Navia Breach Impacts HackerOne Data
Read More: buff.ly/okMMU1I

#ThirdPartyRisk #VendorBreach #HackerOne #EmployeeData #DataExposure #SupplyChainRisk #CyberIncident #Infosec

HackerOne discloses data breach affecting 287 employees due to Navia Benefit Solutions hack. Stay vigilant against phishing attempts. #CyberSecurity #DataBreach #HackerOne Link: thedailytechfeed.com/hackerone-da...

HackerOne discloses employee data breach after Navia hack Bug bounty platform HackerOne is notifying hundreds of employees that their data was stolen after attackers hacked Navia, one of its U.S. benefits administrators.

#HackerOne discloses employee #DataBreach after #Navia hack

www.bleepingcomputer.com/news/security/hackerone-...

#cybersecurity #benefits #privacy

Original post on webpronews.com

When the Bug Bounty Giant Gets Bitten: HackerOne Employees Exposed in Third-Party Benefits Breach HackerOne, the world's largest bug bounty platform, disclosed that employee personal data was c...

#CybersecurityUpdate #bug #bounty #platform #security […]

[Original post on webpronews.com]

Awakari App

HackerOne Employee Data Exposed in Massive Navia Breach The cybersecurity firm said the personal information of hundreds of employees was stolen in the hacker attack targeting Navia. The post Hacke...

#Data #Breaches #data #breach #HackerOne #Navia

Origin | Interest | Match

Four Data Breaches Hit HackerOne, Mazda, Infinite Campus and Dutch Ministry HackerOne, Mazda, Infinite Campus and the Dutch Ministry report data breaches, exposing employee and partner data across multiple sectors worldwide.

📢⚠️ HackerOne, Mazda, Infinite Campus, and the Dutch Ministry have all confirmed separate data breaches, exposing employee and partner data across sectors.

Read more: hackread.com/hackerone-ma...

#DataBreach #CyberSecurity #HackerOne #Mazda #ShinyHunters

HackerOne slams supplier for weeks-long breach notification delay Nearly 300 HackerOne staff affected in Navia breach involving 2.7 million people. Company criticises supplier for weeks-long notification delay.

HackerOne slams supplier for weeks-long breach notification delay

#DataBreach #Cybersecurity #HackerOne #InfoSec #AusNews

thedailyperspective.org/article/2026-03-24-hacke...

IMPORTANT: The AT&T BGW320-500 vulnerability (HackerOne #3546501, CVSS 9.6) is NOT an Arris issue. AT&T owns the firmware. Arris made the hardware. The exploit is AT&T’s code. AT&T owns the patch. #ATT #CyberSecurity #HackerOne #Infosec#ATT #CyberSecurity #HackerOne #BugBounty #Infosec

Awakari App

WiFi Pentesting Series— Breaking WEP Hi everyone, I’m starting a new series where I’ll be documenting and sharing the Wi-Fi pentesting methodology I’m currently learning. Continue reading o...

#penetration-testing #wifi-pentesting #hackerone #wifi #cybersecurity

Origin | Interest | Match

Original post on mastodon.social

#Hackerone allows researchers a certain amount of "trial submissions" even when they have a signal value below the lowest accepted threshold for a specific program.

This effectively makes the signal requirement pointless for an individual project as the worst researcher on the platform might […]

