Olivia
Online
AndrewMohawk⁽ⁿᵘˡˡ⁾
@AndrewMohawk
Sec/Madness
@privy_io principal security , @_seal_org technical council
prev: HoS @uniswap, D&R/IR @RobinhoodApp, IR @BitMEX, Built @Paterva Maltego with RT
New York, USA
Joined February 2008
3.1K Following
5.3K Followers
12.7K Posts
Pinned Tweet
Fun react bug, (CVE-2025-55183) if you have a server side component and it explicitly or implicitly exposes a stringified argument you can get the source code for that function. Also found DoS, but reported it to vercel instead of meta and some else reported the next day 🙃
Incredible stuff happening on this app
1Password absolutely smashing the PR here, still one of my fav security companies
We @1Password are listening...and care.
Geoffrey got fixed up by our support team but how do we prevent these situations in the first place?
Today we're announcing a big step in the right direction.
See this reddit post for more info.
https://t.co/GrclXJfNgb
@0x158_ Nope, can only be paid by my h1b employer, luckily I fuckn love security so I do it for fun!
Who to follow
Dan Guido 
@dguido
CEO @trailofbits, organizer @EmpireHacking
Joe Fitz
@securelyfitz
Hardware Security Trainer and Researcher
Tanya Janca | Shehackspurple
@shehackspurple
Secure Coding Trainer, Best-selling author of Alice and Bob Learn Secure Coding & Alice and Bob Learn Application Security. #AppSec she/her 🌻
Pretty stoked that this report from my harness was automated e2e (besides for me giving it a target), including a lot of validation and agent discussion before submiting. I cant claim bounties (on h1b visa) but Ive got 41 open bugs (manually submitted) just on h1!
https://t.co/eL9LGhBds4
Pretty stoked that this report from my harness was automated e2e (besides for me giving it a target), including a lot of validation and agent discussion before submiting. I cant claim bounties (on h1b visa) but Ive got 41 open bugs (manually submitted) just on h1!
Fun react bug, (CVE-2025-55183) if you have a server side component and it explicitly or implicitly exposes a stringified argument you can get the source code for that function. Also found DoS, but reported it to vercel instead of meta and some else reported the next day 🙃
https://t.co/nbCIWxa12l
Another CVE from working with codex last month: CVE-2026-27135 https://t.co/ICA45S2T7j
Somewhere I missed that anthropic dropped a zero-trust for agents paper: https://t.co/An1zvaAbrc
@S1r1u5_ It also really depends on what "critical" vulnerabilities means and what they had previously tried. Its possible the MUCH cheaper models could find most of these and/or that a few "criticals" are in places that are things like unreachable code so really dont have any impact!
Any vendor punching down @gf_256 or @zellic_io should carefully consider what they are trying to prove.
I have had nothing but *excellent* audits and reports from Zellic over multiple companies with a consistent high level of security expertise which is incredibly rare.
I guess I will wait to see what @gf_256 and @zellic_io respond with, but demanding a critical bug bounty payout and then announcing you will publicly release 0day on a client your firm audited (even without these bugs, even 5 yrs ago) is not the level of maturity we need
@tayvano_ @AaluxxMyth @gf_256 @zellic_io @trailofbits Audits/testing also includes trusting the vendor you have selected to be professional, you are trusting them with (often) unreleased / new features and code and might have critical bugs in your stack that you work together to remediate and keep your users/apps safe!
I guess I will wait to see what @gf_256 and @zellic_io respond with, but demanding a critical bug bounty payout and then announcing you will publicly release 0day on a client your firm audited (even without these bugs, even 5 yrs ago) is not the level of maturity we need
We reported a critical loss of funds bug to @Thorchain (32M TVL, 150M FDV)
They silently patched it and told us their bug bounty program is permanently retired.
