
๐Ÿ Hive Five 196 - How To Make $100k Bug Hunting in 2025

The 2024 Best Inventions list, Notion Email client, Neovim Markdown setup, 20 essential Gmail settings, HeroCTF v6 writeups, and more...

Hi friends,

Greetings from the hive!

After a short detour, we're back to regular scheduling. The OG newsletter outline is back. Last week's issue didn't feel the same.

While curating for this newsletter, the following quote by Sahil stood out to me: "The same things that make you 'weird' as a kid are what will make you successful as an adult. Your unique blend of interests, hobbies, and eccentricities attract lucky events into your life."

Let's take this week by swarm!

๐Ÿ The Bee's Knees

  1. HeroCTF v6 Writeups covering: Express, Chromium cache partitioning, Service Worker hijacking through the Cache API, and Webpack DOM clobbering. MORE

  2. The 2024 Best Inventions list, curated by editors from Time magazine, showcases innovative products and technologies across various categories. Google's NotebookLM is one of the winners. MORE

  3. How a programmer with over three decades of experience writes code using Cursor. The real value is changing how you code. MORE

"Cursor is the best example of the potential of LLM coding assistants, and if you want to explore how this type of tool might be of value I suggest you give it a spin."

  4. CVE-2024-8956, CVE-2024-8957: How to Steal a 0-Day RCE (With a Little Help from an LLM). MORE

  5. How to earn $100,000 as a bug bounty hunter in 2025. MORE

Want to sponsor an upcoming issue? Let’s partner up!

Upgrade Yourself →

You're getting the free version. Members get more — including exclusive & bonus content, access to an online community of smart and driven people, the complete Hive Archive, deep discounts, and so much more. See what you're missing.

Table of Contents

📰 Updates

๐Ÿฏ My work

🚨 News

  1. At GitHub Universe, Microsoft announced Anthropic’s Claude 3.5 Sonnet, Google’s Gemini 1.5 Pro, and OpenAI’s o1-preview and o1-mini are coming to GitHub Copilot, bringing a new level of choice to every developer. MORE

  2. Ivan Zhao, the founder of Notion, held a 1-hour keynote at the company's first in-person conference, announcing 8 new launches that are sure to captivate the audience. The one that stood out to me the most was their email client. MORE

This reminds me of a 37signals play. The only difference is that they have a proven track record. I suppose Notion has the user base.

  3. New payloads in PortSwigger's URL Validation Bypass Cheat Sheet. MORE

✅ Changelog

  1. OWASP Noir, a static analysis tool, has just released version 0.18.1, introducing passive scan, status code flags, and more. MORE

  2. The release of version 2.2.4 of the gau tool contains several fixes and a merge request. MORE

  3. uro v1.0.1, the tool that declutters URL lists, is now 80x faster. MORE

  4. Arjun, a tool for discovering HTTP parameters, has released version 2.2.7, introducing two new flags and several fixes. MORE

  5. The latest Burp feature update added some features, including the ability to use Bambdas to perform match / replace in the Proxy. MORE

💼 Work

💰 Career

  1. Chompie is starting a new offensive research team at X-Force and is hiring a security researcher. MORE

  2. Ivan on their career move to Meta's WhatsApp: "I don’t want to spend the next 10 years of my life perfecting detection capabilities in the desktop world when the smart kids spent their last 10 years exiting it." MORE

  3. Ania Wysocka built a business that scaled to $2m in revenue with a staff of zero. She founded Rootd, the world’s leading app for managing panic attacks. MORE

  4. Why David quit his high-paying Wall Street job to revive his family's struggling air filter business, embarking on a mission to build a world-leading indoor air quality company. MORE

  5. A step-by-step approach to landing two six-figure remote Gov tech jobs in two weeks. MORE

🚀 Productivity

  1. Marc Andreessen shares personal anecdotes of Elon Musk's remarkable effectiveness, shedding light on how he achieves so much. MORE

  2. Cartographer is a powerful tool that leverages evolving Natural Language Processing (NLP) models to search through your document bases right from the comfort of your text editor. MORE

  3. A Neovim markdown setup, including all plugins and tips for taking markdown notes. MORE

  4. Some problems have straightforward solutions, while others require immense effort, resources, and coordination to overcome their complexity. Focus on simple but difficult problems. MORE

"What truly matters, though, are the important problems. The ones that aren’t rocket science, but need a significant amount of guts, emotional labor and community coordination to solve."