curl security moves again tldr: curl goes back to Hackerone. When we announced the end of the curl bug-bounty at the end of January 2026, we simultaneously moved over and started accepting curl security reports on GitHub instead of its previous platform. This move turns out to have been a mistake and we are now undoing that part of the decision. The reward money is still gone, _there is no bug-bounty_ no money for vulnerability reports, but we return to accepting and handling curl vulnerability and security reports on **Hackerone**. Starting March 1st 2026, this is now (again) the official place to report security problems to the curl project. This sick-sacking is unfortunate but we do it with the best of intentions. In the curl security team we were naively thinking that since so many projects are already using this setup it should be good enough for us too since we don’t have any particular special requirements. _We wrongly thought_. Now I instead question how other Open Source projects can use this. It feels like an area and use case for Open Source projects that is under-focused: proper, secure and efficient vulnerability reporting without bug-bounty. ## What we want from a security reporting system To illustrate what we are looking for, I made a little list that should show that we’re not looking for overly crazy things. 1. Incoming submissions are _reports_ that identify _security problems_. 2. The reporter needs an account on the system. 3. Submissions start private; only accessible to the reporter and the curl security team 4. All submissions must be disclosed and made public once dealt with. Both correct and incorrect ones. This is important. We are Open Source. Maximum transparency is key. 5. There should be a way to discuss the problem amongst security team members, the reporter and per-report invited guests. 6. It should be possible to post security-team-only messages that the reporter and invited guests cannot see 7. For confirmed vulnerabilities, an advisory will be produced that the system could help facilitate 8. If there’s a field for CVE, make it possible to provide our own. We are after all our own CNA. 9. Closed and disclosed reports should be clearly marked as invalid/valid etc 10. Reports should have a tagging system so that they can be marked as “AI slop” or other terms for statistical and metric reasons 11. Abusive users should be possible to ban/block from this program 12. Additional (customizable) requirements for the privilege of submitting reports is appreciated (rate limit, time since account creation, etc) ## What’s missing in GitHub’s setup? Here is a list of nits and missing features we fell over on GitHub that, had we figured them out ahead of time, possibly would have made us go about this a different way. This list might interest fellow maintainers having the same thoughts and ideas we had. I have provided this feedback to GitHub as well – to make sure they _know_. 1. GitHub sends the whole report over email/notification with no way to disable this. SMTP and email is known for being insecure and cannot assure end to end protection. This risks leaking secrets early to the entire email chain. 2. We can’t disclose invalid reports (and make them clearly marked as such) 3. Per-repository default collaborators on GitHub Security Advisories is annoying to manage, as we now have to manually add the security team for each advisory or have a rather quirky workflow scripting it. https://github.com/orgs/community/discussions/63041 4. We can’t edit the CVE number field! We are a CNA, we mint our own CVE records so this is frustrating. This adds confusion. 5. We want to (optionally) get rid of the CVSS score + calculator in the form as we actively discourage using those in curl CVE records 6. No CI jobs working in private forks is going to make us effectively not use such forks, but is not a big obstacle for us because of our vulnerability working process. https://github.com/orgs/community/discussions/35165 7. No “quote” in the discussions? That looks… like an omission. 8. We want to use GitHub’s security advisories as the _report_ to the project, not the final _advisory_ (as we write that ourselves) which might get confusing, as even for the confirmed ones, the project advisories (hosted elsewhere) are the official ones, not the ones on GitHub 9. No number of advisories count is displayed next to “security” up in the tabs, like for issues and Pull requests. This makes it hard to see progress/updates. 10. When looking at an individual advisory, there is no direct button/link to go back to the list of current advisories 11. In an advisory, you can only “report content”, there is no direct “block user” option like for issues 12. There is no way to add private comments for the team-only, as when discussing abuse or details not intended for the reporter or other invited persons in the issue 13. There is a lack of short (internal) identifier or name per issue, which makes it annoying and hard to refer to specific reports when discussing them in the security team. The existing identifiers are long and hard to differentiate from each other. 14. You quite weirdly cannot get completion help for `@nick` in comments to address people that were added into the advisory thanks to them being in a team you added to the issue? 15. There are no labels, like for issues and pull requests, which makes it impossible for us to for example mark the AI slop ones or other things, for statistics, metrics and future research ## Email? Sure, we could switch to handling them all over email but that also has its set of challenges. Including: * Hard to keep track of the state of each current issue when a number of them are managed in parallel. Even just to see how many cases are still currently open or in need of attention. * Hard to publish and disclose the invalid ones, as they never cause an advisory to get written and we rather want the initial report and the full follow-up discussion published. * Hard to adapt to or use a reputation system beyond just the boolean “these people are banned”. I suspect that we over time need to use more crowdsourced knowledge or reputation based on how the reporters have behaved previously or in relation to other projects. ## Onward and upward Since we dropped the bounty, the inflow tsunami has dried out _substantially_. Perhaps partly because of our switch over to GitHub? Perhaps it just takes a while for all the _sloptimists_ to figure out where to send the reports now and perhaps by going back to Hackerone we again open the gates for them? We just have to see what happens. We will keep iterating and tweaking the program, the settings and the hosting providers going forward to improve. To make sure we ship a robust and secure set of products and that the team doing so can do that ## Security problems? If you suspect a security problem in curl or libcurl, report it here: https://hackerone.com/curl ## The other forges don’t even try Gitlab, Codeberg and others are GitHub alternatives and competitors, but few of them offer this kind of security reporting feature. That makes them bad alternatives or replacements for us for this particular service.

