Bug bounty newsletter
If you're into bug bounty (or want to start), this newsletter curates and summarises disclosed writeups from HackerOne, Bugcrowd and Intigriti. Daily: one highlighted writeup — bug class, technique, concrete payload, program, payout, and the lesson you can apply on your next target. We cover IDOR, SSRF, auth bypass, account takeover, RCE in production, creative chains, and overlooked in-scope bugs. The idea: spend 3 minutes a day, keep levelling up as a hacker, without manually trawling every platform. Curated by Gorka (creator of 0xGorka), free, no spam.
Latest Bug Bounty articles
Shopify: email confirmation bypass → account takeover
@ngalog bypassed Shopify's patch for a prior email-confirmation bug and verified arbitrary emails to access accounts they didn't own.
Ruby JSON.generate leaks heap memory via null bytes
Ruby's JSON.generate leaks arbitrary heap memory when null bytes are passed via JSON::State.space.
TaxJar: org owner could hijack any member's account
TaxJar (Stripe) let an org owner overwrite any member's email address, enabling full account takeover.
Kimwolf DDoS-for-hire botnet operator arrested in Canada
DoJ arrests Canadian operator of Kimwolf, a DDoS-for-hire botnet built as a variant of AISURU.
Repo jacking on bundler.io: open supply chain attack
Repo jacking on bundler.io let an attacker claim Bundler's orphaned GitHub repo and inject malicious code into any Ruby project referencing it.
Jacob Butler arrested for running Kimwolf botnet
Canadian Jacob Butler, 23, arrested for running the Kimwolf botnet; US seeks extradition on federal hacking charges.
KimWolf botnet admin charged: 2M devices, US-Canada joint op
US and Canadian authorities charged a Canadian national for running KimWolf, a DDoS botnet that infected nearly two million devices worldwide.
Bug Bounty — frequently asked questions
What is bug bounty and how do I start?
Bug bounty is a program where companies pay ethical hackers to find vulnerabilities in their products. To start: learn the OWASP Top 10, set up a lab (Burp + vulnerable targets like PortSwigger Academy), sign up on HackerOne and Bugcrowd, and pick programs with broad scope + realistic payouts. This newsletter shares disclosed writeups to accelerate your learning curve.
Which platforms do you cover?
HackerOne, Bugcrowd, Intigriti, YesWeHack, Immunefi (Web3), and disclosure directly via GitHub Security Advisories. When a writeup is worth it, we summarise it: bug class, payload, program, payout, and the takeaway.
Is bug bounty legal?
Yes, as long as you stay within the program's scope. Each platform defines which assets are in scope, which types of testing are allowed (no DoS, no real data access), and how to report. Going out of scope can be illegal — always read the rules before testing.