  5. This guide covers 20 essential Gmail settings to transform your inbox experience, from disabling annoying nudges to setting up efficient swipe actions on mobile. MORE

🌎 Community

🎉 Celebrate

  1. Firefox celebrates 20 years, and everyone who has used it is vital in making the internet better. Thank you! MORE

  2. NahamSec reported an RCE to Meta this weekend and has received an initial "good find". Exciting! MORE

  3. STÖK announced his exciting new role on the security team at Visma. Love it! MORE

  4. Bugcrowd secured $50M in growth capital from Silicon Valley Bank. Boom! MORE

โšก๏ธ Timeline

  1. People complain about bug bounty payout disputes, but nobody forces them to participate. Payout levels are often pre-defined, so if they still choose to proceed, it is their own decision. MORE

  2. Katie had a medical emergency while in the US, from which they have now recovered. However, the experience was frightening, as dealing with medical issues in the US can be difficult. MORE

💛 Follow
Awesome accounts to follow. Randomly selected from my curated Twitter lists.

  1. @kepano | kepano | making Obsidian.

  2. @niemand_sec | Niemand | Independent Security Consultant - Founder at SwordBytesSec - Ex immunityinc.

  3. @seanyeoh | sean | appsec @ bytedance | former assetnote.

  4. @bitquark | bitquark.

  5. @sunilyedla2 | Sunil Yedla | Trying to make the Internet a safer place by helping companies find security loopholes.

๐Ÿ„ Level up

📰 Read

  1. Certificate Error Mishandling: Misuse and Abuse of the SslErrorHandler Class. This class should be used cautiously, perhaps, at most, for simply logging SSL errors somewhere. MORE

  2. From Naptime to Big Sleep: Using Large Language Models To Catch Vulnerabilities In Real-World Code. MORE

"Finding a vulnerability in a widely-used and well-fuzzed open-source project is an exciting result! When provided with the right tools, current LLMs can perform vulnerability research."

  3. What Are My OPTIONS? CyberPanel v2.3.6 pre-auth RCE. MORE

  4. Writes and Write-Nots. Paul observes that many people struggle with writing, and predicts that in a couple of decades, there will be few who can write. MORE

"If you're thinking without writing, you only think you're thinking."

  5. Give Me the Green Light Part 1: Hacking Traffic Control Systems. Andrew shares their findings dealing with traffic controllers and other traffic systems. MORE | PART 2

💡 Tips

  1. TIL you can use ChatGPT in iOS Shortcuts. MORE

I can't wait for Claude to add this feature as well. The automations this unlocks are mind-blowing. There's an example in the link above.

  2. Reset your dopamine and change your life by learning the power of brain chemicals from neuroscientist TJ Power. MORE

  3. Tip by ZwinK: "If you get a 403 or 401 on an API path, try url encoding parts of the path or add one of these to the end of path /, ?, #, %2f, %3f. Or, add // or %2f%2f. Sometimes it throws off the access control logic and lets you in." MORE

🧠 Wisdom

  1. 3 Exercises to Reverse Out Shoulder Pain. MORE

  2. Sam Altman on the best path to proficiency being straightforward practice, not overly complex preparatory work. MORE

"a lot of very capable people outsmart themselves with complex plans that involve working a lot on fake prerequisites."

  3. What "Follow Your Dreams" Misses. In his commencement speech at Harvey Mudd in 2024, Grant Sanderson urged graduates to remain adaptable, view passion as fuel, and follow opportunities instead of dreams. MORE

  4. The fight-or-flight response is an automatic physiological reaction to perceived threats, preparing the body to either confront or flee from danger. A more accurate sequence might be Freeze, Flight, Fight, Fright. MORE

  5. NFL quarterback Jayden Daniels uses VR every morning to simulate live reps that include moving in the pocket and throwing into tight windows. MORE

📚 Resources

  1. A wide range of more than 100 powerful BadUSB scripts exclusively designed for Mac OS & the Flipper Zero device. MORE

  2. Resources for learning Kubernetes, Docker, Cloud Native tech, and cloud computing. Find certification suggestion guides, children’s books that explain cloud concepts simply, and more. MORE

  3. The Hacker News community shares their favorite text-based adventure games. MORE

  4. XSS WAF Bypass: One payload for all. MORE

  5. Everyone should take advantage of these free online resources: free online courses, educational videos, and open-source software. MORE

🛠 Explore

🧰 Tools

  1. You-Get is a tiny command-line utility to download media contents (videos, audio, images) from the Web, in case there is no other handy way to do it. MORE

  2. GlazeWM is a tiling window manager for Windows inspired by i3wm. MORE

If I were still a Windows user, I would jump on this! I have never been so effective managing windows as when I was using i3wm on my Ubuntu install.