#curl security moves again. Back to #hackerone

daniel.haxx.se/blog/2026/02/25/curl-sec...

Is @zimaspace.bsky.social Powerful enough to handle KASM a #CybersecurityNews #Pentesting #DevOps #Server Lab? Let's find out www.youtube.com/watch?v=t1Ap... #zima #casaos #Ubuntu #linux #docker #100DaysOfCyberSecurity #BusinessStrategy #Europe #infosecurity #Python #hackerone #developerlife

three chocolate bars in gold, white and black, in the design of Toblerone, but with the text Hackerone on them

My Swiss brain is so tuned to associate stuff that ends in "...one" with certain chocolate products that I just mispronounced Hackerone (thereby confusing my colleagues).
#hackerone #toblerone #justswissthings #chocolate #Switzerland #infosec

📰 Curl Hentikan Program Bug Bounty Setelah Dibanjiri Laporan “AI Slop”

👉 Baca artikel lengkap di sini: ahmandonk.com/2026/01/23/curl-hentikan...

#ai #slop #bug #bounty #curl #hackerone #keamanan #open-source

@bagder Shld I submit a #hackerone submission for #curl, identifying hackerone as a DoS attack vector for the project, recommending depreciation?

Original post on cyberscoop.com

Inside Vercel’s sleep-deprived race to contain React2Shell Talha Tariq quickly found his company at the center of a fast-moving, high-stakes mitigation effort. The result: a bounty program, a cat...

#Cybersecurity #Technology #Threats #greynoise #HackerOne […]

[Original post on cyberscoop.com]

Original post on cyberscoop.com

Inside Vercel’s sleep-deprived race to contain React2Shell Talha Tariq quickly found his company at the center of a fast-moving, high-stakes mitigation effort. The result: a bounty program, a cat...

#Cybersecurity #Technology #Threats #greynoise #HackerOne […]

[Original post on cyberscoop.com]

(The user who submitted this report was going by the name "b4sh0ne" up until their last comment when they renamed to this new name. Unfortunately, the HackerOne interface does not properly show this. We banned the user nonetheless.)

1. User complains to #hackerone that I named his *previous* name when he renamed himself to a silly name after I banned them in a #curl report filed back in October.

2. Hackerone asks me to respond on their support forum, on which I have no account. Grrr. I […]

[Original post on mastodon.social]

Hackerone reports per year in #curl, showing 2025 having many more than any previous year, in particular the number of AI slops

This is not working. The number of #hackerone report submissions for #curl in 2025 is going through the roof, while the quality is going through the floor.

And the year isn't over yet.

Ce mec a entraîné une IA avec 4000 rapports de bug bounty pour chasser les failles automatiquement Voilà un outil qui va plaire à ceux qui chassent les failles de sécurité... Ce projet s'appelle **Security Skills ** et c'est un système de compétences pour agents IA (genre Claude Code ou Gemini CLI) qui transforme votre proxy mitmproxy en chasseur de failles automatisé. Vous lui dites "trouve-moi des problèmes de sécurité sur example.com" et l'IA se met à analyser le trafic HTTP intercepté en appliquant des patterns qu'elle a appris de vrais bugs rémunérés.

