOne and Bugcrowd, and pick programs with broad scope + realistic payouts. This newsletter shares disclosed writeups to accelerate your learning curve.

Which platforms do you cover?+

HackerOne, Bugcrowd, Intigriti, YesWeHack, Immunefi (Web3), and disclosure directly via GitHub Security Advisories. When a writeup is worth it, we summarise it: bug class, payload, program, payout, and the takeaway.

Is bug bounty legal?+

Yes, as long as you stay within the program's scope. Each platform defines which assets are in scope, which types of testing are allowed (no DoS, no real data access), and how to report. Going out of scope can be illegal — always read the rules before testing.

BBLabs NewsBBLabs News

BBLabs News

Una historia al día. Cero ruido.

Newsletter técnica de ciberseguridad. Una historia al día sobre CVEs críticos, brechas, bug bounty e IA. Filtrado por IA, escrito para humanos.

Producto

  • Hemeroteca
  • Ediciones
  • Temas
  • Glosario
  • RSS
  • Atom
  • JSON Feed

Editorial

  • Acerca de
  • Suscribirse
  • Cuenta
  • English

Legal

  • Privacidad
  • Términos
  • Contacto: team@bblabs.es

Conectar

  • YouTube · @0xGorka
  • Instagram · @bblabs.es
  • Discord BBLabs
  • Discord Bug Bounty ES
31 artículos·10 ediciones·Desde 2026·Hecho en España
© 2026 BBLabs News·Por Gorka El Bochi