MonkeHacks #55
Reputation, Bremen and DevOps
Welcome back for another weekly update! This week, my mom visited me for the first few days. It was great to host her here in Edinburgh. She tried VR for the first time on my Meta Quest 3 and was amazed, and thankfully the weather was alright while she was here.
I got a few hours of hacking in each day, and thankfully I found a bunch of crits with my buddies rez0 and archangel. It was really fun; the adrenaline from some of the bugs was insane. I’m well on track to overshoot my March goals, so the great momentum continues.
I’m visiting a friend in Bremen, Germany this week. My flight home on Monday got cancelled due to strike action, so I’m here until Wednesday instead. The weather is great here so I’m taking a few days to rest properly before the intense upcoming Live Hacking Event preparation.

Amazing weather in Bremen on Saturday - 17 degrees Celsius.
Weekly Ideas / Notes
I crossed 4,000 reputation points on HackerOne this week. Onwards to 5,000! Not that the points matter much these days, but it’s still a nice milestone to reach.
I found quite a few bugs with rez0 and archangel this week. It’s been an excellent collaboration so far and it’s very clear to me where we complement each other’s strengths. Thank you both! And here’s to more good work in the future.
After the upcoming LHE, I want to focus on Google VRP and Meta. They’re generally overlooked, the triage is excellent, and the payouts are among those at the top of the industry. I’m continuing to expand my automation and quick tools.
I’m trying to educate myself on DevOps properly as I work on my automation. Yes, AI might do the majority of the work soon, but for the foreseeable future, it’s still dependent on us to guide it. Remember that AI isn’t trained on good code. It’s just trained on code, and most people write bad code (otherwise we wouldn’t be career bug bounty hunters!). As such, my automation might develop more slowly, but I’m learning a hell of a lot more in the process.
I’ve been reading No Rules Rules: Netflix and the Culture of Reinvention by Reed Hastings and Erin Meyer. It’s about Netflix’s work culture and the why and how of its development over the past 20 years. It was recommended to me by a friend, and I like it a lot so far.
I have a lot of travel and time away from my usual workplace over the next two months or so. I’m determined to figure out a better system for me to work more consistently, and I’ll share my thoughts as I go. For now I know that I need to get an external portable monitor and a foldable stand for it. It’ll fit nicely into my travel setup.
Resources
Sitecore: Unsafe Deserialisation Again! (CVE-2025-27218): Detailed writeup of an RCE affecting Sitecore via insecure deserialization.
Depi Launch: A New Approach to Software Supply Chain Security: Huge congratulations to Lupin on finally launching Depi! We occasionally chatted about his work so I’m very happy to see that he has finally launched the product. Also, his website design is easily one of the coolest themes I’ve seen in ages.