Filtering Noise from Malicious Activity by Combining Automation, Human Judgment, and Governance Blake Entrekin, Deputy CISO at HackerOne, details AI driven access threats and the evolving researcher style attacker behavior.

Full interview:
www.technadu.com/filtering-no...

How are your teams adapting detection as attackers blend into legitimate activity? Share your thoughts below.
#Cybersecurity #BugBounty #AI #ThreatDetection #SecOps #HackerOne

Neuer PS4-Blu-ray-Exploit bis Firmware 13.02 im Anmarsch Der Programmierer Gezine meldete Sonys Bug Bounty Programm einen neuen PS4-Blu-ray-Exploit, der auch neuere Firmware-Versionen betrifft. Der Artikel <a href="https://tarnkappe.info/artikel/jailbreaks/neuer-ps4-blu-ray-exploit-bis-firmware-13-02-im-anmarsch-324023.html">Neuer PS4-Blu-ray-Exploit bis Firmware 13.02 im Anmarsch</a> erschien zuerst auf <a href="https://tarnkappe.info">TARNKAPPE.INFO</a>

📬 Neuer PS4-Blu-ray-Exploit bis Firmware 13.02 im Anmarsch

#Gaming #Jailbreaks #BugBounty #firmware #Gezine #hackerone #PS4BlurayExploit #Sony #UserlandExploit

HackeroneでRenwa氏が1万ドルの報奨金 中身はWebkit exploit HackeroneのPlayStation部門において、Renwa氏がカーネルexploit級となる1万ドルの報奨金を獲得していました。→→→この記事の続きを読む The post HackeroneでRenwa氏が1万ドルの報奨金 中身はWebkit exploit first appeared on 大人のためのゲーム講座.

ホワイトハッカーと共に探る最先端の脆弱性対策セミナー情報 12月10日に開催されるHackerOneとPriv Techの共催ウェビナー。サイバーセキュリティの最新戦略とホワイトハッカーの役割に迫ります。

ホワイトハッカーと共に探る最先端の脆弱性対策セミナー情報 #東京都 #港区 #バグバウンティ #Priv_Tech #HackerOne

12月10日に開催されるHackerOneとPriv Techの共催ウェビナー。サイバーセキュリティの最新戦略とホワイトハッカーの役割に迫ります。

📰 Vulnerability Email Spoofing DoorDash Picu Sengketa Pengungkapan yang Memanas

👉 Baca artikel lengkap di sini: ahmandonk.com/2025/11/18/g-doordash-em...

#breach #bug-bounty #cybersecurity #doordash #hackerone #phishing #ransomware #security #vulnerability

I have to admit, I see the domain hackerone dot com and in my head it rhymes with macaroni dot com.
#hackerone #hacker #infosec

Original post on mastodon.social

Does anyone here think either #bugcrowd or #hackerone are actually useful?

We get several of these, essentially identical, messages from random #gmail addresses every week for a while now - […]

Hackeroneでmour0ne氏が1万ドル報奨金 またカーネルexploitか HackeroneのPlayStation部門において、mour0ne氏がカーネルexploit級となる1万ドルの報奨金を獲得していました。→→→この記事の続きを読む The post Hackeroneでmour0ne氏が1万ドル報奨金 またカーネルexploitか first appeared on 大人のためのゲーム講座.

TheFloW氏 BD-J脆弱性をHackeroneに報告 報奨金は5,000ドル TheFloW氏が以前とは別の脆弱性を利用したBD-Jの脆弱性をHackeroneに報告していたことが明らかになりました。→→→この記事の続きを読む The post TheFloW氏 BD-J脆弱性をHackeroneに報告 報奨金は5,000ドル first appeared on 大人のためのゲーム講座.

TheFloW氏 BD-J脆弱性をHackeroneに報告 報奨金は5,000ドル TheFloW氏が以前とは別の脆弱性を利用したBD-Jの脆弱性をHackeroneに報告していたことが明らかになりました。→→→この記事の続きを読む The post TheFloW氏 BD-J脆弱性をHackeroneに報告 報奨金は5,000ドル first appeared on 大人のためのゲーム講座.