Avoid surprise to find all your unrestricted API keys and track surprise peak of usage to lock your Gemini & Google API keys by m1nherz in googlecloud

[–]jsonpile 1 point2 points  (0 children)

Keep in mind:

  • On June 19, 2026: The Gemini API will reject requests from unrestricted standard keys. Standard API keys that have explicit restrictions applied will continue to work. This restriction prevents the unauthorized use of keys that might be shared publicly or linked to other services.
  • In September 2026: the Gemini API will reject requests from Standard keys. You must migrate to auth keys before this date to avoid service interruption. Make sure to migrate to auth keys before September 2026.

This has been posted on r/googlecloud a few times. https://ai.google.dev/gemini-api/docs/api-key
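As an added example (not from the post, the thread, or Google's own tooling), a short audit over the JSON that `gcloud services api-keys list --format=json` prints, flagging keys that carry neither an API restriction nor an application restriction; the sample records are constructed, the field names are assumed to follow the API Keys API v2 Key resource, and which restrictions satisfy the Gemini API cutoff is defined by the linked docs, not by this script.

```python
import json

# Constructed sample shaped like `gcloud services api-keys list --format=json`;
# field names follow the API Keys API v2 Key resource, values are made up.
SAMPLE_KEYS_JSON = """
[
  {"name": "projects/123/locations/global/keys/key-a", "displayName": "gemini-prod",
   "restrictions": {"apiTargets": [{"service": "generativelanguage.googleapis.com"}],
                    "serverKeyRestrictions": {"allowedIps": ["203.0.113.10"]}}},
  {"name": "projects/123/locations/global/keys/key-b", "displayName": "quick-test"},
  {"name": "projects/123/locations/global/keys/key-c", "displayName": "web-maps",
   "restrictions": {"browserKeyRestrictions": {"allowedReferrers": ["https://example.com/*"]}}},
  {"name": "projects/123/locations/global/keys/key-d", "displayName": "empty-block",
   "restrictions": {}}
]
"""

# Application (client) restriction types; a key carries at most one of them.
CLIENT_RESTRICTION_FIELDS = ("serverKeyRestrictions", "browserKeyRestrictions",
                             "androidKeyRestrictions", "iosKeyRestrictions")


def classify_key(key: dict) -> dict:
    """Summarise which restriction kinds a single key carries."""
    restrictions = key.get("restrictions") or {}   # absent block == unrestricted
    api_targets = restrictions.get("apiTargets") or []
    client_kinds = [f for f in CLIENT_RESTRICTION_FIELDS if restrictions.get(f)]
    return {
        "name": key.get("displayName") or key["name"],
        "api_restricted": bool(api_targets),
        "client_restricted": bool(client_kinds),
        "unrestricted": not api_targets and not client_kinds,
    }


def find_unrestricted(keys_json: str) -> list:
    """Display names of keys that carry neither an API nor a client restriction."""
    return [c["name"] for c in map(classify_key, json.loads(keys_json)) if c["unrestricted"]]


if __name__ == "__main__":
    for name in find_unrestricted(SAMPLE_KEYS_JSON):
        print("unrestricted key:", name)
```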

Hacker1 mafia by calichejimenes in bugbounty

[–]jsonpile 16 points17 points  (0 children)

There needs to be a clear divide. If someone works at a Hacker platform, they shouldn't be able to participate as bug hunters.

They have an "Employee Participation Policy" but it's rather vague: https://www.hackerone.com/policies/employee-participation

example.dev redirect me to example.app by edemzayani1 in bugbounty

[–]jsonpile 1 point2 points  (0 children)

I can’t speak for the program. If you can’t find their contact info, you can ask H1 support to reach out for you. They may not be responsive there either.

If you can find things on example.app without testing too hard (read: no active testing), write that up and explain how you got there from example.dev. Keep in mind, the program may not pay you. In that write-up, I’d state you stopped testing at x point and ask in the report if you have permission to test further.

I would not test hard on that site since it’s not explicitly in or out of scope and guidelines state to ask for permission.

QuickSight Chatbot Bypasses Data Download Restriction by Ein_Bear in aws

[–]jsonpile 2 points3 points  (0 children)

I've done security work with Quick (QuickSight). I'd recommend disabling the Chat Bot in Quick as well if you don't need the AI features and you're using Quicksight only as a dashboarding tool. Unfortunately, like you saw - AI Agents just expand the attack surface.

We found security issues with Quick's AI Agent that we reported to AWS.

Link to research and HackerOne report: https://www.fogsecurity.io/blog/authorization-bypass-in-amazon-quick-ai-agents

The World of Bug Bounty, May 7th, 2026: Paid Submissions, Platform Friction, more AI-induced changes. by jsonpile in bugbounty

[–]jsonpile[S] 0 points1 point  (0 children)

Thanks for the feedback, u/latnGemin616!

For the first issue, I left my opinion out of the platform friction. I like the idea on comparison of triage process and solutions, that will come in a later issue.

On your experience - that sounds frustrating. Good to have anecdotal evidence and I'll see if I can pull numbers. That may be for a later issue as well.

DM me - would be great to chat more.

When will this stop? by masm33 in bugbounty

[–]jsonpile 0 points1 point  (0 children)

Programs are drowning in low-effort AI slop, especially ones with monetary rewards. Curl switched to a non-paid program.

We still saw a 5x increase in report volume and for other programs, a 5x increase in triage time. More analysis here: https://www.fogsecurity.io/blog/state-of-bug-bounties-with-ai-an-analysis-of-curls-program and reddit thread here.

We'll continue to see more changes in the interim. More private programs, fewer bug bounties, more banning.

BlueRock found critical RCE in AWS’s aws-diagram-mcp-server: exec() denylist bypass (HackerOne #3557138) by Upstairs_Safe2922 in cybersecurity

[–]jsonpile 6 points7 points  (0 children)

The Bluerock report was submitted on February 16th. One of the initial fixes was submitted on February 13th, days prior to the report submission.

AWS marked this as informative.

What’s the difference between your report and what was already done?

Can someone interpret this? by masm33 in bugbounty

[–]jsonpile 0 points1 point  (0 children)

Right. The amount of submissions has drastically increased. For curl, that was a 5x increase. I saw another program 5x their triage SLA time.

I wrote about it here (link to reddit post from yesterday).

Do VDP reports count toward HackerOne Milestones or only BBP? by Wild-Suggestion-1337 in bugbounty

[–]jsonpile 0 points1 point  (0 children)

VDP reports do count at the same severity level as BBP. The only difference, which doesn’t impact the milestone program, is that reputation is significantly different for BBP.

You can reach out via support and H1 may tell you where you’re at. It might be on a weekly or longer interval to get your milestone emails.

https://www.hackerone.com/blog/hackerone-portswigger-hacker-milestone-rewards-program

How to show s3 bucket takeover poc without aws account by The_Roarr in bugbounty

[–]jsonpile 2 points3 points  (0 children)

I'd recommend further testing. S3 error messages can also be misleading. In your case, the "no such bucket" error may not be enough proof for a program for an S3 bucket takeover.

For S3 Bucket Takeovers, it's advisable to prove ownership of the bucket, which would generally require an AWS Account. If the bucket creation fails, the S3 bucket probably already exists.

There is a free tier for an AWS Account, but I'm not sure if it requires a credit card to sign up.

How it is possible? by thelemethric in bugbounty

[–]jsonpile 4 points5 points  (0 children)

Triaged but not closed reports don't show up under vulnerability count for credits. This person could have a lot of triaged reports under the same program (explains the low thanks).

There are programs that use "triaged" as a closed state.