<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Bug-Bounty on HackingPassion.com : root@HackingPassion.com-[~]</title><link>https://hackingpassion.com/tags/bug-bounty/</link><description>Recent content in Bug-Bounty on HackingPassion.com : root@HackingPassion.com-[~]</description><generator>Hugo</generator><language>en</language><lastBuildDate>Tue, 23 Jun 2026 12:12:16 +0200</lastBuildDate><atom:link href="https://hackingpassion.com/tags/bug-bounty/index.xml" rel="self" type="application/rss+xml"/><item><title>Google Told the Researcher Nice Catch Then Refused to Pay and Never Fixed It</title><link>https://hackingpassion.com/configconfusion-google-no-bounty/</link><pubDate>Tue, 23 Jun 2026 12:12:16 +0200</pubDate><guid>https://hackingpassion.com/configconfusion-google-no-bounty/</guid><description>&lt;p>Google told a security researcher his bug was a nice catch, lined up his payout, then eleven days later called it harmless and refused to pay a cent. The flaw he reported lets anyone with basic Kubernetes access take over a complete Google Cloud organization in about five seconds, with three lines of text and no special permissions at all. Months on, it still is not fixed. He named it &lt;strong>ConfigConfusion&lt;/strong>.&lt;/p></description></item><item><title>Six Working Windows Zero Days and the Researcher Microsoft Called a Criminal</title><link>https://hackingpassion.com/nightmare-eclipse-microsoft-zero-day-war/</link><pubDate>Sun, 31 May 2026 15:08:03 +0200</pubDate><guid>https://hackingpassion.com/nightmare-eclipse-microsoft-zero-day-war/</guid><description>&lt;p>Six working Windows attacks are sitting in the open right now, three of them already seen in a real intrusion, and the researcher who published them did it after he says Microsoft refused him, deleted the account he reported bugs through, and paid him nothing. 
Microsoft removed his account, called his actions criminal, and pointed at its crime unit. Both stories are out there, and the security world cannot agree on who is more to blame.&lt;/p></description></item><item><title>GitHub RCE CVE-2026-3854: One Semicolon, Millions of Private Repositories</title><link>https://hackingpassion.com/github-rce-cve-2026-3854/</link><pubDate>Wed, 29 Apr 2026 11:54:47 +0200</pubDate><guid>https://hackingpassion.com/github-rce-cve-2026-3854/</guid><description>&lt;p>&lt;strong>GitHub RCE CVE-2026-3854.&lt;/strong> A semicolon broke GitHub. One character in a push option field, and a security researcher was running code on the backend servers that store private repositories from millions of users and organizations. The git service user that processes every push on those servers has filesystem access to every repository on the node, and that access does not check who the repository belongs to. Private code from banks, hospitals, governments, and individual developers all sits on the same shared infrastructure. The command that got the researcher there is something every developer already runs every day.&lt;/p></description></item></channel></rss>