We have more Thorchain chain halt DoS vulns. We intend to release them (open disclosure) in the coming few days
@tayvano_ @AaluxxMyth @gf_256 @zellic_io My comments are not at all about TC but the actions of zellic, a well established security brand in the space. Demanding a bounty, threatening publicly dropping exploits and making a show on twitter is not how I’d expect them to act. I would do the same if @trailofbits did this!
🚨 Instagram had an exploit that allowed you to use Meta AI to reset passwords to accounts with no MFA on them. The exploit was patched a short time ago.
NYC folks: https://t.co/y1GRMOl37x meetup this Thursday @ Etsy, 10+ lightning talks, registration link above! Our biggest one yet!
Very 'We take your privacy and security seriously'-coded
Over the past several days, we have been listening to the conversation around coordinated disclosure and the relationship between security researchers and vendors. We recognize that this relationship is both critical and, at times, fragile. We deeply value the security community, and will continue to take your feedback seriously.
To be clear about our approach to legal matters, we have no intention to pursue action against individuals conducting or publishing their security research. When an individual breaks the law and engages in malicious activity causing real harm to our customers, we will work with law enforcement as appropriate.
We recognize the work that goes into researching and submitting a vulnerability. We are committed to approaching every interaction with transparency, clear communication, and professionalism. We continue to believe strongly in Coordinated Vulnerability Disclosure as the foundation for protecting customers and improving our products. Each year we process a high volume of vulnerability reports. That volume continues to grow and will continue with the rise of AI-enabled research. We acknowledge that some interactions have fallen short and are working to learn from them.
Many of us have experience on both sides of this work, as researchers reporting vulnerabilities and as responders triaging and assessing them. That perspective informs how we approach this feedback and the importance we place on getting it right, particularly as the volume and complexity of research continues to grow.
The security community plays a vital role in helping us protect customers. We are committed to maintaining a constructive and respectful relationship and growing together. We know that, given the nature of this work, there will at times be misunderstandings. We remain committed to engaging in good faith and to providing a respectful and professional experience for all researchers, regardless of past interactions.
Be the Mythos you want to see in the world!
This tshirt I made for Symantec Vulnerability Research, a program predating Google Project Zero by nearly a decade where we’d discover, report, & disclose vulnerabilities we found in other people’s software, is 20 years old.
Still holds true: Don’t hate the Finder, hate the vuln
Not long after the 9/11 terrorist attacks MSRC published “It’s time to end information anarchy”. It was one step short of labeling security researchers terrorists. The essay was not well received by industry _at all_ and triggered a sea change at MS, ushering in a new era. 1/2
@yolwoocle_ This is super neat!
The circle of life, msrc is going to need to reward researchers and get them on board the same as they had to do way back with all of South America 15 years ago!
@b_o_f_h_ That will be the thing to see, but still love the idea either way!
Okay well this is awesome
Google Chrome is rolling out device-bound session credentials to all users. Session cookies get cryptographically tied to your device, so stolen cookies can't be replayed from a different machine. Attackers who exfiltrate your cookie database get nothing usable.
Last Seen Users on Sotwe
Most Popular Users
Elon Musk
@elonmusk
240.1M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.6M followers
Cristiano Ronaldo
@cristiano
108.7M followers
Narendra Modi
@narendramodi
106.9M followers
Rihanna
@rihanna
97.2M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.5M followers
KATY PERRY
@katyperry
86.7M followers
Taylor Swift
@taylorswift13
80.5M followers
Lady Gaga
@ladygaga
72.1M followers
Kim Kardashian
@kimkardashian
69.3M followers
YouTube
@youtube
68.6M followers
Virat Kohli
@imvkohli
68.4M followers
Bill Gates
@billgates
63.4M followers
The Ellen Show
@theellenshow
62.5M followers
CNN
@cnn
61.9M followers
Neymar Jr
@neymarjr
60.9M followers
X
@x
60.9M followers
CNN Breaking News
@cnnbrk
59.9M followers