#CVECrowd, your go-to place for #CVE discussions on the Fediverse and Bluesky, now supports email alerts.

https://cvecrowd.com

Here's how it works:

- You define one or more alert keywords
- Keywords are matched against vendor, product, and package names from official CVE data
- If a post mentions a CVE that matches one of your keywords, you receive an email notification

Read more below 🧵

#Pentesting #AppSec #InfoSec #CyberSecurity #BugBounty #Hacking

#CVECrowd, your go-to place for #CVE discussions on the Fediverse and Bluesky, now supports email alerts.

https://cvecrowd.com

Here's how it works:

- You define one or more alert keywords
- Keywords are matched against vendor, product, and package names from official CVE data
- If a post mentions a CVE that matches one of your keywords, you receive an email notification

Read more below 🧵

#Pentesting #AppSec #InfoSec #CyberSecurity #BugBounty #Hacking

🔓 Found critical vulns in Taimi (LGBTQ+ dating app) - all fixed, $10k bounty

What I found:

• "Expiring" videos didn't expire, URLs stayed valid forever
• Decrement attachment ID = anyone's private videos
• Location feature bypassed photo permission checks (why upload a map preview image through the photo system??)
• Fake system messages (made a Raid Shadow Legends sponsorship lol)

The good news: Taimi actually handled this right. Fast response, $10k bounty, everything fixed quickly. No lawyers, no threats.

This is how disclosure should work. Take notes, Lovense.

Full writeup: https://bobdahacker.com/blog/taimi-idor

#InfoSec #BugBounty #ResponsibleDisclosure #IDOR #Taimi #DatingApp #Security #Privacy #CyberSecurity #LGBTQ

🔓 Found critical vulns in Taimi (LGBTQ+ dating app) - all fixed, $10k bounty

What I found:

• "Expiring" videos didn't expire, URLs stayed valid forever
• Decrement attachment ID = anyone's private videos
• Location feature bypassed photo permission checks (why upload a map preview image through the photo system??)
• Fake system messages (made a Raid Shadow Legends sponsorship lol)

The good news: Taimi actually handled this right. Fast response, $10k bounty, everything fixed quickly. No lawyers, no threats.

This is how disclosure should work. Take notes, Lovense.

Full writeup: https://bobdahacker.com/blog/taimi-idor

#InfoSec #BugBounty #ResponsibleDisclosure #IDOR #Taimi #DatingApp #Security #Privacy #CyberSecurity #LGBTQ

$1900 Bug Bounty to Fix the Lenovo Legion Pro 7 16IAX10H's Speakers on Linux

https://github.com/nadimkobeissi/16iax10h-linux-sound-saga

#HackerNews #BugBounty #Lenovo #LegionPro7 #Linux #Speakers #Fix #SoundSaga

Here's my new article on how I escalated a CSS injection to remote code execution on a Google app. Enjoy!

https://bm.gy/gwdrce3

#Cybersecurity#InfoSec#BugBounty#IndieSec#Vulnerability

Here's my new article on how I escalated a CSS injection to remote code execution on a Google app. Enjoy!

https://bm.gy/gwdrce3

#Cybersecurity#InfoSec#BugBounty#IndieSec#Vulnerability

Hacked Monster Energy 💀

They think their customers are "lower income Caucasian males (skews Hispanic)" and left their ENTIRE file system exposed.

https://bobdahacker.com/blog/monster-energy

#InfoSec#Security#DataBreach#MonsterEnergy#Vulnerability#CyberSecurity#ResponsibleDisclosure#BugBounty

Hacked Monster Energy 💀

They think their customers are "lower income Caucasian males (skews Hispanic)" and left their ENTIRE file system exposed.

https://bobdahacker.com/blog/monster-energy

#InfoSec#Security#DataBreach#MonsterEnergy#Vulnerability#CyberSecurity#ResponsibleDisclosure#BugBounty

