The Pentest-Tools.com vulnerability research manifesto

Author(s)
Andra Zaharia Head of Content & Community

Updated at: January 08, 2024

We work everyday to develop the tools, detections, and exploits that help ethical hackers fight to improve organizations’ defenses.

As you know, the fight is unfair - and rigged: penetration testers and other offensive security practitioners are bound by the terms of engagement, while attackers are free to do anything - and everything.

That’s why our research team dissects vulnerabilities that bad actors use in active attacks, for which there are no available public exploits security pros can use.

We will often build those exploits and put them in your hands, so you can do good and counteract the damage criminals cause with their own.

We know you may have questions about why we’re doing this, so here are some answers.

We believe information security only evolves if we, the people who care about it, share what we know, what we learn, and how we think about things.

We discover what we (don’t) know by talking to others and working together.

shared knowledge with customers, developers, and operations

Tools are neither intrinsically good, nor bad

Personal motivation influences everything. This is extremely important in offensive security, where the same set of skills and knowledge can either destroy or protect.

We make the conscious choice of building not just hacking tools but also the learning resources that help security practitioners use them with uncompromised ethics and strong integrity.

offensive security tools are nether good nor bad

There are more defenders than criminals

We believe that people who want to use their hacking skills and know-how for good outnumber the individuals driven by destructive desires.

They deserve our help, our support, and our faith in their ability to do good and influence others to do the same.

more defenders than criminals

Offensive security work has a disproportionate impact

A public exploit has the power to mobilize an organization to fix critical vulnerabilities much faster. This is especially important in situations where a security issue can become debilitating for a company on which thousands of people depend for access to healthcare, food, transportation, employment, and more.

fixing critical vulnerabilities

We believe in you - and your integrity

You wouldn’t read this if you didn’t resonate with what we do and how we approach things.

There’s a lot of good we can do together, even if we don’t know each other personally.

We contribute to the same effort. We belong to the same tribe of people who believe technology can improve the world - if we build, use, and improve it to be safer.

doing the ethical work in offensive security

Thank you for doing the work!

Get vulnerability research & write-ups

In your inbox. (No fluff. Actionable stuff only.)

Roundcube: exfiltrating emails with CVE-2021-44026

We think we know hacking is a tool for deeper change

CVE-2024-3094 - The XZ Utils Backdoor, a critical SSH vulnerability in Linux

The SSH backdoor would allow remote unauthenticated attackers to achieve remote code execution on the infected systems bypassing the authentication in place. From the information available at the time of writing, the backdoor seems to work only on GNU Linux x86/64 when the SSH server is run as a service by Systemd. Moreover, the library should have been installed by a packet manager. For the exploit to work, one should also expose the SSH server to the Internet so the attacker can interact remotely with it.

Author(s)

David Bors

Published at: 02 Apr 2024

Securing your Laravel application: A comprehensive guide

As someone who has worked with the Laravel framework for years, I've seen firsthand the importance of taking security seriously. I've seen how simple mistakes lead to disastrous consequences, and I've also seen the benefits of a secure and well-maintained Laravel application.