We discovered two more JS Prototype Pollution vulnerabilities in one more npm package: CVE-2020-28449, CVE-2020-28450. The package has ~200 weekly downloads, so its popularity is limited. However, because a patch is still unavailable, check the details and make sure that your Node.js app is not affected.
bug hunting hub
Quick summary of Bug Hunting Village, which we organized offline for the first time:
- 12 talks and workshops focused on vulnerability research and bug bounty;
- highest payouts during two days of conference by our partners (thanks to Mail.ru Group, VK.com, Азбука Вкуса, Avito, iSimpleLab);
- prizes for most active bug hunters (thanks to PHDays organizers and Timur Yunusov);
- communication in our Chat and knowledge sharing in the Telegram channel, and continuous movement to the next offline event.
In a separate section organised at PHDays for the first time, leading security researchers and bug hunters will share the results of their work, and owners of bug bounty programs can attract bug hunters by making an announcement. During the event, our sponsors and partners will announce the highest bounties for their vulnerability disclosure programs, and the organisers will give additional awards to the most active bug hunters.
Submit your talk, workshop or just register yourself to participate here (for Russian-based submissions).
Once bug hunting becomes a race of known misconfigurations and CVE detection, automation is required:
- monitor daily #BugBountyTips and CVEs;
- filter results with trendy potential;
- get alerts on time (13:37 UTC +0).
“Bug Hunting Hub” is a Telegram channel with my notes and bot notifications.