Bug Bytes #194 – Google’s highest bounty of 2022, making extensions and Chaos goes into beta
By travisintigriti
February 28, 2023
Last updated on March 6, 2025
Bug Bytes is a weekly newsletter curated by members of the bug bounty community. The second series is curated by InsiderPhD. Every week, she keeps us up to date with a comprehensive list of write-ups, tools, tutorials and resources.
This issue covers the weeks from February 20th to February 26th
Intigriti News
And challenged you to find the vulnerability in our code snippet, here’s the solution if you missed it!
From my notebook
This week Google reflected on it’s vulnerability management program, which is their bug bounty program. So the first two links are their blogpost and a podcast episode which gives a little more context. Number 3 is a great introduction to how chrome extensions are created and particularly the kind of permissions you give them when you install it. Finally, the last 2 are about some specialist skills, first of hardware tools for IoT/physical device security and then a look at version control using .git and how that became an RCE.
EP109 How Google Does Vulnerability Management: The Not So Secret Secrets!
Unlocking the Secrets of IoT Security: A Comprehensive Guide to Using Hardware Tools for Bug…
Other Amazing Things
NO. 370 | GoDaddy Hack, EU Chinese APTs, Hacking with ChatGPT
189 – Compromising Azure, Password Verification Fails, and Readline Crime
Nuclei: Automating Web Application and Network Service Testing [Cheat Sheet]
Exploring the Dangers of SQL Injection and Cross-Site Scripting
Exploiting Remote Command Execution Vulnerability in EasyNAS
My First Un-Expected $$$$ Digit Bounty for an Un-Expected Vulnerability
The Vulnerability That Exposed an UN Website to Remote Code Execution
Interesting Stored XSS in sandboxed environment to Full Account Takeover
How i was able to find Django Misconfiguration using Shodan.
Bypassing CORS configurations to produce an Account Takeover for Fun and Profit
How I Used JS files inspection and Fuzzing to do admins/supports stuff
Html Injection On One Of The Indian Government’s Official Domain
Information Disclosure Vulnerability in Adobe Experience Manager affecting multiple companies…
Using the “World’s Worst Fuzzer” To Find A Kernel Bug In The FiiO M6
SQL Injection + RCE | How I got a shell on my university website
[1500$ Worth — Slack] vulnerability, bypass invite accept process
Bypassing SSO Authentication from the Login Without Password Feature Lead to Account Takeover
Trellix Advanced Research Center Discovers a New Privilege Escalation Bug Class on macOS and iOS
FavFreak: A Penetration Testing Tool for Favicon Analysis and Subdomain Enumeration [Cheat Sheet]
Probable_Subdomains – Subdomains Analysis And Generation Tool. Reveal The Hidden!
Project Discovery’s Chaos goes into beta – Recon data for Public Bug Bounty Programs
FilePursuit – lists files available on the internet from open directories
You may also like
May 30, 2026
Intigriti Bug Bytes #236 - May 2026 🚀
Welcome to the latest edition of Bug Bytes! In this month's issue, we'll be featuring: Earning $148K via RCE in Google Cloud How public Google API keys became Gemini credentials Our first official Burp Suite extension Two new bypasses for Chrome's Sanitizer API One-click account takeover from a
April 24, 2026
Intigriti Bug Bytes #235 - April 2026 🚀
Welcome to the latest edition of Bug Bytes! In this month's issue, we'll be featuring: Compromising an NPM package with 40M weekly downloads Bypassing Cloudflare WAF for a full ATO 20-part series on exploiting JWT vulnerabilities First Intigriti Bug Bounty Meetup And so much more! Let's dive
March 27, 2026
Intigriti Bug Bytes #234 - March 2026 🚀
Welcome to the latest edition of Bug Bytes! In this month’s issue, we’ll be featuring: Earning $180K via SSRFs Free Burp Suite Pro licenses for top hackers Bypassing tricky file upload restrictions Injecting malicious code into AI coding assistants And so much more! Let’s dive in! We've team