Trail of Bits discovered and disclosed two vulnerabilities in the widely used elliptic JavaScript library that could allow signature forgery or prevent valid signature verification, with one vulnerability still unfixed after the 90-day disclosure window.

This blog introduces SonarQube's enhanced analysis capabilities for GitHub Actions, designed to proactively identify and remediate security vulnerabilities like Command Injection and Code Execution that pose a significant supply chain risk.

We hacked our way into Lovable's office by demoing SupaPwn — a chain that could potentially enable region-wide tenant takeover: event-trigger privilege window, DB superuser, host RCE, SUID escalation, exposed configs, orchestration takeover

Three types of price manipulation techniques threat actors are using this Black Friday and Cyber Monday

Posted by Dave Kleidermacher, VP, Platforms Security & Privacy, Google Technology should bring people closer together, not create walls. ...

This blog introduces SonarQube's enhanced analysis capabilities for GitHub Actions, designed to proactively identify and remediate security vulnerabilities like Command Injection and Code Execution that pose a significant supply chain risk.

🔓 Cracking a Weak HS256 JWT: How I Forged a Token and Retrieved the Masterkey

Hi hackers, Welcome to the latest edition of Bug Bytes! In this month’s issue, we’ll be featuring:  Finding an RCE using AI in GitHub  CORS exploitation cheat sheet  Scanning codebases with AI  Bypass...

We’re excited to announce that Sonar has been named a Fast Company Next Big Things in Tech honoree for Applied AI! This prestigious award honors technology breakthroughs poised to define the future of their industries.

The promise of AI-assisted coding is immense, but it rests on a simple, fundamental reality: the quality and security of the code generated by a Large Language Model (LLM)  depends on the quality of the data that it was trained on.

Turn your signal-to-noise ratio into a key metric, learn how to score it, and identify challenges regarding scope, policy, staff, rewards, researchers, and processes.  

Welcome to watchTowr vs the Internet, part 68.

That feeling you’re experiencing? Dread. You should be used to it by now.

As is fast becoming an unofficial and, apparently, frowned upon tradition - we identified incredible amounts of publicly exposed passwords…

By: savi0r  Date: November 2025  Duration: ~3 hours  Result: Full Solve (JWT Admin Takeover → SSTI → RCE → Flag)  Status: ✅ Completed

This blog post explores a bug, (CVE-2025-64755), I found while trying to find a command execution primitive within Claude Code to demonstrate the risks of web-hosted MCP to a client.

At Intigriti, we host monthly web-based Capture The Flag (CTF) challenges as a way to engage with the security research community. This month, we've decided to take on a challenge ourselves as a way t...

We are thrilled to announce the launch of the Sonar Integration Program. This strategic initiative formalizes and expands our partner ecosystem, unifying SonarQube's integrations with leading technology partners under a single, comprehensive program.

Introduction

This blog serves as a detailed methodology guide for analyzing, reversing, and researching web vulnerabilities, particularly those with CVEs assigned. The content outlines repeatable processes used to evaluate vague advisories, analyze vulnerable…

Hello Security Researchers & Bug Bounty Community,

We are thrilled to announce the launch of the Sonar Integration Program. This strategic initiative formalizes and expands our partner ecosystem, unifying SonarQube's integrations with leading technology partners under a single, comprehensive program.