zlacker

[parent] [thread] 6 comments
1. tptace+(OP)[view] [source] 2025-06-24 18:38:29
Moreover, I don't think XBOW is likely generating the kind of slop beg bounty people generate. There's some serious work behind this.
replies(2): >>teclea+b1 >>radial+s1
2. teclea+b1[view] [source] 2025-06-24 18:43:21
>>tptace+(OP)
Still they're sending hundreds of reports that are being refused because they are not following the rules of the bounties. So they better work on that.
replies(1): >>tptace+u3
3. radial+s1[view] [source] 2025-06-24 18:44:32
>>tptace+(OP)
Do you have sources for if we want to learn more?
replies(1): >>moyix+h6
◧◩
4. tptace+u3[view] [source] [discussion] 2025-06-24 18:52:58
>>teclea+b1
If you thought human bounty program participants were generally following the rules, or that programs weren't swamped with slop already... at least these are actually pre-triaged vetted findings.
replies(1): >>teclea+Qv
◧◩
5. moyix+h6[view] [source] [discussion] 2025-06-24 19:04:07
>>radial+s1
We've got a bunch of agent traces on the front page of the web site right now. We also have done writeups on individual vulnerabilities found by the system, mostly in open source right now (we did some fun scans of OSS projects found on Docker Hub). We have a bunch more coming up about the vulns found in bug bounty targets. The latter are bottlenecked by getting approval from the companies affected, unfortunately.

Some of my favorites from what we've released so far:

- Exploitation of an n-day RCE in Jenkins, where the agent managed to figure out the challenge environment was broken and used the RCE exploit to debug the server environment and work around the problem to solve the challenge: https://xbow.com/#debugging--testing--and-refining-a-jenkins...

- Authentication bypass in Scoold that allowed reading the server config (including API keys) and arbitrary file read: https://xbow.com/blog/xbow-scoold-vuln/

- The first post about our HackerOne findings, an XSS in Palo Alto Networks GlobalProtect VPN portal used by a bunch of companies: https://xbow.com/blog/xbow-globalprotect-xss/

◧◩◪
6. teclea+Qv[view] [source] [discussion] 2025-06-24 21:34:41
>>tptace+u3
But I was hoping the idea wasn't "as there's a lot of sloppy posts, we're going to be sloppy too let's flood them". So, use the AI for something useful and at least grep the rules properly. That'd be neat.
replies(1): >>weq+yi1
◧◩◪◨
7. weq+yi1[view] [source] [discussion] 2025-06-25 06:56:16
>>teclea+Qv
In the first version it grepped the rules properly. By the 10th interation those rules were lost to the heavens, and replaced by a newly hallucinated set that no one noticed because everyone was now dumber.
[go to top]