Found critical vulns in Lovense (the biggest sex toy company) affecting 11M+ users. They ignored researchers for 2+ years, then fixed in 2 days after public exposure. 🤦

What I found:
- Email disclosure via XMPP (username→email)
- Auth bypass (email→account takeover, no password)

History of ignoring researchers:
- 2022: Someone else reports XMPP email leak, ignored
- Sept 2023: Krissy reports account takeover + different email leak via HTTP API, paid only $350
- 2024: Another person reports XMPP email leak AND Account Takeover vuln, offered 2 free sex toys (accepted for the meme)
- March 2025: I report account takeover + XMPP email leak, paid $3000 (after pushing for critical)
- Told me fix for email vuln needs 14 months because "legacy support" > user security (had 1-month fix ready)
- July 28: I go public
- July 30: Both fixed in 48 hours

Same bugs, different treatment. They lied to journalists saying it was fixed in June, tried to get me banned from HackerOne after giving permission to disclose.

News covered it but my blog has the full technical details:
https://bobdahacker.com/blog/lovense-still-leaking-user-emails/

Edit: If you have Twitter Please retweet this. This guy was one of the CO Founders of Lovense and got kicked out like how Mark Zuckerburg from Facebook did to one of his Co-Founders
https://x.com/LovenseDispute/status/1879155775865589995

#InfoSec#BugBounty#ResponsibleDisclosure#Security#Vulnerability#IoT #cybersecurity

Found critical vulns in Lovense (the biggest sex toy company) affecting 11M+ users. They ignored researchers for 2+ years, then fixed in 2 days after public exposure. 🤦

What I found:
- Email disclosure via XMPP (username→email)
- Auth bypass (email→account takeover, no password)

History of ignoring researchers:
- 2022: Someone else reports XMPP email leak, ignored
- Sept 2023: Krissy reports account takeover + different email leak via HTTP API, paid only $350
- 2024: Another person reports XMPP email leak AND Account Takeover vuln, offered 2 free sex toys (accepted for the meme)
- March 2025: I report account takeover + XMPP email leak, paid $3000 (after pushing for critical)
- Told me fix for email vuln needs 14 months because "legacy support" > user security (had 1-month fix ready)
- July 28: I go public
- July 30: Both fixed in 48 hours

Same bugs, different treatment. They lied to journalists saying it was fixed in June, tried to get me banned from HackerOne after giving permission to disclose.

News covered it but my blog has the full technical details:
https://bobdahacker.com/blog/lovense-still-leaking-user-emails/

Edit: If you have Twitter Please retweet this. This guy was one of the CO Founders of Lovense and got kicked out like how Mark Zuckerburg from Facebook did to one of his Co-Founders
https://x.com/LovenseDispute/status/1879155775865589995

#InfoSec#BugBounty#ResponsibleDisclosure#Security#Vulnerability#IoT #cybersecurity

»Wegen KI-Schrott – Curl-Entwickler erwägt Ende der Bug-Bounty-Prämien:
Minderwertige Bug-Reports belasten Open-Source-Entwickler immer stärker. Curl-Maintainer @bagder zieht nun radikale Maßnahmen in Erwägung.«

Lasst mich raten, IT-Konzerne belasten Developer von Werkzeugen, die sie Täglich selber nutzen. Was ist daran intelligent oder gar künstlerisch?
/s

🤨 https://www.golem.de/news/wegen-ki-schrott-curl-entwickler-erwaegt-ende-der-bug-bounty-praemien-2507-198123.html

#curl #opensource #web #internet #ai #ki #belastung #entwickler #kischrott #bugbounty

Death by a thousand slops

https://daniel.haxx.se/blog/2025/07/14/death-by-a-thousand-slops/

#curl#AI #bugbounty

Death by a thousand slops

https://daniel.haxx.se/blog/2025/07/14/death-by-a-thousand-slops/

#curl#AI #bugbounty