Reginaldo Silva
@reginaldojsf
Security @ Mysten Labs. Opinions are mine and do not necessarily reflect my employer’s.
Sui had an outage. The team fixed it quickly. Here's the post mortem.
Last night's outage resolution: blog.sui.io/sui-mainnet-ou… Very strong response by the team! The night is dark and full of terrors but we got @aschran and @technicaldebtor 💪.
I joined Mysten Labs ~2 months ago and have been learning a lot and having fun. Now, my team is hiring. If you love appsec, static analysis, and/or nerding out about high-impact, low-sloc programs (a.k.a. smart contracts), let's work together!! Apply at: jobs.ashbyhq.com/mystenlabs/3e9…
Reposting for the benefit of my bug-bounty and CTF friends. If you haven't played with Sui yet, you're missing out.
Our Capture the Flag security challenge at #SuiBasecamp starts tomorrow, April 9! Get your team together to secure flags and win prizes. Onchain and open to all – get started at basecamp.osec.io
Dear bug bounty platforms and programs, Please work together in '24 to figure out a way to allow bug hunters to perform source assisted assessments. We hate making millions of requests and reading js until our eyes bleed when it would have taken 30 minutes with source. Thanks!
I love getting paid to hack billion dollar companies. Yet, one of the nicest feelings is when I run apt upgrade and it fixes a bug I reported. This time it was CVE-2023-6185 and CVE-2023-6186, which were the subject of my @h2hconference talk.
We’ve known about CVE-2023-51385 since 2016 or so. In fact, it was one of the first rules we added to Meta’s Zoncolan and @FrancescoLogozz used it as an example in talks. At the time, we all thought that it was an OpenSSH feature from how the code was written. Yay progress!
Dear folks running bounty programs, I have a holiday request: If I send you a full read XXE, consider it as RCE. That has been true for me, always, since 2012. I don't want to mess with your prod environment to change the CVSS from 9.6 to 9.8 or 10, but if you ask, I will. Thanks.
Did you know there is a legal fund that helps protect fellow bug hunters from legal threats? If you instruct us to donate your reward to the Security Research Legal Defense Fund, Google will quadruple it!
Went to report a vulnerability to a Fortune 500 company through their own form. Blocked by the WAF because it thought my message looked suspicious. Of course. It has a payload. That's the whole point of that form, isn't it?
The slides, demo videos, and stuff for my @h2hconference talk are at ubercomp.com/h2hc/2023/
The coolest bug I submitted to Facebook was not the openid RCE, but one that affected Parse. Back then, it was easy to have type confusion bugs in v8. So you could bind an image to buffer functions, and it gave a read/write gadget on a random memory area. Node.js was affected too
#bugbounty woes / a poem
Critical issue
Reported on the 11th / a Saturday
Fixed on the 13th / right away
If they knew about it, they never said
Yet they closed it on the 30th
a duplicate.
My best #bugbounty investment to date in terms of ROI is to have a machine powerful enough to run some big data queries locally. AWS Athena is great, but breaks my flow and gets expensive quickly.
And I was born on Halloween :) That should explain all the spell casting.
🎃🕷️ Our spooktacular DOD Vulnerability Disclosure Program Researcher of the Month is none other than @reginaldojsf! They've exorcised a wicked remote code execution bug from the Royal Elementor Addons plugin. We're bewitched by their skills! 🌟👻 #ResearcheroftheMonth
TIL that if you accidentally click the @shodanhq cancel subscription button, not only does it cancel your subscription without confirmation, it eats your credits too. On the 5th. Shodan has been flaky but I still want to subscribe.
TFW you know for a fact you have RCE on thousands of machines and you've never made a single request to them. Thanks to shodan and (since shodan has been flaky) fofa.