  3. Automatically detect potential vulnerabilities and analyze repository metrics to prioritize open-source security research targets. MORE

  4. Code-based QR code generator. MORE

  5. Python tool for scanning Microsoft Outlook PST files to detect potentially sensitive information and security risks. MORE

Get $200 to try DigitalOcean — the go-to for all my recon, automation, and VPN needs. Get access to a comprehensive range of cloud resources, all at an affordable price.

🎥 Watch

  1. Web Dev Challenge #7: Build an app that’s haunted. Make it spooky, make it creepy. Joel Hooks, Douglas Rogers, Danny Thompson, and Jason Lengstorf took on the challenge. MORE

  2. How Union Square Ventures Built an AI Brain for Venture Capital. MORE

  3. In her talk at BSides Canberra 2024, Lina Lau shows that you too can be an iOS hacker: Stack Pivots and JOP/ROPs. MORE

  4. A comparison of GitHub Spark, v0, and Bolt.new, three tools that let you prompt, run, edit, and deploy full-stack web apps. MORE

  5. Justin and MatanBer delve into browser extensions. They talk about the structure and threat models and cover things like service workers, extension pages, and isolated worlds. MORE

🎵 Listen

  1. Scott Hanselman and Mark Russinovich explore AI's evolving role, from boosting coding productivity with tools like GitHub Copilot to pondering the pitfalls of over-reliance on AI, as it reshapes education and professions. MORE

  2. The DevZero Podcast discussed key decisions, communication, and what drives effective engineering teams. MORE

  3. Unorthodox frameworks for growing your product, career, and impact by Bangaly Kaba (Director of Product YouTube, ex-Instagram, ex-Facebook, ex-Instacart). MORE

I had no idea what to expect with this one, but it blew my mind. From the frameworks to the advice. Fascinating! What stuck with me the most is the importance of “understand work”.

๐ŸŒ Technology

  1. AI at its best: adding 'bolt.new' in front of a GitHub repo starts building it right away, so you can begin working on the project immediately. MORE

This is actually crazy. Who would have thought this was ever going to be a thing? I sure didn't.

  2. Best Free Fonts is a curated selection of free fonts, including serif, sans serif, script, and monospace varieties. MORE

  3. Angela Jin recently departed her role as Head of Programs & Contributor Experience at Automattic and stepped away from the WordPress project. MORE

  4. mymind is a private workspace to save one's most cherished notes, images, quotes, and highlights, enhanced with AI to aid memory without the burden of categorization. MORE

As a daily Obsidian user, I wouldn't replace the PKM portion. However, as a swipe file, focused on visuals, I think it would be hugely beneficial to anyone.

  5. Six techniques to create a great user experience for shell scripts, including providing clear error messages, using interactive prompts, and incorporating helper functions. MORE

👀 Interesting

  1. Book Cover Review provides a platform for authors and publishers to receive professional feedback on their book covers. MORE

  2. Colorango offers a collection of free, printable coloring pages for all ages, covering a wide range of themes from animals to seasonal designs. MORE

  3. 77 cocktail recipes visualized. MORE

  4. How Vinyl Records Are Made (feat. Third Man Records). MORE

  5. TimeGuessr is a web-based game that challenges players to guess the time shown in a series of images. MORE

💭 Quote

"Let us remember: One book, one pen, one child, and one teacher can change the world."

Malala

📈 Learned something?


Share Hive Five →

Share this newsletter with your friends and colleagues.

1 REFERRAL = 20% OFF EVERYTHING IN THE STORE

Until next week, take care of yourself and each other,

Bee 🐝

This newsletter may contain affiliate links that support its costs. These links lead to tools, courses, and resources that I've personally found helpful.