August huntr highlights: New profiles!

Hello huntrs, as always, here is a quick update on this month's progress.

huntr highlights

lets-chat is a simple chat application used for small teams. Mik317 identified that it was vulnerable to a POST-based CSRF issue in the /account/profile endpoint, which lets an attacker change a victim's personal information and generate or revoke their keys.

Check it out >>

buggycoder-sys disclosed a path traversal vulnerability in the package httpster, a package that is downloaded over 10,000 times per week. It allows an attacker to read files on the host outside the served directory, and could have been chained into attacks like remote code execution.

Take a look >>

Asjid Kalam fixed a command injection vulnerability in node-key-sender by replacing the child_process function exec() with execFile(). Because execFile() takes its arguments as an array and does not spawn a shell, user-supplied input is passed as a literal argument rather than interpreted as command syntax, which mitigates the injection.

The patch >>


New Profile Page

We have given your profile a new paint job and added social links. New badges and your activity log are coming soon!

Get set up >>


Now when your contribution is accepted, your dog tag is placed on the bounty page, so the whole community can see your success!

See what it looks like in fsociety >>

Podcast: Bug huntr


Mufeed VH is a developer and huntr sheriff who has been in the bug bounty world for around 5 years. We recently co-wrote an article about the vulnerability found in Lodash, the most used package in the NPM ecosystem.

Listen in for his advice on how to manage your side projects, and how to stay positive and motivated throughout.


Jim0ny speaks with Ben Beale, a software engineer with a background in quality engineering, application security, and automation, about his passion for open source development.

We discuss his setup, how he got started in open source, and the interesting way he fixed a ReDoS vulnerability in the package url-regex.

huntr of the month 🦸‍♀️ 🦸‍♂️

This month's huntr of the month is Asjid Kalam - well done! 👏 👏 

In the last 30 days, Asjid has fixed 10 vulnerabilities in packages like ffmpeg-web-gui, access-policy and casperjs, to name a few. Thank you for helping protect open source. We have awarded you this month's gold huntr of the month badge and will be getting a huntr hoody sent to you shortly! 🏆

Thank you for your love and support - there are plenty more vulnerabilities to find, fix and review, so keep it coming, and let's take September on head first!

Until next time...

Ready to join in on the fun?