HackerOne
Coverage of HackerOne in the Nexus archive.
- HackerOne takes an axe to its bug bounty rewards
HackerOne has drastically reduced bug bounty rewards through its Internet Bug Bounty (IBB) program, cutting payouts by 68-88% across all severity levels. The program remains paused while the platform evaluates adjustments, leaving security researchers waiting for payments on previously submitted vulnerabilities.
- Even Claude agrees: hole in its sandbox was real and dangerous
Two now-patched bypass bugs in Claude Code's network sandbox put users at risk, allowing attackers to send private data to any server on the internet. The flaws were reported by Aonan Guan, a researcher who leads cloud and AI security at Wyze Labs. Anthropic has silently fixed the vulnerabilities without issuing a CVE or security advisory.
- AWS to Quick admins: The access control didn't work, but you weren't using it anyway, so what's the problem?
AWS responded to a security vulnerability in Amazon Quick, claiming no customer data was at risk after Fog Security disclosed an authorization bypass, which allowed access to AI Chat Agents despite explicit denial of access. The issue was fixed between March 11 and 12. AWS classified the severity as 'none' and issued no customer notification. The vulnerability was reported via HackerOne, a bug bounty platform.
- Warning: Deribit silently patches critical security flaws and ghosts the researchers. Can we trust an exchange that hides its vulnerabilities?
A security researcher reported critical vulnerabilities to Deribit through its bug bounty program, but the exchange silently patched the issues and ignored the researcher for 70+ days, refusing to communicate or pay. Deribit's 'unmanaged' HackerOne program status prevents forced resolution, raising concerns about transparency and trust in its security practices.
- Warning: Deribit silently patches critical security flaws and ghosts the researchers. Can we trust an exchange that hides its vulnerabilities?
An independent security researcher reported critical vulnerabilities to Deribit via its bug bounty program, but the exchange silently patched the flaws and ignored the researcher for over 70 days without communication or payment. The researcher raised concerns about Deribit's lack of transparency and trustworthiness, as the exchange is listed as an 'unmanaged' program on HackerOne, preventing forced resolution.
- AI drives surge in ‘bug bounty’ reports, but the ‘slop’ is rising too
HackerOne reported a 7% increase in valid bug bounty submissions in 2025, reaching 85,000 cases, driven by AI advancements, though concerns about rising 'slop' (low-quality reports) persist.
- Vibe coding upstart Lovable denies data leak, cites 'intentional behavior,' then throws HackerOne under the bus
Vibe coding platform Lovable denied allegations of a data leak where users' sensitive information could be accessed, initially blaming 'intentional behavior' and unclear documentation. The company later shifted blame to HackerOne, a bug-bounty service, amid criticism for mishandling vulnerability reports.
- AI-Led Remediation Crisis Prompts HackerOne to Pause Bug Bounties
HackerOne has paused bug bounties due to an AI-led remediation crisis, where remediation has become the bottleneck for open source bug fixes rather than discovery. Automated tools now outpace manual discovery, leaving bounties ineffective in addressing remediation challenges.