How We Cracked a Smartphone Giant's Encryption for $5
OPPO Cloud's transport encryption was using a key size broken since 1999. We factored it for $5 in cloud compute. Every production endpoint accepted forged requests.
An authentication vulnerability in Anduril's Lattice platform affected over 60 instances across production, development, and military environments.
DoorDash's API returned different error messages for existing vs. non-existent records with no rate limiting, enabling full order ID enumeration.
Best Buy's employee authentication system was publicly accessible, leaking 47 internal service names and helpdesk contact details.
A Department of Defense website for the Non-Lethal Weapons Program accepted cross-origin requests from any domain with credentials.
Methodology & Guides
How production JS bundles leak staging hostnames, API keys, feature flag configs, and internal service names. With real examples from CLEAR and Exness.
What automated scanners are good at vs what they miss. Business logic, auth bypass, chained attacks, and crypto weaknesses all require manual testing.
The concept of vulnerability chaining. How information disclosure, SSRF, and cloud misconfiguration combine into full data access.
Introspection, no depth limits, batching without rate limits, verbose errors, and missing field-level authorization. With a real DoorDash example.
Top 2.5% in 90 days. $18k in bounties. Goldman Sachs, DoorDash, Anduril, OPPO, and the DoD. What worked, what didn't.