Something that came across clearly during the demonstrations and social events in DC surrounding the SCOTUS case on men in women's sports is that this issue is going to be won not just because it is the one where the bizarre derangement of transgender dogmas are most palpable and self-evident to the wider public, but also because the women who have rallied to this cause have a lifetime of training in persevering through adversity, summoning reserves of courage and energy in the face of resistance, bouncing back from injuries and losses, and risking everything in pursuit of victory.
They will win because they are winners and winners win.
Race Condition IDOR, $36,750
Where automation fails is often in the gray areas. In the case of this bug, an IDOR existed by integer "orderId", which would allow viewing and hijacking someone else's order by simple swapping the order number - but ONLY IF the order had not yet completed.
We see here that the order is 10099780. If we increment up by 1 to 10099781, it may have said "not found" (404) or access denied (403), and we keep incrementing upwards to maybe 10099788 (eight orders higher), and suddenly we get data back (200). You tinker around a bit more, come back to that same number, and now it says access denied (403). Hrmm.
So you increment up again, and get another hit, which again turns to access denied in a matter of seconds or minutes. After some pondering, you realize it turns out that once an order is completed, the access control kicks in, but not while the order is still in progress. Well ain't that fun.
From an attackers perspective, what can we do with this? What is the risk? Imagine you could change the shipping address on someones uncompleted order and intercept the product they are about to pay for. Or increasing the quantity of the product they are purchasing. Suddenly you have a warehouse full of goods you didn't pay for. That's not good for the company!
Perhaps automated tooling was used to scan this, but if no other orders were in progress in lower environments, maybe it got missed. Sometimes things just don't get found until they are in production for so many reasons.
If you are gonna do some #hacking, may as well do it on #bugbounty programs and get paid for it instead of wasting time on HTB and random labs.
"Hey random guy, how did you get so good at hammering?"
Random Guy: "I used the hammer every day for 5 years."
Pollo App 3.0 is LIVE!
Your pocket-sized AI Studio has arrived. Create anytime, anywhere.
24H Only :Follow + RT + Reply "PolloApp3.0" to win a 333 Credits code!
To prevent bot farming, we only issue credits to X accounts with a profile photo.
Another vulnerability in React Server Components (CVE-2026-23864) that I reported was disclosed today.
This is separate from the one disclosed in December, so you'll need to update again.
https://t.co/k7hgEzIWDb
this is a game-changer.
Ollama just dropped: ollama launch
a single command that sets up coding tools like Claude Code, Opencode, and Codex with local or cloud models.
all you need is one command, no environment variables or config files.
think about what this means:
- pick your model (local or cloud)
- pick your tool
- start coding
that's it.
want to run Claude code with a local glm-4.7-flash?
> ollama launch claude
done.
the barrier to running AI-powered coding workflows just dropped to zero.
It’s wild how far things have moved.
Just a year ago, local open-source models struggled to code a basic Snake game.
Now I’m running a local model with solid agentic tool use—good enough to build a self-playing 3D Snake game.
The pace of progress is unreal.